feat(object): sse-c: draft + test

Author: Mia-Cross

internal/services/object/object.go

@@ -3,7 +3,9 @@ package object
 import (
 	"bytes"
 	"context"
+	"crypto/md5"
 	"encoding/base64"
+	"encoding/hex"
 	"fmt"
 	"os"
 	"strings"
@@ -71,6 +73,12 @@ func ResourceObject() *schema.Resource {
 				Optional:    true,
 				Description: "File hash to trigger upload",
 			},
+			"sse_customer_key": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Customer key used for server-side encryption (SSE-C)",
+				Sensitive:   true,
+			},
 			"storage_class": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -141,6 +149,7 @@ func resourceObjectCreate(ctx context.Context, d *schema.ResourceData, m interfa
 		Metadata:     types.ExpandMapStringStringPtr(d.Get("metadata")),
 	}
 
+	// Object content
 	if filePath, hasFile := d.GetOk("file"); hasFile {
 		file, err := os.Open(filePath.(string))
 		if err != nil {
@@ -162,6 +171,15 @@ func resourceObjectCreate(ctx context.Context, d *schema.ResourceData, m interfa
 		req.Body = bytes.NewReader([]byte{})
 	}
 
+	// Server-side encryption
+	if customerKey := d.Get("sse_customer_key").(string); customerKey != "" {
+		//TODO: encode the following fields to base64 before adding them to the request ?
+		req.SSECustomerAlgorithm = scw.StringPtr("AES256")
+		req.SSECustomerKey = &customerKey
+		hash := md5.Sum([]byte(customerKey))
+		req.SSECustomerKeyMD5 = scw.StringPtr(hex.EncodeToString(hash[:]))
+	}
+
 	_, err = s3Client.PutObjectWithContext(ctx, req)
 	if err != nil {
 		return diag.FromErr(err)

internal/services/object/object_test.go

@@ -684,6 +684,66 @@ func TestAccObject_ByContentBase64(t *testing.T) {
 	})
 }
 
+func TestAccObject_SSECustomer(t *testing.T) {
+	tt := acctest.NewTestTools(t)
+	defer tt.Cleanup()
+	bucketName := sdkacctest.RandomWithPrefix("test-acc-scaleway-object-sse-customer")
+
+	fileContentStep1 := "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."
+	fileContentStep2 := "This is a different content"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { acctest.PreCheck(t) },
+		ProviderFactories: tt.ProviderFactories,
+		CheckDestroy: resource.ComposeTestCheckFunc(
+			objectchecks.IsObjectDestroyed(tt),
+			objectchecks.IsBucketDestroyed(tt),
+		),
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(`
+					resource "scaleway_object_bucket" "base-01" {
+						name = "%s"
+						region = "%s"
+					}
+					
+					resource scaleway_object "sse-c-encrypted" {
+						bucket = scaleway_object_bucket.base-01.id
+						key = "test-sse-c-encrypted"
+						content = "%s"
+						sse_customer_key = "mY5up3r4w3s0meK3y"
+					}
+				`, bucketName, objectTestsMainRegion, fileContentStep1),
+				Check: resource.ComposeTestCheckFunc(
+					objectchecks.CheckBucketExists(tt, "scaleway_object_bucket.base-01", true),
+					testAccCheckObjectExists(tt, "scaleway_object.sse-c-encrypted"),
+					resource.TestCheckResourceAttr("scaleway_object.sse-c-encrypted", "content", fileContentStep1),
+				),
+			},
+			{
+				Config: fmt.Sprintf(`
+					resource "scaleway_object_bucket" "base-01" {
+						name = "%s"
+						region = "%s"
+					}
+					
+					resource scaleway_object "sse-c-encrypted" {
+						bucket = scaleway_object_bucket.base-01.id
+						key = "test-by-content"
+						content = "%s"
+						sse_customer_key = "mY5up3r4w3s0meK3y"
+					}
+				`, bucketName, objectTestsMainRegion, fileContentStep2),
+				Check: resource.ComposeTestCheckFunc(
+					objectchecks.CheckBucketExists(tt, "scaleway_object_bucket.base-01", true),
+					testAccCheckObjectExists(tt, "scaleway_object.sse-c-encrypted"),
+					resource.TestCheckResourceAttr("scaleway_object.sse-c-encrypted", "content", fileContentStep2),
+				),
+			},
+		},
+	})
+}
+
 func TestAccObject_WithBucketName(t *testing.T) {
 	if !*acctest.UpdateCassettes {
 		t.Skip("Skipping ObjectStorage test as this kind of resource can't be deleted before 24h")