feat: Add s3_acl and s3_server_site_encryption variables (#120)

Author: tcharewicz

README.md

@@ -694,10 +694,12 @@ No Modules.
 | role\_permissions\_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Lambda Function | `string` | `null` | no |
 | role\_tags | A map of tags to assign to IAM role | `map(string)` | `{}` | no |
 | runtime | Lambda Function runtime | `string` | `""` | no |
+| s3\_acl | The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, and bucket-owner-full-control. Defaults to private. | `string` | `"private"` | no |
 | s3\_bucket | S3 bucket to store artifacts | `string` | `null` | no |
 | s3\_existing\_package | The S3 bucket object with keys bucket, key, version pointing to an existing zip-file to use | `map(string)` | `null` | no |
 | s3\_object\_storage\_class | Specifies the desired Storage Class for the artifact uploaded to S3. Can be either STANDARD, REDUCED\_REDUNDANCY, ONEZONE\_IA, INTELLIGENT\_TIERING, or STANDARD\_IA. | `string` | `"ONEZONE_IA"` | no |
 | s3\_object\_tags | A map of tags to assign to S3 bucket object. | `map(string)` | `{}` | no |
+| s3\_server\_side\_encryption | Specifies server-side encryption of the object in S3. Valid values are "AES256" and "aws:kms". | `string` | `null` | no |
 | source\_path | The absolute path to a local file or directory containing your Lambda source code | `any` | `null` | no |
 | store\_on\_s3 | Whether to store produced artifacts on S3 or locally. | `bool` | `false` | no |
 | tags | A map of tags to assign to resources. | `map(string)` | `{}` | no |

main.tf

@@ -109,11 +109,14 @@ resource "aws_s3_bucket_object" "lambda_package" {
   count = var.create && var.store_on_s3 && var.create_package ? 1 : 0
 
   bucket        = var.s3_bucket
+  acl           = var.s3_acl
   key           = data.external.archive_prepare[0].result.filename
   source        = data.external.archive_prepare[0].result.filename
   etag          = fileexists(data.external.archive_prepare[0].result.filename) ? filemd5(data.external.archive_prepare[0].result.filename) : null
   storage_class = var.s3_object_storage_class
 
+  server_side_encryption = var.s3_server_side_encryption
+
   tags = merge(var.tags, var.s3_object_tags)
 
   depends_on = [null_resource.archive]

variables.tf

@@ -523,6 +523,18 @@ variable "s3_bucket" {
   default     = null
 }
 
+variable "s3_acl" {
+  description = "The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, and bucket-owner-full-control. Defaults to private."
+  type        = string
+  default     = "private"
+}
+
+variable "s3_server_side_encryption" {
+  description = "Specifies server-side encryption of the object in S3. Valid values are \"AES256\" and \"aws:kms\"."
+  type        = string
+  default     = null
+}
+
 variable "source_path" {
   description = "The absolute path to a local file or directory containing your Lambda source code"
   type        = any # string | list(string | map(any))