Merge pull request #6 from AndrewPentsak/main
Added support SSE-C
loafoe authored May 8, 2023
2 parents 3b9560f + 5bb1d36 commit 71ba59b
Showing 2 changed files with 41 additions and 1 deletion.
27 changes: 27 additions & 0 deletions README.md
Expand Up @@ -46,6 +46,33 @@ resource "hsdp_function" "s3mirror" {
}
}
```
# Using server-side encryption with customer-provided encryption keys (SSE-C)
Mirror your server-side objects with SSE-C (by default it uses [SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html)). Add two variables to `environment` section:
- source_sse_customer_key - AES 256-bit, base64-encoded encryption key for source (_Example_: __`openssl rand -base64 32`__). If empty then use SSE-S3 by default.
- dest_sse_customer_key - AES 256-bit, base64-encoded encryption key for destination. If empty then use SSE-S3 by default.

```hcl
resource "hsdp_function" "s3mirror-sse-c" {
...
environment = {
# Source bucket details
source_access_key = "AAA"
source_secret_key = "BBB"
source_endpoint = "s3-eu-west-1.amazonaws.com"
source_bucket = "cf-s3-xxx"
source_prefix = "/data"
source_sse_customer_key = "4GRsukWAbk8TwphV5X/2LnHHE3gFyifRCB0lS98Ztr4="
# Destination bucket details
dest_access_key = "CCC"
dest_secret_key = "DDD"
dest_endpoint = "s3-eu-west-1.amazonaws.com"
dest_bucket = "cf-s3-yyy"
dest_prefix = "/backups/data"
}
...
}
```

# Contact / Getting help
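
Review bot: The `s3mirror-sse-c` example sets `source_sse_customer_key` to a realistic-looking base64 key as a string literal, which invites copy-paste and puts the key in the Terraform source and state. Suggest an obvious placeholder in the README and passing the value from a variable declared with `sensitive = true`, for example `source_sse_customer_key = var.source_sse_customer_key`. The example also omits `dest_sse_customer_key` even though the bullet list documents it; showing both (or stating that the destination falls back to SSE-S3 here) would make the behaviour clear. It is worth adding one sentence that objects written with SSE-C cannot be read back without the same key, so the key needs to be stored somewhere durable.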

15 changes: 14 additions & 1 deletion s3mirror.sh
@@ -1,6 +1,19 @@
#!/bin/bash
ENCRYPT_INFO=""

if [[ -n ${source_sse_customer_key} ]]; then
ENCRYPT_INFO="--encrypt-key source=${source_sse_customer_key}"
fi

if [[ -n ${dest_sse_customer_key} ]]; then
ENCRYPT_INFO="--encrypt-key dest=${dest_sse_customer_key}"
fi

if [[ -n ${source_sse_customer_key} && -n ${dest_sse_customer_key} ]]; then
ENCRYPT_INFO="--encrypt-key source=${source_sse_customer_key},dest=${dest_sse_customer_key}"
fi

mc alias set source https://${source_endpoint} ${source_access_key} ${source_secret_key}
mc alias set dest https://${dest_endpoint} ${dest_access_key} ${dest_secret_key}

mc mirror --overwrite source/${source_bucket}${source_prefix} dest/${dest_bucket}${dest_prefix}
mc mirror --overwrite source/${source_bucket}${source_prefix} dest/${dest_bucket}${dest_prefix} ${ENCRYPT_INFO}
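
Review bot: The customer key reaches `mc` as a command-line argument through `${ENCRYPT_INFO}` on the new `mc mirror` line, so it is visible in the process arguments for the whole run and in any shell trace if the script is run with `set -x`. If the `mc` release in use can take the key from an environment variable, prefer that over the flag. `ENCRYPT_INFO` is also a plain string that only works because it is expanded unquoted; a bash array (`ENCRYPT_ARGS=(--encrypt-key "source=${source_sse_customer_key}")` and `"${ENCRYPT_ARGS[@]}"`) keeps the word boundaries explicit. The three `if` blocks can be reduced to building the `source=` and `dest=` parts separately and joining them with a comma, and there is no check that either value decodes to 32 bytes, so a malformed key only shows up as an `mc` failure mid-run.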
