Merge pull request #446 from tatsuyafw/support-s3-server-side-encryption

Add have_server_side_encryption matcher to s3_bucket
k1LoW · Feb 11, 2019 · 947b032 · 947b032
2 parents 42ce8a8 + 2a3a703
commit 947b032
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 0 deletions.
diff --git a/doc/_resource_types/s3_bucket.md b/doc/_resource_types/s3_bucket.md
@@ -130,6 +130,15 @@ describe s3_bucket('my-bucket') do
 end
 ```
 
+### have_server_side_encryption
+
+```
+describe s3_bucket('my-bucket') do
+  it { should have_server_side_encryption(algorithm: "AES256") }
+  it { should have_server_side_encryption(algorithm: "aws:kms") }
+end
+```
+
 ### advanced
 
 `s3_bucket` can use `Aws::S3::Bucket` resource (see http://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Bucket.html).

diff --git a/doc/resource_types.md b/doc/resource_types.md
@@ -2962,6 +2962,16 @@ end
 ```
 
 
+### have_server_side_encryption
+
+```
+describe s3_bucket('my-bucket') do
+  it { should have_server_side_encryption(algorithm: "AES256") }
+  it { should have_server_side_encryption(algorithm: "aws:kms") }
+end
+```
+
+
 ### have_tag
 
 ```ruby

diff --git a/lib/awspec/helper/finder/s3.rb b/lib/awspec/helper/finder/s3.rb
@@ -56,6 +56,13 @@ def find_bucket_lifecycle_configuration(id)
         nil
       end
 
+      def find_bucket_server_side_encryption(id)
+        res = s3_client.get_bucket_encryption(bucket: id)
+        res.server_side_encryption_configuration
+      rescue Aws::S3::Errors::ServiceError
+        nil
+      end
+
       def select_all_buckets
         s3_client.list_buckets.buckets
       end

diff --git a/lib/awspec/stub/s3_bucket.rb b/lib/awspec/stub/s3_bucket.rb
@@ -118,6 +118,18 @@
           }
         }
       ]
+    },
+    get_bucket_encryption: {
+      server_side_encryption_configuration: {
+        rules: [
+          {
+            apply_server_side_encryption_by_default: {
+              sse_algorithm: 'aws:kms',
+              kms_master_key_id: '[FILTERED]'
+            }
+          }
+        ]
+      }
     }
   }
 }
diff --git a/lib/awspec/type/s3_bucket.rb b/lib/awspec/type/s3_bucket.rb
@@ -109,6 +109,14 @@ def has_mfa_delete_enabled?
       bv ? (bv.mfa_delete == 'Enabled') : false
     end
 
+    def has_server_side_encryption?(algorithm:)
+      configuration = find_bucket_server_side_encryption(id)
+      return false unless configuration
+
+      sse_algorithm = configuration.rules[0].apply_server_side_encryption_by_default.sse_algorithm
+      sse_algorithm ? (sse_algorithm == algorithm) : false
+    end
+
     private
 
     def cors_rules

diff --git a/spec/type/s3_bucket_spec.rb b/spec/type/s3_bucket_spec.rb
@@ -56,6 +56,8 @@
 
   it { should have_mfa_delete_enabled }
 
+  it { should have_server_side_encryption(algorithm: 'aws:kms') }
+
   context 'nested attribute call' do
     its(:resource) { should be_an_instance_of(Awspec::ResourceReader) }
     its('resource.name') { should eq 'my-bucket' }