chore: disable SSE-KMS encryption in S3

infrastructure/environments/dev/main.tf

@@ -8,9 +8,12 @@ module "core" {
 module "glue" {
   source = "../../modules/glue"
 
-  environment              = var.environment
-  data_bucket_id           = module.core.data_bucket_id
-  s3_encryption_key_arn    = module.core.s3_encryption_key_arn
+  environment    = var.environment
+  data_bucket_id = module.core.data_bucket_id
+  # =====================================================================================
+  # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+  # =====================================================================================
+  # s3_encryption_key_arn  = module.core.s3_encryption_key_arn
   glue_assets_bucket_name  = var.glue_assets_bucket_name
   glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }

infrastructure/environments/prod/main.tf

@@ -8,9 +8,12 @@ module "core" {
 module "glue" {
   source = "../../modules/glue"
 
-  environment              = var.environment
-  data_bucket_id           = module.core.data_bucket_id
-  s3_encryption_key_arn    = module.core.s3_encryption_key_arn
+  environment    = var.environment
+  data_bucket_id = module.core.data_bucket_id
+  # =====================================================================================
+  # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+  # =====================================================================================
+  # s3_encryption_key_arn  = module.core.s3_encryption_key_arn
   glue_assets_bucket_name  = var.glue_assets_bucket_name
   glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }

infrastructure/environments/qa/main.tf

@@ -8,9 +8,12 @@ module "core" {
 module "glue" {
   source = "../../modules/glue"
 
-  environment              = var.environment
-  data_bucket_id           = module.core.data_bucket_id
-  s3_encryption_key_arn    = module.core.s3_encryption_key_arn
+  environment    = var.environment
+  data_bucket_id = module.core.data_bucket_id
+  # =====================================================================================
+  # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+  # =====================================================================================
+  # s3_encryption_key_arn  = module.core.s3_encryption_key_arn
   glue_assets_bucket_name  = var.glue_assets_bucket_name
   glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }

infrastructure/environments/staging/main.tf

@@ -8,9 +8,12 @@ module "core" {
 module "glue" {
   source = "../../modules/glue"
 
-  environment              = var.environment
-  data_bucket_id           = module.core.data_bucket_id
-  s3_encryption_key_arn    = module.core.s3_encryption_key_arn
+  environment    = var.environment
+  data_bucket_id = module.core.data_bucket_id
+  # =====================================================================================
+  # DELETE THIS AND UNCOMMENT THE FOLLOWING LINE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+  # =====================================================================================
+  # s3_encryption_key_arn  = module.core.s3_encryption_key_arn
   glue_assets_bucket_name  = var.glue_assets_bucket_name
   glue_scripts_bucket_name = var.glue_scripts_bucket_name
 }

infrastructure/modules/core/kms.tf

@@ -6,12 +6,17 @@
 # Service keys (SSE-KMS) instead. Please refer to
 # https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html for further
 # details.
-resource "aws_kms_key" "s3" {
-  description         = "This key protects S3 objects tackled by the AWS Glue CI/CD Blueprint"
-  enable_key_rotation = true
-}
-
-resource "aws_kms_alias" "s3" {
-  name          = "alias/glue-ci-cd-blueprint/s3-${var.environment}"
-  target_key_id = aws_kms_key.s3.key_id
-}
+# =======================================================================================
+# THE KMS KEY IS DISABLED BY DEFAULT TO AVOID EXTRA COSTS IN THE BLUEPRINT VALIDATION
+# ACCOUNTS. DELETE THE LINES DELIMITED BY `# =...=` AND UNCOMMENT THE FOLLOWING RESOURCES
+# TO CREATE/ENABLE THEM.
+# =======================================================================================
+# resource "aws_kms_key" "s3" {
+#  description         = "This key protects S3 objects tackled by the AWS Glue CI/CD Blueprint"
+#  enable_key_rotation = true
+# }
+#
+# resource "aws_kms_alias" "s3" {
+#  name          = "alias/glue-ci-cd-blueprint/s3-${var.environment}"
+#  target_key_id = aws_kms_key.s3.key_id
+# }

infrastructure/modules/core/outputs.tf

@@ -2,6 +2,9 @@ output "data_bucket_id" {
   value = aws_s3_bucket.data.id
 }
 
-output "s3_encryption_key_arn" {
-  value = aws_kms_key.s3.arn
-}
+# =======================================================================================
+# KMS KEY ARE DISABLED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
+# =======================================================================================
+# output "s3_encryption_key_arn" {
+#   value = aws_kms_key.s3.arn
+# }

infrastructure/modules/core/s3.tf

@@ -2,13 +2,16 @@ resource "aws_s3_bucket" "data" {
   bucket = "${var.data_bucket_name}-${var.environment}"
 }
 
-resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
-  bucket = aws_s3_bucket.data.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      kms_master_key_id = aws_kms_key.s3.arn
-      sse_algorithm     = "aws:kms"
-    }
-  }
-}
+# =======================================================================================
+# KMS KEY ARE DISABLED BY DEFAULT. PLEASE REFER TO `kms.tf` FOR DETAILS.
+# =======================================================================================
+# resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
+#   bucket = aws_s3_bucket.data.id
+#
+#   rule {
+#     apply_server_side_encryption_by_default {
+#       kms_master_key_id = aws_kms_key.s3.arn
+#       sse_algorithm     = "aws:kms"
+#     }
+#   }
+# }

infrastructure/modules/glue/data.tf

@@ -3,16 +3,19 @@ data "aws_s3_bucket" "data" {
 }
 
 data "aws_iam_policy_document" "glue_service_custom" {
-  statement {
-    effect = "Allow"
-    actions = [
-      "kms:Decrypt",
-      "kms:GenerateDataKey"
-    ]
-    resources = [
-      var.s3_encryption_key_arn
-    ]
-  }
+  # =====================================================================================
+  # DELETE THIS AND UNCOMMENT THE FOLLOWING STATEMENT TO ENABLE SSE-KMS ENCRYPTION IN S3.
+  # =====================================================================================
+  # statement {
+  #   effect = "Allow"
+  #   actions = [
+  #     "kms:Decrypt",
+  #     "kms:GenerateDataKey"
+  #   ]
+  #   resources = [
+  #     var.s3_encryption_key_arn
+  #   ]
+  # }
   statement {
     effect = "Allow"
     actions = [

infrastructure/modules/glue/variables.tf

@@ -10,11 +10,14 @@ variable "data_bucket_id" {
   default     = ""
 }
 
-variable "s3_encryption_key_arn" {
-  description = "ARN of the key that protects S3 objects tackled by the AWS Glue CI/CD Blueprint."
-  type        = string
-  default     = ""
-}
+# =======================================================================================
+# DELETE THIS AND UNCOMMENT THE FOLLOWING VARIABLE TO ENABLE SSE-KMS ENCRYPTION IN S3.
+# =======================================================================================
+# variable "s3_encryption_key_arn" {
+#   description = "ARN of the key that protects S3 objects tackled by the AWS Glue CI/CD Blueprint."
+#   type        = string
+#   default     = ""
+# }
 
 variable "glue_assets_bucket_name" {
   description = "Name of the S3 bucket used to store AWS Glue assets."