Support s3 sync with kms-sse

Dockerfile

@@ -5,10 +5,10 @@ LABEL "com.github.actions.description"="Sync a directory to an AWS S3 repository
 LABEL "com.github.actions.icon"="refresh-cw"
 LABEL "com.github.actions.color"="green"
 
-LABEL version="0.5.1"
-LABEL repository="https://github.com/jakejarvis/s3-sync-action"
-LABEL homepage="https://jarv.is/"
-LABEL maintainer="Jake Jarvis <[email protected]>"
+LABEL version="0.5.3"
+LABEL repository="https://github.com/lks21c/s3-sync-action"
+LABEL homepage="http://www.kwangsiklee.com/"
+LABEL maintainer="Kwangsik Lee <[email protected]>"
 
 # https://github.com/aws/aws-cli/blob/master/CHANGELOG.rst
 ENV AWSCLI_VERSION='1.18.14'

README.md

@@ -40,22 +40,24 @@ jobs:
         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         AWS_REGION: 'us-west-1'   # optional: defaults to us-east-1
         SOURCE_DIR: 'public'      # optional: defaults to entire repository
+        AWS_S3_SSE_KMS_KEY_ID: ${{ secrets.AWS_S3_SSE_KMS_KEY_ID }} # optional: defaults to None
 ```
 
 
 ### Configuration
 
 The following settings must be passed as environment variables as shown in the example. Sensitive information, especially `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, should be [set as encrypted secrets](https://help.github.com/en/articles/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables) — otherwise, they'll be public to anyone browsing your repository's source code and CI logs.
 
-| Key | Value | Suggested Type | Required | Default |
-| ------------- | ------------- | ------------- | ------------- | ------------- |
-| `AWS_ACCESS_KEY_ID` | Your AWS Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A |
-| `AWS_SECRET_ACCESS_KEY` | Your AWS Secret Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A |
-| `AWS_S3_BUCKET` | The name of the bucket you're syncing to. For example, `jarv.is` or `my-app-releases`. | `secret env` | **Yes** | N/A |
-| `AWS_REGION` | The region where you created your bucket. Set to `us-east-1` by default. [Full list of regions here.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) | `env` | No | `us-east-1` |
+| Key | Value                                                                                                                                                                                                                                                                                                                                  | Suggested Type | Required | Default                                                            |
+| ------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- |--------------------------------------------------------------------|
+| `AWS_ACCESS_KEY_ID` | Your AWS Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)                                                                                                                                                                                                                    | `secret env` | **Yes** | N/A                                                                |
+| `AWS_SECRET_ACCESS_KEY` | Your AWS Secret Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)                                                                                                                                                                                                             | `secret env` | **Yes** | N/A                                                                |
+| `AWS_S3_BUCKET` | The name of the bucket you're syncing to. For example, `jarv.is` or `my-app-releases`.                                                                                                                                                                                                                                                 | `secret env` | **Yes** | N/A                                                                |
+| `AWS_REGION` | The region where you created your bucket. Set to `us-east-1` by default. [Full list of regions here.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions)                                                                                                            | `env` | No | `us-east-1`                                                        |
 | `AWS_S3_ENDPOINT` | The endpoint URL of the bucket you're syncing to. Can be used for [VPC scenarios](https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/) or for non-AWS services using the S3 API, like [DigitalOcean Spaces](https://www.digitalocean.com/community/tools/adapting-an-existing-aws-s3-application-to-digitalocean-spaces). | `env` | No | Automatic (`s3.amazonaws.com` or AWS's region-specific equivalent) |
-| `SOURCE_DIR` | The local directory (or file) you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository. | `env` | No | `./` (root of cloned repository) |
-| `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket. | `env` | No | `/` (root of bucket) |
+| `SOURCE_DIR` | The local directory (or file) you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository.                                                                                                                                                                                                                | `env` | No | `./` (root of cloned repository)                                   |
+| `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket.                                                                                                                                                                                                | `env` | No | `/` (root of bucket)                                               |
+| `AWS_S3_SSE_KMS_KEY_ID` | Your customer managed sse kms id to upload to S3 with [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html). For example, `aaaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee`. Defaults to None which means no encryption.                                                                                    | `env` | No | N/A                                                                |
 
 
 ## License

action.yml

@@ -1,6 +1,6 @@
-name: "S3 Sync"
-description: "Sync a directory to an AWS S3 repository"
-author: jakejarvis
+name: "S3 Sync With KMS"
+description: "Sync a directory to an AWS S3 repository using sse-kms"
+author: kwangsik
 runs:
   using: docker
   image: Dockerfile

entrypoint.sh

@@ -39,7 +39,12 @@ EOF
 
 # Sync using our dedicated profile and suppress verbose messages.
 # All other flags are optional via the `args:` directive.
-sh -c "aws s3 sync ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \
+CMD_PREFIX="aws s3 sync"
+if [ -n "$AWS_S3_SSE_KMS_KEY_ID" ]; then
+  CMD_PREFIX="${CMD_PREFIX} --sse aws:kms --sse-kms-key-id ${AWS_S3_SSE_KMS_KEY_ID}"
+fi
+
+sh -c "${CMD_PREFIX} ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \
               --profile s3-sync-action \
               --no-progress \
               ${ENDPOINT_APPEND} $*"