Provides a S3 bucket server-side encryption configuration resource.
resource "aws_kms_key" "mykey" {
description = "This key is used to encrypt bucket objects"
deletion_window_in_days = 10
}
resource "aws_s3_bucket" "mybucket" {
bucket = "mybucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
bucket = aws_s3_bucket.mybucket.id
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
This resource supports the following arguments:
bucket
- (Required, Forces new resource) ID (name) of the bucket.expected_bucket_owner
- (Optional, Forces new resource) Account ID of the expected bucket owner.rule
- (Required) Set of server-side encryption configuration rules. See below. Currently, only a single rule is supported.The rule
configuration block supports the following arguments:
apply_server_side_encryption_by_default
- (Optional) Single object for setting server-side encryption by default. See below.bucket_key_enabled
- (Optional) Whether or not to use Amazon S3 Bucket Keys for SSE-KMS.The apply_server_side_encryption_by_default
configuration block supports the following arguments:
sse_algorithm
- (Required) Server-side encryption algorithm to use. Valid values are AES256
, aws:kms
, and aws:kms:dsse
kms_master_key_id
- (Optional) AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm
as aws:kms
. The default aws/s3
AWS KMS master key is used if this element is absent while the sse_algorithm
is aws:kms
.This resource exports the following attributes in addition to the arguments above:
id
- The bucket
or bucket
and expected_bucket_owner
separated by a comma (,
) if the latter is provided.In Terraform v1.5.0 and later, use an import
block to import S3 bucket server-side encryption configuration using the bucket
or using the bucket
and expected_bucket_owner
separated by a comma (,
). For example:
If the owner (account ID) of the source bucket is the same account used to configure the Terraform AWS Provider, import using the bucket
:
import {
to = aws_s3_bucket_server_side_encryption_configuration.example
id = "bucket-name"
}
If the owner (account ID) of the source bucket differs from the account used to configure the Terraform AWS Provider, import using the bucket
and expected_bucket_owner
separated by a comma (,
):
import {
to = aws_s3_bucket_server_side_encryption_configuration.example
id = "bucket-name,123456789012"
}
Using terraform import
to import S3 bucket server-side encryption configuration using the bucket
or using the bucket
and expected_bucket_owner
separated by a comma (,
). For example:
If the owner (account ID) of the source bucket is the same account used to configure the Terraform AWS Provider, import using the bucket
:
% terraform import aws_s3_bucket_server_side_encryption_configuration.example bucket-name
If the owner (account ID) of the source bucket differs from the account used to configure the Terraform AWS Provider, import using the bucket
and expected_bucket_owner
separated by a comma (,
):
% terraform import aws_s3_bucket_server_side_encryption_configuration.example bucket-name,123456789012