_This issue was originally opened by @wayneclancy as hashicorp/terraform#16591. It was migrated here as a result of the provider split. The original body of the issue is below._
Is there any chance we can add support for the new range of AWS S3 server side encryption features?
https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/
See also:
There's an open issue for S3 Inventory support:
Just checked the AWS Go SDK; I don't see the PUT Bucket Encryption API there yet. It's in the Python SDK for the obvious reason.
Related to https://github.com/aws/aws-sdk-go/issues/1638
Updated: it's in the latest Go SDK. What's missing is the documentation.
Proposal:
Reference: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html
Couple of places to change:
- aws_s3_bucket: to read bucket encryption information from the get-bucket-encryption call
- aws_s3_bucket: to allow setting default encryption:

```hcl
resource "aws_s3_bucket" "foo" {
  encryption {
    sse_algorithm     = "aws:kms"
    kms_master_key_id = ""
  }
}
```

This means put-bucket and put-bucket-encryption are both used. I am not sure what happens when put-bucket-encryption fails. We may need to have a separate resource for the bucket encryption?
- aws_s3_bucket: to read bucket encryption information from get-bucket-encryption
I think this is addressed by #2472 - if anyone feels that there is missing functionality please comment here!
In case this helps anyone, this means that terraform plan now needs the s3:GetEncryptionConfiguration permission.
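The permission note above is easy to get wrong in the other direction (granting s3:* to the Terraform principal). As an added example that is not part of this thread, here is a least-privilege policy that covers only the two calls the provider makes for default bucket encryption: GetBucketEncryption during plan/refresh and PutBucketEncryption during apply. The bucket name and policy name are constructed placeholders.

```hcl
# Added example, not code from the thread. Bucket and policy names are constructed.
data "aws_iam_policy_document" "terraform_s3_encryption" {
  # terraform plan refreshes state, which issues GetBucketEncryption.
  statement {
    sid       = "ReadBucketEncryption"
    effect    = "Allow"
    actions   = ["s3:GetEncryptionConfiguration"]
    resources = ["arn:aws:s3:::example-terraform-managed-bucket"]
  }

  # terraform apply writes the configuration, which issues PutBucketEncryption.
  # Kept in its own statement so a plan-only (read) role can omit it.
  statement {
    sid       = "WriteBucketEncryption"
    effect    = "Allow"
    actions   = ["s3:PutEncryptionConfiguration"]
    resources = ["arn:aws:s3:::example-terraform-managed-bucket"]
  }
}

resource "aws_iam_policy" "terraform_s3_encryption" {
  name   = "terraform-s3-encryption"
  policy = data.aws_iam_policy_document.terraform_s3_encryption.json
}
```

Scoping the resources list to the buckets Terraform actually manages, rather than "*", means a compromised CI credential cannot silently change the default encryption of buckets outside that set. If the default uses aws:kms, the same principal additionally needs kms:DescribeKey on the key it references; that is outside the S3 policy shown here.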
Hi jen20,
I would like to add this SSE feature to a custom terraform module that we have used to create all our s3 buckets.
Due to changed regulations I would like to enable SSE on some of the S3 buckets that were created by this S3 bucket terraform module. Because I would like to enable SSE on a few of the S3 buckets, I would like to be able to add an empty or disabled S3 server_side_encryption_configuration on the buckets that do not require SSE.
Is there a way to do this now? If not, would it be possible to make this feature optional, like for instance the 'enabled = true' option on the lifecycle rules?
thanks in advance,
Sorry for the confusion, let me rephrase:
can we get an enabled argument on the logging object and the server_side_encryption_configuration object, as currently exists on, for instance, the versioning object?
This would help a lot when creating a custom S3 bucket terraform module that allows for optionally configuring server_side_encryption_configuration and/or bucket logging.
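The request above (an optional encryption block inside a reusable bucket module) can be met without an enabled argument once the encryption configuration lives in its own resource, which is also the direction the earlier proposal in this thread wondered about. The following is an added example, not code from the thread or from the provider's documentation; it assumes AWS provider v4 or later, where aws_s3_bucket_server_side_encryption_configuration is a separate resource, and the variable names are my own.

```hcl
# Added example, not from the thread. Assumes AWS provider >= 4.0.
# Variable names (bucket_name, enable_sse, kms_key_arn) are constructed.
variable "bucket_name" {
  type = string
}

variable "enable_sse" {
  type    = bool
  default = false
}

# Leave null to use SSE-S3 (AES256); set a key ARN to use SSE-KMS.
variable "kms_key_arn" {
  type    = string
  default = null
}

resource "aws_s3_bucket" "this" {
  bucket = var.bucket_name
}

# count = 0 leaves the bucket without a Terraform-managed default encryption
# rule; count = 1 enforces the chosen algorithm on every object written
# without an explicit x-amz-server-side-encryption header.
resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  count  = var.enable_sse ? 1 : 0
  bucket = aws_s3_bucket.this.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = var.kms_key_arn == null ? "AES256" : "aws:kms"
      kms_master_key_id = var.kms_key_arn
    }
  }
}
```

Flipping enable_sse from true to false destroys the configuration resource, which calls DeleteBucketEncryption; since January 2023 S3 applies SSE-S3 to new objects by default regardless, so "disabled" in practice means "no Terraform-enforced KMS key", not plaintext at rest. The count approach also makes the module's state explicit in terraform plan, which is easier to audit than a block that is merely empty.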
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!