Add kms to s3 remote state module (#302)

* Changes to the s3-remote-state for issue 286 * Initial attempt to add server side encryption to the s3-remote-state bucket
fpco · Mar 7, 2020 · b4feb7f · b4feb7f
1 parent 941d441
commit b4feb7f
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/modules/s3-remote-state/main.tf b/modules/s3-remote-state/main.tf
@@ -35,12 +35,26 @@ variable "force_destroy" {
   type        = bool
 }
 
+variable "kms_key_id" {
+  description = "The ARN of a KMS Key to use for encrypting the state"
+  type        = string
+}
+
 resource "aws_s3_bucket" "remote-state" {
   bucket        = var.bucket_name
   acl           = "private"
   region        = var.region
   force_destroy = var.force_destroy
 
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = var.kms_key_id
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
   versioning {
     enabled = var.versioning
   }