Support customer-managed keys for server_side_encryption in DynamoDB

[sworisbreathing]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

As of November, 2018, CreateTable in DynamoDB now supports Server-Side Encryption with the use of a specific customer-managed key (as opposed to the default DynamoDB KMS master key). However, at the moment, the aws_dynamodb_table resource only supports turning SSE on/off but does not support specifying the KMS master key ID used for SSE.

Ideally, we should be able to pick which KMS key is used for encrypting data in a DDB table through the aws_dynamodb_table resource.

In my example below, I've also included sse_algorithm as I've copied it from how aws_s3_bucket works. It should be noted that per the documentation for SSESpecification, only KMS is applicable. So it's debatable whether or not terraform should expose sse_algorithm as a config option, given that only kms appears to be supported.

New or Affected Resource(s)

• aws_dynamodb_table

Potential Terraform Configuration

resource "aws_kms_key" "mykey" {}

resource "aws_dynamodb_table" "mytable" {
  ...
  server_side_encryption {
    enabled = true
    kms_master_key_id = "${aws_kms_key.mykey.arn}"
    sse_algorithm     = "aws:kms"
  }
}

References

• CreateTable API Documentation

• SSESpecification for CreateTable API

• How Amazon DynamoDB Uses AWS KMS

[ewbankkit]

Related:

• Feature request: Encryption at rest for DynamoDB #3298
• r/aws_dynamodb_table: Support 11/15/2018 Server-Side Encryption enhancements #5637
• Documentation: Update r/aws_dynamodb_table server_side_encryption noting DEFAULT encryption type #7498

[ewbankkit]

@sworisbreathing Thanks for this; We saw this change in the DynamoDB API about 8 months ago in the release notes for AWS SDK v1.15.16:

service/dynamodb: Updates service API and documentation
Added SSESpecification block to update-table command which allows users to modify table Server-> Side Encryption. Added two new fields (SSEType and KMSMasterKeyId) to SSESpecification block used by create-table and update-table commands. Added new SSEDescription Status value UPDATING

and I did some work in #5666 that I ultimately ended up closing as at the time the DynamoDB service didn't support the additions.
I still have the code so I will see if the service has been updated.

[ewbankkit]

This has now been officially announced.
Blog post.
I will try and reuse my code from #5666.

[bflad]

Support for this functionality has been merged and will release with version 2.47.0 of the Terraform AWS Provider, tomorrow. Thanks to @ewbankkit for the implementation. 👍

[ghost]

This has been released in version 2.47.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!