Add support S3 server side encryption with KMS.

* Example ``` terraform remote config \ -backend=s3 -backend-config="bucket=bucket-tfstate" -backend-config="key=terraform.tfstate" -backend-config="region=ap-northeast-1" -backend-config="encrypt=1" -backend-config="kmsKeyID=arn:aws:kms:ap-northeast-1:123456789:key/ac54dbd2-f301-42c1-bab9-88e6a84292a9" ```
hashicorp · Jul 31, 2015 · b86be99 · b86be99
1 parent 593d833
commit b86be99
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/state/remote/s3.go b/state/remote/s3.go
@@ -44,6 +44,8 @@ func s3Factory(conf map[string]string) (Client, error) {
 		serverSideEncryption = v
 	}
 
+	kmsKeyID := conf["kmsKeyID"]
+
 	accessKeyId := conf["access_key"]
 	secretAccessKey := conf["secret_key"]
 
@@ -76,6 +78,7 @@ func s3Factory(conf map[string]string) (Client, error) {
 		bucketName:           bucketName,
 		keyName:              keyName,
 		serverSideEncryption: serverSideEncryption,
+		kmsKeyID:             kmsKeyID,
 	}, nil
 }
 
@@ -84,6 +87,7 @@ type S3Client struct {
 	bucketName           string
 	keyName              string
 	serverSideEncryption bool
+	kmsKeyID             string
 }
 
 func (c *S3Client) Get() (*Payload, error) {
@@ -136,7 +140,12 @@ func (c *S3Client) Put(data []byte) error {
 	}
 
 	if c.serverSideEncryption {
-		i.ServerSideEncryption = aws.String("AES256")
+		if c.kmsKeyID != "" {
+			i.SSEKMSKeyID = &c.kmsKeyID
+			i.ServerSideEncryption = aws.String("aws:kms")
+		} else {
+			i.ServerSideEncryption = aws.String("AES256")
+		}
 	}
 
 	if _, err := c.nativeClient.PutObject(i); err == nil {