Terraform AWS S3 backend encryption with AWS Customer Managed Key

Hi,

At the moment terraspace automatically creates a S3 bucket to store the terraform state. If I set encrypt to true, then the default encryption of the S3 bucket is set to SSE-S3. I would like to use a Customer Managed KMS Key. I tried to set the kms_key_id in the backend.tf. Unfortunately this is ignored by terraspace.

I want to use a Customer managed key, because then we own the key. The SSE-S3 key is owned by AWS. We don’t want that.

Is it possible to enhance terraspace to support the kms_key_id setting and the use of Customer Managed Keys?
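For reference, the configuration the question is asking Terraspace to generate, as an added example (not Terraspace's own output or the project's code): the S3 backend block with `kms_key_id` so state objects are written with SSE-KMS, plus the bucket-side default encryption and a guardrail policy that a Terraspace-created bucket would need for the CMK to be used consistently. The bucket name, region, alias and key ARN are placeholders.

```hcl
# Added example, not code generated by Terraspace. Bucket name, region and the
# key ARN below are assumptions for illustration.

terraform {
  backend "s3" {
    bucket  = "example-terraform-state"            # assumed bucket name
    key     = "stacks/demo/terraform.tfstate"
    region  = "eu-central-1"
    encrypt = true
    # kms_key_id switches state objects from SSE-S3 to SSE-KMS with this key.
    # The backend block cannot reference resources, so the ARN is literal.
    kms_key_id = "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-ID" # placeholder
  }
}

provider "aws" {
  region = "eu-central-1"
}

# The customer managed key: owned by the account, rotated yearly by KMS, and
# with a deletion window so an accidental destroy can be cancelled.
resource "aws_kms_key" "state" {
  description             = "Terraform state encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "state" {
  name          = "alias/terraform-state" # assumed alias
  target_key_id = aws_kms_key.state.key_id
}

resource "aws_s3_bucket" "state" {
  bucket = "example-terraform-state"
}

# Bucket default: objects written without explicit SSE headers are encrypted
# with the CMK instead of the AWS-owned SSE-S3 key.
resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.state.arn
    }
    bucket_key_enabled = true
  }
}

# Guardrail: deny any PutObject that is not explicitly SSE-KMS. StringNotEquals
# also matches when the header is absent, so unencrypted uploads are denied too.
resource "aws_s3_bucket_policy" "state" {
  bucket = aws_s3_bucket.state.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyNonKmsUploads"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:PutObject"
      Resource  = "${aws_s3_bucket.state.arn}/*"
      Condition = {
        StringNotEquals = {
          "s3:x-amz-server-side-encryption" = "aws:kms"
        }
      }
    }]
  })
}
```

Two practical points. The key and bucket have to exist before `terraform init` can use them, so they are bootstrapped outside the state they protect (which is the part Terraspace automates today). And the CMK's key policy, not the bucket policy, decides who can decrypt the state: the IAM principals that run Terraform need `kms:Encrypt`, `kms:Decrypt` and `kms:GenerateDataKey` on the key, which is exactly the control you gain over an AWS-owned SSE-S3 key. With `encrypt = true` and `kms_key_id` set, the backend sends the `aws:kms` header on every state write, so the deny statement does not get in its way; clients that rely purely on bucket default encryption and send no header would be blocked by it.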

I see. Terraspace doesn’t yet provide this option. Dug into the source. Here are the relevant lines:

Just need to pass the option into S3Secure::Encryption::Enable.new(options) from the c.encryption option.

And then update the docs:

Would like to get to it when I get some free time. Unsure when though. Happy to also review PRs. Of course, no sweat either way :+1: