Terraform AWS S3 backend encryption with AWS Customer Managed Key


At the moment terraspace automatically creates a S3 bucket to store the terraform state. If I set encrypt to true, then the default encryption of the S3 bucket is set to SSE-S3. I would like to use a Customer Managed KMS Key. I tried to set the kms_key_id in the backend.tf. Unfortunately this is ignored by terraspace.

I want to use a Customer managed key, because then we own the key. The SSE-S3 key is owned by AWS. We don’t want that.

Is it possible to enhance terraspace to support the kms_key_id setting and the use of Customer Managed Keys?

I see. Terraspace doesn’t yet provide this option. Dug into the source. Here’s the relevant lines:

Just need to pass the option into S3Secure::Encryption::Enable.new(options) from the c.encryption option.

And then update the docs:

Would like to get to it when get some free time. Unsure when though. Happy to also review PRs. Of course, no sweat either way :+1:

1 Like