From 9fa9948998c87e9e710e70583353853375184b25 Mon Sep 17 00:00:00 2001 From: Conor Date: Wed, 30 Mar 2022 12:30:16 +1100 Subject: [PATCH] Added s3 sse resource Bit of a novel for you in case you were curious, but in TL;DR form, it's worked. There was no error, it was just not generating the encrypted credentials. I should say there was a 404 error when running the AWS CLI commands, due to the bucket object not existing - though the bucket existed, so I assume the problem popped up somewhere between vault initializing, encrypting & then sending the keys to S3. I was unable to properly diagnose it without any explicit error output, but after poking around I noticed a lot of the resources such as the EC2 instances, load balancers, etc - were still in a "Terminating" state while I was rerunning the terraform destroy/apply commands. I decided to wait a bit and try again.. Also learned that a full destroy isn't necessary in this type of scenario which is nice to know :) I cloned the repo again today and started from scratch, and it's worked now with the aws_s3_bucket_server_side_encryption_configuration resource! The S3 bucket properties now list default encryption as enabled and Server-side-encryption as Amazon S3-managed keys (SSE). --- s3.tf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/s3.tf b/s3.tf index e22e8a6..bace68c 100644 --- a/s3.tf +++ b/s3.tf @@ -7,6 +7,17 @@ resource "aws_s3_bucket" "vault_data" { tags = merge({ "Project" = var.main_project_tag }) } +## S3 Server-side bucket encryption +resource "aws_s3_bucket_server_side_encryption_configuration" "vault_data_sse" { + bucket = aws_s3_bucket.vault_data.bucket + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} + ## S3 Bucket Public Access Block resource "aws_s3_bucket_public_access_block" "vault_data" { bucket = aws_s3_bucket.vault_data.id
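Review bot: the new `aws_s3_bucket_server_side_encryption_configuration` block only exists in AWS provider v4.0 and later, so this change should also pin `required_providers` to `>= 4.0` (or the commit message should note that the repo already does), otherwise a fresh clone on an older provider fails at plan time. Two smaller points on the same block: `sse_algorithm = "AES256"` selects SSE-S3, where any principal allowed `s3:GetObject` reads plaintext; since the commit message says this bucket receives the encrypted credentials Vault produces, `sse_algorithm = "aws:kms"` with a `kms_master_key_id` would add a separate KMS authorization check and CloudTrail records of key use, and it is worth stating in the commit message why SSE-S3 was judged sufficient. Finally, the block references `aws_s3_bucket.vault_data.bucket` while the public access block directly below uses `aws_s3_bucket.vault_data.id`; both resolve to the bucket name, but using one attribute consistently keeps the file easier to read.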