From def3d07aa89e4ddc23e587d9e1ac587946ca4768 Mon Sep 17 00:00:00 2001
From: Conor
Date: Mon, 28 Mar 2022 11:06:41 +1100
Subject: [PATCH 1/2] Removed unsupported apply_server_side_encryption

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
https://github.com/hashicorp/terraform-provider-aws/issues/23106

This is read-only and so the terraform apply fails as it's unable to use this feature. Removing this code so that any other noobs like myself going through the project/YouTube series don't get tripped up on this.
---
 s3.tf | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/s3.tf b/s3.tf
index 9214d7a..e22e8a6 100644
--- a/s3.tf
+++ b/s3.tf
@@ -4,14 +4,6 @@ resource "aws_s3_bucket" "vault_data" {
 bucket_prefix = "${var.main_project_tag}-"
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
- }
- }
- }
-
 tags = merge({ "Project" = var.main_project_tag })
 }
From 9fa9948998c87e9e710e70583353853375184b25 Mon Sep 17 00:00:00 2001
From: Conor
Date: Wed, 30 Mar 2022 12:30:16 +1100
Subject: [PATCH 2/2] Added s3 sse resource

Bit of a novel for you in case you were curious, but in TL;DR form, it's worked. There was no error, it was just not generating the encrypted credentials. I should say there was a 404 error when running the AWS CLI commands, due to the bucket object not existing - though the bucket existed, so I assume the problem popped up somewhere between vault initializing, encrypting & then sending the keys to S3. I was unable to properly diagnose it without any explicit error output, but after poking around I noticed a lot of the resources such as the EC2 instances, load balancers, etc - were still in a "Terminating" state while I was rerunning the terraform destroy/apply commands. I decided to wait a bit and try again.. Also learned that a full destroy isn't necessary in this type of scenario which is nice to know :) I cloned the repo again today and started from scratch, and it's worked now with the aws_s3_bucket_server_side_encryption_configuration resource! The S3 bucket properties now list default encryption as enabled and Server-side-encryption as Amazon S3-managed keys (SSE).
---
 s3.tf | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/s3.tf b/s3.tf
index e22e8a6..bace68c 100644
--- a/s3.tf
+++ b/s3.tf
@@ -7,6 +7,17 @@ resource "aws_s3_bucket" "vault_data" {
 tags = merge({ "Project" = var.main_project_tag })
 }
+## S3 Server-side bucket encryption
+resource "aws_s3_bucket_server_side_encryption_configuration" "vault_data_sse" {
+ bucket = aws_s3_bucket.vault_data.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
 ## S3 Bucket Public Access Block
 resource "aws_s3_bucket_public_access_block" "vault_data" {
 bucket = aws_s3_bucket.vault_data.id
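Review bot: The new `aws_s3_bucket_server_side_encryption_configuration` rule selects `sse_algorithm = "AES256"` (SSE-S3), which encrypts objects at rest but lets every principal holding `s3:GetObject` on the bucket read them in clear; the description says this bucket is where Vault's keys end up, so a customer-managed KMS key (`sse_algorithm = "aws:kms"` together with `kms_master_key_id = <your-cmk-arn>`) would add a second, independently auditable authorization check through the key policy and CloudTrail key-usage events. If SSE-S3 is the deliberate trade-off for a tutorial project, a comment on the rule such as `# SSE-S3 chosen for simplicity; prefer aws:kms with a customer-managed key for production` keeps the next reader from treating it as an oversight. Minor consistency point: the new resource references `aws_s3_bucket.vault_data.bucket` while the public-access block directly below uses `aws_s3_bucket.vault_data.id`; both should resolve to the bucket name, but using one form throughout avoids a reader wondering whether they differ. The `aws_s3_bucket` and `aws_s3_bucket_public_access_block` context blocks start or end outside the hunk.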