Error adding bucket KMS encryption in S3

I have Terraform code that I've added KMS encryption to.

resource "aws_s3_bucket" "bucket" {
  bucket = "${var.bucket}${var.envSuffix}"
  acl    = "private"
  tags {
    Name        = "${var.bucket}${var.envSuffix}"
    Environment = "${var.env}"
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${var.kms_key_id}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

When I run an apply, I get the error:

invalid or unknown key: server_side_encryption_configuration

I'm running Terraform v0.11.0. Why isn't Terraform recognizing server_side_encryption_configuration as a valid element? I assume it is referring to the server_side_encryption_configuration element and not the kms_master_key_id element.

I've tested without the kms_master_key_id element at all and get exactly the same error, so it doesn't appear to be related to an incorrect value assigned to the kms_master_key_id element.



Solution 1:[1]

kms_master_key_id should be the ARN rather than the key name.

Can you confirm that you have the right setting in var.kms_key_id?

   kms_master_key_id = "${aws_kms_key.mykey.arn}"

kms_master_key_id - (optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms.

Solution 2:[2]

This is obviously a dated question, but for the help of passers-by: the Terraform module "aws_s3_server_side_encryption_configuration" is to be used, and not the server_side_encryption... block inside the aws_s3 module, which is deprecated.

Like,

resource "aws_s3_bucket_server_side_encryption_configuration" "bEncryption" {
  bucket = aws_s3_bucket.sourceBucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
...
}

Ideally it should have shown a warning and not an error, unless the $var key variable contains the string "server_side_encryption_configuration".
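
A complete configuration combining the two answers (key referenced by ARN, encryption declared as its own resource), added here as an example and not taken from the question or either answer. It assumes AWS provider v4 or later, which is where the standalone encryption resource exists; the provider pin, the variable declarations and the key settings are illustrative.

```hcl
# Added example. Assumes AWS provider v4+; names reuse those on this page,
# the key description and deletion window are illustrative values.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # standalone encryption resource needs v4+
    }
  }
}

variable "bucket" {
  type = string
}

variable "envSuffix" {
  type = string
}

# Customer-managed key. If kms_master_key_id is omitted below, S3 falls
# back to the default aws/s3 key instead of this one.
resource "aws_kms_key" "mykey" {
  description             = "Default encryption key for the S3 bucket"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_s3_bucket" "bucket" {
  bucket = "${var.bucket}${var.envSuffix}"
}

# Encryption is attached to the bucket by ID instead of being nested in it.
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.mykey.arn # ARN, not the key name
    }
    bucket_key_enabled = true # fewer KMS requests per object operation
  }
}
```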

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 BMW
Solution 2