Resource: awsS3BucketServerSideEncryptionConfiguration
Provides an S3 bucket server-side encryption configuration resource.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

class MyStack extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);

    // KMS key that will encrypt objects written to the bucket.
    const awsKmsKeyMykey = new aws.kmsKey.KmsKey(this, "mykey", {
      deletionWindowInDays: 10,
      description: "This key is used to encrypt bucket objects",
    });

    const awsS3BucketMybucket = new aws.s3Bucket.S3Bucket(this, "mybucket", {
      bucket: "mybucket",
    });

    // Default encryption rule: SSE-KMS with the key created above.
    new aws.s3BucketServerSideEncryptionConfiguration.S3BucketServerSideEncryptionConfigurationA(
      this,
      "example",
      {
        bucket: awsS3BucketMybucket.id,
        rule: [
          {
            applyServerSideEncryptionByDefault: {
              kmsMasterKeyId: awsKmsKeyMykey.arn,
              sseAlgorithm: "aws:kms",
            },
          },
        ],
      }
    );
  }
}
Argument Reference
The following arguments are supported:
bucket - (Required, Forces new resource) ID (name) of the bucket.
expectedBucketOwner - (Optional, Forces new resource) Account ID of the expected bucket owner.
rule - (Required) Set of server-side encryption configuration rules. See below. Currently, only a single rule is supported.
rule
The rule configuration block supports the following arguments:
applyServerSideEncryptionByDefault - (Optional) Single object for setting server-side encryption by default. See below.
bucketKeyEnabled - (Optional) Whether or not to use Amazon S3 Bucket Keys for SSE-KMS.
applyServerSideEncryptionByDefault
The applyServerSideEncryptionByDefault configuration block supports the following arguments:
sseAlgorithm - (Required) Server-side encryption algorithm to use. Valid values are aes256 and aws:kms
kmsMasterKeyId - (Optional) AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sseAlgorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sseAlgorithm is aws:kms.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
id - The bucket or bucket and expectedBucketOwner separated by a comma (,) if the latter is provided.
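An added example, not part of the provider documentation: a TypeScript lint that checks a configuration object against the argument constraints described above and splits the exported id into its parts. All type and function names are hypothetical, and the sample configuration is constructed.

```typescript
// Added example; all type and function names are hypothetical.
interface SseDefault { sseAlgorithm: string; kmsMasterKeyId?: string }
interface SseRule { applyServerSideEncryptionByDefault?: SseDefault; bucketKeyEnabled?: boolean }
interface SseConfig { bucket: string; expectedBucketOwner?: string; rule: SseRule[] }

// Returns findings; an empty array means the config passes every check.
function lintSseConfig(cfg: SseConfig): string[] {
  const findings: string[] = [];
  if (cfg.rule.length !== 1) {
    findings.push(`expected exactly one rule, got ${cfg.rule.length}`);
  }
  for (const r of cfg.rule) {
    const d = r.applyServerSideEncryptionByDefault;
    const isKms = d !== undefined && d.sseAlgorithm === "aws:kms";
    if (d === undefined) {
      findings.push("rule sets no applyServerSideEncryptionByDefault");
    } else if (d.kmsMasterKeyId !== undefined && !isKms) {
      findings.push("kmsMasterKeyId requires sseAlgorithm aws:kms");
    } else if (isKms && d.kmsMasterKeyId === undefined) {
      findings.push("aws:kms without kmsMasterKeyId uses the default aws/s3 key");
    }
    if (r.bucketKeyEnabled === true && !isKms) {
      findings.push("bucketKeyEnabled only applies to SSE-KMS");
    }
  }
  return findings;
}

// Splits the exported id: "bucket" or "bucket,expectedBucketOwner".
function parseResourceId(id: string): { bucket: string; expectedBucketOwner?: string } {
  const i = id.indexOf(",");
  if (i === -1 && id.length > 0) return { bucket: id };
  const bucket = id.slice(0, i);
  const owner = id.slice(i + 1);
  if (bucket.length === 0 || owner.length === 0 || owner.indexOf(",") !== -1) {
    throw new Error(`malformed resource id: ${id}`);
  }
  return { bucket, expectedBucketOwner: owner };
}

// Constructed sample: a key id paired with a non-KMS algorithm, plus a bucket key.
const constructedBadConfig: SseConfig = {
  bucket: "mybucket",
  rule: [{
    applyServerSideEncryptionByDefault: { sseAlgorithm: "aes256", kmsMasterKeyId: "constructed-key-id" },
    bucketKeyEnabled: true,
  }],
};
```

Calling lintSseConfig(constructedBadConfig) reports both the misplaced key id and the bucket key that has no effect without SSE-KMS.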
Import
S3 bucket server-side encryption configuration can be imported in one of two ways.
If the owner (account ID) of the source bucket is the same account used to configure the Terraform AWS Provider, the S3 server-side encryption configuration resource should be imported using the bucket e.g.,
If the owner (account ID) of the source bucket differs from the account used to configure the Terraform AWS Provider, the S3 bucket server-side encryption configuration resource should be imported using the bucket and expectedBucketOwner separated by a comma (,) e.g.,