AWS SQS Server Side Encryption Support For Queues

[brandongalbraith]

AWS recently rolled out support of server side encryption of SQS message payloads. It would be helpful for this queue attribute to be supported for organizations where compliance requirements dictate it (encryption in flight, encryption at rest, etc).

Support of this queue attribute could follow the S3 server side encryption and KMS key id syntax.

Example SQS queue resource:

resource "aws_sqs_queue" "super_secret_queue" {
  name                      = "super_secret-example-queue"
  delay_seconds             = 90
  max_message_size          = 2048
  message_retention_seconds = 86400
  receive_wait_time_seconds = 10
  redrive_policy            = "
{\"deadLetterTargetArn\":\"${aws_sqs_queue.terraform_queue_deadletter.arn}\",\"maxReceiveCount\":4}"
  server_side_encryption = true
  sse_kms_key_id = "<AWS_KMS_CMK>" 
}

Note the deviation from the S3 SSE attribute behavior; SQS only supports KMS, therefore server_side_encryption may be a bool versus defining which encryption scheme to use.

[stack72]

I believe this can be closed via #962

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!