Remote config S3 Server Side Encryption not working #3692

Closed
coen-hyde opened this issue Oct 29, 2015 · 4 comments

@coen-hyde

I'm attempting to use SSE with S3 to store the Terraform state file. But the state file is not being encrypted. Here is my terraform config setup.

  terraform remote config \
    --backend=s3 \
    --backend-config="region=us-east-1" \
    --backend-config="bucket=${STATE_BUCKET}" \
    --backend-config="key=${DEPLOYMENT}.tfstate" \
    --backend-config="encrypt=1"

@radeksimko
Member

Hi @coen-hyde
I cannot reproduce any specific issue with encryption & S3 remote state backend. See my repro steps below:

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "state" {
    bucket = "tf_test_state_bucket"
    acl = "private"
}

resource "aws_vpc" "test" {
    cidr_block = "10.0.0.0/16"
}

$ terraform apply
...
aws_vpc.test: Creation complete
aws_s3_bucket.state: Creation complete

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

export STATE_BUCKET=tf_test_state_bucket
export DEPLOYMENT=terraform
terraform remote config \
    --backend=s3 \
    --backend-config="region=us-east-1" \
    --backend-config="bucket=${STATE_BUCKET}" \
    --backend-config="key=${DEPLOYMENT}.tfstate" \
    --backend-config="encrypt=1"
Remote state management enabled
Remote state configured and pulled.

$ aws s3api head-object --bucket=${STATE_BUCKET} --key=${DEPLOYMENT}.tfstate
{
    "AcceptRanges": "bytes",
    "ContentType": "application/json",
    "LastModified": "Tue, 26 Jan 2016 07:44:11 GMT",
    "ContentLength": 2037,
    "ETag": "\"03393fbb238ce6635efa978d045be550\"",
    "ServerSideEncryption": "AES256",
    "Metadata": {}
}

As you can see in the last JSON output, the object is encrypted using AES256.

In case you'd like to use your own KMS key to encrypt it, you can use kms_key_id which was introduced in #2903 and will be available in the next release (isn't part of any release yet).

Feel free to reopen or open a new issue if you're still having issues with this, ideally with repro steps, like I did above.

@coen-hyde
Author

@radeksimko I noticed this started working. I'm on 0.6.9. At the time I reported this, I think I was on 0.6.6.

@marcbachmann

I just experienced a similar issue in terraform 0.9.11.
I first defined the backend using

terraform {
  backend "s3" {
    bucket = "bucket-name"
    key = "terraform.tfstate"
    region = "eu-west-1"
  }
}

then called terraform init, then changed the config to

terraform {
  backend "s3" {
    bucket = "bucket-name"
    key = "terraform.tfstate"
    region = "eu-west-1"
    encrypt = 1
  }
}

after that the encryption wasn't enabled.
I had to switch to local, delete the state file on s3 and then init again with the new config.
Looks like that's some issue in s3.
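
An added example, not part of the original thread or of Terraform: a Python audit that applies the `head-object` check shown above to several state objects and flags any stored without server-side encryption, such as one written before `encrypt` was set. The function names, the unencrypted and SSE-KMS samples, and the placeholder key ARN are constructed for illustration; `SSEKMSKeyId` is the field `head-object` returns for SSE-KMS objects.

```python
import json
import subprocess

ALLOWED_MODES = {"AES256", "aws:kms", "aws:kms:dsse"}

# head-object response from the thread (trimmed), written with encrypt=1.
ENCRYPTED = json.loads("""{
    "AcceptRanges": "bytes", "ContentType": "application/json",
    "ContentLength": 2037, "ServerSideEncryption": "AES256", "Metadata": {}
}""")
# Constructed samples: an object written before encrypt was set, and an
# SSE-KMS object with a placeholder key ARN.
PLAINTEXT = {"ContentType": "application/json", "ContentLength": 2037, "Metadata": {}}
KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
KMS = {"ContentLength": 2037, "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KMS_KEY}


def head_object(bucket, key):
    """Run the CLI call used in the thread and return its parsed JSON."""
    cmd = ["aws", "s3api", "head-object", "--bucket", bucket, "--key", key]
    done = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


def check_sse(head, require_kms_key=None):
    """Return a list of findings; an empty list means the object passes."""
    mode = head.get("ServerSideEncryption")  # field is absent when unencrypted
    findings = []
    if mode is None:
        findings.append("no server-side encryption")
    elif mode not in ALLOWED_MODES:
        findings.append(f"unexpected mode {mode}")
    if require_kms_key is not None and mode is not None:
        if not mode.startswith("aws:kms"):
            findings.append("not encrypted with KMS")
        elif head.get("SSEKMSKeyId") != require_kms_key:
            findings.append("encrypted with a different KMS key")
    return findings


def audit(objects, require_kms_key=None):
    """Map each failing state key to its findings; passing keys are omitted."""
    report = {k: check_sse(h, require_kms_key) for k, h in objects.items()}
    return {k: f for k, f in report.items() if f}


if __name__ == "__main__":
    sample = {"terraform.tfstate": ENCRYPTED, "old.tfstate": PLAINTEXT, "kms.tfstate": KMS}
    for key, findings in audit(sample).items():
        print(key, "->", "; ".join(findings))
```

Against a live bucket, pass `head_object(bucket, key)` results to `audit` in place of the embedded samples.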

@ghost

ghost commented Apr 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 8, 2020