DynamoDB lock table encryption at rest
Dear All,

I am using the config below, which created an S3 bucket and a DynamoDB lock table during the first terragrunt plan and apply. The DynamoDB lock table was created with default encryption (Owned by Amazon DynamoDB).

Now I want to change the default encryption to AWS managed key (KMS) encryption instead. Could anyone using a KMS key to encrypt the DynamoDB lock table help with this? Basically, I want to change default encryption to KMS encryption for the existing DynamoDB lock table.

$ cat terragrunt.hcl

```
remote_state {
  backend = "s3"
  config = {
    bucket         = "test-terraform"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "xx-xxxxxxxxx-1"
    encrypt        = true
    dynamodb_table = "test-lock-table"
  }
}
```

Thanks

---

[Tracked in ticket #110015](https://support.gruntwork.io/hc/requests/110015)
Can you use the `kms_key_id` field? You can find the documentation on this here: https://developer.hashicorp.com/terraform/language/settings/backends/s3. I believe this specific section is what you are interested in:

> [kms_key_id](https://developer.hashicorp.com/terraform/language/settings/backends/s3#kms_key_id) - (Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state. Note that if this value is specified, Terraform will need kms:Encrypt, kms:Decrypt and kms:GenerateDataKey permissions on this KMS key.

Caution: since you are changing the encryption method, terraform apply might delete the old table and try to re-create it with the new encryption method.

Hope this answers your question.
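
To confirm which key type the existing lock table actually uses, before and after any change, the output of `aws dynamodb describe-table` (and optionally `aws kms describe-key`) can be classified as below. This is an added example, not part of the original thread or of Terragrunt's code; the JSON samples are constructed with placeholder account and key ids, and the function name `lock_table_encryption` and its result keys are hypothetical.

```python
import json

# Constructed samples of `aws dynamodb describe-table --table-name test-lock-table`.
# Account id and key id are placeholders.
DEFAULT_TABLE = json.dumps({"Table": {"TableName": "test-lock-table", "TableStatus": "ACTIVE"}})
KMS_TABLE = json.dumps({"Table": {
    "TableName": "test-lock-table",
    "TableStatus": "ACTIVE",
    "SSEDescription": {
        "Status": "ENABLED",
        "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:xx-xxxxxxxxx-1:111111111111:key/EXAMPLE-KEY-ID",
    },
}})
# Constructed sample of `aws kms describe-key --key-id <KMSMasterKeyArn>`.
AWS_MANAGED_KEY = json.dumps({"KeyMetadata": {"KeyManager": "AWS"}})


def lock_table_encryption(describe_table_json, describe_key_json=None):
    """Classify a table's encryption at rest from describe-table output."""
    table = json.loads(describe_table_json)["Table"]
    sse = table.get("SSEDescription")
    # DynamoDB omits SSEDescription when the table uses the default AWS owned key.
    if not sse or sse.get("Status") == "DISABLED":
        return {"table": table["TableName"], "key_type": "AWS_OWNED",
                "key_arn": None, "settled": True}
    # The table description alone cannot tell an AWS managed key from a
    # customer managed one; KeyManager from describe-key settles it.
    key_type = "KMS_UNKNOWN_MANAGER"
    if describe_key_json is not None:
        manager = json.loads(describe_key_json)["KeyMetadata"]["KeyManager"]
        key_type = {"AWS": "AWS_MANAGED", "CUSTOMER": "CUSTOMER_MANAGED"}.get(manager, key_type)
    return {
        "table": table["TableName"],
        "key_type": key_type,
        "key_arn": sse.get("KMSMasterKeyArn"),
        # ENABLING / UPDATING mean a key change is still in progress.
        "settled": sse.get("Status") == "ENABLED",
    }


if __name__ == "__main__":
    for doc, key in ((DEFAULT_TABLE, None), (KMS_TABLE, AWS_MANAGED_KEY)):
        print(lock_table_encryption(doc, key))
```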