Hi… trying to use the aws_s3_bucket resource (https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#source_selection_criteria) to set up an encrypted S3 bucket with replication. Everything works except the source replication config doesn't select the source "Replicate objects encrypted with AWS KMS" key. If I look in the GUI at the replication setting, the box is checked but no KMS item is selected. I can't figure out which TF item sets that. Does anyone know?
resource "aws_s3_bucket" "source_bucket" {
  provider = aws.central
  bucket   = "tf-test-bucket-12345888888x"
  acl      = "private"
  region   = "eu-central-1"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.kms_source_bucket.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  replication_configuration {
    role = aws_iam_role.replication.arn

    rules {
      // id = "all"
      prefix = ""
      status = "Enabled"

      destination {
        bucket             = aws_s3_bucket.destination_bucket.arn
        storage_class      = "STANDARD"
        replica_kms_key_id = aws_kms_key.kms_destination_bucket.arn
      }

      source_selection_criteria {
        sse_kms_encrypted_objects {
          enabled = "true"
        }
      }
    }
  }
}
Feels like I am missing the source KMS ID in the source_selection_criteria block, but in the docs there is no option for it.