F r 2217 (#15)

* Makefile: Add sweep target

* Add more example and missing field

* docs/elasticache_replication_group: Add missing fields

* Update CHANGELOG.md

* r/aws_dynamodb_table: Ensure ttl is properly read (hashicorp#2452)

* r/aws_dynamodb_table: Ensure ttl is properly read

* r/aws_dynamodb_table: hashicorp#2452 review updates

* Add timeToLiveOutput.TimeToLiveDescription nil check
* Simplify logic to d.Set ttl

* Update CHANGELOG.md

* Bump aws-sdk-go to v.1.12.45

* New Resource: PublicDnsNamespace (hashicorp#2569)

* WIP

* Add test, docs

* Reflect reviews

* Modify error handling

* Update CHANGELOG.md

* New Resource: ServiceDiscovery PrivateDNS Namespace (hashicorp#2589)

* New Resource: service_discovery_private_dns_namespace

* Reflect reviews

* Update CHANGELOG.md

* hashicorp#2217: re-enable default encryption after disabling in via UI

* hashicorp#2217: documentation

aws/resource_aws_s3_bucket.go

@@ -993,6 +993,7 @@ func resourceAwsS3BucketRead(d *schema.ResourceData, meta interface{}) error {
 	if err != nil {
 		if isAWSErr(err, "ServerSideEncryptionConfigurationNotFoundError", "encryption configuration was not found") {
 			log.Printf("[DEBUG] Default encryption is not enabled for %s", d.Id())
+			d.Set("server_side_encryption_configuration", []map[string]interface{}{})
 		} else {
 			return err
 		}

website/docs/r/s3_bucket.html.markdown

@@ -287,6 +287,27 @@ resource "aws_s3_bucket" "bucket" {
 }
 ```
 
+### Enable Default Server Side Encryption
+
+```hcl
+resource "aws_kms_key" "mykey" {
+  description             = "This key is used to encrypt bucket objects"
+  deletion_window_in_days = 10
+}
+
+resource "aws_s3_bucket" "mybucket" {
+  bucket = "mybucket"
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = "${aws_kms_key.mykey.arn}"
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -310,6 +331,7 @@ Can be either `BucketOwner` or `Requester`. By default, the owner of the S3 buck
 the costs of any data transfer. See [Requester Pays Buckets](http://docs.aws.amazon.com/AmazonS3/latest/dev/RequesterPaysBuckets.html)
 developer guide for more information.
 * `replication_configuration` - (Optional) A configuration of [replication configuration](http://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html) (documented below).
+* `server_side_encryption_configuration` - (Optional) A confguration of [server-side encryption configuration](http://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html) (documented blow)
 
 ~> **NOTE:** You cannot use `acceleration_status` in `cn-north-1` or `us-gov-west-1`
 
@@ -391,6 +413,19 @@ The `destination` object supports the following:
 * `bucket` - (Required) The ARN of the S3 bucket where you want Amazon S3 to store replicas of the object identified by the rule.
 * `storage_class` - (Optional) The class of storage used to store the object.
 
+The `server_side_encryption_configuration` object supports the following:
+
+* `rule` - (required) A single object for server-side encryption by default configuration. (documented below)
+
+The 'rule' object supports the following:
+
+* `apply_server_side_encryption_by_default` - (required) A single object for setting server-side encryption by default. (documented below)
+
+The `apply_server_side_encryption_by_default` object supports the following:
+
+* `sse_algorithm` - (required) The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms`
+* `kms_master_key_id` - (optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `sse_algorithm` as `aws:kms`. The default `aws/s3` AWS KMS master key is used if this element is absent while the `sse_algorithm` is `aws:kms`.
+
 ## Attributes Reference
 
 The following attributes are exported: