hashicorp#2217: documentation

trung · Dec 13, 2017 · f19e809 · f19e809
1 parent 1f3fd42
commit f19e809
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/website/docs/r/s3_bucket.html.markdown b/website/docs/r/s3_bucket.html.markdown
@@ -287,6 +287,27 @@ resource "aws_s3_bucket" "bucket" {
 }
 ```
 
+### Enable Default Server Side Encryption
+
+```hcl
+resource "aws_kms_key" "mykey" {
+  description             = "This key is used to encrypt bucket objects"
+  deletion_window_in_days = 10
+}
+
+resource "aws_s3_bucket" "mybucket" {
+  bucket = "mybucket"
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = "${aws_kms_key.mykey.arn}"
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -310,6 +331,7 @@ Can be either `BucketOwner` or `Requester`. By default, the owner of the S3 buck
 the costs of any data transfer. See [Requester Pays Buckets](http://docs.aws.amazon.com/AmazonS3/latest/dev/RequesterPaysBuckets.html)
 developer guide for more information.
 * `replication_configuration` - (Optional) A configuration of [replication configuration](http://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html) (documented below).
+* `server_side_encryption_configuration` - (Optional) A confguration of [server-side encryption configuration](http://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html) (documented blow)
 
 ~> **NOTE:** You cannot use `acceleration_status` in `cn-north-1` or `us-gov-west-1`
 
@@ -391,6 +413,19 @@ The `destination` object supports the following:
 * `bucket` - (Required) The ARN of the S3 bucket where you want Amazon S3 to store replicas of the object identified by the rule.
 * `storage_class` - (Optional) The class of storage used to store the object.
 
+The `server_side_encryption_configuration` object supports the following:
+
+* `rule` - (required) A single object for server-side encryption by default configuration. (documented below)
+
+The 'rule' object supports the following:
+
+* `apply_server_side_encryption_by_default` - (required) A single object for setting server-side encryption by default. (documented below)
+
+The `apply_server_side_encryption_by_default` object supports the following:
+
+* `sse_algorithm` - (required) The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms`
+* `kms_master_key_id` - (optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `sse_algorithm` as `aws:kms`. The default `aws/s3` AWS KMS master key is used if this element is absent while the `sse_algorithm` is `aws:kms`.
+
 ## Attributes Reference
 
 The following attributes are exported: