DynamoDB lock table encryption at rest

[thefossgeek]

Dear All,

I am using below config which created s3 bucket and dynamodb lock table during first terragrunt plan and apply.

The dynamodb lock table created with default encryption (Owned by Amazon DynamoDB). Now I want to change default encryption to AWS managed key(KMS) encryption instead of default encryption.

Could any one using KMS key to encrypt dynamodb lock table can help on this? Basically I want to change default encryption to KMS encryption for existing dynamodb lock table.

$ cat terragrunt.hcl

remote_state {
  backend = "s3"
  config = {
    bucket = "test-terraform"

    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "xx-xxxxxxxxx-1"
    encrypt        = true
    dynamodb_table = "test-lock-table"
  }
}

Thanks

---

Tracked in ticket #110015

[james03160927]

Can you use the kms_key_id field? You can find the documentation on this here: https://developer.hashicorp.com/terraform/language/settings/backends/s3.

I believe this specific section is what you are interested in:

kms_key_id - (Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state. Note that if this value is specified, Terraform will need kms:Encrypt, kms:Decrypt and kms:GenerateDataKey permissions on this KMS key.

Caution: since you are changing the encryption method, terraform apply might delete the old table and try to re-create it with the new encryption method.

Hope this answer your question.