From ba8f1fa1f0ef564c24503709e69f1bd8cb02c8f1 Mon Sep 17 00:00:00 2001
From: Kazunori Kojima
Date: Fri, 31 Jul 2015 16:09:28 +0900
Subject: [PATCH 1/3] Add support S3 server side encryption with KMS.

* Example ``` terraform remote config \ -backend=s3 -backend-config="bucket=bucket-tfstate" -backend-config="key=terraform.tfstate" -backend-config="region=ap-northeast-1" -backend-config="encrypt=1" -backend-config="kmsKeyID=arn:aws:kms:ap-northeast-1:123456789:key/ac54dbd2-f301-42c1-bab9-88e6a84292a9" ```
---
 state/remote/s3.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/state/remote/s3.go b/state/remote/s3.go
index 26330d112..dcf9a3b80 100644
--- a/state/remote/s3.go
+++ b/state/remote/s3.go
@@ -50,6 +50,7 @@ func s3Factory(conf map[string]string) (Client, error) {
 	if raw, ok := conf["acl"]; ok {
 		acl = raw
 	}
+	kmsKeyID := conf["kmsKeyID"]
 
 	accessKeyId := conf["access_key"]
 	secretAccessKey := conf["secret_key"]
@@ -84,6 +85,7 @@ func s3Factory(conf map[string]string) (Client, error) {
 		keyName: keyName,
 		serverSideEncryption: serverSideEncryption,
 		acl: acl,
+		kmsKeyID: kmsKeyID,
 	}, nil
 }
 
@@ -93,6 +95,7 @@ type S3Client struct {
 	keyName string
 	serverSideEncryption bool
 	acl string
+	kmsKeyID string
 }
 
 func (c *S3Client) Get() (*Payload, error) {
@@ -145,7 +148,12 @@ func (c *S3Client) Put(data []byte) error {
 	}
 
 	if c.serverSideEncryption {
-		i.ServerSideEncryption = aws.String("AES256")
+		if c.kmsKeyID != "" {
+			i.SSEKMSKeyID = &c.kmsKeyID
+			i.ServerSideEncryption = aws.String("aws:kms")
+		} else {
+			i.ServerSideEncryption = aws.String("AES256")
+		}
 	}
 
 	if c.acl != "" {

From 576b2d11093f0b750cd0402ebb1a55eaf30a3b9e Mon Sep 17 00:00:00 2001
From: Kazunori Kojima
Date: Wed, 7 Oct 2015 23:09:03 +0900
Subject: [PATCH 2/3] Change KMS Key ID configuration name to used in other

---
 state/remote/s3.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/state/remote/s3.go b/state/remote/s3.go
index dcf9a3b80..f9d95c718 100644
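Review bot: The `kmsKeyID := conf["kmsKeyID"]` line accepts a key ID unconditionally, but the Put hunk at the end of this patch applies it only inside `if c.serverSideEncryption`, so a config with `kmsKeyID` set and `encrypt` unset silently uploads the state without the KMS encryption the user asked for. Rejecting that combination in s3Factory makes the misconfiguration visible, e.g. `if kmsKeyID != "" && !serverSideEncryption { return nil, fmt.Errorf("kmsKeyID requires encrypt to be enabled") }` (using whichever error constructor the file already imports), placed after the `encrypt` flag has been parsed into `serverSideEncryption`. That parsing, and the start and end of s3Factory, are outside this hunk.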
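Review bot: The new `kmsKeyID string` field in S3Client carries no comment, and its meaning is not self-evident from the struct: Put consults it only when `serverSideEncryption` is true, and an empty value falls back to SSE-S3 (`AES256`). Suggest `// kmsKeyID, when non-empty and serverSideEncryption is set, makes Put use SSE-KMS with this key; empty selects SSE-S3 (AES256).` The S3Client struct declaration begins outside the hunk.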
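Review bot: `i.SSEKMSKeyID = &c.kmsKeyID` points the request input at the client's own field, while the neighbouring lines build the same kind of `*string` with `aws.String(...)`; the aliasing is harmless as long as Put sends the request synchronously, but the inconsistency is worth removing with `i.SSEKMSKeyID = aws.String(c.kmsKeyID)`. Put's body begins and ends outside the hunk.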
--- a/state/remote/s3.go
+++ b/state/remote/s3.go
@@ -50,7 +50,7 @@ func s3Factory(conf map[string]string) (Client, error) {
 	if raw, ok := conf["acl"]; ok {
 		acl = raw
 	}
-	kmsKeyID := conf["kmsKeyID"]
+	kmsKeyID := conf["kms_key_id"]
 
 	accessKeyId := conf["access_key"]
 	secretAccessKey := conf["secret_key"]

From 9186c29dd8816e06f0283a4d0364a6caefae572c Mon Sep 17 00:00:00 2001
From: Kazunori Kojima
Date: Wed, 7 Oct 2015 23:39:08 +0900
Subject: [PATCH 3/3] Fix typo

---
 state/remote/s3.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/state/remote/s3.go b/state/remote/s3.go
index f9d95c718..cfe2c570e 100644
--- a/state/remote/s3.go
+++ b/state/remote/s3.go
@@ -149,7 +149,7 @@ func (c *S3Client) Put(data []byte) error {
 
 	if c.serverSideEncryption {
 		if c.kmsKeyID != "" {
-			i.SSEKMSKeyID = &c.kmsKeyID
+			i.SSEKMSKeyId = &c.kmsKeyID
 			i.ServerSideEncryption = aws.String("aws:kms")
 		} else {
 			i.ServerSideEncryption = aws.String("AES256")