From d29cdccb5bc0e34665092c5dc3a832f0ca9226bf Mon Sep 17 00:00:00 2001 From: Ben Moskovitz Date: Wed, 30 Jun 2021 16:39:31 +1200 Subject: [PATCH] Add a note to the docs on the S3 backend around permissions needed for encrypted state storage --- website/docs/language/settings/backends/s3.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/language/settings/backends/s3.html.md b/website/docs/language/settings/backends/s3.html.md index 678cb24b7..c6dac3b99 100644 --- a/website/docs/language/settings/backends/s3.html.md +++ b/website/docs/language/settings/backends/s3.html.md 
@@ -190,7 +190,7 @@ The following configuration is optional: * `encrypt` - (Optional) Enable [server side encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) of the state file. * `endpoint` - (Optional) Custom endpoint for the AWS S3 API. This can also be sourced from the `AWS_S3_ENDPOINT` environment variable. * `force_path_style` - (Optional) Enable path-style S3 URLs (`https:///` instead of `https://.`). -* `kms_key_id` - (Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state. +* `kms_key_id` - (Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state. Note that if this value is specified, Terraform will need `kms:Encrypt`, `kms:Decrypt` and `kms:GenerateDataKey` permissions on this KMS key. * `sse_customer_key` - (Optional) The key to use for encrypting state with [Server-Side Encryption with Customer-Provided Keys (SSE-C)](https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html). This is the base64-encoded value of the key, which must decode to 256 bits. This can also be sourced from the `AWS_SSE_CUSTOMER_KEY` environment variable, which is recommended due to the sensitivity of the value. Setting it inside a terraform file will cause it to be persisted to disk in `terraform.tfstate`. * `workspace_key_prefix` - (Optional) Prefix applied to the state path inside the bucket. This is only relevant when using a non-default workspace. Defaults to `env:`.
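Review bot: The added sentence in the `kms_key_id` bullet should say which principal needs the permissions and for what, since the bullet currently reads as if the key itself is being granted something: suggest "the IAM identity Terraform runs as will need `kms:Encrypt`, `kms:Decrypt` and `kms:GenerateDataKey` on this key to write and read the state". It would also help to link the action names to the AWS KMS permissions reference in the same way the `encrypt` and `sse_customer_key` bullets link to their AWS docs, and, because readers looking for required IAM grants are more likely to land on the backend's permissions section than on this option list, to add the same note or a cross-reference there so the KMS requirement is not missed when the bucket policy is written.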