Added a kms_key_id parameter which will allow you to encrypt objects that are put into a bucket.

builtin/providers/aws/resource_aws_s3_bucket_object.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"net/http"
 	"os"
 	"strings"
 
@@ -74,6 +75,11 @@ func resourceAwsS3BucketObject() *schema.Resource {
 				ConflictsWith: []string{"source"},
 			},
 
+			"kms_key_id": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+
 			"etag": &schema.Schema{
 				Type: schema.TypeString,
 				// This will conflict with SSE-C and SSE-KMS encryption and multi-part upload
@@ -97,6 +103,7 @@ func resourceAwsS3BucketObjectPut(d *schema.ResourceData, meta interface{}) erro
 	bucket := d.Get("bucket").(string)
 	key := d.Get("key").(string)
 	var body io.ReadSeeker
+	headers := make(http.Header)
 
 	if v, ok := d.GetOk("source"); ok {
 		source := v.(string)
@@ -143,7 +150,14 @@ func resourceAwsS3BucketObjectPut(d *schema.ResourceData, meta interface{}) erro
 		putInput.ContentDisposition = aws.String(v.(string))
 	}
 
-	resp, err := s3conn.PutObject(putInput)
+	if v, ok := d.GetOk("kms_key_id"); ok {
+		putInput.SSEKMSKeyId = aws.String(v.(string))
+		headers.Add("x-amz-server-side-encryption", "aws:kms")
+	}
+
+	req, resp := s3conn.PutObjectRequest(putInput)
+	req.HTTPRequest.Header = headers
+	err := req.Send()
 	if err != nil {
 		return fmt.Errorf("Error putting object in S3 bucket (%s): %s", bucket, err)
 	}
@@ -186,6 +200,7 @@ func resourceAwsS3BucketObjectRead(d *schema.ResourceData, meta interface{}) err
 	d.Set("content_language", resp.ContentLanguage)
 	d.Set("content_type", resp.ContentType)
 	d.Set("version_id", resp.VersionId)
+	d.Set("kms_key_id", resp.SSEKMSKeyId)
 
 	log.Printf("[DEBUG] Reading S3 Bucket Object meta: %s", resp)
 	return nil

builtin/providers/aws/resource_aws_s3_bucket_object_test.go

@@ -247,6 +247,24 @@ func testAccCheckAWSS3BucketObjectExists(n string, obj *s3.GetObjectOutput) reso
 	}
 }
 
+func TestAccAWSS3BucketObject_kms(t *testing.T) {
+	rInt := acctest.RandInt()
+	var obj s3.GetObjectOutput
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSS3BucketObjectDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				PreConfig: func() {},
+				Config:    testAccAWSS3BucketObjectConfig_withKMSId(rInt),
+				Check:     testAccCheckAWSS3BucketObjectExists("aws_s3_bucket_object.object", &obj),
+			},
+		},
+	})
+}
+
 func testAccAWSS3BucketObjectConfigSource(randInt int, source string) string {
 	return fmt.Sprintf(`
 resource "aws_s3_bucket" "object_bucket" {
@@ -322,3 +340,18 @@ resource "aws_s3_bucket_object" "object" {
 }
 `, randInt, source, source)
 }
+
+func testAccAWSS3BucketObjectConfig_withKMSId(randInt int) string {
+	return fmt.Sprintf(`
+resource "aws_s3_bucket" "object_bucket_2" {
+	bucket = "tf-object-test-bucket-%d"
+}
+
+resource "aws_s3_bucket_object" "object" {
+	bucket = "${aws_s3_bucket.object_bucket_2.bucket}"
+	key = "test-key"
+	content = "stuff"
+	kms_key_id = "01961aed-d0b6-4ad3-9f7f-8264818ea611"
+}
+`, randInt)
+}

website/source/docs/providers/aws/r/s3_bucket_object.html.markdown

@@ -37,6 +37,7 @@ The following arguments are supported:
 * `content_language` - (Optional) The language the content is in e.g. en-US or en-GB.
 * `content_type` - (Optional) A standard MIME type describing the format of the object data, e.g. application/octet-stream. All Valid MIME Types are valid for this input.
 * `etag` - (Optional) Used to trigger updates. The only meaningful value is `${md5(file("path/to/file"))}`
+* `kms_key_id` - (Optional) Specifies the AWS KMS key ID to use for object encryption.
 
 Either `source` or `content` must be provided to specify the bucket content.
 These two arguments are mutually-exclusive.