Complete the code to enable encryption for the Terraform state file in an S3 backend.
terraform {
  backend "s3" {
    bucket = "my-terraform-state"
    key = "state.tfstate"
    region = "us-west-2"
    [1] = true
  }
}

The correct attribute to enable encryption in the S3 backend is encrypt. Setting it to true ensures the state file is encrypted at rest.

Complete the code to specify the KMS key ID for encrypting the Terraform state file in the S3 backend.
terraform {
  backend "s3" {
    bucket = "my-terraform-state"
    key = "state.tfstate"
    region = "us-west-2"
    encrypt = true
    [1] = "arn:aws:kms:us-west-2:123456789012:key/abcd-1234-efgh-5678"
  }
}

The correct attribute to specify the KMS key for encryption in the S3 backend is kms_key_id. This tells Terraform which KMS key to use for encrypting the state file.

Fix the error in the backend configuration to properly enable server-side encryption with a KMS key.
terraform {
  backend "s3" {
    bucket = "my-terraform-state"
    key = "state.tfstate"
    region = "us-west-2"
    encrypt = [1]
    kms_key_id = "arn:aws:kms:us-west-2:123456789012:key/abcd-1234-efgh-5678"
  }
}

The encrypt attribute expects a boolean value true without quotes. Using quotes makes it a string, which causes an error.

Fill both blanks to configure the S3 backend with encryption enabled and a specific KMS key.
terraform {
  backend "s3" {
    bucket = "my-terraform-state"
    key = "state.tfstate"
    region = "us-west-2"
    [1] = true
    [2] = "arn:aws:kms:us-west-2:123456789012:key/abcd-1234-efgh-5678"
  }
}

The encrypt attribute enables encryption, and kms_key_id specifies the KMS key ARN for server-side encryption.

Fill all three blanks to create a backend configuration that enables encryption, specifies the KMS key, and sets the region.
terraform {
  backend "s3" {
    bucket = "my-terraform-state"
    [1] = "us-west-2"
    encrypt = true
    [2] = "arn:aws:kms:us-west-2:123456789012:key/abcd-1234-efgh-5678"
    [3] = "state.tfstate"
  }
}

region sets the AWS region, kms_key_id specifies the KMS key ARN, and key defines the path to the state file in the bucket.