terraform-aws-control_tower_account_factory
DynamoDB for Terraform OSS backend state lock is not encrypted with KMS CMK
Describe the outcome you'd like
The DynamoDB table (and its replica) used as a state lock table for Terraform OSS back ends should be encrypted using a customer-managed KMS key, presumably the same KMS CMK as is used for the Terraform state in S3. The DynamoDB tables storing other AFT data are already encrypted in this way.
Is your feature request related to a problem you are currently experiencing? If so, please describe.
The default server-side encryption used flags up in external security testing of our AWS Landing Zone. Many third-party sets of security guidelines and best practices include this requirement, and for good reason.
Additional context
This can be remediated, I think, by the following change around line 271 of modules/aft-backend/main.tf:
    replica {
      region_name = var.secondary_region
      kms_key_arn = aws_kms_key.encrypt-secondary-region.arn
    }
    server_side_encryption {
      enabled     = true
      kms_key_arn = aws_kms_key.encrypt-primary-region.arn
    }
IAM permissions are already granted for the key to the role using the Terraform OSS back end.
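An added audit check, not part of the issue or the AFT code base, that verifies the property this request is about: whether a lock table and its replica report a customer-managed KMS key in a DynamoDB DescribeTable response. The dict shapes follow the DescribeTable API; the table name, account id, regions and key ARNs are constructed.

```python
"""Audit a DynamoDB DescribeTable response for customer-managed KMS encryption.
Added example, not AFT project code; dict shapes follow the DescribeTable API,
while table name, account id, regions and key ARNs are constructed."""


def audit_lock_table(table, expected_key_arns):
    """Return findings for a state-lock table; [] means every copy uses its expected CMK.
    table: the "Table" dict from DescribeTable. expected_key_arns: {region: key_arn},
    first entry is the table's own region, the rest are required replica regions."""
    findings = []
    regions = list(expected_key_arns)
    primary_region, replica_regions = regions[0], regions[1:]

    sse = table.get("SSEDescription")
    if sse is None:
        # No SSEDescription means the default AWS owned key, the state the issue describes.
        findings.append("primary: default (AWS owned) encryption, no KMS key")
    elif sse.get("SSEType") != "KMS":
        findings.append(f"primary: SSEType is {sse.get('SSEType')!r}, expected KMS")
    elif sse.get("KMSMasterKeyArn") != expected_key_arns[primary_region]:
        findings.append(f"primary: unexpected key {sse.get('KMSMasterKeyArn')}")

    # ReplicaDescription carries KMSMasterKeyId only when a CMK is configured for it.
    seen = {r.get("RegionName"): r.get("KMSMasterKeyId") for r in table.get("Replicas", [])}
    for region in replica_regions:
        if region not in seen:
            findings.append(f"replica {region}: missing")
        elif seen[region] is None:
            findings.append(f"replica {region}: default (AWS owned) encryption, no KMS key")
        elif seen[region] != expected_key_arns[region]:
            findings.append(f"replica {region}: unexpected key {seen[region]}")
    return findings


# Constructed sample data: one primary region and one replica region.
EXPECTED = {
    "eu-west-1": "arn:aws:kms:eu-west-1:111122223333:key/primary-example",
    "eu-west-2": "arn:aws:kms:eu-west-2:111122223333:key/secondary-example",
}
# Before the proposed change: no SSEDescription and a replica without a key.
BEFORE = {"TableName": "example-lock",
          "Replicas": [{"RegionName": "eu-west-2", "ReplicaStatus": "ACTIVE"}]}
# After server_side_encryption and replica kms_key_arn point at the CMKs.
AFTER = {"TableName": "example-lock",
         "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                            "KMSMasterKeyArn": EXPECTED["eu-west-1"]},
         "Replicas": [{"RegionName": "eu-west-2", "ReplicaStatus": "ACTIVE",
                       "KMSMasterKeyId": EXPECTED["eu-west-2"]}]}
```

Running `audit_lock_table(BEFORE, EXPECTED)` reports the missing CMK on both the table and its replica, while the `AFTER` description yields no findings; in practice the `Table` dict comes from `boto3` `describe_table` for each AFT backend lock table.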
Hey @david-musgrove!
I went ahead and created an item in our backlog for this feature request.