From 3a82652022032f0a68086ea05dff87bdcfeb8345 Mon Sep 17 00:00:00 2001
From: Kit Ewbank
Date: Fri, 16 Nov 2018 17:18:33 -0500
Subject: [PATCH] Add support for Amazon SNS server-side encryption.
---
 aws/resource_aws_sns_topic.go | 5 ++++
 aws/resource_aws_sns_topic_test.go | 38 ++++++++++++++++++++++++++
 website/docs/r/sns_topic.html.markdown | 10 +++++++
 3 files changed, 53 insertions(+)
diff --git a/aws/resource_aws_sns_topic.go b/aws/resource_aws_sns_topic.go
index 933ca17ebe2..93284520e12 100644
--- a/aws/resource_aws_sns_topic.go
+++ b/aws/resource_aws_sns_topic.go
@@ -24,6 +24,7 @@ var SNSAttributeMap = map[string]string{
 "http_failure_feedback_role_arn": "HTTPFailureFeedbackRoleArn",
 "http_success_feedback_role_arn": "HTTPSuccessFeedbackRoleArn",
 "http_success_feedback_sample_rate": "HTTPSuccessFeedbackSampleRate",
+ "kms_master_key_id": "KmsMasterKeyId",
 "lambda_failure_feedback_role_arn": "LambdaFailureFeedbackRoleArn",
 "lambda_success_feedback_role_arn": "LambdaSuccessFeedbackRoleArn",
 "lambda_success_feedback_sample_rate": "LambdaSuccessFeedbackSampleRate",
@@ -109,6 +110,10 @@ func resourceAwsSnsTopic() *schema.Resource {
 Type: schema.TypeString,
 Optional: true,
 },
+ "kms_master_key_id": {
+ Type: schema.TypeString,
+ Optional: true,
+ },
 "lambda_success_feedback_role_arn": {
 Type: schema.TypeString,
 Optional: true,
diff --git a/aws/resource_aws_sns_topic_test.go b/aws/resource_aws_sns_topic_test.go
index 1c586e8ceea..543af3f0c79 100644
--- a/aws/resource_aws_sns_topic_test.go
+++ b/aws/resource_aws_sns_topic_test.go
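Review bot: The new `kms_master_key_id` field in the `resourceAwsSnsTopic` schema hunk (`@@ -109,6 +110,10 @@`) is a bare optional string with no comment saying which key forms are accepted or what an unset value means for the topic. Going by the accompanying test, which expects `""` once the argument is removed, an unset value appears to leave the topic without server-side encryption, and that default is worth stating where the field is declared. I would add above the field `// KMS key ID or alias (for example alias/aws/sns); when unset the topic has no SSE configured.` The read and update code that consumes `SNSAttributeMap` lies outside both hunks of this file, so whether clearing the argument actually sends an empty `KmsMasterKeyId` to SNS should be confirmed there.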
@@ -227,6 +227,35 @@ func TestAccAWSSNSTopic_deliveryStatus(t *testing.T) {
 })
 }
+func TestAccAWSSNSTopic_encryption(t *testing.T) {
+ attributes := make(map[string]string)
+
+ rName := acctest.RandString(10)
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ IDRefreshName: "aws_sns_topic.test_topic",
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSSNSTopicDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSSNSTopicConfig_withEncryption(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSSNSTopicExists("aws_sns_topic.test_topic", attributes),
+ resource.TestCheckResourceAttr("aws_sns_topic.test_topic", "kms_master_key_id", "alias/aws/sns"),
+ ),
+ },
+ {
+ Config: testAccAWSSNSTopicConfig_withName(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSSNSTopicExists("aws_sns_topic.test_topic", attributes),
+ resource.TestCheckResourceAttr("aws_sns_topic.test_topic", "kms_master_key_id", ""),
+ ),
+ },
+ },
+ })
+}
+
 func testAccCheckAWSNSTopicHasPolicy(n string, expectedPolicyText string) resource.TestCheckFunc {
 return func(s *terraform.State) error {
 rs, ok := s.RootModule().Resources[n]
@@ -593,3 +622,12 @@ EOF
 }
 `, r, r, r)
 }
+
+func testAccAWSSNSTopicConfig_withEncryption(r string) string {
+ return fmt.Sprintf(`
+resource "aws_sns_topic" "test_topic" {
+ name = "terraform-test-topic-%s"
+ kms_master_key_id = "alias/aws/sns"
+}
+`, r)
+}
diff --git a/website/docs/r/sns_topic.html.markdown b/website/docs/r/sns_topic.html.markdown
index c508bc3ca06..6b2e68f3370 100644
--- a/website/docs/r/sns_topic.html.markdown
+++ b/website/docs/r/sns_topic.html.markdown
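Review bot: `TestAccAWSSNSTopic_encryption` only exercises the AWS-managed alias `alias/aws/sns`, so the custom CMK case that the documentation in this patch advertises is never applied. A second config that creates an `aws_kms_key` and sets `kms_master_key_id = "${aws_kms_key.test.key_id}"` would show whether the value read back from SNS matches what was configured, or whether a different key form produces a permanent diff. The `attributes` map handed to `testAccCheckAWSSNSTopicExists` is also never inspected here; if that helper fills it from the API (its body is outside the hunk), asserting on `attributes["KmsMasterKeyId"]` in both steps would check the topic itself rather than only Terraform state. The alias is likewise hard-coded in `testAccAWSSNSTopicConfig_withEncryption` in the `@@ -593,3 +622,12 @@` hunk.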
@@ -45,6 +45,15 @@ EOF
 }
 ```
+## Example with Server-side encryption (SSE)
+
+```hcl
+resource "aws_sns_topic" "user_updates" {
+ name = "user-updates-topic"
+ kms_master_key_id = "alias/aws/sns"
+}
+```
+
 ## Message Delivery Status Arguments
 The `_success_feedback_role_arn` and `_failure_feedback_role_arn` arguments are used to give Amazon SNS write access to use CloudWatch Logs on your behalf. The `_success_feedback_sample_rate` argument is for specifying the sample rate percentage (0-100) of successfully delivered messages. After you configure the `_failure_feedback_role_arn` argument, then all failed message deliveries generate CloudWatch Logs.
@@ -64,6 +73,7 @@ The following arguments are supported:
 * `http_success_feedback_role_arn` - (Optional) The IAM role permitted to receive success feedback for this topic
 * `http_success_feedback_sample_rate` - (Optional) Percentage of success to sample
 * `http_failure_feedback_role_arn` - (Optional) IAM role for failure feedback
+* `kms_master_key_id` - (Optional) The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK. For more information, see [Key Terms](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms)
 * `lambda_success_feedback_role_arn` - (Optional) The IAM role permitted to receive success feedback for this topic
 * `lambda_success_feedback_sample_rate` - (Optional) Percentage of success to sample
 * `lambda_failure_feedback_role_arn` - (Optional) IAM role for failure feedback