Modify the Program

Now that we have an instance of our Pulumi program deployed, let’s enable encryption on our S3 bucket.

Replace the entire contents of your program file (index.js, index.ts, __main__.py, main.go, Program.cs, Program.fs, or Program.vb, depending on your language) with the following:

"use strict";
const pulumi = require("@pulumi/pulumi");
const aws = require("@pulumi/aws");
const awsx = require("@pulumi/awsx");

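// Create a customer-managed KMS key for S3 server-side encryption.
// Automatic rotation is off by default for customer-managed keys, so it is
// requested explicitly; the description records the key's purpose for audits.
const key = new aws.kms.Key("my-key", {
    description: "SSE-KMS key for my-bucket",
    enableKeyRotation: true,
});

// Create an AWS resource (S3 Bucket) whose default encryption is SSE-KMS with
// the key above, so objects written without explicit encryption headers are
// still encrypted under it.
const bucket = new aws.s3.Bucket("my-bucket", {
    serverSideEncryptionConfiguration: {
        rule: {
            applyServerSideEncryptionByDefault: {
                sseAlgorithm: "aws:kms",
                kmsMasterKeyId: key.id,
            },
        },
    },
});

// Export the name of the bucket
exports.bucketName = bucket.id;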
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

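// Create a customer-managed KMS key for S3 server-side encryption.
// Automatic rotation is off by default for customer-managed keys, so it is
// requested explicitly; the description records the key's purpose for audits.
const key = new aws.kms.Key("my-key", {
    description: "SSE-KMS key for my-bucket",
    enableKeyRotation: true,
});

// Create an AWS resource (S3 Bucket) whose default encryption is SSE-KMS with
// the key above, so objects written without explicit encryption headers are
// still encrypted under it.
const bucket = new aws.s3.Bucket("my-bucket", {
    serverSideEncryptionConfiguration: {
        rule: {
            applyServerSideEncryptionByDefault: {
                sseAlgorithm: "aws:kms",
                kmsMasterKeyId: key.id,
            },
        },
    },
});

// Export the name of the bucket
export const bucketName = bucket.id;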
import pulumi
from pulumi_aws import kms, s3

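# Create a customer-managed KMS key for S3 server-side encryption.
# Automatic rotation is off by default for customer-managed keys, so it is
# requested explicitly; the description records the key's purpose for audits.
key = kms.Key('my-key',
    description='SSE-KMS key for my-bucket',
    enable_key_rotation=True)

# Create an AWS resource (S3 Bucket) whose default encryption is SSE-KMS with
# the key above, so objects written without explicit encryption headers are
# still encrypted under it.
bucket = s3.Bucket('my-bucket',
    server_side_encryption_configuration={
        'rule': {
            'apply_server_side_encryption_by_default': {
                'sse_algorithm': 'aws:kms',
                'kms_master_key_id': key.id
            }
        }
    })

# Export the name of the bucket
pulumi.export('bucket_name', bucket.id)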
package main

import (
    "github.com/pulumi/pulumi-aws/sdk/go/aws/kms"
    "github.com/pulumi/pulumi-aws/sdk/go/aws/s3"
    "github.com/pulumi/pulumi/sdk/go/pulumi"
)

// main registers the stack's resources with Pulumi: a KMS key and an S3 bucket
// whose default server-side encryption uses that key. The bucket's ID is
// exported as the stack output "bucketName".
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // KMS key used for S3 server-side encryption.
        // NOTE(review): the key is created with nil args, i.e. provider
        // defaults; automatic key rotation is not requested here. Consider
        // enabling it and setting a description before production use.
        encryptionKey, err := kms.NewKey(ctx, "my-key", nil)
        if err != nil {
            return err
        }

        // Default-encryption settings: SSE-KMS with the key created above.
        sseDefault := map[string]interface{}{
            "sseAlgorithm":   "aws:kms",
            "kmsMasterKeyId": encryptionKey.ID(),
        }
        sseConfig := map[string]interface{}{
            "rule": map[string]interface{}{
                "applyServerSideEncryptionByDefault": sseDefault,
            },
        }

        // S3 bucket with the encryption configuration attached.
        bucketArgs := &s3.BucketArgs{
            ServerSideEncryptionConfiguration: sseConfig,
        }
        bucket, err := s3.NewBucket(ctx, "my-bucket", bucketArgs)
        if err != nil {
            return err
        }

        // Export the name of the bucket
        ctx.Export("bucketName", bucket.ID())
        return nil
    })
}
using System.Collections.Generic;
using System.Threading.Tasks;
using Pulumi;
using Aws = Pulumi.Aws;

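/// <summary>
/// Pulumi program entry point: declares a KMS key and an S3 bucket whose
/// default server-side encryption uses that key, and exports the bucket ID
/// as the stack output "bucket_name".
/// </summary>
class Program
{
    static Task Main()
    {
        return Deployment.RunAsync(() =>
        {
            // Create a customer-managed KMS key for S3 server-side encryption.
            // Automatic rotation is off by default for customer-managed keys,
            // so it is requested explicitly; the description records the
            // key's purpose for audits.
            var key = new Aws.Kms.Key("my-key", new Aws.Kms.KeyArgs
            {
                Description = "SSE-KMS key for my-bucket",
                EnableKeyRotation = true,
            });

            // Create an AWS resource (S3 Bucket) whose default encryption is
            // SSE-KMS with the key above, so objects written without explicit
            // encryption headers are still encrypted under it.
            var bucket = new Aws.S3.Bucket("my-bucket", new Aws.S3.BucketArgs
            {
                ServerSideEncryptionConfiguration = new Aws.S3.Inputs.BucketServerSideEncryptionConfigurationArgs
                {
                    Rule = new Aws.S3.Inputs.BucketServerSideEncryptionConfigurationRuleArgs
                    {
                        ApplyServerSideEncryptionByDefault = new Aws.S3.Inputs.BucketServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefaultArgs
                        {
                            SseAlgorithm = "aws:kms",
                            KmsMasterKeyId = key.Id,
                        },
                    },
                },
            });

            // Export the name of the bucket
            return new Dictionary<string, object> {
                { "bucket_name", bucket.Id },
            };
        });
    }
}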

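Our program now creates a KMS key and enables server-side encryption on the S3 bucket using the KMS key. Default encryption applies to objects written after this change; objects already in the bucket are not re-encrypted.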

If you are using Go, recompile your project so the changes are picked up:

$ go build $(basename $(pwd))

Next, we’ll deploy the changes.