From 5e197e1d3d9751a1336df8e1b94e6bafe9cf82b4 Mon Sep 17 00:00:00 2001 From: Tiago Vieira Date: Thu, 4 Sep 2025 22:33:20 +0100 Subject: [PATCH] feat: Add source_kms_key_arn parameter for lambda zip encryption --- README.md | 5 +++-- examples/alias/README.md | 4 ++-- examples/alias/versions.tf | 2 +- examples/async/README.md | 4 ++-- examples/async/versions.tf | 2 +- examples/build-package/README.md | 2 +- examples/build-package/versions.tf | 2 +- examples/code-signing/README.md | 4 ++-- examples/code-signing/versions.tf | 2 +- examples/complete/README.md | 5 +++-- examples/complete/main.tf | 7 +++++++ examples/complete/versions.tf | 2 +- examples/container-image/README.md | 4 ++-- examples/container-image/versions.tf | 2 +- examples/deploy/README.md | 4 ++-- examples/deploy/versions.tf | 2 +- examples/event-source-mapping/README.md | 4 ++-- examples/event-source-mapping/versions.tf | 2 +- examples/multiple-regions/README.md | 6 +++--- examples/multiple-regions/versions.tf | 2 +- examples/runtimes/README.md | 4 ++-- examples/runtimes/versions.tf | 2 +- examples/simple-cicd/README.md | 2 +- examples/simple-cicd/versions.tf | 2 +- examples/simple/README.md | 2 +- examples/simple/versions.tf | 2 +- examples/triggers/README.md | 4 ++-- examples/triggers/versions.tf | 2 +- examples/with-efs/README.md | 4 ++-- examples/with-efs/versions.tf | 2 +- examples/with-vpc-s3-endpoint/README.md | 4 ++-- examples/with-vpc-s3-endpoint/versions.tf | 2 +- examples/with-vpc/README.md | 2 +- examples/with-vpc/versions.tf | 2 +- main.tf | 5 +++-- variables.tf | 6 ++++++ versions.tf | 2 +- wrappers/main.tf | 1 + wrappers/versions.tf | 2 +- 39 files changed, 68 insertions(+), 51 deletions(-) diff --git a/README.md b/README.md index 3d045ce0..03892358 100644 --- a/README.md +++ b/README.md 
@@ -667,7 +667,7 @@ Q4: What does this error mean - `"We currently do not support adding policies fo | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [external](#requirement\_external) | >= 1.0 | | [local](#requirement\_local) | >= 1.0 | | [null](#requirement\_null) | >= 2.0 | @@ -676,7 +676,7 @@ Q4: What does this error mean - `"We currently do not support adding policies fo | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | | [external](#provider\_external) | >= 1.0 | | [local](#provider\_local) | >= 1.0 | | [null](#provider\_null) | >= 2.0 | @@ -855,6 +855,7 @@ No modules. | [s3\_server\_side\_encryption](#input\_s3\_server\_side\_encryption) | Specifies server-side encryption of the object in S3. Valid values are "AES256" and "aws:kms". | `string` | `null` | no | | [skip\_destroy](#input\_skip\_destroy) | Set to true if you do not wish the function to be deleted at destroy time, and instead just remove the function from the Terraform state. Useful for Lambda@Edge functions attached to CloudFront distributions. | `bool` | `null` | no | | [snap\_start](#input\_snap\_start) | (Optional) Snap start settings for low-latency startups | `bool` | `false` | no | +| [source\_kms\_key\_arn](#input\_source\_kms\_key\_arn) | The ARN of the AWS Key Management Service key used to encrypt the function's .zip deployment package. Conflicts with image\_uri. | `string` | `null` | no | | [source\_path](#input\_source\_path) | The absolute path to a local file or directory containing your Lambda source code | `any` | `null` | no | | [store\_on\_s3](#input\_store\_on\_s3) | Whether to store produced artifacts on S3 or locally. | `bool` | `false` | no | | [tags](#input\_tags) | A map of tags to assign to resources. | `map(string)` | `{}` | no | 
diff --git a/examples/alias/README.md b/examples/alias/README.md index 6bcb2530..4126fba4 100644 --- a/examples/alias/README.md +++ b/examples/alias/README.md @@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/alias/versions.tf b/examples/alias/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/alias/versions.tf +++ b/examples/alias/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" diff --git a/examples/async/README.md b/examples/async/README.md index 3bca0e68..a2173289 100644 --- a/examples/async/README.md +++ b/examples/async/README.md @@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/async/versions.tf b/examples/async/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/async/versions.tf +++ b/examples/async/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" 
diff --git a/examples/build-package/README.md b/examples/build-package/README.md index 7c354473..95c34156 100644 --- a/examples/build-package/README.md +++ b/examples/build-package/README.md @@ -22,7 +22,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers diff --git a/examples/build-package/versions.tf b/examples/build-package/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/build-package/versions.tf +++ b/examples/build-package/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" diff --git a/examples/code-signing/README.md b/examples/code-signing/README.md index 74d1062f..42d60e96 100644 --- a/examples/code-signing/README.md +++ b/examples/code-signing/README.md @@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/code-signing/versions.tf b/examples/code-signing/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/code-signing/versions.tf +++ b/examples/code-signing/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" 
diff --git a/examples/complete/README.md b/examples/complete/README.md index 552ea09c..aa0bf5a5 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -21,14 +21,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | | [random](#provider\_random) | >= 2.0 | ## Modules @@ -56,6 +56,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Type | |------|------| | [aws_cloudwatch_log_group.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_kms_key.function_deployment_package_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_sqs_queue.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 356d9f3e..7ea35ec4 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -30,6 +30,8 @@ module "lambda_function" { source_path = "${path.module}/../fixtures/python-app1" + source_kms_key_arn = aws_kms_key.function_deployment_package_encrypt.arn + store_on_s3 = true s3_bucket = module.s3_bucket.s3_bucket_id s3_prefix = "lambda-builds/" 
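Review bot: In the `examples/complete/main.tf` hunk at `module "lambda_function"`, the new `source_kms_key_arn` sits directly above `store_on_s3 = true` with nothing saying which copy of the package the key protects. As far as I know this argument only selects the key Lambda uses for its own stored copy of the .zip. The object uploaded to `module.s3_bucket` is still encrypted according to the bucket settings and `s3_server_side_encryption`, which is not set in the visible lines. A comment such as `# Encrypts Lambda's stored copy of the package; the S3 artifact is governed by s3_server_side_encryption / bucket defaults` would stop readers assuming both copies are under the same key. The module block starts and ends outside the hunk.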
@@ -485,3 +487,8 @@ resource "aws_cloudwatch_log_group" "custom" { name = "/example/${random_pet.this.id}" retention_in_days = 1 } + +resource "aws_kms_key" "function_deployment_package_encrypt" { + description = "KMS key to encrypt Lambda source code" + deletion_window_in_days = 7 +} diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" diff --git a/examples/container-image/README.md b/examples/container-image/README.md index 8c2bf290..193e379c 100644 --- a/examples/container-image/README.md +++ b/examples/container-image/README.md @@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [docker](#requirement\_docker) | >= 3.0 | | [random](#requirement\_random) | >= 2.0 | @@ -28,7 +28,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/container-image/versions.tf b/examples/container-image/versions.tf index dbb8009c..69e3b178 100644 --- a/examples/container-image/versions.tf +++ b/examples/container-image/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } docker = { source = "kreuzwerker/docker" diff --git a/examples/deploy/README.md b/examples/deploy/README.md index 829a0468..bc5ad25d 100644 --- a/examples/deploy/README.md +++ b/examples/deploy/README.md 
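Review bot: The new `aws_kms_key.function_deployment_package_encrypt` at the end of `examples/complete/main.tf` is created without `enable_key_rotation` and with the minimum `deletion_window_in_days = 7`. Example code is routinely copied into real stacks, so I would add `enable_key_rotation = true` and a comment like `# 7 days keeps example teardown short; use a longer window for keys that protect real deployments`. No `policy` is set, so the key gets the default key policy. It is worth confirming in the example's README that the deploying principal needs KMS permissions on this key, since a disabled or deleted key would presumably leave the function's package undecryptable.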
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/deploy/versions.tf b/examples/deploy/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/deploy/versions.tf +++ b/examples/deploy/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" diff --git a/examples/event-source-mapping/README.md b/examples/event-source-mapping/README.md index 49d4fa75..8213250b 100644 --- a/examples/event-source-mapping/README.md +++ b/examples/event-source-mapping/README.md @@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/event-source-mapping/versions.tf b/examples/event-source-mapping/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/event-source-mapping/versions.tf +++ b/examples/event-source-mapping/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" 
diff --git a/examples/multiple-regions/README.md b/examples/multiple-regions/README.md index ed4c573a..b76b3a90 100644 --- a/examples/multiple-regions/README.md +++ b/examples/multiple-regions/README.md @@ -21,15 +21,15 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | -| [aws.us-east-1](#provider\_aws.us-east-1) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | +| [aws.us-east-1](#provider\_aws.us-east-1) | >= 6.12 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/multiple-regions/versions.tf b/examples/multiple-regions/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/multiple-regions/versions.tf +++ b/examples/multiple-regions/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" diff --git a/examples/runtimes/README.md b/examples/runtimes/README.md index 95a28a08..695bbeae 100644 --- a/examples/runtimes/README.md +++ b/examples/runtimes/README.md @@ -24,7 +24,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [http](#requirement\_http) | >= 3.0 | | [random](#requirement\_random) | >= 3.0 | @@ -32,7 +32,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | | [http](#provider\_http) | >= 3.0 | | [random](#provider\_random) | >= 3.0 | 
diff --git a/examples/runtimes/versions.tf b/examples/runtimes/versions.tf index 36f51034..f0ab51ce 100644 --- a/examples/runtimes/versions.tf +++ b/examples/runtimes/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" diff --git a/examples/simple-cicd/README.md b/examples/simple-cicd/README.md index 8afef1be..8159efc3 100644 --- a/examples/simple-cicd/README.md +++ b/examples/simple-cicd/README.md @@ -22,7 +22,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers diff --git a/examples/simple-cicd/versions.tf b/examples/simple-cicd/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/simple-cicd/versions.tf +++ b/examples/simple-cicd/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" diff --git a/examples/simple/README.md b/examples/simple/README.md index b9a4f785..a0abcf5b 100644 --- a/examples/simple/README.md +++ b/examples/simple/README.md @@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/simple/versions.tf +++ b/examples/simple/versions.tf 
@@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" diff --git a/examples/triggers/README.md b/examples/triggers/README.md index aa6fb08f..91e9f59e 100644 --- a/examples/triggers/README.md +++ b/examples/triggers/README.md @@ -21,14 +21,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/triggers/versions.tf b/examples/triggers/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/triggers/versions.tf +++ b/examples/triggers/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" diff --git a/examples/with-efs/README.md b/examples/with-efs/README.md index ce9cc15e..aa135910 100644 --- a/examples/with-efs/README.md +++ b/examples/with-efs/README.md @@ -21,14 +21,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/with-efs/versions.tf b/examples/with-efs/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/with-efs/versions.tf 
+++ b/examples/with-efs/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" diff --git a/examples/with-vpc-s3-endpoint/README.md b/examples/with-vpc-s3-endpoint/README.md index f84ba32c..8a2f8e95 100644 --- a/examples/with-vpc-s3-endpoint/README.md +++ b/examples/with-vpc-s3-endpoint/README.md @@ -22,14 +22,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 3.4 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 6.0 | +| [aws](#provider\_aws) | >= 6.12 | | [random](#provider\_random) | >= 3.4 | ## Modules diff --git a/examples/with-vpc-s3-endpoint/versions.tf b/examples/with-vpc-s3-endpoint/versions.tf index 7f27783c..5ba9df4c 100644 --- a/examples/with-vpc-s3-endpoint/versions.tf +++ b/examples/with-vpc-s3-endpoint/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" diff --git a/examples/with-vpc/README.md b/examples/with-vpc/README.md index e1808811..572a13fa 100644 --- a/examples/with-vpc/README.md +++ b/examples/with-vpc/README.md @@ -22,7 +22,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5.7 | -| [aws](#requirement\_aws) | >= 6.0 | +| [aws](#requirement\_aws) | >= 6.12 | | [random](#requirement\_random) | >= 2.0 | ## Providers diff --git a/examples/with-vpc/versions.tf b/examples/with-vpc/versions.tf index d2f4f3e8..4e7fc3dc 100644 --- a/examples/with-vpc/versions.tf +++ b/examples/with-vpc/versions.tf 
@@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } random = { source = "hashicorp/random" diff --git a/main.tf b/main.tf index cc7d011a..57922f4f 100644 --- a/main.tf +++ b/main.tf @@ -54,8 +54,9 @@ resource "aws_lambda_function" "this" { } } - filename = local.filename - source_code_hash = var.ignore_source_code_hash ? null : (local.filename == null ? false : fileexists(local.filename)) && !local.was_missing ? filebase64sha256(local.filename) : null + filename = local.filename + source_code_hash = var.ignore_source_code_hash ? null : (local.filename == null ? false : fileexists(local.filename)) && !local.was_missing ? filebase64sha256(local.filename) : null + source_kms_key_arn = var.source_kms_key_arn s3_bucket = local.s3_bucket s3_key = local.s3_key diff --git a/variables.tf b/variables.tf index 6ea454f6..52e3ffe8 100644 --- a/variables.tf +++ b/variables.tf @@ -278,6 +278,12 @@ variable "skip_destroy" { default = null } +variable "source_kms_key_arn" { + description = "The ARN of the AWS Key Management Service key used to encrypt the function's .zip deployment package. Conflicts with image_uri." + type = string + default = null +} + ############### # Function URL ############### diff --git a/versions.tf b/versions.tf index 8dea461c..e445b159 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } external = { source = "hashicorp/external" diff --git a/wrappers/main.tf b/wrappers/main.tf index eb78bb41..df5c4be1 100644 --- a/wrappers/main.tf +++ b/wrappers/main.tf 
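Review bot: In the `main.tf` hunk, `source_kms_key_arn = var.source_kms_key_arn` is passed to `aws_lambda_function.this` unconditionally, although the description added in `variables.tf` says it conflicts with `image_uri`. A caller who sets one key for all functions (for example through the wrapper's `defaults`) and also deploys a container image would likely hit a provider error at plan time with no hint from the module. Either guard the argument, e.g. `source_kms_key_arn = var.package_type == "Zip" ? var.source_kms_key_arn : null` (assuming `package_type` is the module's discriminator), or fail explicitly with a `precondition` so the key is never dropped silently. The resource block starts and ends outside the hunk.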
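Review bot: The new `variable "source_kms_key_arn"` in `variables.tf` accepts any string, so a key ID, an alias or a typo is only rejected by the API at apply time. A self-contained `validation` block that allows `null` and otherwise requires a KMS ARN would surface the mistake at plan; it references only the variable itself, so it works with the module's `>= 1.5.7` Terraform constraint. The description could also say that a customer managed key is expected and that Lambda uses an AWS-owned key when the value is `null`, since that is the default most readers will end up with.

```hcl
variable "source_kms_key_arn" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.source_kms_key_arn == null || can(regex("^arn:[^:]+:kms:", var.source_kms_key_arn))
    error_message = "source_kms_key_arn must be a KMS key ARN or null."
  }
}
```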
@@ -126,6 +126,7 @@ module "wrapper" { skip_destroy = try(each.value.skip_destroy, var.defaults.skip_destroy, null) snap_start = try(each.value.snap_start, var.defaults.snap_start, false) source_path = try(each.value.source_path, var.defaults.source_path, null) + source_kms_key_arn = try(each.value.source_kms_key_arn, var.defaults.source_kms_key_arn, null) store_on_s3 = try(each.value.store_on_s3, var.defaults.store_on_s3, false) tags = try(each.value.tags, var.defaults.tags, {}) timeout = try(each.value.timeout, var.defaults.timeout, 3) diff --git a/wrappers/versions.tf b/wrappers/versions.tf index 8dea461c..e445b159 100644 --- a/wrappers/versions.tf +++ b/wrappers/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.0" + version = ">= 6.12" } external = { source = "hashicorp/external"