NRL-1188 set up encryption

jackleary · jackleary · commit 1e56f9b7b4cf · 2024-12-16T15:32:03.000Z
diff --git a/terraform/account-wide-infrastructure/modules/athena/athena.tf b/terraform/account-wide-infrastructure/modules/athena/athena.tf
@@ -3,10 +3,10 @@ resource "aws_athena_database" "reporting-db" {
 
   bucket = var.target_bucket_name
 
-  #   encryption_configuration {
-  #     encryption_option = "SSE_KMS"
-  #     kms_key           = aws_kms_key.athena.arn
-  #   }
+  encryption_configuration {
+    encryption_option = "SSE_KMS"
+    kms_key           = aws_kms_key.athena.arn
+  }
 
   force_destroy = true
 }
diff --git a/terraform/account-wide-infrastructure/modules/glue/kms.tf b/terraform/account-wide-infrastructure/modules/glue/kms.tf
@@ -0,0 +1,7 @@
+resource "aws_kms_key" "glue" {
+}
+
+resource "aws_kms_alias" "glue" {
+  name          = "alias/${var.name_prefix}-glue"
+  target_key_id = aws_kms_key.glue.key_id
+}
diff --git a/terraform/account-wide-infrastructure/modules/glue/s3.tf b/terraform/account-wide-infrastructure/modules/glue/s3.tf
@@ -31,6 +31,17 @@ resource "aws_s3_bucket_policy" "source-data-bucket" {
   })
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "source-data-bucket" {
+  bucket = aws_s3_bucket.source-data-bucket.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.glue.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
 resource "aws_s3_bucket_public_access_block" "source-data-bucket-public-access-block" {
   bucket = aws_s3_bucket.source-data-bucket.id
 
@@ -74,6 +85,17 @@ resource "aws_s3_bucket_policy" "target-data-bucket" {
   })
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "target-data-bucket" {
+  bucket = aws_s3_bucket.target-data-bucket.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.glue.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
 resource "aws_s3_bucket_public_access_block" "target-data-bucket-public-access-block" {
   bucket = aws_s3_bucket.target-data-bucket.id
 
@@ -116,6 +138,17 @@ resource "aws_s3_bucket_policy" "code-bucket" {
   })
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "code-bucket" {
+  bucket = aws_s3_bucket.code-bucket.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.glue.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
 resource "aws_s3_bucket_public_access_block" "code-bucket-public-access-block" {
   bucket = aws_s3_bucket.code-bucket.id
 
