feat: enable encryption

aws/policies/pulumi.json

@@ -10,6 +10,7 @@
         "s3:List*",
         "s3:PutBucketPublicAccessBlock",
         "s3:PutBucketPolicy",
+        "s3:PutEncryptionConfiguration",
         "s3:DeleteBucketPolicy"
       ],
       "Resource": [

src/aws/resources/files-bucket.ts

@@ -6,16 +6,52 @@ export const createFilesBucket = () => {
   const bucket = new aws.s3.Bucket('files.pedaki.fr', {
     bucket: 'files.pedaki.fr',
     acl: 'private',
+    serverSideEncryptionConfiguration: {
+      rule: {
+        applyServerSideEncryptionByDefault: {
+          sseAlgorithm: 'aws:kms',
+        },
+        bucketKeyEnabled: true,
+      },
+    },
   });
 
-  const publicAccessBlock = new aws.s3.BucketPublicAccessBlock('publicAccessBlock', {
+  const publicAccessBlock = new aws.s3.BucketPublicAccessBlock('files.pedaki.fr-publicAccessBlock', {
     bucket: bucket.id,
     blockPublicAcls: true,
     blockPublicPolicy: true,
     ignorePublicAcls: true,
     restrictPublicBuckets: true,
   });
 
+  const policy = new aws.s3.BucketPolicy(
+    'files-bucket-policy',
+    {
+      bucket: bucket.id,
+      policy: bucket.arn.apply(arn =>
+        JSON.stringify({
+          // all files should be encrypted
+          Version: '2012-10-17',
+          Statement: [
+            {
+              Sid: 'DenyUnEncryptedObjectUploads',
+              Effect: 'Deny',
+              Principal: '*',
+              Action: 's3:PutObject',
+              Resource: `${arn}/*`,
+              Condition: {
+                StringNotEquals: {
+                  's3:x-amz-server-side-encryption': 'aws:kms',
+                },
+              },
+            },
+          ],
+        }),
+      ),
+    },
+    { dependsOn: [publicAccessBlock] },
+  );
+
   const record = new cloudflare.Record('files.pedaki.fr', {
     name: 'files',
     type: 'CNAME',

src/aws/resources/static-bucket.ts

@@ -7,7 +7,7 @@ export const createStaticBucket = () => {
     bucket: 'static.pedaki.fr',
   });
 
-  const publicAccessBlock = new aws.s3.BucketPublicAccessBlock('publicAccessBlock', {
+  const publicAccessBlock = new aws.s3.BucketPublicAccessBlock('static.pedaki.fr-publicAccessBlock', {
     bucket: bucket.id,
     blockPublicAcls: false,
     blockPublicPolicy: false,
@@ -16,7 +16,7 @@ export const createStaticBucket = () => {
   });
 
   const _ = new aws.s3.BucketPolicy(
-    'bucket-policy',
+    'static-bucket-policy',
     {
       bucket: bucket.id,
       policy: bucket.arn.apply(arn =>