restrict public access and add bucket encryption using cmk (#2525)

src/_nebari/stages/infrastructure/template/aws/modules/s3/main.tf

@@ -1,3 +1,8 @@
+resource "aws_kms_key" "main" {
+  description         = "KMS key for ${var.name}"
+  enable_key_rotation = true
+}
+
 resource "aws_s3_bucket" "main" {
   bucket = var.name
   acl    = var.public ? "public-read" : "private"
@@ -11,3 +16,22 @@ resource "aws_s3_bucket" "main" {
     Description = "S3 bucket for ${var.name}"
   }, var.tags)
 }
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
+  bucket = aws_s3_bucket.main.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.main.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "main" {
+  bucket                  = aws_s3_bucket.main.id
+  ignore_public_acls      = true
+  block_public_acls       = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+}

src/_nebari/stages/terraform_state/template/aws/modules/terraform-state/main.tf

@@ -1,3 +1,7 @@
+resource "aws_kms_key" "tf-state-key" {
+  enable_key_rotation = true
+}
+
 resource "aws_s3_bucket" "terraform-state" {
   bucket = "${var.name}-terraform-state"
 
@@ -16,6 +20,25 @@ resource "aws_s3_bucket" "terraform-state" {
   }
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "terraform-state" {
+  bucket = aws_s3_bucket.terraform-state.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.tf-state-key.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "terraform-state" {
+  bucket                  = aws_s3_bucket.terraform-state.id
+  ignore_public_acls      = true
+  block_public_acls       = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+}
+
 resource "aws_dynamodb_table" "terraform-state-lock" {
   name = "${var.name}-terraform-state-lock"