From ae85be013450aa0608caddb05edb0c94e6cab11c Mon Sep 17 00:00:00 2001
From: Amanda Snyder
Date: Mon, 10 Apr 2023 14:26:01 -0600
Subject: [PATCH 1/2] adding default encryption to s3 buckets for cloudtrail
---
 aws/cloudtrail/main.tf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/aws/cloudtrail/main.tf b/aws/cloudtrail/main.tf
index b4fb204..1c89a77 100644
--- a/aws/cloudtrail/main.tf
+++ b/aws/cloudtrail/main.tf
@@ -16,6 +16,13 @@ resource "aws_s3_bucket" "logs" {
 acl = "log-delivery-write"

 tags = var.tags
+
+ rule {
+ bucket_key_enabled = false
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
 }

 resource "aws_s3_bucket" "mod" {
@@ -29,6 +36,13 @@ resource "aws_s3_bucket" "mod" {
 target_bucket = aws_s3_bucket.logs.id
 target_prefix = var.name
 }
+
+ rule {
+ bucket_key_enabled = false
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
 }

 data "aws_iam_policy_document" "s3" {
From 8150e039b593331268849683bc71362d4cd04b4b Mon Sep 17 00:00:00 2001
From: Amanda Snyder
Date: Mon, 10 Apr 2023 14:54:30 -0600
Subject: [PATCH 2/2] add missing sse
---
 aws/cloudtrail/main.tf | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/aws/cloudtrail/main.tf b/aws/cloudtrail/main.tf
index 1c89a77..34befa4 100644
--- a/aws/cloudtrail/main.tf
+++ b/aws/cloudtrail/main.tf
@@ -17,10 +17,12 @@ resource "aws_s3_bucket" "logs" {

 tags = var.tags

- rule {
- bucket_key_enabled = false
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
+ server_side_encryption_configuration {
+ rule {
+ bucket_key_enabled = false
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
 }
 }
 }
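Review bot: The `rule { ... }` block added in PATCH 1/2 sits directly inside `resource "aws_s3_bucket" "logs"`, and the same applies to the `mod` hunk at `@@ -29,6 +36,13`. As far as I know `aws_s3_bucket` accepts that block only when nested in `server_side_encryption_configuration { ... }`, so this commit on its own should fail `terraform validate` and neither bucket gets the intended setting. PATCH 2/2 adds the wrapper, so squashing the two commits would keep every revision in history plannable. Both resource bodies start outside the hunks.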
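Review bot: `bucket_key_enabled = false` in the `logs` rule of PATCH 2/2 has no effect next to `sse_algorithm = "AES256"`, because S3 Bucket Keys apply only to SSE-KMS; the same line appears in the `mod` hunk at `@@ -37,10 +39,12`. I would drop it in both places, or keep it only if a KMS key is planned. It would also help to record why this bucket stays on SSE-S3, for example `# access-log target (acl = log-delivery-write): S3 log delivery supports only SSE-S3 default encryption here`. To my knowledge log delivery to a target bucket with SSE-KMS default encryption is not supported, so a later switch to `aws:kms` could stop the access logs from arriving. The resource body starts outside the hunk.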
@@ -37,10 +39,12 @@ resource "aws_s3_bucket" "mod" {
 target_prefix = var.name
 }

- rule {
- bucket_key_enabled = false
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
+ server_side_encryption_configuration {
+ rule {
+ bucket_key_enabled = false
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
 }
 }
 }
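Review bot: For the `mod` bucket, `sse_algorithm = "AES256"` matches the SSE-S3 encryption that S3 has applied to new objects by default since January 2023, so this rule documents the baseline rather than restricting who can read the trail data. If `mod` is the CloudTrail destination, as the series subject suggests, consider `sse_algorithm = "aws:kms"` with a `kms_master_key_id` pointing at a customer-managed key (and `kms_key_id` on the trail), so that read access is also gated by the key policy and decrypt calls are logged. Separately, the inline `server_side_encryption_configuration` block is deprecated from AWS provider v4 in favour of the `aws_s3_bucket_server_side_encryption_configuration` resource; the provider pin is not visible here, so check it before merging. The resource body starts outside the hunk.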