init: copied modules from lawndale-infra

remote-state/bucket.tf

@@ -0,0 +1,55 @@
+resource "aws_kms_key" "this" {
+  description             = "Enryption key for S3 remote terraform state"
+  deletion_window_in_days = 30
+}
+
+data "aws_iam_policy_document" "force_secure_transport" {
+  statement {
+    sid     = "ForceSecureTransport"
+    actions = ["s3:*"]
+    effect  = "Deny"
+    resources = [
+      module.states_bucket.s3_bucket_arn,
+      "${module.states_bucket.s3_bucket_arn}/*"
+    ]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+  }
+}
+
+module "states_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket = local.bucket_name
+
+  versioning = {
+    enabled = true
+  }
+
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        kms_master_key_id = aws_kms_key.this.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
+  acl                     = "private"
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
+  attach_policy = true
+  policy        = data.aws_iam_policy_document.force_secure_transport.json
+
+  create_bucket = true
+}