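# Customer-managed KMS key used for SSE-KMS on the remote-state bucket.
# No `policy` argument is set, so the AWS default key policy applies
# (the account root principal gets full access to the key). If access to
# state should be narrower than "anyone who can assume an IAM identity
# with kms:Decrypt in this account", supply an explicit key policy.
resource "aws_kms_key" "this" {
  description = "Encryption key for S3 remote terraform state"

  # Longest allowed pending-deletion window (7-30 days): a scheduled
  # deletion of the key that encrypts the state can still be cancelled
  # before the state becomes unreadable.
  deletion_window_in_days = 30

  # Automatic yearly rotation of the key material (CIS AWS benchmark
  # check for customer-managed keys). Old material is retained by KMS,
  # so objects encrypted under earlier versions stay decryptable.
  enable_key_rotation = true
}

# Bucket policy denying every S3 action over plain HTTP. The statement is
# attached to the bucket by the module below via `attach_policy`/`policy`.
data "aws_iam_policy_document" "force_secure_transport" {
  statement {
    sid    = "ForceSecureTransport"
    effect = "Deny"

    # Deny applies to all principals; an explicit Allow elsewhere cannot
    # override it, which is the point of using Deny here.
    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]

    # Both the bucket itself (ListBucket etc.) and every object key.
    resources = [
      module.states_bucket.s3_bucket_arn,
      "${module.states_bucket.s3_bucket_arn}/*",
    ]

    # aws:SecureTransport is "false" for requests that did not use TLS.
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

# S3 bucket holding Terraform remote state (the bucket name comes from
# `local.bucket_name`, defined elsewhere in this configuration).
module "states_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
  # TODO(review): no `version` constraint is set, so `terraform init`
  # resolves whichever release of the module is newest at the time.
  # Pin it (e.g. `version = "~> X.Y"`) so upgrades are deliberate.

  bucket        = local.bucket_name
  create_bucket = true

  # Versioning keeps prior state files recoverable after a bad apply.
  versioning = {
    enabled = true
  }

  # Default encryption: every object is encrypted with the CMK above,
  # so uploads that omit SSE headers are still stored encrypted.
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = aws_kms_key.this.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  # NOTE(review): newer module releases require object ownership to be
  # set to "ObjectWriter" (ACLs enabled) before `acl` can be applied;
  # confirm against the pinned module version.
  acl = "private"

  # All four S3 Block Public Access settings on the bucket.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Attach the TLS-only policy document defined above.
  attach_policy = true
  policy        = data.aws_iam_policy_document.force_secure_transport.json
}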