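# Terraform remote-state bucket.
#
# State files can contain secrets in plaintext, so this bucket is treated as
# sensitive: private ACL, every public-access setting blocked, SSE-KMS with the
# customer-managed key aws_kms_key.tfstate, and versioning so a corrupted or
# maliciously overwritten state can be rolled back.
#
# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
resource "aws_s3_bucket" "tfstate" {
  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
  # checkov:skip=CKV_AWS_144: Cross-region replication TODO
  bucket = var.bucket_name

  # NOTE(review): depends_on normally only accepts static resource/module
  # references; confirm `terraform validate` accepts a variable here, otherwise
  # move the ordering to the module call's own depends_on.
  depends_on = [var.module_depends_on]
}

# Buckets created after the 2023 S3 default change come up with
# ObjectOwnership = BucketOwnerEnforced, which disables ACLs entirely and makes
# the aws_s3_bucket_acl below fail with AccessControlListNotSupported.
# BucketOwnerPreferred keeps that ACL resource working; if the ACL resource is
# ever retired, switch to BucketOwnerEnforced so ACLs cannot be used at all.
resource "aws_s3_bucket_ownership_controls" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "s3_acl_tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  acl    = "private"

  # An ACL can only be applied once object ownership permits ACLs.
  depends_on = [aws_s3_bucket_ownership_controls.tfstate]
}

# Versioning is what makes state recoverable; the lifecycle rule below relies
# on it to age out old versions.
resource "aws_s3_bucket_versioning" "s3_version_tfstate" {
  bucket = aws_s3_bucket.tfstate.id

  versioning_configuration {
    status = "Enabled"
  }
}

# Access logging is still disabled (see the tfsec/checkov suppressions above).
# The state bucket is a high-value read target, so access logs are the record
# of who read or rewrote state; the blocker is the log destination.
# FIXME: Does pointing at "dps-s3-logs" keep a cross-account dependency?
#logging {
#target_bucket = "dps-s3-logs"
#target_prefix = "aws_terraform_s3_state_access_logs/"
#}

# Ages out old state versions (30 days -> STANDARD_IA, deleted after 2 years)
# and cleans up abandoned multipart uploads. The resource name keeps its
# original spelling ("lifecyle") because renaming it would change the state
# address.
resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_tfstate" {
  bucket = aws_s3_bucket.tfstate.id

  rule {
    # `id` is required by the provider v4+ rule schema; the legacy block
    # at the bottom of this file had none.
    id     = "tfstate-noncurrent-versions"
    status = "Enabled"

    # Empty filter = every object, equivalent to the legacy prefix = "".
    filter {}

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }

    noncurrent_version_transition {
      noncurrent_days = 30
      storage_class   = "STANDARD_IA"
    }

    noncurrent_version_expiration {
      noncurrent_days = 730
    }
  }

  # Noncurrent-version rules only take effect once versioning is enabled.
  depends_on = [aws_s3_bucket_versioning.s3_version_tfstate]
}

# SSE-KMS with a customer-managed key so access to state also requires
# kms:Decrypt on aws_kms_key.tfstate, not just s3:GetObject.
resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_tfstate" {
  bucket = aws_s3_bucket.tfstate.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.tfstate.arn
      sse_algorithm     = "aws:kms"
    }

    # Bucket keys reduce per-object KMS calls without weakening encryption.
    bucket_key_enabled = true
  }
}

# Belt and braces: even if a public ACL or policy is attempted later, S3
# ignores/blocks it. Note this does not prevent a *non-public* bucket policy;
# a deny on aws:SecureTransport = false is a worthwhile addition if no bucket
# policy is managed for this bucket elsewhere.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

//AWS Provider outdated arguments <4.4.0
/*resource "aws_s3_bucket" "tfstate" {
  bucket = var.bucket_name
  acl    = "private"

  depends_on = [
    var.module_depends_on
  ]

  versioning {
    enabled = true
  }

  # FIXME: Does this keep a cross-account dependency?
  #logging {
  #target_bucket = "dps-s3-logs"
  #target_prefix = "aws_terraform_s3_state_access_logs/"
  #}

  lifecycle_rule {
    enabled = true
    prefix  = ""

    abort_incomplete_multipart_upload_days = 7

    noncurrent_version_transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }

    noncurrent_version_expiration {
      days = 730
    }
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.tfstate.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
*/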