/*
  S3 storage for the cluster: holds SSL certificates and session replays.
  Objects are encrypted at rest with SSE-KMS under the aws_kms_key.s3 key,
  and every form of public access to the bucket is blocked.
*/

// Bucket used for cluster storage (certs and session recordings).
resource "aws_s3_bucket" "storage" {
  bucket = "${var.instance_name}-${var.environment}"
  acl    = "private"

  # force_destroy is the inverse of termination protection. When protection is
  # off, `terraform destroy` may delete the bucket even if it still contains
  # objects, so the stored certs and replays are removed with it.
  force_destroy = !var.instance_termination_protection

  # Default encryption: new objects are encrypted with the customer-managed
  # KMS key, so reading them also requires permission to use that key.
  # NOTE(review): the inline acl and server_side_encryption_configuration
  # arguments are deprecated from AWS provider v4 onward in favour of the
  # standalone resources; confirm the provider version pinned for this module.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = aws_kms_key.s3.arn
      }
    }
  }

  # NOTE(review): no versioning, access logging or TLS-only bucket policy is
  # declared in this block; confirm whether they are configured elsewhere.
}

// Blocks public ACLs and public bucket policies on the storage bucket.
// The resource label is left unchanged: renaming it would change its address
// in Terraform state.
resource "aws_s3_bucket_public_access_block" "awsconfig_bucket_block_public_access" {
  bucket = aws_s3_bucket.storage.id

  # Reject new public ACLs/policies and neutralise any that already exist.
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}