# S3 bucket that stores Terraform state. State files routinely contain
# resource attributes in plain text (including secrets), so this bucket is
# private, versioned, KMS-encrypted and has public access blocked below.
resource "aws_s3_bucket" "tfstate" {
  bucket = var.bucket_name
  acl    = "private"

  # Keep every prior revision of a state object so that an overwritten or
  # deleted state file can be recovered.
  versioning {
    enabled = true
  }

  # Default encryption: objects written without explicit encryption headers
  # are stored with SSE-KMS under aws_kms_key.tfstate (declared outside this
  # view).
  # NOTE(review): default encryption alone does not reject uploads that ask
  # for a different encryption mode; confirm whether a bucket policy elsewhere
  # enforces that.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = aws_kms_key.tfstate.arn
      }
    }
  }

  # Applies to every object (empty prefix).
  lifecycle_rule {
    enabled = true
    prefix  = ""

    # Clean up multipart uploads that were never completed.
    abort_incomplete_multipart_upload_days = 7

    # Noncurrent (superseded) state versions move to cheaper storage after
    # 30 days ...
    noncurrent_version_transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }

    # ... and are permanently removed after 730 days, which bounds how far
    # back a state file can be restored.
    noncurrent_version_expiration {
      days = 730
    }
  }

  # FIXME: Does this keep a cross-account dependency?
  # NOTE(review): while this block stays commented out, this resource does not
  # configure S3 server access logging, so reads and writes of state objects
  # leave no access log from this bucket.
  #logging {
  #target_bucket = "dps-s3-logs"
  #target_prefix = "aws_terraform_s3_state_access_logs/"
  #}

  # Explicit ordering hook; var.module_depends_on is declared outside this view.
  depends_on = [var.module_depends_on]
}

# Bucket-level public access block for the state bucket: all four switches on.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id

  # ACLs: reject new public ACLs and ignore any that already exist.
  block_public_acls  = true
  ignore_public_acls = true

  # Policies: reject public bucket policies and restrict access if one is
  # already attached.
  block_public_policy     = true
  restrict_public_buckets = true
}