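# Storage side of a Terraform remote-state setup: a customer-managed KMS key,
# an alias for it, and a versioned, KMS-encrypted S3 bucket with all public
# access blocked.
#
# Terraform state files record resource attributes in plain text, which can
# include secrets, so this bucket and key should be treated as sensitive.

provider "aws" {
  region = "us-east-2"

  # Credentials come from the "default" named profile on the machine running
  # Terraform.
  profile = "default"
}

# Customer-managed key used as the bucket's default SSE-KMS key.
# No `policy` argument is set, so the key receives the AWS default key policy
# and access is controlled through IAM.
# NOTE(review): confirm that only the principals that run Terraform are
# granted kms:Decrypt / kms:GenerateDataKey on this key.
resource "aws_kms_key" "terraform_key" {
  description             = "This key is used to encrypt bucket objects"
  deletion_window_in_days = 10

  # Automatic rotation is disabled by default for customer-managed keys.
  # Enabling it rotates the backing key material without changing the key
  # id/ARN, so existing state objects remain readable.
  enable_key_rotation = true
}

# Friendly name for the key above. Lets operators refer to "alias/terraform"
# instead of the key id.
resource "aws_kms_alias" "Terraform-Alias" {
  name          = "alias/terraform"
  target_key_id = "${aws_kms_key.terraform_key.key_id}"
}

# Bucket that holds the Terraform state objects.
resource "aws_s3_bucket" "terraform_state" {
  bucket = "fcm-terraform-state"

  # Keep every object version so an overwritten or corrupted state file can be
  # rolled back.
  versioning {
    enabled = true
  }

  # Makes Terraform refuse any plan that would destroy this bucket.
  lifecycle {
    prevent_destroy = true
  }

  # Default encryption: objects written without an explicit encryption setting
  # are encrypted with the customer-managed key above. This is a default, not
  # an enforcement. A bucket policy is needed to reject uploads that request a
  # different encryption mode.
  # NOTE(review): no bucket policy (e.g. TLS-only, SSE-KMS-only) and no access
  # logging are defined in this file. Confirm whether they are configured
  # elsewhere.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${aws_kms_key.terraform_key.arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

# Turn on all four S3 Block Public Access settings for the state bucket, so
# neither ACLs nor bucket policies can expose it publicly.
resource "aws_s3_bucket_public_access_block" "keep_terraform_safe" {
  bucket = "${aws_s3_bucket.terraform_state.id}"

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}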