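# Bucket that holds the object storage (remote state) for this stack.
#
# Server access logging is intentionally not configured: both tfsec and
# checkov flag it, and the commented-out `logging` block below is kept as a
# placeholder for a target bucket that would have to exist first.
# tfsec:ignore:aws-s3-enable-bucket-logging - We should log, but we don't
resource "aws_s3_bucket" "state_storage" {
  # checkov:skip=CKV_AWS_18:checkov also thinks we should log.
  bucket_prefix = "${local.prefix}-"

  #logging {
  #  target_bucket = "target-bucket"
  #}

  tags = merge(local.tags, { Prefix = local.prefix })
}

# Keep every version of every object so an overwritten or deleted state file
# can be recovered.
resource "aws_s3_bucket_versioning" "state_storage" {
  bucket = aws_s3_bucket.state_storage.id

  versioning_configuration {
    status = "Enabled"
  }
}

# Encrypt objects at rest with SSE-KMS by default.
# NOTE(review): this points at the AWS-managed S3 key rather than a customer
# managed key (CMK); a CMK would allow a key policy and rotation settings of
# our own. The bare alias "aws/s3" is kept as written; the canonical alias
# form is "alias/aws/s3" - confirm the provider accepts the bare form.
resource "aws_s3_bucket_server_side_encryption_configuration" "state_storage" {
  # Same reference style as the sibling resources (`.id` is the bucket name).
  bucket = aws_s3_bucket.state_storage.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = "aws/s3" # Better to use a cmk
      sse_algorithm     = "aws:kms"
    }
  }
}

# Canned "private" ACL: only the bucket owner gets access.
# NOTE(review): applying an ACL assumes the bucket's object ownership setting
# still allows ACLs (new buckets default to ACLs disabled) - confirm against
# the provider/account defaults in use.
resource "aws_s3_bucket_acl" "state_storage" {
  bucket = aws_s3_bucket.state_storage.id
  acl    = "private"
}

# Block every form of public access at the bucket level, regardless of any
# ACL or bucket policy applied later.
resource "aws_s3_bucket_public_access_block" "state_storage" {
  bucket = aws_s3_bucket.state_storage.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Clean up incomplete uploads. These files aren't big enough to benefit from
# IA pricing and RRS is more expensive than standard, so no storage-class
# transitions are defined here.
resource "aws_s3_bucket_lifecycle_configuration" "state_storage" {
  bucket = aws_s3_bucket.state_storage.id

  rule {
    id     = "AbortIncomplete"
    status = "Enabled"

    # Abandoned multipart uploads would otherwise accrue storage charges
    # indefinitely.
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}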