s3.tf

# locals {
#   useAccessLogging = length(var.access_logging_bucket) > 0 ? [1] : []
# }

resource "aws_s3_bucket" "bucket" {
  bucket        = var.s3_bucket_name
  acl           = "private"
  force_destroy = true

  versioning {
    enabled = true
  }

  logging {
    target_bucket = var.s3_logging_bucket_name
    target_prefix = "${var.s3_logging_bucket_prefix}/"
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.kms_key.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  lifecycle_rule {
    id      = "delete"
    enabled = true

    expiration {
      days = 365
    }
  }

  tags = {
    Name = "${upper(var.project_name)} Inventory Report"
  }
}

resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket = aws_s3_bucket.bucket.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}

# Bucket Policy
resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.bucket.id
  policy = data.aws_iam_policy_document.bucket_policy_document.json
}



# Bucket Policy Document
data "aws_iam_policy_document" "bucket_policy_document" {
  depends_on = [
    aws_s3_bucket.bucket
  ]

  # Deny Cleartext (HTTP) Communication

  statement {
    actions = ["s3:*"]
    effect  = "Deny"
    resources = [
      "${aws_s3_bucket.bucket.arn}",
      "${aws_s3_bucket.bucket.arn}/*"
    ]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}