# Customer-managed KMS key used as the default encryption key for the S3
# bucket declared below.
# - No `policy` argument is set, so AWS attaches its default key policy, which
#   delegates access control to IAM in the owning account.
#   NOTE(review): confirm that is intended, or add an explicit key policy.
# - 7 days is the shortest deletion window KMS accepts. Once a scheduled
#   deletion completes, objects encrypted under this key can no longer be
#   decrypted.
resource "aws_kms_key" "dev_dejo_node" {
  description             = "KMS key to encrypt S3 bucket objects for ${local.base_name}"
  enable_key_rotation     = true # automatic rotation of the key material
  deletion_window_in_days = 7

  tags = merge(local.default_tags, { Name = "${local.base_name}-bucket-key" })
}

# Alias so the key can be referenced by name instead of by key ID.
# NOTE(review): local.kms_key_name is defined outside this file; KMS only
# accepts alias names that start with "alias/", so verify the local includes
# that prefix.
resource "aws_kms_alias" "dev_dejo_node" {
  target_key_id = aws_kms_key.dev_dejo_node.key_id
  name          = local.kms_key_name
}

# S3 bucket with SSE-KMS default encryption under the key above.
# - "~> 4.0" accepts any 4.x release of the registry module, and the
#   dependency lock file records provider checksums only, not module ones.
#   NOTE(review): consider pinning an exact module version.
# - No block_public_* inputs are set here, so public-access blocking depends
#   on the module's defaults.
#   NOTE(review): confirm those defaults for the resolved 4.x version.
# - local.s3.versioning is defined outside this file; presumably it enables
#   versioning, but verify.
module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 4.0"

  bucket     = local.s3.bucket
  versioning = local.s3.versioning
  # The ACL input is intentionally left disabled:
  # acl = local.s3.acl

  # Default encryption covers objects uploaded without encryption headers.
  # It does not stop a client from requesting a different SSE mode or key;
  # that needs a bucket policy if it must be enforced.
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = aws_kms_key.dev_dejo_node.arn
      }
    }
  }

  tags = local.default_tags
}