Multi-Region Key

# Primary key in the main region (the default provider's region; this module
# call passes no provider alias).
module "primary_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
  version = "1.0.0"

  alias       = "alias/multi-region-primary"
  description = "Primary multi-region encryption key"

  # Note: multi_region must be enabled in the module
  # This example shows the conceptual pattern
  # NOTE(review): nothing in this call enables multi-region, and the module's
  # input name for it is not visible here — confirm against the module source.
  # Without it, aws_kms_replica_key.replica below fails at apply time, because
  # KMS only accepts a multi-region primary key as primary_key_arn.
  # Whatever key policy the module applies governs this key only: replica
  # keys do not inherit policy, grants, aliases or tags from the primary.
}

# Second provider configuration, used only by the replica key and its alias.
provider "aws" {
  region = "eu-west-1" # region the replica key and alias are created in
  alias  = "replica"   # referenced as aws.replica by the resources below
}

# Multi-region replica of module.primary_key in eu-west-1. It shares key
# material and key ID with the primary, so ciphertext produced in one region
# can be decrypted in the other without a cross-region KMS call.
resource "aws_kms_replica_key" "replica" {
  provider = aws.replica

  # Must be the ARN of a multi-region primary key; a single-region key is rejected.
  primary_key_arn         = module.primary_key.key_arn
  description             = "Replica encryption key in EU"
  # 30 is the maximum KMS allows (7-30), giving the longest window to cancel
  # a scheduled deletion.
  deletion_window_in_days = 30

  # NOTE(review): no `policy` is set, so KMS attaches the default key policy
  # (full access for the account root) instead of mirroring the primary's.
  # Replica keys do not inherit policy or grants from the primary; set `policy`
  # explicitly if the primary restricts who can use or administer the key.
}

# Region-local alias for the replica. Aliases are not replicated with the key,
# so the replica needs its own; note the name differs from the primary's
# (alias/multi-region-primary), so one alias string cannot be reused in both
# regions.
resource "aws_kms_alias" "replica" {
  target_key_id = aws_kms_replica_key.replica.key_id
  name          = "alias/multi-region-replica"
  provider      = aws.replica
}

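# Source bucket for cross-region replication, encrypted with the multi-region
# primary key (see aws_s3_bucket_server_side_encryption_configuration.primary).
# The replication rule and the destination bucket are not part of this example.
resource "aws_s3_bucket" "primary" {
  # Bucket names are global; this literal collides with any existing bucket
  # of the same name in any account.
  bucket = "primary-encrypted-bucket"
}

# Cross-region replication requires versioning on the source (and destination)
# bucket; S3 rejects a replication configuration on an unversioned bucket.
resource "aws_s3_bucket_versioning" "primary" {
  bucket = aws_s3_bucket.primary.id

  versioning_configuration {
    status = "Enabled"
  }
}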

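# Default SSE-KMS on the source bucket, using the multi-region primary key.
resource "aws_s3_bucket_server_side_encryption_configuration" "primary" {
  bucket = aws_s3_bucket.primary.id

  rule {
    # S3 Bucket Keys derive a bucket-level data key, cutting the per-object
    # KMS request volume (and cost) without changing the at-rest protection.
    bucket_key_enabled = true

    apply_server_side_encryption_by_default {
      # The full ARN keeps the reference unambiguous across regions; a bare
      # key ID or alias would resolve in the bucket's region only.
      kms_master_key_id = module.primary_key.key_arn
      sse_algorithm     = "aws:kms"
    }
  }
}

# NOTE(review): objects replicated to eu-west-1 should be re-encrypted with
# aws_kms_replica_key.replica via the replication rule's destination
# encryption settings; that rule is not shown in this example.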

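output "primary_key_arn" {
  description = "ARN of the multi-region primary key (created in the default provider's region)."
  value       = module.primary_key.key_arn
}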

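output "replica_key_arn" {
  description = "ARN of the eu-west-1 replica key; use this for KMS calls made from that region."
  value       = aws_kms_replica_key.replica.arn
}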