S3 Bucket Encryption

# Customer-managed KMS key that backs the bucket's SSE-KMS default encryption.
# NOTE(review): the module's key policy is not visible here — confirm it lets the
# principals that read/write this bucket call kms:GenerateDataKey and kms:Decrypt,
# otherwise uploads/downloads fail with AccessDenied even though the bucket config is correct.
module "s3_encryption_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
  version = "1.0.0" # pinned to an exact release

  description = "Encryption key for S3 bucket data at rest"
  alias       = "alias/s3-bucket-encryption"
}

# Bucket whose objects are encrypted at rest with the KMS key from module.s3_encryption_key
# (encryption itself is configured in the separate server-side-encryption resource).
resource "aws_s3_bucket" "encrypted" {
  # S3 bucket names are globally unique; this value is presumably a placeholder — replace before apply.
  bucket = "my-encrypted-bucket"
}

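# Default encryption: any object written without an explicit SSE header is
# encrypted with the customer-managed KMS key from module.s3_encryption_key.
resource "aws_s3_bucket_server_side_encryption_configuration" "encrypted" {
  bucket = aws_s3_bucket.encrypted.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = module.s3_encryption_key.key_arn
      sse_algorithm     = "aws:kms"
    }
    # S3 Bucket Keys cut per-object KMS requests (and cost). Trade-off: fewer
    # per-object KMS data-key events show up in CloudTrail, so decrypt auditing
    # is coarser than with bucket keys disabled.
    bucket_key_enabled = true  # Reduces KMS costs
  }
}

# Default encryption only fills in a *missing* SSE header. A client that sends
# `x-amz-server-side-encryption: AES256` would still get SSE-S3 rather than the
# KMS key above, and nothing so far refuses plaintext (non-TLS) transport.
# This policy closes both gaps. To pin uploads to this specific key as well,
# add a StringNotEquals condition on s3:x-amz-server-side-encryption-aws-kms-key-id.
resource "aws_s3_bucket_policy" "encrypted" {
  bucket = aws_s3_bucket.encrypted.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyNonKmsEncryptedUploads"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.encrypted.arn}/*"
        Condition = {
          # Both conditions must match: the header is present (Null = false) AND
          # it is not aws:kms. Uploads that omit the header are allowed and fall
          # through to the SSE-KMS default configured above.
          Null            = { "s3:x-amz-server-side-encryption" = "false" }
          StringNotEquals = { "s3:x-amz-server-side-encryption" = "aws:kms" }
        }
      },
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.encrypted.arn,
          "${aws_s3_bucket.encrypted.arn}/*",
        ]
        Condition = {
          Bool = { "aws:SecureTransport" = "false" }
        }
      },
    ]
  })
}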

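# Name (id) of the SSE-KMS encrypted bucket, for consumers of this configuration.
output "bucket_name" {
  description = "Name of the S3 bucket whose objects are encrypted at rest with SSE-KMS"
  value       = aws_s3_bucket.encrypted.id
}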

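# ARN of the customer-managed KMS key used as the bucket's default encryption key.
# Needed by any IAM policy that must grant kms:GenerateDataKey / kms:Decrypt to readers and writers.
output "encryption_key_arn" {
  description = "ARN of the KMS key backing the bucket's SSE-KMS default encryption"
  value       = module.s3_encryption_key.key_arn
}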