resource "aws_s3_bucket" "state" {
  #checkov:skip=CKV_AWS_144 - No needed cross-region replication enabled
  #checkov:skip=CKV_AWS_21 - No needed versioning enabled
  #checkov:skip=CKV_AWS_18 - No needed access log enabled
  #checkov:skip=CKV_AWS_145 - S3 default encryption enabled
  #checkov:skip=CKV2_AWS_61 - No needed lifecycle configuration
  #checkov:skip=CKV2_AWS_62 - No needed notification
  
  bucket = "${data.aws_caller_identity.current.account_id}-${var.application_name}-tfstate"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.bucket

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "AES256"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "state" {
  bucket = aws_s3_bucket.state.id
  block_public_acls   = true
  block_public_policy = true
  ignore_public_acls = true
  restrict_public_buckets = true
}




output "state_bucket" {
  value = aws_s3_bucket.state.arn
}