xinau/main.tf

## main.tf
variable bucket {
  description = "AWS S3 bucket name to use for state storage"
  type = string
}

variable dynamodb_table {
  description = "AWS DynamoDB table name to use for state locking"
  type        = string
}

variable encrypt {
  description = "(Not Used) AWS S3 bucket enable Server-Side Encryption"
  default     = true
  type        = bool
}

variable region {
  description = "AWS Region name of the S3 bucket"
  type        = string
}

data "aws_canonical_user_id" "current" {}

data "aws_iam_policy_document" "terraform_state" {
  statement {
    effect = "Deny"

    principals {
      identifiers = ["*"]
      type        = "AWS"
    }

    actions = [
      "s3:PutObject",
    ]

    resources = [
      "arn:aws:s3:::${var.bucket}/*",
    ]

    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"

      values = [
        "AES256",
      ]
    }
  }

  statement {
    effect = "Deny"

    principals {
      identifiers = ["*"]
      type        = "AWS"
    }

    actions = [
      "s3:PutObject",
    ]

    resources = [
      "arn:aws:s3:::${var.bucket}/*",
    ]

    condition {
      test     = "Null"
      variable = "s3:x-amz-server-side-encryption"

      values = [
        "true",
      ]
    }
  }
}

locals {
  bucket_logs = "${var.bucket}-logs"
}

resource "aws_dynamodb_table" "terraform_state_lock" {
  name         = var.dynamodb_table
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }

  server_side_encryption {
    enabled = true
  }
}

resource "aws_s3_bucket" "terraform_state_logs" {
  bucket        = local.bucket_logs
  acl           = "log-delivery-write"
  force_destroy = false
  region        = var.region

  lifecycle_rule {
    enabled = true
    id      = "log"
    prefix  = "log/"

    transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket" "terraform_state" {
  bucket        = var.bucket
  acl           = "private"
  force_destroy = false
  policy        = data.aws_iam_policy_document.terraform_state.json
  region        = var.region

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  logging {
    target_bucket = aws_s3_bucket.terraform_state_logs.id
    target_prefix = "log/"
  }

  versioning {
    enabled = true
  }
}
	variable bucket {
	description = "AWS S3 bucket name to use for state storage"
	type = string
	}

	variable dynamodb_table {
	description = "AWS DynamoDB table name to use for state locking"
	type = string
	}

	variable encrypt {
	description = "(Not Used) AWS S3 bucket enable Server-Side Encryption"
	default = true
	type = bool
	}

	variable region {
	description = "AWS Region name of the S3 bucket"
	type = string
	}

	data "aws_canonical_user_id" "current" {}

	data "aws_iam_policy_document" "terraform_state" {
	statement {
	effect = "Deny"

	principals {
	identifiers = ["*"]
	type = "AWS"
	}

	actions = [
	"s3:PutObject",
	]

	resources = [
	"arn:aws:s3:::${var.bucket}/*",
	]

	condition {
	test = "StringNotEquals"
	variable = "s3:x-amz-server-side-encryption"

	values = [
	"AES256",
	]
	}
	}

	statement {
	effect = "Deny"

	principals {
	identifiers = ["*"]
	type = "AWS"
	}

	actions = [
	"s3:PutObject",
	]

	resources = [
	"arn:aws:s3:::${var.bucket}/*",
	]

	condition {
	test = "Null"
	variable = "s3:x-amz-server-side-encryption"

	values = [
	"true",
	]
	}
	}
	}

	locals {
	bucket_logs = "${var.bucket}-logs"
	}

	resource "aws_dynamodb_table" "terraform_state_lock" {
	name = var.dynamodb_table
	billing_mode = "PAY_PER_REQUEST"
	hash_key = "LockID"

	attribute {
	name = "LockID"
	type = "S"
	}

	server_side_encryption {
	enabled = true
	}
	}

	resource "aws_s3_bucket" "terraform_state_logs" {
	bucket = local.bucket_logs
	acl = "log-delivery-write"
	force_destroy = false
	region = var.region

	lifecycle_rule {
	enabled = true
	id = "log"
	prefix = "log/"

	transition {
	days = 30
	storage_class = "STANDARD_IA"
	}
	}

	server_side_encryption_configuration {
	rule {
	apply_server_side_encryption_by_default {
	sse_algorithm = "AES256"
	}
	}
	}

	versioning {
	enabled = true
	}
	}

	resource "aws_s3_bucket" "terraform_state" {
	bucket = var.bucket
	acl = "private"
	force_destroy = false
	policy = data.aws_iam_policy_document.terraform_state.json
	region = var.region

	server_side_encryption_configuration {
	rule {
	apply_server_side_encryption_by_default {
	sse_algorithm = "AES256"
	}
	}
	}

	logging {
	target_bucket = aws_s3_bucket.terraform_state_logs.id
	target_prefix = "log/"
	}

	versioning {
	enabled = true
	}
	}