root_encryption.tf
locals {
  # Role ARNs used only by end-to-end tests. This is deliberately an empty
  # list in prod so no test principal is ever added to the production
  # internal-bucket key policy (the list is concatenated into
  # s3_internal_kms_key.user_roles further down this file).
  e2e_testing_role_arns = local.environment != "prod" ? [module.tdr_configuration.terraform_config[local.environment]["e2e_testing_role_arn"]] : []
}
# CMK for the externally-facing S3 export buckets (naming follows the locals
# referenced below). Every ARN in user_roles becomes a principal in the key
# policy built by the kms module, so this list is the effective access control
# for anything encrypted under the key; keep it to roles that genuinely read or
# write the export buckets. The exact grant set per variable is defined in
# ./da-terraform-modules/kms and is not visible in this file.
module "s3_external_kms_key" {
  source   = "./da-terraform-modules/kms"
  key_name = "tdr-s3-external-kms-${local.environment}"
  tags     = local.common_tags

  default_policy_variables = {
    # Data-plane users: the notification lambda, the export task, the DR2 copy
    # role, plus the SSO / standard / judgment export-bucket reader groups.
    user_roles = concat(
      [
        module.notification_lambda.notifications_lambda_role_arn[0],
        module.consignment_export_task_role.role.arn,
        local.dr2_copy_files_role,
      ],
      local.aws_sso_export_bucket_access_roles,
      local.standard_export_bucket_read_access_roles,
      local.judgment_export_bucket_read_access_roles
    )
    # Terraform/CI role. NOTE(review): presumably granted key administration
    # rather than data-plane usage by the module -- confirm against its policy.
    ci_roles = [local.assume_role]
    # Service principal permitted to use the key; service_source_account is
    # presumably applied as a source-account condition so only this account's
    # CloudWatch can use it -- confirm in the module.
    service_details = [
      {
        service_name           = "cloudwatch"
        service_source_account = data.aws_caller_identity.current.account_id
      }
    ]
  }
}
# CMK for the external SNS topic(s). Only the consignment export task role is
# given usage, plus the SNS service principal for this account; the module's
# generated policy is the real grant set (see ./da-terraform-modules/kms).
module "sns_external_kms_key" {
  source   = "./da-terraform-modules/kms"
  key_name = "tdr-sns-external-kms-${local.environment}"
  tags     = local.common_tags

  default_policy_variables = {
    # Single data-plane principal: the export task publishes under this key.
    user_roles = [
      module.consignment_export_task_role.role.arn
    ]
    # Terraform/CI role -- NOTE(review): presumably key admin, not usage;
    # confirm against the module.
    ci_roles = [local.assume_role]
    # SNS service principal, presumably conditioned on the source account so
    # only topics in this account can use the key -- confirm in the module.
    service_details = [
      {
        service_name           = "sns"
        service_source_account = data.aws_caller_identity.current.account_id
      }
    ]
  }
}
# CMK for the internal S3 buckets. The user_roles list is the effective
# access control for data under this key; it covers the processing lambdas,
# the export task, the frontend task, the draft-metadata step function, the
# GuardDuty malware-scan role, the SSO internal-bucket access roles and --
# outside prod only -- the end-to-end test role (local.e2e_testing_role_arns
# is empty in prod). Grants per variable are defined in
# ./da-terraform-modules/kms, not here.
module "s3_internal_kms_key" {
  source   = "./da-terraform-modules/kms"
  key_name = "tdr-s3-internal-kms-${local.environment}"
  tags     = local.common_tags

  default_policy_variables = {
    user_roles = concat(
      [
        module.yara_av_v2.lambda_role_arn,
        module.file_upload_data.lambda_role_arn,
        module.consignment_export_task_role.role.arn,
        module.draft_metadata_validator_lambda.lambda_role_arn,
        module.frontend.task_role_arn,
        module.draft_metadata_checks.step_function_role_arn,
        module.aws_guard_duty_s3_malware_scan_role.role_arn
      ],
      local.aws_sso_internal_bucket_access_roles,
      # Non-prod only; see the locals block at the top of this file.
      local.e2e_testing_role_arns
    )
    # Terraform/CI role -- NOTE(review): presumably key admin rather than
    # data-plane usage; confirm against the module.
    ci_roles = [local.assume_role]
    # CloudWatch service principal for this account; service_source_account is
    # presumably used as a source-account condition -- confirm in the module.
    service_details = [
      {
        service_name           = "cloudwatch"
        service_source_account = data.aws_caller_identity.current.account_id
      }
    ]
  }
}
# CMK for the upload S3 bucket. Usage goes to the AV, upload-data, file-format
# and checksum lambdas, the GuardDuty malware-scan role and the SSO
# internal-bucket access roles. This is the only key in this file that also
# names a CloudFront distribution; the module presumably lets that
# distribution use the key for objects in the upload bucket it fronts --
# confirm the exact statement in ./da-terraform-modules/kms.
module "s3_upload_kms_key" {
  source   = "./da-terraform-modules/kms"
  key_name = "tdr-s3-upload-kms-${local.environment}"
  tags     = local.common_tags

  default_policy_variables = {
    user_roles = concat(
      [
        module.yara_av_v2.lambda_role_arn,
        module.file_upload_data.lambda_role_arn,
        module.file_format_v2.lambda_role_arn,
        module.checksum_v2.lambda_role_arn,
        module.aws_guard_duty_s3_malware_scan_role.role_arn
      ],
      local.aws_sso_internal_bucket_access_roles
    )
    # Terraform/CI role -- NOTE(review): presumably key admin rather than
    # data-plane usage; confirm against the module.
    ci_roles = [local.assume_role]
    # CloudWatch service principal for this account; service_source_account is
    # presumably used as a source-account condition -- confirm in the module.
    service_details = [
      {
        service_name           = "cloudwatch"
        service_source_account = data.aws_caller_identity.current.account_id
      }
    ]
    # Distribution(s) allowed to use the key; keep this to the upload
    # distribution only.
    cloudfront_distributions = [
      module.cloudfront_upload.cloudfront_arn
    ]
  }
}