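# Identity of the account the configuration is applied in. Its account id is
# interpolated into the key policy below so the account root is the key
# administrator.
data "aws_caller_identity" "this" {}

# Customer-managed KMS key used for AWS Backup.
resource "aws_kms_key" "ab-kms-key" {
  description             = "KMS key for aws backup"
  deletion_window_in_days = 10

  # Automatic annual rotation of the key material. Previously used material is
  # retained by KMS, so recovery points encrypted before a rotation stay
  # decryptable; rotation only limits how much data any one key version protects.
  enable_key_rotation = true

  policy = jsonencode({
    "Version" : "2012-10-17",
    "Id" : "awsbackup-service",
    "Statement" : [
      {
        # Account root gets full control of the key so that IAM policies in
        # this account can delegate key permissions. Without this statement
        # the key could become unmanageable.
        "Sid" : "Enable IAM User Permissions",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"
        },
        "Action" : "kms:*",
        "Resource" : "*"
      },
      {
        # Lets AWS services that are integrated with KMS (AWS Backup among
        # them) create and revoke grants on this key on behalf of a caller.
        # NOTE(review): "Principal" : "*" admits callers from any AWS account
        # as long as the grant is created by an AWS service; if cross-account
        # grants are not needed, scoping it to this account is tighter:
        #   "Principal" : { "AWS" : "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root" }
        # Left as-is here because cross-account use cannot be ruled out from
        # this file alone.
        "Sid" : "Allow attachment of persistent resources",
        "Effect" : "Allow",
        "Principal" : "*",
        "Action" : [
          "kms:CreateGrant",
          "kms:ListGrants",
          "kms:RevokeGrant"
        ],
        "Resource" : "*",
        "Condition" : {
          "Bool" : {
            # Only grants created by an AWS service on behalf of a principal,
            # not grants a principal creates directly.
            "kms:GrantIsForAWSResource" : "true"
          }
        }
      }
    ]
  })
}

# Human-readable alias for the key; AWS Backup configuration can reference the
# alias instead of the key id.
resource "aws_kms_alias" "ab-kms-key-alias" {
  name          = "alias/awsbackup-kms-key"
  target_key_id = aws_kms_key.ab-kms-key.id
}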