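# =============================================================================
# KMS Module — Customer-Managed Encryption Keys with Rotation
# =============================================================================

# Creates one customer-managed KMS key per entry in var.keys. The map key
# becomes the suffix of the Name tag and of the alias declared below.
resource "aws_kms_key" "this" {
  for_each = var.keys

  description = each.value.description

  # Waiting period between scheduling a deletion and the key being destroyed.
  # AWS accepts 7-30 days; a longer window leaves more time to notice and
  # cancel an accidental or malicious deletion.
  deletion_window_in_days = each.value.deletion_window

  # Automatic rotation is only offered for symmetric encryption keys. Because
  # key_usage and key_spec are caller-supplied, an unconditional `true` makes
  # the apply fail for asymmetric or HMAC keys. Symmetric keys (including the
  # case where the caller leaves spec/usage null and the AWS defaults apply)
  # keep rotating on the default annual schedule.
  enable_key_rotation = (
    coalesce(each.value.key_spec, "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT" &&
    coalesce(each.value.key_usage, "ENCRYPT_DECRYPT") == "ENCRYPT_DECRYPT"
  )

  key_usage                = each.value.key_usage
  customer_master_key_spec = each.value.key_spec

  # The key policy is passed through unchanged from the caller.
  # NOTE(review): a null policy results in the AWS default key policy, which
  # delegates access control to the account's IAM policies. Confirm that is
  # intended, and check supplied policies for wildcard principals or actions.
  policy = each.value.policy

  tags = merge(var.tags, {
    Name = "${var.name}-${each.key}"
  })
}

# Stable, human-readable alias for each key so consumers can reference
# "alias/<name>-<key>" instead of a key ID that changes if the key is replaced.
resource "aws_kms_alias" "this" {
  for_each = var.keys

  name          = "alias/${var.name}-${each.key}"
  target_key_id = aws_kms_key.this[each.key].key_id
}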