feat: add KMS key resources and update S3 encryption configuration

Introduce separate AWS KMS keys for ECR viewer and logging buckets and update their server-side encryption rules accordingly.

Author: alismx

s3.tf

@@ -1,3 +1,11 @@
+resource "aws_kms_key" "ecr_viewer" {
+  enable_key_rotation = true
+}
+
+resource "aws_kms_key" "logging" {
+  enable_key_rotation = true
+}
+
 resource "aws_s3_bucket" "ecr_viewer" {
   bucket        = local.s3_viewer_bucket_name
   force_destroy = true
@@ -18,7 +26,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "ecr_viewer" {
   bucket = aws_s3_bucket.ecr_viewer.bucket
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
+      kms_master_key_id = aws_kms_key.ecr_viewer.arn
+      sse_algorithm     = "aws:kms"
     }
   }
 }
@@ -55,7 +64,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "logging" {
   bucket = aws_s3_bucket.logging.bucket
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
+      kms_master_key_id = aws_kms_key.logging.arn
+      sse_algorithm     = "aws:kms"
     }
   }
 }