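/**
 * # S3LbAccessLog
 *
 * Module to create an S3 bucket for load-balancer access logging. The bucket
 * policy is set automatically: a write grant for the regional ELB log-delivery
 * principal plus a deny for any request that is not made over TLS. Public
 * access is blocked, default server-side encryption is enabled, and an
 * optional lifecycle rule expires old log objects.
 */

# The log bucket itself.
# NOTE(review): force_destroy = true lets `terraform destroy` remove a non-empty
# bucket, i.e. the retained access logs. If these logs are audit evidence,
# consider exposing this as a module input that defaults to false.
resource "aws_s3_bucket" "this" {
  bucket        = var.bucket_name
  force_destroy = true
}

# Block every form of public access. Log delivery is authorised by the bucket
# policy below and never needs public ACLs or a public policy.
resource "aws_s3_bucket_public_access_block" "block_public_access" {
  bucket = aws_s3_bucket.this.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Region the bucket lives in; selects which log-delivery principal is used.
data "aws_region" "this" {}

locals {
  # True when var.region_account_map has an entry for this region (regions that
  # existed before August 2022 use a per-region ELB account as the writer).
  is_pre_2022_region = can(var.region_account_map[data.aws_region.this.id])

  # True when a customer-managed KMS key was supplied. try() also covers a
  # null variable, which length() alone would reject.
  use_kms = try(length(var.encryption_key_arn) > 0, false)
}

# Bucket policy, following the AWS access-logging guide:
# https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html
# Exactly one of the two AllowLbWrite_* statements is rendered.
data "aws_iam_policy_document" "bucket_policy" {
  # Regions created before August 2022: the regional ELB log-delivery account
  # writes the logs.
  # NOTE(review): the map value is assumed to be that account's ID or its
  # "arn:aws:iam::<id>:root" ARN -- confirm against the module's variables.
  dynamic "statement" {
    for_each = local.is_pre_2022_region ? [1] : []

    content {
      sid     = "AllowLbWrite_Pre2022Region"
      effect  = "Allow"
      actions = ["s3:PutObject", "s3:GetBucketAcl"]

      principals {
        type        = "AWS"
        identifiers = [var.region_account_map[data.aws_region.this.id]]
      }

      # NOTE(review): s3:PutObject is allowed on every key in the bucket. The
      # AWS-documented policy scopes it to "<prefix>/AWSLogs/<account-id>/*",
      # which stops other customers' load balancers (same shared ELB principal)
      # from delivering into this bucket. Narrow the object resource when the
      # bucket is meant to serve a single, known account.
      resources = [
        aws_s3_bucket.this.arn,
        "${aws_s3_bucket.this.arn}/*",
      ]
    }
  }

  # Regions opened in or after August 2022: the ELB log-delivery service
  # principal writes the logs instead of a per-region account.
  dynamic "statement" {
    for_each = local.is_pre_2022_region ? [] : [1]

    content {
      sid     = "AllowLbWrite_Post2022Region"
      effect  = "Allow"
      actions = ["s3:PutObject", "s3:GetBucketAcl"]

      principals {
        type        = "Service"
        identifiers = ["logdelivery.elasticloadbalancing.amazonaws.com"]
      }

      # NOTE(review): same scoping remark as the pre-2022 statement applies.
      resources = [
        aws_s3_bucket.this.arn,
        "${aws_s3_bucket.this.arn}/*",
      ]
    }
  }

  # Reject every request that is not made over TLS (aws:SecureTransport=false),
  # for all principals and all S3 actions on the bucket and its objects.
  statement {
    sid     = "AllowSSLRequestsOnly"
    effect  = "Deny"
    actions = ["s3:*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    resources = [
      aws_s3_bucket.this.arn,
      "${aws_s3_bucket.this.arn}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = [false]
    }
  }
}

# Attach the generated policy to the bucket.
resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.this.id
  policy = data.aws_iam_policy_document.bucket_policy.json
}

# Optional retention: expire every object (empty filter = whole bucket) after
# var.current_version_expiration_days days. Only created when enabled.
resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" {
  count = var.enable_bucket_lifecycle ? 1 : 0

  bucket = aws_s3_bucket.this.id

  rule {
    id     = "ExpireAfterRetention"
    status = "Enabled"

    filter {}

    expiration {
      days = var.current_version_expiration_days
    }
  }
}

# Default encryption: SSE-KMS with the supplied key when var.encryption_key_arn
# is set, otherwise SSE-S3 (AES256). The KMS key id is left unset (null) rather
# than passed as "" in the AES256 case; bucket keys are enabled only with KMS,
# where they reduce per-object KMS calls.
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
  bucket = aws_s3_bucket.this.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = local.use_kms ? "aws:kms" : "AES256"
      kms_master_key_id = local.use_kms ? var.encryption_key_arn : null
    }

    bucket_key_enabled = local.use_kms
  }
}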