# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
resource "aws_s3_bucket" "bucket" {
  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
  # checkov:skip=CKV_AWS_144: TODO: cross replication
  
  bucket = local.fullname
  tags   = merge(local.standard_tags, var.tags)
}

resource "aws_s3_bucket_versioning" "s3_version_bucket" {
  bucket = aws_s3_bucket.bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_acl" "s3_acl_bucket" {
  bucket = aws_s3_bucket.bucket.id
  acl    = "private"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.bucketkey.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
  bucket = aws_s3_bucket.bucket.id
  rule {
    id     = "INTELLIGENT_TIERING"
    status = "Enabled"
    filter {} # Required for noncurrent_version_expiration to work
    abort_incomplete_multipart_upload {
      days_after_initiation = 2
    }
    transition {
      days          = 30
      storage_class = "INTELLIGENT_TIERING"
    }
    noncurrent_version_expiration {
      # We always keep the current version and the previous version, and delete any other versions after 90 days
      newer_noncurrent_versions = 2
      noncurrent_days           = 90
    }
  }
}
resource "aws_s3_bucket_public_access_block" "public_access_block" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
  # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
  depends_on = [aws_s3_bucket_policy.s3_bucket_policy]
}

data "aws_iam_policy_document" "s3_bucket_policy" {
  statement {
    sid    = "AccountAllow"
    effect = "Allow"

    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]

    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]

    principals {
      type        = "AWS"
      identifiers = local.principals
    }
  }
}

resource "aws_s3_bucket_policy" "s3_bucket_policy" {
  depends_on = [aws_iam_role.role] # 2022-04-22: FTD: Copied this across, but not sure why this dependency.

  bucket = aws_s3_bucket.bucket.id

  policy = data.aws_iam_policy_document.s3_bucket_policy.json
}

resource "aws_s3_bucket_cors_configuration" "s3_cors_config" {
  count = length(var.cors_rules) > 0 ? 1 : 0

  bucket                = aws_s3_bucket.bucket.id

  dynamic "cors_rule" {
    for_each = var.cors_rules
    iterator = each

    content {
      id              = try(each.value.id, null)
      allowed_methods = each.value.allowed_methods
      allowed_origins = each.value.allowed_origins
      allowed_headers = try(each.value.allowed_headers, null)
      expose_headers  = try(each.value.expose_headers, null)
      max_age_seconds = try(each.value.max_age_seconds, null)
    }
  }
}