locals {
  bucket_name  = "xdr-${var.splunk_prefix}-${var.environment}-splunk-smartstore"
  accounts     = [var.aws_account_id]
  account_arns = [for a in local.accounts : "arn:${var.aws_partition}:iam::${a}:root"]
}

# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
resource "aws_s3_bucket" "bucket" {
  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
  # checkov:skip=CKV_AWS_144: Cross-region replication TODO

  bucket = local.bucket_name
  tags   = merge(local.standard_tags, var.tags)
}

resource "aws_s3_bucket_acl" "s3_acl_bucket" {
  bucket = aws_s3_bucket.bucket.id
  acl    = "private"
}

resource "aws_s3_bucket_versioning" "s3_version_bucket" {
  bucket = aws_s3_bucket.bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id     = "INTELLIGENT_TIERING"
    status = "Enabled"

    abort_incomplete_multipart_upload {
      days_after_initiation = 2
    }

    transition {
      days          = 90
      storage_class = "INTELLIGENT_TIERING"
    }

    # Clean up old versions after a year
    # noncurrent_version_expiration {
    #  noncurrent_days = 365
    #}
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.bucketkey.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "public_access_block" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
  # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
  depends_on = [aws_s3_bucket_policy.policy]
}

resource "aws_s3_bucket_policy" "policy" {
  bucket = aws_s3_bucket.bucket.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "AllowThisAccount",
  "Statement": [
    {
      "Sid": "AccountAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": ${jsonencode(local.account_arns)}
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "${aws_s3_bucket.bucket.arn}",
        "${aws_s3_bucket.bucket.arn}/*"
      ]
    }
  ]
}
POLICY
}

//AWS Provider outdated arguments <4.4.0
/*resource "aws_s3_bucket" "bucket" {
  bucket = local.bucket_name
  acl    = "private"

  versioning {
    enabled = true
  }

  tags = merge(local.standard_tags, var.tags)

  lifecycle_rule {
    id      = "INTELLIGENT_TIERING"
    enabled = true

    abort_incomplete_multipart_upload_days = 2

    transition {
      days          = 90
      storage_class = "INTELLIGENT_TIERING"
    }

    #    expiration {
    #      days = 365
    #    }
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.bucketkey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
*/