locals {
  # Technically, we don't need these in ARN format, but it makes updates slightly clearer
  xdr_accounts = [ for a in var.account_list: "arn:${var.aws_partition}:iam::${a}:root" ]
  extra_accounts = [ for a in var.extra_accounts: "arn:${var.aws_partition}:iam::${a}:root" ]
  accounts = concat(local.xdr_accounts, local.extra_accounts)
}

resource "aws_s3_bucket" "bucket" {
  bucket = var.name
  acl    = "private"

  versioning {
    enabled = false
  }

  tags = merge(var.standard_tags, var.tags)

  # FIXME: Does this keep a cross-account dependency?
  #logging {
  #  target_bucket = "dps-s3-logs"
  #  target_prefix = "aws_terraform_s3_state_access_logs/"
  #}

  lifecycle_rule {
    enabled                                = true
    prefix                                 = ""
    abort_incomplete_multipart_upload_days = 7

    expiration {
      days                         = 0
      expired_object_delete_marker = false
    }
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = var.encryption == "SSE-KMS" ? aws_kms_key.bucketkey[0].arn : null
        sse_algorithm     = var.encryption == "SSE-KMS" ? "aws:kms" : "AES256"
      }
    }
  }

}

resource "aws_s3_bucket_public_access_block" "public_access_block" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

data "aws_iam_policy_document" "s3" {
  statement {
    sid    = "AccountAllow"
    effect = "Allow"

    resources = [
      "${aws_s3_bucket.bucket.arn}",
      "${aws_s3_bucket.bucket.arn}/*",
    ]

    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]

    principals {
      type        = "AWS"
      identifiers = local.accounts
    }
  }
}

resource "aws_s3_bucket_policy" "policy" {
  bucket = aws_s3_bucket.bucket.id

  policy = data.aws_iam_policy_document.s3.json
}