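# Disable warnings about MFA delete and IAM access analyzer (currently cannot support them)
# kics-scan disable=c5b31ab9-0f26-4a49-b8aa-4cc064392f4d,e592a0c5-5bdb-414c-9066-5dba7cdea370

# NOTE(review): no aws_s3_bucket_server_side_encryption_configuration is declared for
# either bucket in this file; confirm it lives in another file, or that relying on the
# SSE-S3 default is acceptable for the artifact and log data.

# Bucket to actually store artifacts (name supplied by the caller via var.bucket)
resource "aws_s3_bucket" "s3_bucket" {
  bucket = var.bucket

  tags = {
    Name        = "Orchard S3 Provisioning Bucket"
    Environment = var.environment
  }
}

# Control public access on the artifact bucket: public ACLs are blocked and ignored,
# public bucket policies are blocked, and cross-account public access is restricted.
resource "aws_s3_bucket_public_access_block" "s3_bucket_public_access_block" {
  bucket = aws_s3_bucket.s3_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

/*
  Our lifecycle rule is as follows:
    - Standard storage
    -> OneZone IA storage after 30 days
    -> Glacier storage after 180 days

  Both rules use an empty filter, so each applies to every object in the bucket.
*/
resource "aws_s3_bucket_lifecycle_configuration" "s3_bucket_lifecycle_configuration" {
  bucket = aws_s3_bucket.s3_bucket.id

  rule {
    id     = "Standard to OneZone"
    filter {}
    status = "Enabled"

    transition {
      days          = 30
      storage_class = "ONEZONE_IA"
    }
  }

  rule {
    id     = "OneZone to Glacier"
    filter {}
    status = "Enabled"

    transition {
      days          = 180
      storage_class = "GLACIER"
    }
  }
}

# Enable versioning but without MFA delete enabled (see the kics-scan disable above)
resource "aws_s3_bucket_versioning" "s3_bucket_versioning" {
  bucket = aws_s3_bucket.s3_bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}

# Give preference to the bucket owner for objects written with the bucket-owner-full-control ACL
resource "aws_s3_bucket_ownership_controls" "s3_bucket_ownership_controls" {
  bucket = aws_s3_bucket.s3_bucket.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Canned ACL for the artifact bucket, taken from var.acl.
# NOTE(review): the original comment described this as "private", but the effective ACL is
# whatever var.acl supplies; public ACL grants are ignored by the public access block above
# regardless of that value. Ownership controls must exist before an ACL can be set.
resource "aws_s3_bucket_acl" "s3_bucket_acl" {
  depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_ownership_controls]

  bucket = aws_s3_bucket.s3_bucket.id
  acl    = var.acl
}

# Bucket for logging
# NOTE(review): this name is hard-coded while the artifact bucket name comes from var.bucket.
# S3 bucket names are global, so a second environment applying this configuration will
# collide on this name; consider deriving it from a variable like the artifact bucket.
resource "aws_s3_bucket" "logging" {
  bucket = "orchard-logging-bucket"

  tags = {
    Name        = "Orchard S3 Logging Bucket"
    Environment = var.environment
  }
}

# Block public access on the logging bucket, matching the artifact bucket above.
# Log delivery is granted through the bucket policy below, not through a public grant,
# so blocking public ACLs and policies does not interfere with it.
resource "aws_s3_bucket_public_access_block" "logging_public_access_block" {
  bucket = aws_s3_bucket.logging.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Versioning for the logging bucket
# NOTE(review): no lifecycle rule expires log objects or their noncurrent versions, so
# access logs accumulate indefinitely; confirm that matches the intended retention.
resource "aws_s3_bucket_versioning" "orchard_logging_bucket_versioning" {
  bucket = aws_s3_bucket.logging.id

  versioning_configuration {
    status = "Enabled"
  }
}

# Policies for the main s3 bucket and the logging bucket.
# Both policy documents are data sources defined outside this file.
resource "aws_s3_bucket_policy" "s3_bucket_https_policy" {
  bucket = aws_s3_bucket.s3_bucket.id
  policy = data.aws_iam_policy_document.s3_reject_https_policy.json
}

resource "aws_s3_bucket_policy" "logging_policy" {
  bucket = aws_s3_bucket.logging.bucket
  policy = data.aws_iam_policy_document.logging_bucket_policy.json
}

# Set up the logging bucket with folders with logs for both buckets.
# Access logs for the artifact bucket land under s3_log/, keyed by event-time partition.
resource "aws_s3_bucket_logging" "s3_bucket_logging" {
  bucket        = aws_s3_bucket.s3_bucket.bucket
  target_bucket = aws_s3_bucket.logging.bucket
  target_prefix = "s3_log/"

  target_object_key_format {
    partitioned_prefix {
      partition_date_source = "EventTime"
    }
  }
}

# The logging bucket records its own access logs under log/.
# NOTE(review): source and target are the same bucket here, so each log delivery is itself
# a write to this bucket and can generate further log records; confirm this is intended
# rather than using a separate target bucket.
resource "aws_s3_bucket_logging" "logging_bucket_logging" {
  bucket        = aws_s3_bucket.logging.bucket
  target_bucket = aws_s3_bucket.logging.bucket
  target_prefix = "log/"

  target_object_key_format {
    partitioned_prefix {
      partition_date_source = "EventTime"
    }
  }
}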