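/*
 * AWS Config Service
 *
 * Turns on the AWS Config recorder for every supported resource type (plus
 * global types such as IAM) and delivers the configuration history and
 * snapshots to a dedicated S3 bucket in this account.
 *
 * If Config is already enabled in the account, import the existing recorder
 * instead of creating a second one:
 *   terraform import aws_config_configuration_recorder.config-recorder default
 */

data "aws_caller_identity" "this" {}

locals {
  # Single source of truth for the bucket name/ARN so the module input and the
  # ARNs in the bucket policy cannot drift apart.
  # NOTE(review): the ARN assumes the standard "aws" partition; use
  # data.aws_partition if this is ever deployed to GovCloud/China.
  config-bucket-name = "${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}"
  config-bucket-arn  = "arn:aws:s3:::${local.config-bucket-name}"
}

# Service-linked role the recorder assumes. Only one AWSServiceRoleForConfig
# can exist per account; if it already exists, import it (ID = role ARN)
# rather than letting the apply fail on creation.
resource "aws_iam_service_linked_role" "config" {
  aws_service_name = "config.amazonaws.com"
}

resource "aws_config_configuration_recorder" "config-recorder" {
  name     = "${local.resource-prefix}-awsconfig"
  role_arn = aws_iam_service_linked_role.config.arn

  # Record all supported resource types, including global ones.
  # NOTE(review): global resource types should be recorded from a single
  # region per account; confirm this module is not applied in several regions
  # or IAM items will be recorded more than once.
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_delivery_channel" "config-delivery-channel" {
  name           = "${local.resource-prefix}-configdeliverychannel"
  s3_bucket_name = module.config-bucket.bucket-name

  # Config validates the bucket policy when the channel is created, so the
  # whole bucket module (bucket AND its policy) must be applied first - the
  # implicit dependency on bucket-name alone only covers the bucket resource.
  # The recorder must also exist before a delivery channel can be attached.
  depends_on = [
    module.config-bucket,
    aws_config_configuration_recorder.config-recorder,
  ]
}

# Start recording only once the delivery channel is in place.
resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.config-recorder.name
  is_enabled = true

  depends_on = [aws_config_delivery_channel.config-delivery-channel]
}

######## Config Bucket - Policy ########

module "config-bucket" {
  source = "../../storage/infra-s3-bucket"

  application        = var.application
  aws-region-short   = var.aws-region-short
  bucket-name        = local.config-bucket-name
  add-random-suffix  = false
  bucket-policy-json = data.aws_iam_policy_document.config_bucket_policy.json
  customer-name      = var.customer-name
  default-tags       = var.default-tags
  environment        = var.environment
  project            = var.project
}

# Bucket policy granting the Config service principal the minimum it needs.
#
# Every Allow statement is pinned to this account with aws:SourceAccount so
# the Config service acting on behalf of some other account cannot read or
# write this bucket (confused-deputy protection). Object writes are limited to
# the AWSLogs/<account-id>/Config/ prefix Config actually uses when, as here,
# no s3_key_prefix is set on the delivery channel.
#
# NOTE(review): if this bucket is later shared with other accounts (e.g. via
# an aggregator), the SourceAccount values and the PutObject prefix must be
# extended to cover them.
data "aws_iam_policy_document" "config_bucket_policy" {
  statement {
    sid = "AWSConfigBucketPermissionsCheck"

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    actions   = ["s3:GetBucketAcl"]
    resources = [local.config-bucket-arn]

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }

  statement {
    sid = "AWSConfigBucketExistenceCheck"

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    actions   = ["s3:ListBucket"]
    resources = [local.config-bucket-arn]

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }

  statement {
    sid = "AWSConfigBucketDelivery"

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    actions = ["s3:PutObject"]

    # Only the key prefix Config writes to, not the whole bucket.
    resources = [
      "${local.config-bucket-arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/Config/*",
    ]

    # Objects must be owned by the bucket owner so they are readable/manageable
    # by this account rather than by the service principal.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }

  # Baseline hardening for an audit-log bucket: refuse any request that is not
  # made over TLS, regardless of principal.
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]

    resources = [
      local.config-bucket-arn,
      "${local.config-bucket-arn}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}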