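# S3 bucket module: a private, TLS-only bucket with optional lifecycle,
# access logging, server-side encryption, versioning and cross-account
# replication. Every optional feature is gated by a `var.enable_*` count
# guard so callers opt in explicitly.

locals {
  # A non-empty key ARN selects SSE-KMS; an empty string means SSE-S3.
  use_kms = length(var.encryption_key_arn) > 0
}

resource "aws_s3_bucket" "this" {
  bucket = var.bucket_name
}

# Block every form of public access, regardless of ACLs or bucket policy.
resource "aws_s3_bucket_public_access_block" "block_public_access" {
  bucket = aws_s3_bucket.this.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Bucket policy: the caller-supplied document (var.bucket_policy_json) merged
# with a Deny for any request that is not made over TLS. The Deny applies to
# every principal, so it takes precedence over any Allow the caller adds.
data "aws_iam_policy_document" "bucket_policy" {
  source_policy_documents = [var.bucket_policy_json]

  statement {
    sid     = "AllowSSLRequestsOnly"
    effect  = "Deny"
    actions = ["s3:*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    # Both the bucket itself and every object in it.
    resources = [
      aws_s3_bucket.this.arn,
      "${aws_s3_bucket.this.arn}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.this.id
  policy = data.aws_iam_policy_document.bucket_policy.json

  # Apply the public access block first: a public statement in the caller's
  # policy is then rejected at PutBucketPolicy time instead of being applied
  # before the block lands, and the two calls no longer race each other.
  depends_on = [aws_s3_bucket_public_access_block.block_public_access]
}

# Lifecycle: expire current versions after `current_version_expiration_days`
# and noncurrent versions after `noncurrent_version_expiration_days`, moving
# both to INTELLIGENT_TIERING after 15 days.
resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" {
  count  = var.enable_bucket_lifecycle ? 1 : 0
  bucket = aws_s3_bucket.this.id

  # The noncurrent-version rule only makes sense once versioning is in place,
  # so order this after the versioning resource.
  depends_on = [aws_s3_bucket_versioning.versioning]

  rule {
    id     = "CurrentVersion"
    status = "Enabled"

    # Empty filter: the rule applies to every object in the bucket.
    filter {}

    transition {
      days          = 15
      storage_class = "INTELLIGENT_TIERING"
    }

    expiration {
      days = var.current_version_expiration_days
    }
  }

  rule {
    id = "NonCurrentVersion"
    # Noncurrent versions only exist on a versioned bucket.
    status = var.enable_versioning ? "Enabled" : "Disabled"

    filter {}

    noncurrent_version_transition {
      noncurrent_days = 15
      storage_class   = "INTELLIGENT_TIERING"
    }

    noncurrent_version_expiration {
      noncurrent_days = var.noncurrent_version_expiration_days
    }
  }
}

# Intelligent-Tiering archive tiers for objects that go unaccessed.
resource "aws_s3_bucket_intelligent_tiering_configuration" "intel_tiering_config" {
  bucket = aws_s3_bucket.this.id
  name   = "IntelligentTieringArchiveConfigurations"

  tiering {
    access_tier = "ARCHIVE_ACCESS"
    days        = 90
  }

  tiering {
    access_tier = "DEEP_ARCHIVE_ACCESS"
    days        = 180 # minimum
  }
}

# Server access logs delivered to a separate bucket supplied by the caller.
resource "aws_s3_bucket_logging" "logging" {
  count  = var.enable_bucket_logging ? 1 : 0
  bucket = aws_s3_bucket.this.id

  target_bucket = var.logging_bucket_id
  target_prefix = "s3-log/"
}

# Default encryption: SSE-KMS with the supplied key, otherwise SSE-S3.
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
  count  = var.enable_encryption ? 1 : 0
  bucket = aws_s3_bucket.this.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = local.use_kms ? "aws:kms" : "AES256"
      # null (not "") keeps the key attribute unset in the AES256 case.
      kms_master_key_id = local.use_kms ? var.encryption_key_arn : null
    }
    # Bucket keys only apply to SSE-KMS; they reduce KMS request volume.
    bucket_key_enabled = local.use_kms
  }
}

# Versioning is created only when enabled; the resource is never set to
# "Suspended" by this module.
resource "aws_s3_bucket_versioning" "versioning" {
  count  = var.enable_versioning ? 1 : 0
  bucket = aws_s3_bucket.this.id

  versioning_configuration {
    status = "Enabled"
  }
}

# Cross-account replication with Replication Time Control (15-minute SLA).
resource "aws_s3_bucket_replication_configuration" "replication" {
  # Replication requires a versioned source bucket, so both flags gate it.
  count  = var.enable_replication && var.enable_versioning ? 1 : 0
  role   = var.replication_role_arn
  bucket = aws_s3_bucket.this.id

  # Versioning must be enabled on the bucket before a replication
  # configuration can be put on it.
  depends_on = [aws_s3_bucket_versioning.versioning]

  rule {
    id     = "replrule1"
    status = "Enabled"

    # An explicit (empty) filter selects the V2 replication schema, which
    # delete_marker_replication, replication_time and metrics below require;
    # the rule still covers every object.
    filter {}

    delete_marker_replication {
      status = "Enabled"
    }

    source_selection_criteria {
      replica_modifications {
        status = "Enabled"
      }
      # Replicating SSE-KMS objects means the replication role needs to
      # decrypt with the source key and encrypt with the destination key.
      sse_kms_encrypted_objects {
        status = "Enabled"
      }
    }

    destination {
      bucket        = var.replication_dest_bucket_name
      account       = var.replication_destination_aws_account_id
      storage_class = "INTELLIGENT_TIERING"

      encryption_configuration {
        replica_kms_key_id = var.replication_destination_kms_key_arn
      }

      # Destination account takes ownership of replicas.
      access_control_translation {
        owner = "Destination"
      }

      replication_time {
        status = "Enabled"
        time {
          minutes = 15
        }
      }

      metrics {
        status = "Enabled"
        event_threshold {
          minutes = 15
        }
      }
    }
  }
}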