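# Bucket policy for the CloudTrail / AWS Config log-delivery bucket.
#
# cloudtrail.amazonaws.com and config.amazonaws.com are shared, multi-tenant
# service principals. A policy that grants them s3:PutObject with no
# source-account (or source-ARN) condition lets ANY AWS account point a trail
# or delivery channel at this bucket and write arbitrary objects into it — the
# classic confused-deputy problem for log buckets. Every service-principal
# statement below is therefore pinned to this account via aws:SourceAccount,
# and writes must carry bucket-owner-full-control, matching AWS's reference
# bucket policies for both services.
#
# NOTE(review): aws:SourceArn on the trail / delivery-channel ARN would be
# tighter still, but those resources are not visible from this file.
data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
  # Pre-delivery permission check. CloudTrail calls GetBucketAcl; AWS Config
  # additionally calls ListBucket when validating a delivery channel, so both
  # services and both actions are granted here (the original granted only
  # CloudTrail GetBucketAcl even though Config is allowed to write below).
  statement {
    sid = "AWSCloudTrailAclCheck"
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com", "config.amazonaws.com"]
    }
    actions = [
      "s3:GetBucketAcl",
      "s3:ListBucket",
    ]
    resources = [
      "arn:aws:s3:::${local.ct-bucket-name}",
    ]
    # Only trails / delivery channels owned by this account may target the bucket.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }

  # Log object delivery from CloudTrail and AWS Config.
  statement {
    sid = "AWSCloudTrailWrite"
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com", "cloudtrail.amazonaws.com"]
    }
    actions = [
      "s3:PutObject",
    ]
    resources = [
      "arn:aws:s3:::${local.ct-bucket-name}/*",
    ]
    # Same account pin as the ACL check: without it, a trail in any other AWS
    # account could deliver (or overwrite-by-key) objects here.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
    # Delivered objects must be owned by the bucket owner so they stay readable
    # via the account grant below and cannot be controlled by the writer's ACL.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }

  # Read access for this account. Granting the account root principal delegates
  # to whatever IAM policies the account's own principals carry; it does not by
  # itself open the bucket to everyone. Deliberately read-only (s3:Get* only) so
  # log history cannot be altered or deleted through this grant.
  statement {
    sid = "ReadAccessForAccountOwner"
    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.this.account_id]
    }
    actions = [
      "s3:Get*",
    ]
    resources = [
      "arn:aws:s3:::${local.ct-bucket-name}",
      "arn:aws:s3:::${local.ct-bucket-name}/*",
    ]
  }
}

# The bucket itself; encryption, versioning, public-access-block and other
# settings are whatever the shared infra-s3-bucket module applies (not visible here).
module "ct-bucket" {
  source = "../../storage/infra-s3-bucket"

  bucket-name        = local.ct-bucket-name
  bucket-policy-json = data.aws_iam_policy_document.cloudtrail_bucket_policy.json
  default-tags       = var.default-tags
}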