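# Bucket policy for the log-delivery bucket (local.ct-bucket-name).
# Two service principals write here: CloudTrail and AWS Config.
data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
  # CloudTrail reads the bucket ACL before it starts delivering log files.
  statement {
    sid = "AWSCloudTrailAclCheck"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:GetBucketAcl"]
    resources = ["arn:aws:s3:::${local.ct-bucket-name}"]
  }

  # Object writes from the two delivery services.
  statement {
    sid = "AWSCloudTrailWrite"

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com", "cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${local.ct-bucket-name}/*"]

    # Only accept objects that hand full control to the bucket owner, so the
    # delivered log files are owned (and readable/deletable) by this account
    # rather than by the delivering service.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }

    # NOTE(review): there is no aws:SourceArn / aws:SourceAccount condition,
    # so a trail or Config recorder in another account could deliver into this
    # bucket. Adding one needs the trail ARN or account id, which this file
    # does not define — confirm against the trail definition.
  }
}

# The log bucket itself: SSE-KMS by default, policy from the document above.
resource "aws_s3_bucket" "ct-bucket" {
  bucket = local.ct-bucket-name
  policy = join("", data.aws_iam_policy_document.cloudtrail_bucket_policy.*.json)

  # NOTE(review): versioning is off, so an object written with the same key
  # replaces the earlier one with no recoverable prior version.
  versioning {
    enabled = false
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.ctbucket-key.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  tags = var.default-tags

  # This rule is disabled (enabled = false): the 30-day transition and the
  # 90-day expiration below are declared but not in effect.
  lifecycle_rule {
    enabled = false

    transition {
      days          = 30
      storage_class = "INTELLIGENT_TIERING"
    }

    expiration {
      days = 90
    }
  }
}

# Block every form of public access to the log bucket.
resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
  bucket = aws_s3_bucket.ct-bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}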