# Terraform settings (required): the provider pin and the minimum CLI version
# this configuration is written against.
terraform {
  required_version = ">= 0.15"

  required_providers {
    aws = {
      source = "hashicorp/aws"
      # "~> 4.16.0" accepts 4.16.x patch releases only, so a provider upgrade
      # is a deliberate edit here rather than a side effect of `terraform init`.
      version = "~> 4.16.0"
    }
  }
}

# Providers!
# Default provider: the S3 bucket, and every resource below that does not name
# a provider explicitly, is created in eu-west-1 (Ireland).
provider "aws" {
  region = "eu-west-1"
}

# Aliased provider for us-east-1. CloudFront only accepts ACM certificates
# issued in us-east-1, so certificate resources would select it with
# `provider = aws.global`. Nothing visible in this file references the alias;
# the distribution below points at an existing certificate ARN instead.
provider "aws" {
  alias  = "global"
  region = "us-east-1"
}

# Variables
variable "domainname" {
  description = "Site hostname. Doubles as the S3 bucket name and as the CloudFront alias."
  default     = "blog.ligthert.net"
  type        = string
}

#
# <S3
#

# Create the site bucket, named after the hostname. Bucket names are global,
# so this only succeeds while no other account owns a bucket of that name.
resource "aws_s3_bucket" "bucket" {
  # Destructive: `terraform destroy` deletes every object in the bucket
  # before removing it, without prompting.
  force_destroy = true
  bucket        = var.domainname
}

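# Keep the bucket private. CloudFront reads it through the origin access
# identity granted in the bucket policy below, so the anonymous READ that
# "public-read" grants on the bucket (including object listing) is not needed
# and would let clients fetch the site directly, bypassing the distribution's
# https-only viewer policy.
resource "aws_s3_bucket_acl" "bucket_acl" {
  bucket = aws_s3_bucket.bucket.id
  acl    = "private"
}

# Reject public ACLs and public policies at the bucket level, so a later
# `acl = "public-read"` or `identifiers = ["*"]` fails at apply time instead of
# silently exposing the objects outside CloudFront.
resource "aws_s3_bucket_public_access_block" "bucket_public_access" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Static website settings. The CloudFront origin below uses the bucket's
# regional (REST) endpoint with an OAI rather than the S3 website endpoint, so
# these settings do not apply to requests coming through CloudFront: the root
# index is served via the distribution's `default_root_object`, and a missing
# key returns S3's own error, not "error.html", unless the distribution adds a
# `custom_error_response`.
resource "aws_s3_bucket_website_configuration" "bucket_website" {
  bucket = aws_s3_bucket.bucket.bucket

  index_document {
    suffix = "index.html"
  }
  error_document {
    key = "error.html"
  }
}

# Attach the OAI-only read policy to the bucket.
resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.bucket.id
  policy = data.aws_iam_policy_document.bucket_policy_document.json

  # Serialise the two bucket-configuration writes; S3 can reject concurrent
  # conditional operations on the same bucket.
  depends_on = [aws_s3_bucket_public_access_block.bucket_public_access]
}

# Read access for the CloudFront origin access identity, and nothing else.
data "aws_iam_policy_document" "bucket_policy_document" {
  statement {
    sid    = "CloudFrontOAIReadGetObject"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.dafaim.iam_arn]
    }
    # s3:GetObject only applies to object ARNs, so the bare bucket ARN is
    # not listed.
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.bucket.arn}/*"]
  }
}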

#
# S3>
#

#
# <CloudFront
#

locals {
  # Identifier tying the distribution's cache behaviours to its single S3
  # origin (target_origin_id and origin_id below).
  s3_origin_id = "S3Origin"
}

resource "aws_cloudfront_origin_access_identity" "dafaim" {
  comment = "Manage access and identities."
}

resource "aws_cloudfront_distribution" "s3_distribution" {

  aliases = ["${var.domainname}"]
  comment = "A CloudFront distribution"

  default_cache_behavior {
    allowed_methods = ["GET", "HEAD", "OPTIONS"]
    cached_methods  = ["GET", "HEAD", "OPTIONS"]
    compress        = true
    default_ttl     = 3600
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
    max_ttl                = 86400
    target_origin_id       = local.s3_origin_id
    viewer_protocol_policy = "https-only"
  }
  default_root_object = "index.html"
  enabled             = true
  is_ipv6_enabled     = true

  ordered_cache_behavior {
    path_pattern     = "/*"
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD", "OPTIONS"]
    target_origin_id = local.s3_origin_id

    forwarded_values {
      query_string = false
      headers      = ["Origin"]

      cookies {
        forward = "none"
      }
    }

    default_ttl            = 86400
    max_ttl                = 31536000
    compress               = true
    viewer_protocol_policy = "https-only"
  }

  origin {
    domain_name = aws_s3_bucket.bucket.bucket_regional_domain_name
    origin_id   = local.s3_origin_id
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.dafaim.cloudfront_access_identity_path
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  price_class = "PriceClass_All"
  viewer_certificate {
    acm_certificate_arn            = "arn:aws:acm:us-east-1:131289899509:certificate/affaa360-86e8-40e9-b008-e691e55646c8"
    cloudfront_default_certificate = false
    ssl_support_method             = "sni-only"
  }

}

#
# CloudFront>
#