# Get the AWS accountID
data "aws_caller_identity" "current" {
}


# Create S3 buckets for logging and tfstate
resource "aws_s3_bucket" "tflogs" {
  bucket = var.s3bucketlogs
  acl    = "log-delivery-write"

  tags = {
    Name        = var.s3bucketlogs
    "ManagedBy" = "terraform"
  }

  # Enable server-side encryption by default
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

resource "aws_s3_bucket" "tfstate" {
  bucket = var.s3bucketstate

  tags = {
    Name        = var.s3bucketstate
    "ManagedBy" = "terraform"
  }

  logging {
    target_bucket = aws_s3_bucket.tflogs.id
    target_prefix = "log/"
  }

  versioning {
    enabled = true
  }

  lifecycle {
    prevent_destroy = true
  }

  # Enable server-side encryption by default
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

resource "aws_s3_bucket_policy" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  policy = <<POLICY
{
  "Statement":[
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]},
      "Resource": "arn:aws:s3:::${var.s3bucketstate}/*",
      "Sid": "AddUserPerms"
    }
  ],
  "Version": "2012-10-17"
}
POLICY

}

# Create DynamoDB table for locking and consistency checking
resource "aws_dynamodb_table" "terraform-dynamodb-table-slopedme" {
  name           = "terraform-dynamodb-table-slopedme"
  billing_mode   = "PAY_PER_REQUEST"
  read_capacity  = 0
  write_capacity = 0
  hash_key       = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }

  tags = {
    Name        = "terraform-dynamodb-table-slopedme"
    "ManagedBy" = "terraform"
  }
}

output "accountid" {
  value = data.aws_caller_identity.current.account_id
}