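# S3 buckets and IAM credentials for Strapi media uploads (cms.mareshq.com).
# Two parallel stacks are declared: "local" (development) and "live".
#
# Security notes that apply to both stacks:
#   * Public ACLs are neither blocked nor ignored, ACLs are enabled through
#     BucketOwnerPreferred, and the IAM user holds s3:PutObjectAcl. Together
#     this lets the uploader make individual objects world-readable.
#     NOTE(review): presumably intentional so uploads can be served straight
#     from S3; confirm, and confirm nothing private is ever written here.
#   * aws_iam_access_key stores the secret in the Terraform state in plain
#     text. `sensitive = true` on the output only hides it from CLI output,
#     so the state backend must be encrypted and access-restricted. The
#     resource's `pgp_key` argument is an alternative that keeps the plain
#     secret out of state.
#   * These are long-lived static keys; they need a rotation procedure.

# local development
resource "aws_s3_bucket" "strapi_uploads_local" {
  bucket = "mareshq-strapi-uploads-local"

  tags = {
    Name        = "mareshq-strapi-uploads-local"
    Environment = "local"
    ManagedBy   = "Terraform"
    For         = "cms.mareshq.com"
  }
}

resource "aws_s3_bucket_ownership_controls" "strapi_uploads_local" {
  bucket = aws_s3_bucket.strapi_uploads_local.id

  rule {
    # Keeps object ACLs enabled on the bucket.
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_public_access_block" "strapi_uploads_local" {
  bucket = aws_s3_bucket.strapi_uploads_local.id

  # Public bucket policies are blocked; public object ACLs are still allowed
  # and honoured (see the notes at the top of the file).
  block_public_acls       = false
  block_public_policy     = true
  ignore_public_acls      = false
  restrict_public_buckets = true
}

resource "aws_s3_bucket_cors_configuration" "strapi_uploads_local" {
  bucket = aws_s3_bucket.strapi_uploads_local.id

  # Read-only CORS from any origin.
  # NOTE(review): if only the CMS and site front ends load these assets,
  # allowed_origins can be narrowed to those origins.
  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["GET"]
    allowed_origins = ["*"]
    expose_headers  = []
    max_age_seconds = 3000
  }
}

resource "aws_iam_user" "strapi_uploads_local" {
  name = "mareshq-strapi-uploads-local"

  # Tags now describe this user. They previously carried Name "gitlab-backup"
  # and Environment "production", which mislabels a local-development identity
  # in any tag-based inventory or audit.
  tags = {
    Name        = "mareshq-strapi-uploads-local"
    Environment = "local"
    ManagedBy   = "Terraform"
    For         = "cms.mareshq.com"
  }
}

resource "aws_iam_user_policy" "strapi_uploads_local" {
  name   = "mareshq-strapi-uploads-local"
  user   = aws_iam_user.strapi_uploads_local.name
  policy = data.aws_iam_policy_document.strapi_uploads_local.json
}

resource "aws_iam_access_key" "strapi_uploads_local" {
  user = aws_iam_user.strapi_uploads_local.name
}

output "strapi_uploads_local_credentials" {
  value = {
    access_key = aws_iam_access_key.strapi_uploads_local.id
    secret_key = aws_iam_access_key.strapi_uploads_local.secret
  }
  sensitive = true
}

data "aws_iam_policy_document" "strapi_uploads_local" {
  version = "2012-10-17"

  # Object-level access. The ARN is derived from the bucket resource so the
  # policy cannot drift from the bucket it is meant to cover.
  statement {
    effect = "Allow"
    # NOTE(review): s3:GetBucketAcl, s3:GetBucketLocation and
    # s3:ListBucketMultipartUploads are bucket-level actions; on an object
    # ARN ("/*") they match nothing. Move them to the bucket statement if
    # they are needed, otherwise drop them.
    actions = [
      "s3:AbortMultipartUpload",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:DeleteObject",
    ]
    resources = ["${aws_s3_bucket.strapi_uploads_local.arn}/*"]
  }

  # Account-wide statement.
  # NOTE(review): this lets the uploader enumerate every bucket in the
  # account and read any bucket's location. If the upload provider works
  # without it, remove s3:ListAllMyBuckets and scope s3:GetBucketLocation
  # to this bucket.
  statement {
    effect = "Allow"
    actions = [
      "s3:GetBucketLocation",
      "s3:ListAllMyBuckets"
    ]
    resources = ["*"]
  }

  # Listing is limited to this bucket.
  statement {
    effect = "Allow"
    actions = [
      "s3:ListBucket"
    ]
    resources = [aws_s3_bucket.strapi_uploads_local.arn]
  }
}

# live environment
resource "aws_s3_bucket" "strapi_uploads_live" {
  bucket = "mareshq-strapi-uploads-live"

  tags = {
    Name        = "mareshq-strapi-uploads-live"
    Environment = "live"
    ManagedBy   = "Terraform"
    For         = "cms.mareshq.com"
  }
}

resource "aws_s3_bucket_ownership_controls" "strapi_uploads_live" {
  bucket = aws_s3_bucket.strapi_uploads_live.id

  rule {
    # Keeps object ACLs enabled on the bucket.
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_public_access_block" "strapi_uploads_live" {
  bucket = aws_s3_bucket.strapi_uploads_live.id

  # Public bucket policies are blocked; public object ACLs are still allowed
  # and honoured (see the notes at the top of the file).
  block_public_acls       = false
  block_public_policy     = true
  ignore_public_acls      = false
  restrict_public_buckets = true
}

resource "aws_s3_bucket_cors_configuration" "strapi_uploads_live" {
  bucket = aws_s3_bucket.strapi_uploads_live.id

  # Read-only CORS from any origin.
  # NOTE(review): if only the CMS and site front ends load these assets,
  # allowed_origins can be narrowed to those origins.
  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["GET"]
    allowed_origins = ["*"]
    expose_headers  = []
    max_age_seconds = 3000
  }
}

resource "aws_iam_user" "strapi_uploads_live" {
  name = "mareshq-strapi-uploads-live"

  # Tags now match the live bucket's tags. They previously carried Name
  # "gitlab-backup" and Environment "production", which did not agree with
  # the bucket this user serves.
  tags = {
    Name        = "mareshq-strapi-uploads-live"
    Environment = "live"
    ManagedBy   = "Terraform"
    For         = "cms.mareshq.com"
  }
}

resource "aws_iam_user_policy" "strapi_uploads_live" {
  name   = "mareshq-strapi-uploads-live"
  user   = aws_iam_user.strapi_uploads_live.name
  policy = data.aws_iam_policy_document.strapi_uploads_live.json
}

resource "aws_iam_access_key" "strapi_uploads_live" {
  user = aws_iam_user.strapi_uploads_live.name
}

output "strapi_uploads_live_credentials" {
  value = {
    access_key = aws_iam_access_key.strapi_uploads_live.id
    secret_key = aws_iam_access_key.strapi_uploads_live.secret
  }
  sensitive = true
}

data "aws_iam_policy_document" "strapi_uploads_live" {
  version = "2012-10-17"

  # Object-level access. The ARN is derived from the bucket resource so the
  # policy cannot drift from the bucket it is meant to cover.
  statement {
    effect = "Allow"
    # NOTE(review): s3:GetBucketAcl, s3:GetBucketLocation and
    # s3:ListBucketMultipartUploads are bucket-level actions; on an object
    # ARN ("/*") they match nothing. Move them to the bucket statement if
    # they are needed, otherwise drop them.
    actions = [
      "s3:AbortMultipartUpload",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:DeleteObject",
    ]
    resources = ["${aws_s3_bucket.strapi_uploads_live.arn}/*"]
  }

  # Account-wide statement.
  # NOTE(review): this lets the uploader enumerate every bucket in the
  # account and read any bucket's location. If the upload provider works
  # without it, remove s3:ListAllMyBuckets and scope s3:GetBucketLocation
  # to this bucket.
  statement {
    effect = "Allow"
    actions = [
      "s3:GetBucketLocation",
      "s3:ListAllMyBuckets"
    ]
    resources = ["*"]
  }

  # Listing is limited to this bucket.
  statement {
    effect = "Allow"
    actions = [
      "s3:ListBucket"
    ]
    resources = [aws_s3_bucket.strapi_uploads_live.arn]
  }
}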