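# Bucket policy granting the CloudFront origin access identity (OAI) read
# access to this environment's webroot prefix in the shared artifact bucket.
# The rendered document is exported via the `oai_access_policy` output and is
# presumably attached to the bucket by the caller — confirm.
data "aws_iam_policy_document" "bucket_access_policy" {
  # Object reads are limited to the environment's webroot prefix.
  statement {
    actions   = ["s3:GetObject"]
    effect    = "Allow"
    resources = ["${var.artifact_bucket.arn}/${var.environment}/webroot/*"]

    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn]
    }
  }

  # NOTE(review): s3:ListBucket is granted on the whole bucket, so this OAI
  # can enumerate keys outside "${var.environment}/webroot/" (including other
  # environments sharing the bucket). Scoping it with an `s3:prefix` condition
  # would be tighter; verify first that a missing object still surfaces as a
  # 404 rather than a 403, since the custom_error_response below depends on it.
  statement {
    actions   = ["s3:ListBucket"]
    effect    = "Allow"
    resources = [var.artifact_bucket.arn]

    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn]
    }
  }
}

# Whole policy-document object; consumers read `.json` to attach it as a
# bucket policy.
output "oai_access_policy" {
  value = data.aws_iam_policy_document.bucket_access_policy
}

# Identity CloudFront uses to fetch objects from the private bucket.
# NOTE(review): OAI is the legacy mechanism; Origin Access Control
# (aws_cloudfront_origin_access_control) is its successor — consider migrating.
resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
  # Fixed: the original used "{$var.environment}", which is not an
  # interpolation and was rendered literally.
  comment = "OAI for HFF Entry Forms ${var.environment} environment."
}

# Public CDN distribution in front of the environment's webroot.
resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name = var.artifact_bucket.bucket_regional_domain_name
    # Must match default_cache_behavior.target_origin_id below.
    origin_id   = "S3-HffEntryForms-${var.environment}"
    # Rooted at the same prefix the bucket policy allows GetObject on.
    origin_path = "/${var.environment}/webroot"

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path
    }
  }

  enabled             = true
  is_ipv6_enabled     = true
  comment             = "HFF Entry Forms ${var.environment} distribution."
  default_root_object = "/index.html"

  # Access logs land in the same artifact bucket, under a per-environment prefix.
  logging_config {
    include_cookies = false
    bucket          = var.artifact_bucket.bucket_domain_name
    prefix          = "${var.environment}/logs/cloudfront"
  }

  aliases = [local.app_domain_name]

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD", "OPTIONS"]
    target_origin_id = "S3-HffEntryForms-${var.environment}"

    # Static site: neither query strings nor cookies reach the origin.
    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    # NOTE(review): index.html (the root object and the 404 fallback) is
    # cached for a year too, so a deploy needs an invalidation to become
    # visible — presumably handled in the deploy pipeline; confirm.
    min_ttl     = 0
    default_ttl = 60 * 60 * 24 * 365 # cache for a year
    max_ttl     = 60 * 60 * 24 * 365 # cache for a year

    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  # SPA routing: unknown paths fall back to index.html with a 200.
  custom_error_response {
    error_code         = 404
    response_code      = 200
    response_page_path = "/index.html"
  }

  price_class = "PriceClass_100" # US and Canada only

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # NOTE(review): tagged with local.environment_name while the rest of the
  # file keys on var.environment — presumably the same value; confirm.
  tags = {
    Environment = local.environment_name
  }

  viewer_certificate {
    # TODO
    acm_certificate_arn = var.cloudfront_certificate_arn
    ssl_support_method  = "sni-only"
    # Without this the provider falls back to an old minimum (TLSv1);
    # the 2021 policy is the current recommended baseline for SNI viewers.
    minimum_protocol_version = "TLSv1.2_2021"
  }
}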