# Terraform configuration to create a CloudFront distribution for an S3 bucket.

# AWS provider. The region controls where the S3 origin bucket is created;
# CloudFront itself is a global service. (A custom-domain ACM certificate for
# CloudFront would also have to live in us-east-1, but this configuration uses
# the default CloudFront certificate, so that does not apply here.)
provider "aws" {
  region = "us-east-1"
}

# --- Random Suffix for Uniqueness ---
# Two-word random "pet" name, appended to the bucket name so that the globally
# unique S3 bucket name does not collide with other deployments.
resource "random_pet" "suffix" {
  length    = 2
  separator = "-" # provider default, stated explicitly
}

# --- 1. Create S3 Bucket ---
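resource "aws_s3_bucket" "s3_origin_bucket" {
  # S3 bucket names are global; the random_pet suffix keeps this one unique.
  bucket = "my-tf-cf-s3-origin-${random_pet.suffix.id}"

  tags = {
    Name = "CloudFrontS3Origin"
  }
}

# Block every form of public access at the bucket level. Objects are meant to
# be reachable only through CloudFront (via the OAC-scoped bucket policy), so
# no public ACL or public bucket policy should ever take effect, even if one
# is attached by mistake. `block_public_policy` does not interfere with the
# OAC policy: a grant to a specific service principal scoped by an
# AWS:SourceArn condition is not treated as public by S3.
resource "aws_s3_bucket_public_access_block" "s3_origin_bucket" {
  bucket = aws_s3_bucket.s3_origin_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}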

# --- 2. Create Origin Access Control (OAC) ---
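# Origin Access Control: lets CloudFront sign its requests to the private S3
# origin with SigV4, so the bucket never has to be publicly readable.
resource "aws_cloudfront_origin_access_control" "s3_oac" {
  name                              = "MyTerraformCF_OAC"
  description                       = "OAC for S3 origin"
  origin_access_control_origin_type = "s3"
  # "always" makes CloudFront sign every origin request, replacing any
  # Authorization header a viewer may have sent. With "no-override", a viewer
  # request that carries an Authorization header is forwarded to S3 unsigned,
  # and the private bucket then rejects it. "always" is the setting AWS
  # recommends for an S3 origin that grants access only to this OAC.
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}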

# --- 3. Update S3 Bucket Policy to allow OAC access ---
# Bucket policy allowing the CloudFront service principal to read objects from
# the origin bucket, but only for requests that originate from *this*
# distribution. Every CloudFront distribution in every AWS account uses the
# same service principal, so the AWS:SourceArn condition is what stops another
# account's distribution from reading this bucket.
data "aws_iam_policy_document" "s3_policy" {
  statement {
    effect = "Allow"

    # Objects only; the bucket itself is not listed (no s3:ListBucket), so a
    # request for a missing key is answered with 403 rather than 404.
    resources = ["${aws_s3_bucket.s3_origin_bucket.arn}/*"]
    actions   = ["s3:GetObject"]

    principals {
      identifiers = ["cloudfront.amazonaws.com"]
      type        = "Service"
    }

    condition {
      variable = "AWS:SourceArn"
      test     = "StringEquals"
      values   = [aws_cloudfront_distribution.s3_distribution.arn]
    }
  }
}

# Attaches the OAC policy document to the origin bucket. Because the document
# references the distribution ARN, this resource implicitly depends on the
# CloudFront distribution.
resource "aws_s3_bucket_policy" "s3_policy" {
  policy = data.aws_iam_policy_document.s3_policy.json
  bucket = aws_s3_bucket.s3_origin_bucket.id
}

# --- 4. Create CloudFront Distribution ---
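resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    # Regional REST endpoint of the bucket. OAC signing works only against the
    # S3 REST endpoint, not the static-website hosting endpoint.
    domain_name              = aws_s3_bucket.s3_origin_bucket.bucket_regional_domain_name
    origin_id                = "S3Origin"
    origin_access_control_id = aws_cloudfront_origin_access_control.s3_oac.id
  }

  enabled             = true
  is_ipv6_enabled     = true
  comment             = "My Terraform CloudFront Distribution for S3"
  default_root_object = "index.html" # Optional: if you have an index.html

  default_cache_behavior {
    # Read-only methods: the origin serves static objects, so no write
    # methods are ever forwarded to S3.
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "S3Origin"
    viewer_protocol_policy = "redirect-to-https"
    compress               = true

    # Legacy cache configuration (the provider reports forwarded_values as
    # deprecated in favour of cache_policy_id). Kept so the existing caching
    # behaviour is unchanged: no query strings or cookies reach the cache key.
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  # PriceClass_100 is the cheapest class: edge locations in North America and
  # Europe only. PriceClass_200 adds Asia, Africa and the Middle East;
  # PriceClass_All adds the remaining regions.
  price_class = "PriceClass_100"

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # Default *.cloudfront.net certificate. With this setting CloudFront fixes
    # the minimum viewer TLS version at TLSv1 and minimum_protocol_version
    # cannot be raised; enforcing TLSv1.2_2021 requires a custom domain with an
    # ACM certificate.
    cloudfront_default_certificate = true
  }

  # Deliberately no depends_on on aws_s3_bucket_policy.s3_policy. The policy
  # document references this distribution's ARN, so the bucket policy must be
  # created *after* the distribution; declaring the reverse dependency here
  # forms a cycle (distribution -> bucket policy -> policy document ->
  # distribution) that Terraform rejects at plan time. Requests arriving in the
  # short window before the policy is attached are answered 403 by S3.

  tags = {
    Name = "MyTerraformCloudFrontDistribution"
  }
}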

# --- Outputs ---
# Public hostname (*.cloudfront.net) through which the bucket content is served.
output "cloudfront_domain_name" {
  description = "The domain name of the CloudFront distribution."
  value       = aws_cloudfront_distribution.s3_distribution.domain_name
}

# Name of the private origin bucket (useful for uploading content).
output "s3_bucket_name" {
  description = "The name of the S3 bucket used as the CloudFront origin."
  value       = aws_s3_bucket.s3_origin_bucket.bucket
}
