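# Object storage for Mastodon media: an S3 bucket whose objects are served
# publicly, plus a dedicated IAM user with a long-lived access key that the
# application uses to read and write the bucket. `random_pet.name` is defined
# elsewhere in this configuration.

resource "aws_s3_bucket" "s3_bucket" {
  bucket = "mastodon-${random_pet.name.id}"
}

# An explicit ownership setting is needed because ACLs are disabled under the
# newer BucketOwnerEnforced default; "BucketOwnerPreferred" keeps ACLs usable
# while still transferring ownership of objects uploaded with the
# bucket-owner-full-control ACL to the bucket owner.
resource "aws_s3_bucket_ownership_controls" "s3_bucket" {
  bucket = aws_s3_bucket.s3_bucket.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# All four public-access guards are switched off so the public-read ACL below
# can be applied. Only block_public_acls and ignore_public_acls must be false
# for that; block_public_policy and restrict_public_buckets govern bucket
# *policies*, and no aws_s3_bucket_policy is declared in this file.
# NOTE(review): those two could be set to true unless a public bucket policy is
# attached elsewhere in this configuration — confirm before tightening.
resource "aws_s3_bucket_public_access_block" "s3_bucket" {
  bucket = aws_s3_bucket.s3_bucket.id

  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

# A bucket-level "public-read" canned ACL grants the AllUsers group READ on the
# *bucket*, which permits listing its objects (s3:ListBucket), not only
# fetching individual objects by key. If anonymous enumeration of media is not
# wanted, a bucket policy granting only s3:GetObject on <bucket-arn>/* is the
# narrower alternative; the ACL resource is kept here because other parts of
# the configuration may reference it.
# depends_on is required: the ACL can only be set once ownership controls exist
# and public ACLs are no longer blocked/ignored.
resource "aws_s3_bucket_acl" "s3_bucket" {
  depends_on = [
    aws_s3_bucket_public_access_block.s3_bucket,
    aws_s3_bucket_ownership_controls.s3_bucket,
  ]

  bucket = aws_s3_bucket.s3_bucket.id
  acl    = "public-read"
}

# Dedicated application identity. The access key is long-lived; rotating it
# means replacing this resource and redistributing the files written below.
resource "aws_iam_access_key" "s3" {
  user = aws_iam_user.s3.name
}

resource "aws_iam_user" "s3" {
  name = "mastodon-s3-${random_pet.name.id}"
  path = "/system/"
}

# Inline user policy; the policy body comes from the data source below.
resource "aws_iam_user_policy" "s3" {
  name   = "${aws_s3_bucket.s3_bucket.id}-access"
  user   = aws_iam_user.s3.name
  policy = data.aws_iam_policy_document.s3.json
}

# Scoped to this bucket only, but "s3:*" also covers bucket-management actions
# (e.g. s3:PutBucketPolicy, s3:PutBucketAcl, s3:DeleteBucket), so a leaked
# application key could change the bucket's exposure, not just its contents.
# NOTE(review): narrow this to the object actions the application actually
# issues (GetObject/PutObject/DeleteObject/ListBucket, plus PutObjectAcl if
# uploads set an ACL) — confirm against the application's storage settings
# before changing, since a missing action fails at runtime rather than at apply.
data "aws_iam_policy_document" "s3" {
  statement {
    actions = ["s3:*"]

    resources = [
      aws_s3_bucket.s3_bucket.arn,
      "${aws_s3_bucket.s3_bucket.arn}/*",
    ]
  }
}

# The key pair is written to local dotfiles for hand-off to the application
# deployment. local_file defaults file_permission to "0777", which would leave
# the secret readable by every local user; "0600" restricts it to the owner.
# Both values are also recorded in Terraform state (and the secret appears in
# plan output as a plain local_file content), so state must be protected
# accordingly.
# NOTE(review): if the installed local provider supports it, local_sensitive_file
# redacts the content from plan output — confirm the provider version in use.
resource "local_file" "s3_secret" {
  filename        = ".s3_secret"
  content         = "${aws_iam_access_key.s3.secret}\n"
  file_permission = "0600"
}

resource "local_file" "s3_id" {
  filename        = ".s3_id"
  content         = "${aws_iam_access_key.s3.id}\n"
  file_permission = "0600"
}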