terraform {
  backend "s3" {
    bucket = "terraform.grimoire"
    key    = "bliki.tfstate"
    region = "ca-central-1"
  }
}

provider "aws" {
  region = "ca-central-1"
}

# CloudFront needs certificates in us-east-1.
provider "aws" {
  alias  = "cloudfront"
  region = "us-east-1"
}

resource "aws_s3_bucket" "bliki" {
  bucket = "grimoire.ca"

  tags = {
    Project = "bliki"
  }
}

resource "aws_s3_bucket_website_configuration" "bliki" {
  bucket = aws_s3_bucket.bliki.id

  index_document {
    suffix = "index.html"
  }
}

resource "aws_s3_bucket_policy" "bliki" {
  bucket = aws_s3_bucket.bliki.id
  policy = <<POLICY
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["${aws_s3_bucket.bliki.arn}/*"]
    }
  ]
}
POLICY

}

resource "aws_acm_certificate" "bliki" {
  provider = aws.cloudfront

  # There's a circular dependency between the zone, the distribution, and the
  # cert here. Rather than trying to figure out how to make Terraform solve it,
  # hard-code the domain name.
  domain_name = "grimoire.ca"

  validation_method = "DNS"

  tags = {
    Project = "bliki"
  }
}

resource "aws_route53_record" "bliki_validation" {
  for_each = {
    for dvo in aws_acm_certificate.bliki.domain_validation_options :
      dvo.domain_name => {
        name   = dvo.resource_record_name
        record = dvo.resource_record_value
        type   = dvo.resource_record_type
      }
  }

  zone_id = data.aws_route53_zone.grimoire_ca.zone_id

  ttl  = 60
  name = each.value.name
  type = each.value.type

  records = [
    each.value.record,
  ]
}

data "aws_route53_zone" "grimoire_ca" {
  name = "grimoire.ca"
}