terraform {
  backend "s3" {
    bucket = "terraform.grimoire"
    key    = "bliki.tfstate"
    region = "ca-central-1"
  }
}

provider "aws" {
  region = "ca-central-1"
}

# CloudFront needs certificates in us-east-1.
provider "aws" {
  alias  = "cloudfront"
  region = "us-east-1"
}

resource "aws_s3_bucket" "bliki" {
  bucket = "grimoire.ca"

  website {
    index_document = "index.html"
  }

  tags = {
    Project = "bliki"
  }
}

resource "aws_s3_bucket_policy" "bliki" {
  bucket = aws_s3_bucket.bliki.id
  policy = <<POLICY
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["${aws_s3_bucket.bliki.arn}/*"]
    }
  ]
}
POLICY

}

resource "aws_acm_certificate" "bliki" {
  provider = aws.cloudfront

  # There's a circular dependency between the zone, the distribution, and the
  # cert here. Rather than trying to figure out how to make Terraform solve it,
  # hard-code the domain name.
  domain_name = "grimoire.ca"

  validation_method = "DNS"

  tags = {
    Project = "bliki"
  }
}

resource "aws_route53_record" "bliki_validation" {
  zone_id = data.aws_route53_zone.grimoire_ca.zone_id
  ttl = 60
  name = aws_acm_certificate.bliki.domain_validation_options[0].resource_record_name
  type = aws_acm_certificate.bliki.domain_validation_options[0].resource_record_type
  records = [
    aws_acm_certificate.bliki.domain_validation_options[0].resource_record_value,
  ]
}

resource "aws_cloudfront_distribution" "bliki" {
  provider = aws.cloudfront

  enabled = true
  is_ipv6_enabled = true

  aliases = ["grimoire.ca"]

  default_root_object = "index.html"

  price_class = "PriceClass_100"

  origin {
    origin_id = "bliki"

    # Use the website endpoint, not the bucket endpoint, to get / -> /index.html
    # translation through S3's website config.
    domain_name = aws_s3_bucket.bliki.website_endpoint

    custom_origin_config {
      http_port = 80
      https_port = 443

      # Because the origin is a non-URL-safe bucket name, S3's default TLS
      # config doesn't apply. Since we can't provide our own cert, force HTTP.
      origin_protocol_policy = "http-only"
      origin_ssl_protocols = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id = "bliki"

    allowed_methods = ["GET", "HEAD", "OPTIONS"]
    cached_methods = ["GET", "HEAD"]
    viewer_protocol_policy = "redirect-to-https"

    compress = true

    min_ttl = 0
    default_ttl = 900
    max_ttl = 3600

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn = aws_acm_certificate.bliki.arn
    ssl_support_method = "sni-only"
    minimum_protocol_version = "TLSv1"
  }

  tags = {
    Project = "bliki"
  }
}

resource "aws_route53_record" "bliki_ip4" {
  zone_id = data.aws_route53_zone.grimoire_ca.zone_id
  name = ""
  type = "A"

  alias {
    name = aws_cloudfront_distribution.bliki.domain_name
    zone_id = aws_cloudfront_distribution.bliki.hosted_zone_id

    evaluate_target_health = false
  }
}

resource "aws_route53_record" "bliki_ip6" {
  zone_id = data.aws_route53_zone.grimoire_ca.zone_id
  name = ""
  type = "AAAA"

  alias {
    name = aws_cloudfront_distribution.bliki.domain_name
    zone_id = aws_cloudfront_distribution.bliki.hosted_zone_id

    evaluate_target_health = false
  }
}

data "aws_route53_zone" "grimoire_ca" {
  name = "grimoire.ca"
}