data "aws_s3_bucket" "bucket" {
  for_each = toset(var.buckets)

  bucket = each.value
}

resource "aws_s3_bucket_policy" "policy" {
  for_each = toset(var.buckets)

  bucket = data.aws_s3_bucket.bucket[each.value].id

  policy = jsonencode({
    "Version" = "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement" = [
      {
        "Sid"       = "AllowCloudFrontServicePrincipal"
        "Effect"    = "Allow",
        "Principal" = {
          "Service" = "cloudfront.amazonaws.com"
        },
        "Action"    = "s3:GetObject",
        "Resource"  = "${data.aws_s3_bucket.bucket[each.value].arn}/*",
        "Condition" = {
          "StringEquals" = {
            "AWS:SourceArn": "arn:aws:cloudfront::508259851457:distribution/${aws_cloudfront_distribution.distribution[each.value].id}"
          }
        }
      }
    ]
  })
}