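# Object-ownership setting for every bucket in var.buckets.
# NOTE(review): the aws_s3_bucket_acl resources below apply an explicit
# canned ACL. If each.value.object_ownership is "BucketOwnerEnforced", S3
# disables ACLs on the bucket and those PutBucketAcl calls are rejected, so
# buckets managed here need "ObjectWriter" or "BucketOwnerPreferred" — confirm
# against the variable's validation (not visible in this file).
resource "aws_s3_bucket_ownership_controls" "ownership" {
  for_each = var.buckets
  bucket   = aws_s3_bucket.bucket[each.key].id

  rule {
    object_ownership = each.value.object_ownership
  }
}

# Public buckets (public_access == true): all four Block Public Access
# settings are switched off so the public-read ACL and the anonymous-read
# bucket policy declared further down can be applied.
resource "aws_s3_bucket_public_access_block" "public_access_block" {
  for_each = { for bucket, value in var.buckets : bucket => value if value.public_access == true }

  bucket                  = aws_s3_bucket.bucket[each.key].id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

# Private buckets (public_access == false): every Block Public Access
# setting enabled, so neither an ACL nor a policy can expose objects publicly.
resource "aws_s3_bucket_public_access_block" "private_access_block" {
  for_each = { for bucket, value in var.buckets : bucket => value if value.public_access == false }

  bucket                  = aws_s3_bucket.bucket[each.key].id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# public-read canned ACL for public buckets. Ordered after the ownership
# controls and after the relaxed public-access block: S3 rejects a public ACL
# while block_public_acls is still true.
resource "aws_s3_bucket_acl" "public_acl" {
  for_each = { for bucket, value in var.buckets : bucket => value if value.public_access == true }

  depends_on = [
    aws_s3_bucket_ownership_controls.ownership,
    aws_s3_bucket_public_access_block.public_access_block,
  ]

  bucket = aws_s3_bucket.bucket[each.key].id
  acl    = "public-read"
}

# private canned ACL for private buckets; same ordering constraints as above.
resource "aws_s3_bucket_acl" "private_acl" {
  for_each = { for bucket, value in var.buckets : bucket => value if value.public_access == false }

  depends_on = [
    aws_s3_bucket_ownership_controls.ownership,
    aws_s3_bucket_public_access_block.private_access_block,
  ]

  bucket = aws_s3_bucket.bucket[each.key].id
  acl    = "private"
}

# Anonymous read (s3:GetObject, Principal "*") on every object of each public
# bucket. This grants the same read access as the public-read ACL above, via
# the policy path.
#
# depends_on added: a public bucket policy is rejected (AccessDenied) while
# block_public_policy is still true. Without the explicit dependency Terraform
# may create the policy before the public_access_block resource has relaxed
# the setting, failing the first apply of a new public bucket.
resource "aws_s3_bucket_policy" "policy" {
  for_each = { for bucket, value in var.buckets : bucket => value if value.public_access == true }

  depends_on = [aws_s3_bucket_public_access_block.public_access_block]

  bucket = aws_s3_bucket.bucket[each.key].id
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action    = ["s3:GetObject"],
        Effect    = "Allow",
        Resource  = ["${aws_s3_bucket.bucket[each.key].arn}/*"],
        Principal = "*"
      }
    ]
  })
}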