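#!/usr/bin/env bash
# Setup script for S3 backend and CloudFront logging
# This creates the necessary S3 buckets and DynamoDB table:
#   - a versioned, encrypted, non-public bucket for the OpenTofu/Terraform state
#   - a DynamoDB table used by the S3 backend for state locking
#   - a bucket that CloudFront standard logging can write to, with a lifecycle
#     rule that expires old logs
#
# Usage: run with credentials for the target account. Optional env overrides:
#   AWS_REGION      (default us-east-1)
#   AWS_ACCOUNT_ID  (default: the account baked into this script)
#
# Every step is idempotent: existing resources are reconfigured, not recreated.
# Unlike the previous version, a failing create-bucket is NOT silently ignored:
# bucket names are global, so "already exists" may mean "owned by someone
# else", and we must never point the state backend at such a bucket.
set -euo pipefail

AWS_REGION="${AWS_REGION:-us-east-1}"
AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-535294143817}"
readonly AWS_REGION AWS_ACCOUNT_ID
readonly STATE_BUCKET="aws-cf-terraform-state-${AWS_ACCOUNT_ID}"
readonly LOGS_BUCKET="aws-cf-cloudfront-logs-${AWS_ACCOUNT_ID}"
readonly DYNAMODB_TABLE="terraform-state-lock"

# Print a message to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Verify the configured credentials belong to AWS_ACCOUNT_ID.
# Globals:   AWS_ACCOUNT_ID (read)
# Returns:   0 if the caller account matches, exits otherwise
#######################################
check_identity() {
  local caller
  caller=$(aws sts get-caller-identity --query Account --output text) \
    || die "cannot determine caller identity (are AWS credentials configured?)"
  [[ "$caller" == "$AWS_ACCOUNT_ID" ]] \
    || die "credentials belong to account ${caller}, expected ${AWS_ACCOUNT_ID}"
}

#######################################
# Create an S3 bucket unless it already exists in this account.
# head-bucket with --expected-bucket-owner distinguishes "missing" from
# "exists but owned by another account"; only the former is created.
# Globals:   AWS_REGION, AWS_ACCOUNT_ID (read)
# Arguments: $1 - bucket name
# Returns:   0 on success, exits on failure
#######################################
ensure_bucket() {
  local bucket=$1
  if aws s3api head-bucket --bucket "$bucket" \
      --expected-bucket-owner "$AWS_ACCOUNT_ID" >/dev/null 2>&1; then
    printf 'Bucket already exists: %s\n' "$bucket"
    return 0
  fi

  printf 'Creating S3 bucket: %s\n' "$bucket"
  local -a create_args=(--bucket "$bucket" --region "$AWS_REGION")
  # us-east-1 is the only region that rejects an explicit LocationConstraint.
  [[ "$AWS_REGION" == "us-east-1" ]] \
    || create_args+=(--create-bucket-configuration "LocationConstraint=${AWS_REGION}")
  aws s3api create-bucket "${create_args[@]}" >/dev/null \
    || die "failed to create bucket ${bucket} (name already taken by another account?)"
  aws s3api wait bucket-exists --bucket "$bucket"
}

#######################################
# Apply the baseline hardening every bucket here gets: versioning,
# default server-side encryption and a full public-access block.
# --expected-bucket-owner makes each call fail instead of configuring a
# bucket that is not ours.
# Globals:   AWS_ACCOUNT_ID (read)
# Arguments: $1 - bucket name
#######################################
harden_bucket() {
  local bucket=$1

  printf 'Enabling versioning on %s...\n' "$bucket"
  aws s3api put-bucket-versioning \
    --bucket "$bucket" \
    --expected-bucket-owner "$AWS_ACCOUNT_ID" \
    --versioning-configuration Status=Enabled

  # SSE-S3 (AES256) as in the original; switch to aws:kms with a CMK if the
  # state must be readable only by a restricted set of principals.
  printf 'Enabling encryption on %s...\n' "$bucket"
  aws s3api put-bucket-encryption \
    --bucket "$bucket" \
    --expected-bucket-owner "$AWS_ACCOUNT_ID" \
    --server-side-encryption-configuration '{ "Rules": [ { "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }'

  printf 'Blocking public access on %s...\n' "$bucket"
  aws s3api put-public-access-block \
    --bucket "$bucket" \
    --expected-bucket-owner "$AWS_ACCOUNT_ID" \
    --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
}

#######################################
# Grant the S3 LogDelivery group write access for CloudFront standard
# logging and expire old log objects.
# CloudFront standard logging needs ACLs enabled on the bucket; buckets
# created today default to BucketOwnerEnforced (ACLs disabled), so ownership
# is set to BucketOwnerPreferred first or put-bucket-acl would be rejected.
# The public-access block from harden_bucket does not interfere: the
# LogDelivery group is not an "AllUsers"/"AuthenticatedUsers" grantee.
# Globals:   AWS_ACCOUNT_ID (read)
# Arguments: $1 - logs bucket name
#######################################
configure_log_delivery() {
  local bucket=$1

  printf 'Enabling ACLs on logs bucket %s...\n' "$bucket"
  aws s3api put-bucket-ownership-controls \
    --bucket "$bucket" \
    --expected-bucket-owner "$AWS_ACCOUNT_ID" \
    --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerPreferred}]'

  echo "Setting ACL for CloudFront logs bucket..."
  aws s3api put-bucket-acl \
    --bucket "$bucket" \
    --expected-bucket-owner "$AWS_ACCOUNT_ID" \
    --grant-write 'URI="http://acs.amazonaws.com/groups/s3/LogDelivery"' \
    --grant-read-acp 'URI="http://acs.amazonaws.com/groups/s3/LogDelivery"'

  # Delete logs after 90 days; noncurrent versions (the bucket is versioned)
  # after 30 days so they do not accumulate unbounded.
  echo "Adding lifecycle policy to logs bucket..."
  aws s3api put-bucket-lifecycle-configuration \
    --bucket "$bucket" \
    --expected-bucket-owner "$AWS_ACCOUNT_ID" \
    --lifecycle-configuration '{ "Rules": [ { "Id": "DeleteOldLogs", "Status": "Enabled", "Expiration": { "Days": 90 }, "NoncurrentVersionExpiration": { "NoncurrentDays": 30 } } ] }'
}

#######################################
# Create the state-lock DynamoDB table unless it already exists, and wait
# until it is ACTIVE so a following `tofu init` does not race it.
# Globals:   AWS_REGION, DYNAMODB_TABLE (read)
#######################################
ensure_lock_table() {
  if aws dynamodb describe-table --table-name "$DYNAMODB_TABLE" \
      --region "$AWS_REGION" >/dev/null 2>&1; then
    printf 'DynamoDB table already exists: %s\n' "$DYNAMODB_TABLE"
    return 0
  fi

  printf 'Creating DynamoDB table for state locking: %s\n' "$DYNAMODB_TABLE"
  aws dynamodb create-table \
    --table-name "$DYNAMODB_TABLE" \
    --attribute-definitions AttributeName=LockID,AttributeType=S \
    --key-schema AttributeName=LockID,KeyType=HASH \
    --provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=1 \
    --region "$AWS_REGION" >/dev/null \
    || die "failed to create DynamoDB table ${DYNAMODB_TABLE}"
  aws dynamodb wait table-exists --table-name "$DYNAMODB_TABLE" --region "$AWS_REGION"
}

# Print the created resources and the follow-up commands.
print_summary() {
  printf '\n✅ Backend setup complete!\n\n'
  printf '📦 S3 State Bucket: %s\n' "$STATE_BUCKET"
  printf '📊 S3 Logs Bucket: %s\n' "$LOGS_BUCKET"
  printf '🔒 DynamoDB Table: %s\n' "$DYNAMODB_TABLE"
  printf '\nNext steps:\n'
  printf '1. Run: tofu init -migrate-state\n'
  printf '2. Run: tofu apply to update CloudFront with logging\n'
}

main() {
  command -v aws >/dev/null || die "aws CLI not found in PATH"
  echo "Setting up S3 backend and CloudFront logging infrastructure..."
  check_identity

  ensure_bucket "$STATE_BUCKET"
  harden_bucket "$STATE_BUCKET"

  ensure_bucket "$LOGS_BUCKET"
  harden_bucket "$LOGS_BUCKET"
  configure_log_delivery "$LOGS_BUCKET"

  ensure_lock_table
  print_summary
}

main "$@"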