data "aws_cloudfront_cache_policy" "caching_optimized" {
  name = "Managed-CachingOptimized"
}

locals {
  cloudfront_s3_origin_id = "S3-${aws_s3_bucket.created.id}"
}

resource "aws_cloudfront_distribution" "created" {
  enabled             = true
  is_ipv6_enabled     = true
  aliases             = [var.domain_name]
  default_root_object = var.aws_cloudfront_default_root_object
  price_class         = var.aws_cloudfront_price_class
  http_version        = "http2and3"
  origin {
    domain_name              = aws_s3_bucket.created.bucket_regional_domain_name
    origin_id                = local.cloudfront_s3_origin_id
    origin_access_control_id = aws_cloudfront_origin_access_control.s3_access.id
  }
  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.caching_optimized.id
    target_origin_id       = local.cloudfront_s3_origin_id
    viewer_protocol_policy = "redirect-to-https"
    compress               = true
  }
  restrictions {
    geo_restriction {
      restriction_type = "none"
      locations        = []
    }
  }
  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.created.arn
    minimum_protocol_version = var.aws_cloudfront_minimum_protocol_version
    ssl_support_method       = "sni-only"
  }

  depends_on = [aws_acm_certificate_validation.created]
}

resource "aws_cloudfront_origin_access_control" "s3_access" {
  name                              = "S3_${aws_s3_bucket.created.id}"
  description                       = "S3:${aws_s3_bucket.created.id}"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}