AWSTemplateFormatVersion: '2010-09-09'
Description: BIMI logo and PEM hosting — private S3 + CloudFront OAC (us-east-1 ACM for custom domain)

Parameters:
  DomainName:
    Type: String
    Description: Public hostname (e.g. bimi.example.com)
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
    Description: Route 53 hosted zone for DomainName
  PriceClass:
    Type: String
    Default: PriceClass_100
    AllowedValues: [PriceClass_100, PriceClass_200, PriceClass_All]

Resources:
  BimiBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  BimiOAC:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Sub '${AWS::StackName}-bimi-oac'
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

  BimiCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId

  BimiDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        IPV6Enabled: true
        Comment: BIMI logo and mark certificate
        PriceClass: !Ref PriceClass
        Aliases: [!Ref DomainName]
        Origins:
          - Id: bimi-s3
            DomainName: !GetAtt BimiBucket.RegionalDomainName
            OriginAccessControlId: !GetAtt BimiOAC.Id
            S3OriginConfig: {}
        DefaultCacheBehavior:
          TargetOriginId: bimi-s3
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS]
          CachedMethods: [GET, HEAD]
          Compress: true
          ForwardedValues:
            QueryString: false
            Cookies: { Forward: none }
          DefaultTTL: 86400
          MaxTTL: 604800
        ViewerCertificate:
          AcmCertificateArn: !Ref BimiCertificate
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        Restrictions:
          GeoRestriction:
            RestrictionType: none

  BimiBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref BimiBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowCloudFrontOAC
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub '${BimiBucket.Arn}/*'
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${BimiDistribution}'

  BimiAliasRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt BimiDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2 # CloudFront
        EvaluateTargetHealth: false

Outputs:
  BucketName:
    Value: !Ref BimiBucket
  DistributionId:
    Value: !Ref BimiDistribution
  LogoUrl:
    Value: !Sub 'https://${DomainName}/logo.svg'
  PemUrl:
    Value: !Sub 'https://${DomainName}/certificate.pem'
