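# Log group for the processor Lambda. The name must be exactly
# /aws/lambda/<function_name>; with any other name Lambda auto-creates its
# own group on first invocation with no retention limit, and the
# retention_in_days below never applies.
resource "aws_cloudwatch_log_group" "lambda" {
  name              = "/aws/lambda/${var.project}-processor-${var.environment}"
  retention_in_days = 30
  # NOTE(review): the function's environment is encrypted with
  # local.kms_key_arn but its logs are not; kms_key_id = local.kms_key_arn
  # would match, once the key policy grants the CloudWatch Logs service
  # principal for the region. Not enabled here to avoid a failing apply.
  tags = local.tags
}

# Application audit trail, kept for one year.
resource "aws_cloudwatch_log_group" "audit" {
  name              = "/aws/${var.project}/audit"
  retention_in_days = 365
  # NOTE(review): same kms_key_id consideration as the lambda log group.
  tags = local.tags
}

# Image processor invoked by S3 object-created events.
resource "aws_lambda_function" "processor" {
  filename = "${path.module}/../lambda/function.zip"
  # Without a hash Terraform does not detect a rebuilt function.zip and keeps
  # the previously deployed code in place.
  source_code_hash = filebase64sha256("${path.module}/../lambda/function.zip")
  function_name    = "${var.project}-processor-${var.environment}"
  role             = aws_iam_role.lambda.arn
  handler          = "lambda_function.lambda_handler"
  runtime          = "python3.11"
  timeout          = 30  # seconds
  memory_size      = 128 # MiB
  # Environment variables are encrypted at rest with the project key rather
  # than the default AWS-managed key.
  kms_key_arn = local.kms_key_arn

  environment {
    variables = {
      DYNAMODB_TABLE = aws_dynamodb_table.metadata.name
      SNS_TOPIC_ARN  = aws_sns_topic.notifications.arn
      ENVIRONMENT    = var.environment
    }
  }

  # X-Ray tracing for every invocation.
  tracing_config {
    mode = "Active"
  }

  tags = local.tags

  # Make sure the retention-limited log group exists before the function can
  # run, so Lambda never auto-creates an unbounded one under the same name.
  depends_on = [aws_cloudwatch_log_group.lambda]
}

# Allow only the images bucket (by ARN) to invoke the function.
resource "aws_lambda_permission" "s3_trigger" {
  statement_id  = "AllowExecutionFromS3"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.processor.function_name
  principal     = "s3.amazonaws.com"
  source_arn    = aws_s3_bucket.images.arn
}

# Fire the function for new objects under uploads/ only.
resource "aws_s3_bucket_notification" "lambda_trigger" {
  bucket = aws_s3_bucket.images.id

  lambda_function {
    lambda_function_arn = aws_lambda_function.processor.arn
    events              = ["s3:ObjectCreated:*"]
    filter_prefix       = "uploads/"
  }

  # The invoke permission must exist before S3 validates the notification.
  depends_on = [aws_lambda_permission.s3_trigger]
}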