ELBAccessLogsBucketPolicy:
  Type: AWS::S3::BucketPolicy
  Condition: CreateALB
  DependsOn: ELBAccessLogsBucket
  Properties:
    Bucket: !Ref ELBAccessLogsBucket
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - s3:PutObject
          Effect: Allow
          Resource:
            - !Join
              - ''
              - - 'arn:'
                - !Ref AWS::Partition
                - ':s3:::'
                - !Ref ELBAccessLogsBucket
                {{- if .Prefix }}
                - '/'
                - {{.Prefix }}
                {{- end }}
                - '/AWSLogs/'
                - !Ref AWS::AccountId
                - '/*'
          Principal:
            AWS: !Join [ "", [ !Sub 'arn:${AWS::Partition}:iam::', !FindInMap [ RegionalConfigs, !Ref 'AWS::Region', ElbAccountId ], ":root" ] ]
ELBAccessLogsBucket:
  Metadata:
    "aws:copilot:description": "A S3 bucket for the Load Balancer's access logs"
  Type: AWS::S3::Bucket
  Condition: CreateALB
  Properties:
    VersioningConfiguration:
      Status: Enabled
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256 
    PublicAccessBlockConfiguration:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true