---

- block:

    # ============================================================
    - name: set connection information for all tasks
      set_fact:
        aws_connection_info: &aws_connection_info
          aws_access_key: "{{ aws_access_key }}"
          aws_secret_key: "{{ aws_secret_key }}"
          security_token: "{{ security_token }}"
          region: "{{ aws_region }}"
      no_log: true

    # ============================================================
    - name: Create simple s3_bucket
      s3_bucket:
        name: "{{ resource_prefix }}-testbucket-ansible"
        state: present
        <<: *aws_connection_info
      register: output

    - assert:
        that:
          - output.changed
          - output.name == '{{ resource_prefix }}-testbucket-ansible'
          - not output.requester_pays

    # ============================================================
    - name: Try to update the same bucket with the same values
      s3_bucket:
        name: "{{ resource_prefix }}-testbucket-ansible"
        state: present
        <<: *aws_connection_info
      register: output

    - assert:
        that:
          - not output.changed
          - output.name == '{{ resource_prefix }}-testbucket-ansible'
          - not output.requester_pays

    # ============================================================
    - name: Delete s3_bucket
      s3_bucket:
        name: "{{ resource_prefix }}-testbucket-ansible"
        state: absent
        <<: *aws_connection_info
      register: output

    - assert:
        that:
          - output.changed

    # ============================================================
    - name: Set bucket_name variable to be able to use it in lookup('template')
      set_fact:
        bucket_name: "{{ resource_prefix }}-testbucket-ansible-complex"

    - name: Create more complex s3_bucket
      s3_bucket:
        name: "{{ resource_prefix }}-testbucket-ansible-complex"
        state: present
        policy: "{{ lookup('template','policy.json') }}"
        requester_pays: yes
        versioning: yes
        tags:
          example: tag1
          another: tag2
        <<: *aws_connection_info
      register: output

    - assert:
        that:
          - output.changed
          - output.name == '{{ resource_prefix }}-testbucket-ansible-complex'
          - output.requester_pays
          - output.versioning.MfaDelete == 'Disabled'
          - output.versioning.Versioning == 'Enabled'
          - output.tags.example == 'tag1'
          - output.tags.another == 'tag2'
          - output.policy.Statement[0].Action == 's3:GetObject'
          - output.policy.Statement[0].Effect == 'Allow'
          - output.policy.Statement[0].Principal == '*'
          - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*'
          - output.policy.Statement[0].Sid == 'AddPerm'

    # ============================================================
    - name: Try to update the same complex s3_bucket
      s3_bucket:
        name: "{{ resource_prefix }}-testbucket-ansible-complex"
        state: present
        policy: "{{ lookup('template','policy.json') }}"
        requester_pays: yes
        versioning: yes
        tags:
          example: tag1
          another: tag2
        <<: *aws_connection_info
      register: output

    - assert:
        that:
          - not output.changed

    # ============================================================
    - name: Update bucket policy
      s3_bucket:
        name: "{{ resource_prefix }}-testbucket-ansible-complex"
        state: present
        policy: "{{ lookup('template','policy-updated.json') }}"
        requester_pays: yes
        versioning: yes
        tags:
          example: tag1
          another: tag2
        <<: *aws_connection_info
      register: output

    - assert:
        that:
          - output.changed
          - output.policy.Statement[0].Action == 's3:GetObject'
          - output.policy.Statement[0].Effect == 'Deny'
          - output.policy.Statement[0].Principal == '*'
          - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*'
          - output.policy.Statement[0].Sid == 'AddPerm'

    # ============================================================
    - name: Update attributes for s3_bucket
      s3_bucket:
        name: "{{ resource_prefix }}-testbucket-ansible-complex"
        state: present
        policy: "{{ lookup('template','policy.json') }}"
        requester_pays: no
        versioning: no
        tags:
          example: tag1-udpated
          another: tag2
        <<: *aws_connection_info
      register: output

    - assert:
        that:
          - output.changed
          - output.name == '{{ resource_prefix }}-testbucket-ansible-complex'
          - not output.requester_pays
          - output.versioning.MfaDelete == 'Disabled'
          - output.versioning.Versioning == 'Suspended'
          - output.tags.example == 'tag1-udpated'
          - output.tags.another == 'tag2'
          - output.policy.Statement[0].Action == 's3:GetObject'
          - output.policy.Statement[0].Effect == 'Allow'
          - output.policy.Statement[0].Principal == '*'
          - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*'
          - output.policy.Statement[0].Sid == 'AddPerm'


    # ============================================================
    - name: Delete s3_bucket
      s3_bucket:
        name: "{{ resource_prefix }}-testbucket-ansible-complex"
        state: absent
        <<: *aws_connection_info
      register: output

    - assert:
        that:
          - output.changed

    # ============================================================
    - name: Create bucket with dot in name
      s3_bucket:
        name: "{{ resource_prefix }}.testbucket.ansible"
        state: present
        <<: *aws_connection_info
      register: output

    - assert:
        that:
          - output.changed
          - output.name == '{{ resource_prefix }}.testbucket.ansible'

    - name: Delete s3_bucket
      s3_bucket:
        name: "{{ resource_prefix }}.testbucket.ansible"
        state: absent
        <<: *aws_connection_info
      register: output

    - assert:
        that:
          - output.changed

  # ============================================================
  always:
    - name: Ensure all buckets are deleted
      s3_bucket:
        name: "{{item}}"
        state: absent
        <<: *aws_connection_info
      with_items:
        - "{{ resource_prefix }}-testbucket-ansible"
        - "{{ resource_prefix }}-testbucket-ansible-complex"
        - "{{ resource_prefix }}.testbucket.ansible"