# the 'splunk-addon-for-aws' role is created in all accounts via
# the base/account_standards module.
#
# Then, there is an instance profile (for use in the partition holding moose)
# and a user account (for use in the partion _not_ holding moose) that
# with keys for moose.
#
# That instance profile/user is allowed to assumerole into the
# 'splunk-addon-for-aws' role in the other accounts.

######################
# Access keys
#
# For rotation purposes, there are two of these. Delete the oldest one, 
# add a new one (with a higher version number), and then update the output
#
# Possible futue improvement:
# We could specify a pgp_key attribute, and then the secret will be encrypted
# in both the state file and in the output. If we used the salt PGP key,
# no user would ever have to see the secret key.
resource "aws_iam_access_key" "moose-hf-v1" {
  user = aws_iam_user.moose-hf.name
}

resource "aws_iam_access_key" "moose-hf-v2" {
  user = aws_iam_user.moose-hf.name
}

output "access_keys" {
  value = {
    "current" = {
      "aws_access_key_id" : aws_iam_access_key.moose-hf-v2.id
      "aws_secret_access_key" : aws_iam_access_key.moose-hf-v2.secret
    },
    "previous" = {
      "aws_access_key_id" : aws_iam_access_key.moose-hf-v1.id
      "aws_secret_access_key" : aws_iam_access_key.moose-hf-v1.secret
    }
  }
  sensitive = true
}

######################
# The policy is attached to both the user and the instance profile
# tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
resource "aws_iam_policy" "moose-hf" {
  name        = "moose-hf"
  path        = "/instance/"
  description = "Policy to allow the moose HF to assume roles"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
          "sts:AssumeRole",
          "logs:DescribeLogGroups",
          "logs:DescribeLogStreams",
          "logs:GetLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

######################
# The instance profile
resource "aws_iam_instance_profile" "moose-hf" {
  name = "moose-hf"
  role = aws_iam_role.moose-hf.name
}

resource "aws_iam_role" "moose-hf" {
  name = "moose-hf"
  path = "/instance/"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
               "Service": "ec2.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "moose-hf" {
  role       = aws_iam_role.moose-hf.name
  policy_arn = aws_iam_policy.moose-hf.arn
}

######################
# the user
#
# Note: CIS requires that policies _NOT_ be directly attached to a user. Users must
# be members of groups, and those groups can have policies.
resource "aws_iam_user" "moose-hf" {
  name = "moose-hf"
  path = "/instance/"

  tags = merge(local.standard_tags, var.tags)
}

# tfsec:ignore:aws-iam-enforce-mfa
resource "aws_iam_group" "moose-hf" {
  name = "moose-hf"
  path = "/instance/"
}

resource "aws_iam_user_group_membership" "moose-hf" {
  user = aws_iam_user.moose-hf.name

  groups = [aws_iam_group.moose-hf.name]
}

resource "aws_iam_group_policy_attachment" "moose-hf-group" {
  group      = aws_iam_group.moose-hf.name
  policy_arn = aws_iam_policy.moose-hf.arn
}