# tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
data "aws_iam_policy_document" "policy_portal_data_sync_lambda" {
	# checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment
  statement {
    effect  = "Allow"
    actions = [
      "ec2:CreateNetworkInterface",
      "logs:CreateLogStream",
      "ec2:DescribeNetworkInterfaces",
      "logs:DescribeLogStreams",
      "ec2:DeleteNetworkInterface",
      "logs:PutRetentionPolicy",
      "logs:CreateLogGroup",
      "logs:PutLogEvents",
      "sqs:ListQueues"
    ]
    resources = ["*"]
  }

  # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
  statement {
    effect  = "Allow"
    actions = [
      "sqs:*",
    ]
    resources = [
      aws_sqs_queue.sqs_queue.arn,
      aws_sqs_queue.sqs_queue_dlq.arn
    ]
  }

  statement {
    effect = "Allow"
    actions = [
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ]
    resources = [
      aws_kms_key.sqs_key.arn
    ]
  }
}

resource "aws_iam_policy" "policy_portal_data_sync_lambda" {
  name        = "policy_portal_data_sync_lambda"
  path        = "/"
  policy      = data.aws_iam_policy_document.policy_portal_data_sync_lambda.json
  description = "IAM policy for portal_data_sync_lambda"
}

resource "aws_iam_role" "portal_lambda_role" {
  name               = "portal-data-sync-lambda-role"
  assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
    { 
    "Sid": "",
    "Effect": "Allow",
    "Principal": {
        "Service": [
        "lambda.amazonaws.com"
        ]
    },
    "Action": "sts:AssumeRole"
    }
]
}
EOF
}

resource "aws_iam_role_policy_attachment" "lambda_role" {
  role       = aws_iam_role.portal_lambda_role.name
  policy_arn = aws_iam_policy.policy_portal_data_sync_lambda.arn
}