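# Customer-managed policy granting the MDRAdmin principal only what it needs
# to bootstrap Terraform remote-state management (lock table, state bucket,
# state-encryption KMS key). Every statement is an Allow gated on MFA.
resource "aws_iam_policy" "mdradmin_tfstate_setup" {
  # NOTE(review): "mdradmmin" is a typo for "mdradmin". An IAM policy name is
  # immutable (changing it replaces the policy and drops attachments), so it
  # is deliberately left unchanged here and should be fixed in its own change.
  name        = "mdradmmin_tfstate_setup"
  path        = "/bootstrap/"
  description = "Gives MDRAdmin account rights needed to set up tfstate management"
  policy      = data.aws_iam_policy_document.mdradmin_tfstate_setup.json
}

data "aws_iam_policy_document" "mdradmin_tfstate_setup" {
  # checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment

  # MFA gating: every condition below uses the "Bool" operator rather than
  # "BoolIfExists". In an Allow statement, BoolIfExists also matches requests
  # where aws:MultiFactorAuthPresent is absent from the context — which is the
  # case for long-term access keys used without MFA — so it did not actually
  # enforce MFA. "Bool" requires the key to be present and "true". If a
  # non-MFA automation principal must use this policy, give it a separate
  # statement instead of reverting to BoolIfExists.

  # Full control of the single lock table (create/describe/item operations).
  # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
  statement {
    sid       = "DynamoDBTablesAndLocking"
    actions   = ["dynamodb:*"]
    resources = ["arn:${local.aws_partition}:dynamodb:${local.aws_region}:${local.aws_account}:table/${var.lock_table_name}"]

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }

  # ListTables is not resource-scoped; the table/* ARN only bounds it to this
  # account and region.
  # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
  statement {
    sid       = "DynamoDBTablesAndLocking2"
    actions   = ["dynamodb:ListTables"]
    resources = ["arn:${local.aws_partition}:dynamodb:${local.aws_region}:${local.aws_account}:table/*"]

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }

  # kms:CreateKey and the List* calls are not resource-scoped, hence "*".
  # CreateAlias/DeleteAlias/ScheduleKeyDeletion do support key/alias ARNs;
  # once the state key exists, consider moving them to a second statement
  # scoped to that key and its alias.
  # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
  statement {
    sid = "KMSKeyCreate"
    actions = [
      "kms:CreateAlias",
      "kms:CreateKey",
      "kms:List*",
      "kms:DeleteAlias",
      # The original listed "kms:DeleteKey", which is not a KMS action (IAM
      # accepts unknown action names but they grant nothing). Key deletion is
      # "kms:ScheduleKeyDeletion"; being able to schedule deletion of any key
      # is destructive, so keep MFA on this statement.
      "kms:ScheduleKeyDeletion",
    ]
    resources = ["*"]

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }

  # Bucket-level operations on the state bucket itself. s3:Put* at bucket
  # level includes PutBucketPolicy/PutBucketAcl, which is intended for
  # bootstrap (versioning, encryption, public-access block, policy).
  # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
  statement {
    sid = "S3ManageStateBucket"
    actions = [
      "s3:CreateBucket",
      "s3:DeleteBucket",
      "s3:ListBucket",
      "s3:Get*",
      "s3:Put*",
    ]
    resources = ["arn:${local.aws_partition}:s3:::${var.bucket_name}"]

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }

  # Object-level operations on state files under the bucket.
  # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
  statement {
    sid = "S3ObjectOperations"
    actions = [
      "s3:PutObject*",
      "s3:GetObject*",
      "s3:DeleteObject*",
    ]
    resources = ["arn:${local.aws_partition}:s3:::${var.bucket_name}/*"]

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}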