# Base instance profile (role + profile) shared by the indexers; the
# indexer-specific permissions defined below are attached to the role it
# exports.
module "instance_profile" {
  source = "../../../submodules/iam/base_instance_profile"

  prefix         = "xdr-idx"
  aws_partition  = var.aws_partition
  aws_account_id = var.aws_account_id
}

# Indexer-specific managed policy, rendered from the document below.
resource "aws_iam_policy" "instance_policy_idx" {
  name        = "idx_instance_policy"
  path        = "/launchroles/"
  description = "This policy allows indexer-specific functions"
  policy      = data.aws_iam_policy_document.instance_policy_doc_idx.json
}

# What an indexer needs at runtime:
#   - S3 access for copying to the frozen bucket and for SmartStore
#   - KMS key operations for the encryption used on those buckets
#   - assuming the splunk-apps-s3 service role
data "aws_iam_policy_document" "instance_policy_doc_idx" {

  # Bucket enumeration is an account-level action and cannot be scoped
  # below "*".
  statement {
    sid       = "GeneralBucketAccess"
    effect    = "Allow"
    actions   = ["s3:ListAllMyBuckets"]
    resources = ["*"]
  }

  # Object and bucket-configuration access on the frozen and SmartStore
  # buckets (bucket ARN plus object ARN for each).
  # NOTE(review): DeleteObject, DeleteObjectVersion and
  # PutLifecycleConfiguration on the frozen bucket allow a compromised
  # indexer to delete or expire archived data -- confirm those are required
  # on that bucket rather than only on SmartStore.
  statement {
    sid    = "S3BucketAccess"
    effect = "Allow"
    actions = [
      "s3:GetLifecycleConfiguration",
      "s3:DeleteObjectVersion",
      "s3:ListBucketVersions",
      "s3:GetBucketLogging",
      "s3:RestoreObject",
      "s3:ListBucket",
      "s3:GetBucketVersioning",
      "s3:PutObject",
      "s3:GetObject",
      "s3:PutLifecycleConfiguration",
      "s3:GetBucketCORS",
      "s3:DeleteObject",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
    ]
    resources = flatten([
      for suffix in ["frozen", "smartstore"] : [
        "arn:${var.aws_partition}:s3:::xdr-${var.prefix}-${var.environment}-splunk-${suffix}",
        "arn:${var.aws_partition}:s3:::xdr-${var.prefix}-${var.environment}-splunk-${suffix}/*",
      ]
    ])
  }

  # Key operations for the encryption on the buckets above.
  # NOTE(review): resources = ["*"] grants these actions on every key the
  # instance can reach, including keys in other accounts whose key policy
  # trusts this account. kms:Sign, kms:Verify and the GenerateDataKeyPair*
  # actions are asymmetric-key operations; presumably only the symmetric
  # data-key operations are exercised by S3 encryption here -- confirm
  # which actions and which key ARNs are actually needed before keeping
  # the wildcard.
  statement {
    sid    = "KMSKeyAccess"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKeyWithoutPlaintext",
      "kms:Verify",
      "kms:GenerateDataKeyPairWithoutPlaintext",
      "kms:GenerateDataKeyPair",
      "kms:ReEncryptFrom",
      "kms:Encrypt",
      "kms:GenerateDataKey",
      "kms:ReEncryptTo",
      "kms:Sign",
    ]
    resources = ["*"]
  }

  # Scoped to the single splunk-apps-s3 role in this account; the trust
  # policy on that role (not visible here) must also allow this principal.
  statement {
    sid       = "AllowAssumeRoleToSplunkApps"
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/service/splunk-apps-s3"]
  }
}

# Attach the indexer policy to the role created by the base profile module.
# NOTE(review): the `role` argument takes the role name; confirm the
# module's `role_id` output is the name and not the role's unique ID.
resource "aws_iam_role_policy_attachment" "indexer_instance_policy_attach_idx" {
  role       = module.instance_profile.role_id
  policy_arn = aws_iam_policy.instance_policy_idx.arn
}