# Defines an IAM user that can only download ECR images, intended for
# use in POP nodes where we need containers, but won't necessarily have
# EC2 instance role credentials. Maybe one day this goes to vault, I
# hope. It would be nice.
#
# NOTE(review): every resource in this file is commented out, so none of
# it is managed by Terraform as written. If the user, policy and access
# key below were applied before being commented out, the next apply will
# plan their destruction (if still in state) or leave them orphaned and
# unmanaged (if removed from state) -- confirm which before applying.

# data "aws_iam_policy_document" "ecr_policy_pop" {
#   statement {
#     sid = "AllowECRReadOnly"
#     effect = "Allow"
#     actions = [
#       "ecr:GetAuthorizationToken",
#       "ecr:BatchCheckLayerAvailability",
#       "ecr:GetDownloadUrlForLayer",
#       "ecr:GetRepositoryPolicy",
#       "ecr:DescribeRepositories",
#       "ecr:ListImages",
#       "ecr:DescribeImages",
#       "ecr:BatchGetImage"
#     ]
#     # NOTE(review): "*" is required for ecr:GetAuthorizationToken, which
#     # has no resource-level scoping, but the remaining repository-scoped
#     # actions (BatchGetImage, GetDownloadUrlForLayer, BatchCheckLayerAvailability,
#     # Describe*/List*) can be limited to the repository ARNs the POP nodes
#     # actually pull from. Splitting this into two statements keeps the
#     # grant to least privilege without changing what the nodes can do.
#     resources = [
#       "*"
#     ]
#   }
# }

# resource "aws_iam_policy" "ecr_policy_pop" {
#   name = "ecr_policy_pop"
#   path = "/"
#   policy = "${data.aws_iam_policy_document.ecr_policy_pop.json}"
# }

# resource "aws_iam_user" "pop_service_account" {
#   name = "svc-mdrpop"
#   path = "/service/"
# }

# resource "aws_iam_user_policy_attachment" "pop_service_account_1" {
#   user = "${aws_iam_user.pop_service_account.name}"
#   policy_arn = "${aws_iam_policy.ecr_policy_pop.arn}"
# }

# NOTE(review): this is a long-lived static credential with no expiry and
# no rotation expressed in config; rotating it means recreating this
# resource and redistributing the key to every POP node. The secret is
# PGP-encrypted to a single individual's public key (duane_waddle.pgp),
# so recovering or re-issuing it depends on that one person's private
# key -- document the rotation procedure and consider a shared/team key
# until the move to vault the header mentions happens.
# resource "aws_iam_access_key" "pop_service_account" {
#   user = "${aws_iam_user.pop_service_account.name}"
#   pgp_key = "${file("../00-organizations-and-iam/duane_waddle.pgp")}"
# }

# output "pop_service_account_key_id" {
#   value = "${aws_iam_access_key.pop_service_account.id}"
# }

# NOTE(review): because pgp_key is set, only the PGP-encrypted secret is
# exposed here (and stored in state); the plaintext secret is never
# written to state or output, which is the intended behaviour.
# output "pop_service_account_secret" {
#   value = "${aws_iam_access_key.pop_service_account.encrypted_secret}"
# }