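# The moose splunk SH has additional permissions beyond the default instance
# profile: it may assume the audit-report role in other accounts and read the
# ACM audit-report bucket. Every resource below is gated on local.is_moose
# (defined elsewhere in the module), so non-moose deployments create none of it.

resource "aws_iam_instance_profile" "moose_splunk_sh_instance_profile" {
  count = local.is_moose ? 1 : 0

  name = "moose-splunk-sh-instance-profile"
  path = "/instance/"
  role = aws_iam_role.moose_splunk_sh_instance_role[count.index].name
}

# Instance role for the moose splunk SH. The trust policy admits only the EC2
# service principal, i.e. the role is usable solely through the instance profile.
resource "aws_iam_role" "moose_splunk_sh_instance_role" {
  count = local.is_moose ? 1 : 0

  name = "moose-splunk-sh-instance-role"
  path = "/instance/"

  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : ["ec2.amazonaws.com"]
        },
        "Action" : "sts:AssumeRole"
      }
    ]
  })
}

# Customer-managed permissions that are specific to the moose splunk SH.
# Each statement carries a Sid so the rendered policy is easy to audit.
data "aws_iam_policy_document" "moose_splunk_sh_policy_doc" {
  count = local.is_moose ? 1 : 0

  # Moose splunk SH can assumerole into the C2 and mdr-prod-root-ca accounts
  # to run the ACM audit report.
  # NOTE(review): the account field of the resource ARN is "*", so this grant
  # covers a role of that name in *any* account whose trust policy admits this
  # instance role, not only the two accounts named above. Pinning the target
  # account IDs here (e.g. from a list variable) would make the grant
  # least-privilege and self-documenting; left as-is pending confirmation of
  # the intended account set.
  statement {
    sid       = "AllowAssumeRole"
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:${var.aws_partition}:iam::*:role/service/run_audit_report_role"]
  }

  # Moose splunk SH can grab the ACM audit reports: listing the bucket ...
  statement {
    sid       = "AllowListAuditReportBucket"
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:s3:::xdr-ca-audit-reports"]
    actions = [
      "s3:ListBucket",
      "s3:ListBucketVersions",
    ]
  }

  # ... and reading its objects. Read-only: no Put/Delete is granted.
  statement {
    sid       = "AllowGetAuditReportObjects"
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:s3:::xdr-ca-audit-reports/*"]
    actions = [
      "s3:GetObject",
      "s3:GetObjectVersion",
    ]
  }
}

resource "aws_iam_policy" "moose_splunk_sh_policy" {
  count = local.is_moose ? 1 : 0

  name   = "moose_splunk_sh"
  path   = "/"
  policy = data.aws_iam_policy_document.moose_splunk_sh_policy_doc[count.index].json
}

resource "aws_iam_role_policy_attachment" "moose_splunk_sh_attach" {
  count = local.is_moose ? 1 : 0

  role       = aws_iam_role.moose_splunk_sh_instance_role[count.index].name
  policy_arn = aws_iam_policy.moose_splunk_sh_policy[count.index].arn
}

# Systems Manager agent permissions.
# NOTE(review): AmazonEC2RoleforSSM is a legacy AWS-managed policy that grants
# broader S3 and CloudWatch access than the SSM agent itself needs; AWS
# recommends AmazonSSMManagedInstanceCore for new instances. Left unchanged
# here because other tooling on the host may depend on the wider grant --
# confirm before swapping.
resource "aws_iam_role_policy_attachment" "moose_splunk_sh_AmazonEC2RoleforSSM" {
  count = local.is_moose ? 1 : 0

  role       = aws_iam_role.moose_splunk_sh_instance_role[count.index].name
  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

# Account-local default policies shared with the other instance roles.
resource "aws_iam_role_policy_attachment" "moose_splunk_sh_policy_attach_tag_read" {
  count = local.is_moose ? 1 : 0

  role       = aws_iam_role.moose_splunk_sh_instance_role[count.index].name
  policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_tag_read"
}

resource "aws_iam_role_policy_attachment" "moose_splunk_sh_policy_attach_cloudwatch" {
  count = local.is_moose ? 1 : 0

  role       = aws_iam_role.moose_splunk_sh_instance_role[count.index].name
  policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/cloudwatch_events"
}

# This policy needs to be created prior to creating the Salt Master.
resource "aws_iam_role_policy_attachment" "moose_splunk_sh_policy_attach_binaries" {
  count = local.is_moose ? 1 : 0

  role       = aws_iam_role.moose_splunk_sh_instance_role[count.index].name
  policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_s3_binaries"
}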