# IAM wiring for the Splunk search head ("splunk-sh") instance role.
# Every object below is gated on var.create_instance_profile: when it is
# false, count is 0 and nothing in this file is created.

# Instantiates the shared base_instance_profile submodule with the
# "splunk-sh" prefix. Its role_id output is the role that the policy
# attachments below target.
module "instance_profile" {
  count          = var.create_instance_profile ? 1 : 0
  source         = "../../../submodules/iam/base_instance_profile"
  prefix         = "splunk-sh"
  aws_partition  = var.aws_partition
  aws_account_id = var.aws_account_id
}

# Identity policy document with a single statement: allow sts:AssumeRole on
# exactly one role ARN (role/service/splunk_apps_s3 in var.aws_account_id).
# The resource list has no wildcard, so this grant covers only that one role.
# NOTE(review): what the assumed role may do, and which principals may assume
# it, is decided by splunk_apps_s3's own permission and trust policies, which
# are not in this file; review them together with this grant.
data "aws_iam_policy_document" "splunk_sh_policy_doc" {
  count = var.create_instance_profile ? 1 : 0

  statement {
    sid    = "AllowAssumeRole"
    effect = "Allow"

    actions = [
      "sts:AssumeRole"
    ]

    resources = [
      "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:role/service/splunk_apps_s3"
    ]
  }
}

# Managed policy "splunk_sh" (path "/") carrying the JSON rendered from the
# policy document above.
resource "aws_iam_policy" "splunk_sh_policy" {
  count  = var.create_instance_profile ? 1 : 0
  name   = "splunk_sh"
  path   = "/"
  policy = data.aws_iam_policy_document.splunk_sh_policy_doc[count.index].json
}

# Attaches the splunk_sh managed policy to the role created by the
# instance_profile module.
resource "aws_iam_role_policy_attachment" "splunk_sh_attach" {
  count      = var.create_instance_profile ? 1 : 0
  role       = module.instance_profile[count.index].role_id
  policy_arn = aws_iam_policy.splunk_sh_policy[count.index].arn
}

# This policy needs to be created prior to creating the Salt Master.
# The policy is referenced by a constructed ARN string, not by a Terraform
# resource reference, so this file gives Terraform no dependency on it: it
# must already exist in var.aws_account_id when this attachment is applied.
# Its statements are not visible here.
# NOTE(review): presumably it grants S3 access to shared binaries, judging by
# the name; confirm its scope is limited to what a search head needs.
# NOTE(review): the Salt Master mention on a splunk-sh attachment may be a
# carry-over from another role's configuration; confirm.
resource "aws_iam_role_policy_attachment" "splunk_sh_policy_attach_binaries" {
  count      = var.create_instance_profile ? 1 : 0
  role       = module.instance_profile[count.index].role_id
  policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_s3_binaries"
}