# Roles carried over from the tf11 code have been commented out but may
# need to be re-added.
#
# NOTE(review): no commented-out role entries remain in this file, so the
# carried-over list either lives elsewhere in the module or was dropped;
# confirm before re-adding anything to the principal lists below.
#
# HOWEVER, it would be better to simply create an additional KMS key
# with the corresponding service. This key is available as a fallback,
# but better to create one per service.

# The customer-managed KMS key. Its access policy is rendered by the
# aws_iam_policy_document.kms_policy data source at the bottom of this file.
resource "aws_kms_key" "key" {
  description         = var.description
  # Automatic yearly rotation of the backing key material.
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.kms_policy.json
  # merge() lets later maps win: var.tags can override "Name" and any
  # standard tag — presumably intentional, confirm with callers.
  tags = merge(
    var.standard_tags,
    { "Name" = var.name },
    var.tags
  )
  # deletion_window_in_days and bypass_policy_lockout_safety_check are left at
  # provider defaults; the default lockout check makes apply fail if the
  # rendered policy would not grant the applying identity access to the key.
}

# Human-readable alias pointing at the key above.
resource "aws_kms_alias" "alias" {
  name          = var.alias
  target_key_id = aws_kms_key.key.key_id
}

locals {
  # Legacy keys: the account root as principal, which is what lets identity-
  # based IAM policies in the account grant access to this key.
  iam_admins_legacy = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
  # tf12 keys: no account root — only two explicitly named principals get
  # kms:*. If both of these principals are ever deleted, the key can become
  # unmanageable (KMS cannot resolve the deleted ARNs), so keep the
  # break-glass user intact.
  iam_admins_tf12 = [
    "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin",          # MDRAdmin as a break glass
    "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" # Terraformer always gets full access
  ]
}

# Key policy. In a KMS key policy, resources = ["*"] means "this key".
# The mdr_terraformer role is appended to every statement's principal list.
data "aws_iam_policy_document" "kms_policy" {
  policy_id = "${var.name}-policy"

  # Full control. The sid is the one from AWS's default key policy; note
  # that in the tf12 (non-legacy) case the principal is NOT the account
  # root, so this statement does not enable account IAM policies despite
  # its name.
  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = var.is_legacy ? local.iam_admins_legacy : local.iam_admins_tf12
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  # Key administration (no Encrypt/Decrypt). "kms:Put*" covers
  # kms:PutKeyPolicy, so anyone in var.key_admin_arns can rewrite this policy
  # and thereby grant themselves any permission; "kms:Delete*" plus
  # kms:ScheduleKeyDeletion let them destroy the key. Treat key_admin_arns as
  # equivalent to full control.
  statement {
    sid    = "Allow access for Key Administrators"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = concat(var.key_admin_arns, ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer"])
    }
    actions = [
      "kms:Create*",
      "kms:Describe*",
      "kms:Enable*",
      "kms:List*",
      "kms:Put*",
      "kms:Update*",
      "kms:Revoke*",
      "kms:Disable*",
      "kms:Get*",
      "kms:Delete*",
      "kms:TagResource",
      "kms:UntagResource",
      "kms:ScheduleKeyDeletion",
      "kms:CancelKeyDeletion"
    ]
    resources = ["*"]
  }

  # Cryptographic use. The Auto Scaling service-linked role and the DLM
  # lifecycle role are hard-wired here so those services can decrypt
  # key-encrypted volumes/snapshots without each caller listing them.
  statement {
    sid    = "Allow use of the key"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = concat(
        var.key_user_arns,
        [
          "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
          "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
          "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/dlm-lifecycle-role"
        ]
      )
    }
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
    resources = ["*"]
  }

  # Grant management, restricted by the kms:GrantIsForAWSResource condition
  # so grants can only be created on behalf of an AWS service (e.g. EBS),
  # not handed to arbitrary principals.
  statement {
    sid    = "Allow attachment of persistent resources"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = concat(
        var.key_attacher_arns,
        [
          "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
          "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
          "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/dlm-lifecycle-role"
        ]
      )
    }
    actions = [
      "kms:CreateGrant",
      "kms:ListGrants",
      "kms:RevokeGrant"
    ]
    resources = ["*"]
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}