# Contains roles used for gathering inventory across AWS accounts
# These roles are assumed into from the salt-master instance in order to
# gather data about the instances.
#
# This is a low risk policy that provides view only access to select
# services.

locals {
  # Trust these ARNs:
  #
  #   Commercial - Trust the user in C2
  #   GovCloud   - Trust the role in C2
  #
  #   Test       - Trust both prod and test C2 arns
  #   Prod       - Trust only the prod C2 arns
  #
  #   Note: No support for the legacy salt master is included. The
  #         new govcloud salt masters will be 100% repsonsible for
  #         the inventory.
  trusted_arns_map = {
    "test" = {
      "aws" = [
        "arn:aws:iam::045312110490:user/instance/salt-master", # mdr-prod-c2
        "arn:aws:iam::816914342178:user/instance/salt-master", # mdr-test-c2
      ],
      "aws-us-gov" = [
        "arn:aws-us-gov:iam::721817724804:role/salt-master-instance-role", # mdr-prod-c2-gov
        "arn:aws-us-gov:iam::738800754746:role/salt-master-instance-role", # mdr-test-c2-gov
      ]
    },
    "prod" = {
      "aws" = [
        "arn:aws:iam::045312110490:user/instance/salt-master", # mdr-prod-c2
      ],
      "aws-us-gov" = [
        "arn:aws-us-gov:iam::721817724804:role/salt-master-instance-role", # mdr-prod-c2-gov
      ]
    },
    "common" = {
      "aws" = [
        "arn:aws:iam::045312110490:user/instance/salt-master", # mdr-prod-c2
      ],
      "aws-us-gov" = [
        "arn:aws-us-gov:iam::721817724804:role/salt-master-instance-role", # mdr-prod-c2-gov
      ]
    }
  }
  trusted_arns = local.trusted_arns_map[var.environment][var.aws_partition]
}

resource "aws_iam_role" "salt_master_inventory_role" {
  depends_on            = [aws_iam_user.salt-master]
  name                  = "salt-master-inventory-role"
  path                  = "/service/"
  force_detach_policies = true # causes "DeleteConflict" if not present

  # the extra_trusted_salt variable allows the addition of additional
  # trusted sources, such as the dev salt master (for dev environments)
  # and developer users.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ${jsonencode(local.trusted_arns)}
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "salt_master_inventory_policy_attach" {
  role       = aws_iam_role.salt_master_inventory_role.name
  policy_arn = aws_iam_policy.salt_master_inventory_policy.arn
}

resource "aws_iam_policy" "salt_master_inventory_policy" {
  name        = "salt-master-inventory-policy"
  path        = "/service/"
  description = "Policy which allows the salt master to perform inventory."
  policy      = data.aws_iam_policy_document.salt_master_inventory_policy_doc.json
}

data "aws_iam_policy_document" "salt_master_inventory_policy_doc" {
  statement {
    sid     = "DescribeAllAssets"
    effect  = "Allow"
    actions = [
      "ec2:DescribeInstances",
      "ec2:DescribeRegions",
      "rds:DescribeDBInstances",
      "rds:ListTagsForResource"
    ]
    # tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
    resources = ["*"]
  }
}