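#------------------------------------------------------------------------------------------
# mdr_engineer_readonly: the assumed day-to-day AWS console role for engineers.
#
# Two policies are attached:
#   * the AWS-managed job-function policy ViewOnlyAccess (control-plane
#     list/describe/get; it does not include data-plane reads such as
#     s3:GetObject, so "read only" here means "can see the estate", not
#     "can read every object in it"), and
#   * the module-supplied "mdr_readonly_assumerole" policy, which is what
#     lets the holder elevate to mdr_terraformer when a change is needed.
#
# Because of that second attachment this role is NOT JUST READ ONLY ACCESS:
# anyone who can assume it is one sts:AssumeRole away from write access.
# Assign it only to ENGINEERS who are expected to make changes as needed.
# The real gate is the trust policy (data.aws_iam_policy_document
# .non_saml_assume_role_policy, defined elsewhere) - when reviewing, confirm
# it restricts the allowed principals and whether it requires MFA.
#------------------------------------------------------------------------------------------

# The role itself. Block labels are quoted to match the sibling resources
# below and `terraform fmt` output (an unquoted resource type is a pre-0.12
# style that the formatter rewrites).
resource "aws_iam_role" "role-mdr_engineer_readonly" {
  name               = "mdr_engineer_readonly"
  path               = "/user/"
  assume_role_policy = data.aws_iam_policy_document.non_saml_assume_role_policy.json
}

# AWS-managed ViewOnlyAccess. The partition is taken from local.aws_partition
# so the ARN still resolves outside the commercial "aws" partition.
resource "aws_iam_role_policy_attachment" "mdr_engineer_readonly_ViewOnlyAccess" {
  role       = aws_iam_role.role-mdr_engineer_readonly.name
  policy_arn = "arn:${local.aws_partition}:iam::aws:policy/job-function/ViewOnlyAccess"
}

# Elevation path: grants sts:AssumeRole onto the privileged role(s) defined
# in the standard_iam_policies module. This attachment is why the role must
# be treated as privileged rather than read-only.
resource "aws_iam_role_policy_attachment" "mdr_engineer_readonly_assumerole" {
  role       = aws_iam_role.role-mdr_engineer_readonly.name
  policy_arn = module.standard_iam_policies.arns["mdr_readonly_assumerole"]
}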