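# Trust policy for the service role: only the principals listed in
# var.role_assumers may call sts:AssumeRole on it. No condition keys are
# attached, so every listed principal is trusted unconditionally.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    sid     = "AllowRoles"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = var.role_assumers
    }
  }
}

# Service role that carries the bucket-access policy attached below.
resource "aws_iam_role" "role" {
  name = local.fullname
  path = "/service/"

  # Without this, destroying the role fails with "DeleteConflict" while
  # the managed policy is still attached.
  force_detach_policies = true

  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
  tags               = merge(local.standard_tags, var.tags)
}

# Appears the role can automatically create presigned URLs
#resource "aws_iam_role_policy_attachment" "policy_attach_presigned_url" {
#  count = var.allow_presigned ? 1 : 0
#
#  role       = aws_iam_role.role.name
#  policy_arn = aws_iam_policy.policy_presigned_url.arn
#}
#
#resource "aws_iam_policy" "policy_presigned_url" {
#  count = var.allow_presigned ? 1 : 0
#
#  name_prefix = var.name
#  path        = "/service/"
#  description = "Policy to allow signing of URLs for the ${local.fullname} bucket"
#  policy      = data.aws_iam_policy_document.policy_doc_presigned_url.json
#}
#
#data "aws_iam_policy_document" "policy_doc_presigned_url" {
#  count = var.allow_presigned ? 1 : 0
#
#  statement {
#    sid    = "TODO"
#    effect = "Allow"
#    actions = [
#      "s3:ListAllMyBuckets",
#    ]
#    resources = ["*"]
#  }
#}

# Binds the bucket-access policy to the service role.
resource "aws_iam_role_policy_attachment" "policy_attach" {
  role       = aws_iam_role.role.name
  policy_arn = aws_iam_policy.policy.arn
}

# Customer-managed policy rendered from policy_doc below. name_prefix (rather
# than a fixed name) lets AWS suffix the name, so several instances of this
# module can coexist in one account.
resource "aws_iam_policy" "policy" {
  name_prefix = var.name
  path        = "/service/"
  description = "Policy to allow use of the ${local.fullname} bucket"
  policy      = data.aws_iam_policy_document.policy_doc.json
}

# Permissions granted to the role, one statement per scope:
#   - GeneralBucketAccess: s3:ListAllMyBuckets is not resource-scoped by IAM,
#     so it has to be granted on "*"; it only exposes bucket names.
#   - S3BucketAccess: read/write on this module's bucket and its objects.
#   - KMSKeyAccess: use of the bucket's KMS key.
# A former read-only statement was dropped because every action in it was
# already granted on the same resources by S3BucketAccess, so the effective
# permissions are unchanged and the document is easier to audit.
data "aws_iam_policy_document" "policy_doc" {
  statement {
    sid       = "GeneralBucketAccess"
    effect    = "Allow"
    actions   = ["s3:ListAllMyBuckets"]
    resources = ["*"]
  }

  statement {
    sid    = "S3BucketAccess"
    effect = "Allow"
    actions = [
      "s3:GetLifecycleConfiguration",
      "s3:DeleteObjectVersion",
      "s3:ListBucketVersions",
      "s3:GetBucketLogging",
      "s3:RestoreObject",
      "s3:ListBucket",
      "s3:GetBucketVersioning",
      "s3:PutObject",
      "s3:GetObject",
      "s3:PutLifecycleConfiguration",
      "s3:GetBucketCORS",
      "s3:DeleteObject",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
    ]
    # tfsec:ignore:aws-iam-no-policy-wildcards the only wildcard is the object-key suffix, scoped to this bucket
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]
  }

  statement {
    sid    = "KMSKeyAccess"
    effect = "Allow"
    # NOTE(review): kms:Sign / kms:Verify only work on asymmetric keys and the
    # kms:GenerateDataKeyPair* actions are not used by S3 server-side
    # encryption; confirm a caller actually needs them before keeping them,
    # since they widen what this role can do with the key.
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKeyWithoutPlaintext",
      "kms:Verify",
      "kms:GenerateDataKeyPairWithoutPlaintext",
      "kms:GenerateDataKeyPair",
      "kms:ReEncryptFrom",
      "kms:Encrypt",
      "kms:GenerateDataKey",
      "kms:ReEncryptTo",
      "kms:Sign",
    ]
    resources = [aws_kms_key.bucketkey.arn]
  }
}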