locals {
  account_arns = [
    for account in local.account_list :
    "arn:${var.aws_partition}:iam::${account}:root"
  ]
  terraformer_arns = [
    for account in local.account_list :
    "arn:${var.aws_partition}:iam::${account}:role/user/mdr_terraformer"
  ]

  user_arns = [
    "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/codebuild_packer_role"
  ]

  # All users are also attachers
  attacher_arns = distinct(flatten([
    local.terraformer_arns,
    local.user_arns
  ]))

  all_keys = concat([module.shared_ami_key.key_arn], var.vmimport_extra_keys)

  buckets = [
    for bucket in concat([aws_s3_bucket.xdr-shared-amis.arn], var.vmimport_extra_buckets) :
    bucket
  ]
  bucket_contents = [
    for bucket in concat([aws_s3_bucket.xdr-shared-amis.arn], var.vmimport_extra_buckets) :
    "${bucket}/*"
  ]
  bucket_resources = concat(local.buckets, local.bucket_contents)
}

output "other" {
  value = local.account_arns
}

module "shared_ami_key" {
  source = "../../submodules/kms/ami-key"

  name           = "shared_ami_key"
  alias          = "alias/shared_ami_key"
  description    = "Key for encrypting the AMIs to be shared with other accounts."
  tags           = merge(local.standard_tags, var.tags)
  key_admin_arns = []
  key_user_arns  = local.user_arns
  #key_attacher_arns = local.account_arns
  key_attacher_arns = local.attacher_arns
  #key_attacher_arns = [ ]
  standard_tags       = local.standard_tags
  aws_account_id      = var.aws_account_id
  aws_partition       = var.aws_partition
  remote_account_arns = local.account_arns
}

# tfsec:ignore:aws-s3-block-public-acls 
# tfsec:ignore:aws-s3-specify-public-access-block
# tfsec:ignore:aws-s3-block-public-policy 
# tfsec:ignore:aws-s3-ignore-public-acls
# tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
# tfsec:ignore:aws-s3-enable-versioning versioning Suspended for this bucket
resource "aws_s3_bucket" "xdr-shared-amis" {
  # checkov:skip=CKV2_AWS_6: see tfsec S3 block policy
  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
  # checkov:skip=CKV_AWS_21: Versioning TODO
  # checkov:skip=CKV_AWS_144: Cross-region replication TODO
  # checkov:skip=CKV_AWS_145: Risk is low for AES-256 encryption

  bucket = var.ami_bucket_name
  tags   = merge(local.standard_tags, var.tags)
}

resource "aws_s3_bucket_acl" "s3_acl_xdr-shared-amis" {
  bucket = aws_s3_bucket.xdr-shared-amis.id
  acl    = "private"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_xdr-shared-amis" {
  bucket = aws_s3_bucket.xdr-shared-amis.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = module.shared_ami_key.key_arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_iam_role" "vmimport" {
  name               = "vmimport"
  description        = "Required role for importing AMIs from S3"
  assume_role_policy = <<EOF
{
   "Version": "2012-10-17",
   "Statement": [
    {
     "Effect": "Allow",
     "Principal": { "Service": "vmie.amazonaws.com" },
     "Action": "sts:AssumeRole",
     "Condition": {
      "StringEquals":{
         "sts:Externalid": "vmimport"
      }
     }
    }
   ]
}
EOF
}

resource "aws_iam_role_policy" "vmimport" {
  name   = "vmimport"
  role   = aws_iam_role.vmimport.id
  # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
  policy = <<EOF
{
  "Version":"2012-10-17",
  "Statement": [
    {
     "Sid": "AllowAccesstoImportsBucket", 
     "Effect": "Allow",
     "Action": [
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:GetBucketAcl",
      "s3:ListBucket", 
      "s3:PutObject"
     ],
     "Resource": ${jsonencode(local.bucket_resources)}
    },
    {
      "Sid": "AllowAccesstodoImportExportActions",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAccesstotheKMSkey",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": ${jsonencode(local.all_keys)}
    }
  ]
}
EOF
}

//AWS Provider outdated arguments <4.4.0
/*resource "aws_s3_bucket" "xdr-shared-amis" {
  bucket = var.ami_bucket_name
  acl  = "private"
  tags = merge(local.standard_tags, var.tags)

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = module.shared_ami_key.key_arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
*/