data "aws_iam_policy_document" "policy_document" {
  statement {
    effect = "Allow"
    actions = [
      "ec2:CreateNetworkInterface",
      "logs:CreateLogStream",
      "ec2:DescribeNetworkInterfaces",
      "logs:DescribeLogStreams",
      "ec2:DeleteNetworkInterface",
      "logs:PutRetentionPolicy",
      "logs:CreateLogGroup",
      "logs:PutLogEvents",
    ]
    resources = ["*"]
  }
  statement {
    effect = "Allow"
    actions = [ "s3:*", ]
    resources = [ 
    "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket.arn}",
    "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket.arn}/*",
    ]
  }
}

resource "aws_iam_policy" "policy" {
  name        = "threatq_data_sync_lambda"
  path        = "/"
  policy      = data.aws_iam_policy_document.policy_document.json
  description = "IAM policy for threatq_data_sync_lambda"
}

resource "aws_iam_role" "role" {
  name     = "threatq-data-sync-lambda-role"
  assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
    { 
    "Sid": "",
    "Effect": "Allow",
    "Principal": {
        "Service": [
        "lambda.amazonaws.com"
        ]
    },
    "Action": "sts:AssumeRole"
    }
]
}
EOF
}

resource "aws_iam_role_policy_attachment" "policy_attachment" {
  role       = aws_iam_role.role.name
  policy_arn = aws_iam_policy.policy.arn
}