#############################
# GitHub Enterprise instance profile
#
# Includes policies for GitHub Enterprise:
# * Same policies as the default instance profile
#   (the role and its baseline policies come from the base_instance_profile
#   submodule instantiated below)
# * One additional GitHub-specific managed policy (S3 for GH Actions + KMS),
#   attached to that same role at the bottom of this file

# Base role / instance profile. The submodule owns the role; this file only
# attaches one extra policy to it via module.instance_profile.role_id.
module "instance_profile" {
  source         = "../../submodules/iam/base_instance_profile"
  prefix         = "xdr-github"
  aws_partition  = var.aws_partition
  aws_account_id = var.aws_account_id
}

# GitHub Enterprise Specific Policy
# Customer-managed policy whose JSON is rendered from the policy document
# data source below.
resource "aws_iam_policy" "github_instance_policy" {
  name        = "github_instance_policy"
  path        = "/launchroles/"
  description = "This policy allows github-specific functions"
  policy      = data.aws_iam_policy_document.github_instance_policy_doc.json
}

data "aws_iam_policy_document" "github_instance_policy_doc" {
  # checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment

  # Allow using S3 for GH Actions
  # s3:ListAllMyBuckets is an account-level action that is only valid against
  # "*"; it exposes bucket names but grants no access to bucket contents.
  statement {
    sid    = "GeneralBucketAccess"
    effect = "Allow"
    actions = [
      "s3:ListAllMyBuckets",
    ]
    resources = ["*"]
  }

  # Object read/write/list, scoped to the single GitHub Actions bucket for this
  # environment: the bucket ARN covers ListBucket, the "/*" ARN covers the
  # object-level actions. Note that s3:DeleteObject is included, so the
  # instance role can remove artifacts as well as upload them.
  statement {
    sid    = "S3BucketAccess"
    effect = "Allow"
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:ListBucketMultipartUploads",
      "s3:ListMultipartUploadParts",
      "s3:AbortMultipartUpload",
      "s3:DeleteObject",
      "s3:ListBucket",
      # "s3:GetLifecycleConfiguration",
      # "s3:DeleteObjectVersion",
      # "s3:ListBucketVersions",
      # "s3:GetBucketLogging",
      # "s3:RestoreObject",
      # "s3:GetBucketVersioning",
      # "s3:PutLifecycleConfiguration",
      # "s3:GetBucketCORS",
      # "s3:GetBucketLocation",
      # "s3:GetObjectVersion",
    ]
    resources = [
      "arn:${var.aws_partition}:s3:::xdr-github-enterprise-${var.environment}-github-actions",
      "arn:${var.aws_partition}:s3:::xdr-github-enterprise-${var.environment}-github-actions/*",
    ]
  }

  # KMS usage rights: data-key generation / encrypt / decrypt / re-encrypt
  # (e.g. for SSE-KMS on the bucket above) plus Sign and Verify.
  # NOTE(review): resources = ["*"] lets this role use *any* KMS key whose key
  # policy trusts IAM principals in this account, not only the key(s) backing
  # the bucket above. If the key ARN(s) are known, scope `resources` to them, or
  # add a `condition` block on kms:ViaService / kms:EncryptionContext so the
  # grant is only usable through S3. kms:Sign in particular is an identity-
  # bearing capability and should be limited to the signing key(s) the GitHub
  # instance actually needs — confirm which keys are in use before tightening.
  statement {
    sid    = "KMSKeyAccess"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKeyWithoutPlaintext",
      "kms:Verify",
      "kms:GenerateDataKeyPairWithoutPlaintext",
      "kms:GenerateDataKeyPair",
      "kms:ReEncryptFrom",
      "kms:Encrypt",
      "kms:GenerateDataKey",
      "kms:ReEncryptTo",
      "kms:Sign",
    ]
    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
    resources = ["*"]
  }
}

# Attach the GitHub-specific policy to the role created by the base submodule.
resource "aws_iam_role_policy_attachment" "github_instance_policy_attach" {
  role       = module.instance_profile.role_id
  policy_arn = aws_iam_policy.github_instance_policy.arn
}