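# CodeBuild artifacts must, by rule, be encrypted with a customer-managed KMS key:
# the default aws/s3 key doesn't work with cross-account access.
resource "aws_kms_key" "s3_codebuild" {
  description         = "Codebuild ${var.name}"
  # Automatic rotation of the key material is switched on.
  enable_key_rotation = true
  # The key policy is built from the data source below, so every principal that
  # may administer or use the key is declared in this file.
  policy              = data.aws_iam_policy_document.codebuild_kms_key_encryption_policy.json
}

# Alias so consumers can refer to the key by name instead of by key id.
# The resource label "codebuilt-artifacts" is intentionally left unchanged: renaming
# it would force a replacement and break any existing references to this address.
resource "aws_kms_alias" "codebuilt-artifacts" {
  name          = "alias/codebuild-${var.name}"
  target_key_id = aws_kms_key.s3_codebuild.key_id
}

# Key policy for the CodeBuild artifact key.
#
# Statements, in order:
#   1. full control for the Terraform role and the admin user
#   2. administrative (non-data-plane) actions for the Terraform role
#   3. data-plane use for the default instance role
#   4. data-plane use for any principal in this account, but only via S3 in this region
#   5. data-plane use for the CodeBuild service role
#   6. grant management for the default instance role, limited to AWS-resource grants
data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
  #policy_id = "key-consolepolicy-3"

  # NOTE(review): this statement names specific principals rather than the account
  # root ("arn:...:root"), so IAM identity policies in the account cannot grant access
  # to this key on their own; only principals listed in this policy get access.
  # Confirm that is intended, and that at least one of these principals always exists.
  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
      ]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  # Key administration only: no Encrypt/Decrypt/GenerateDataKey in this list.
  statement {
    sid    = "Allow access for Key Administrators"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
      ]
    }
    actions = [
      "kms:Create*",
      "kms:Describe*",
      "kms:Enable*",
      "kms:List*",
      "kms:Put*",
      "kms:Update*",
      "kms:Revoke*",
      "kms:Disable*",
      "kms:Get*",
      "kms:Delete*",
      "kms:TagResource",
      "kms:UntagResource",
      "kms:ScheduleKeyDeletion",
      "kms:CancelKeyDeletion"
    ]
    resources = ["*"]
  }

  # Data-plane use of the key for the default instance role.
  statement {
    sid    = "Allow use of the key"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/msoc-default-instance-role"
      ]
    }
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
    resources = ["*"]
  }

  # Wildcard principal: the two conditions below are what keep this statement scoped.
  # Without them every AWS principal could use the key through S3.
  statement {
    sid    = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
    resources = ["*"]
    # Fixed: the condition keys were written as "kms.ViaService" / "kms.CallerAccount".
    # The real IAM condition keys use a colon ("kms:ViaService", "kms:CallerAccount");
    # the dotted spelling is not a recognised key, so the restriction on this wildcard
    # principal did not evaluate as intended.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.${var.aws_region}.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values   = [var.aws_account_id]
    }
  }

  # Data-plane use for the CodeBuild service role (declared elsewhere in the module).
  statement {
    sid    = "Allow access from the codebuild role"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        aws_iam_role.codebuild_service_role.arn,
      ]
    }
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
    resources = ["*"]
  }

  # Grant management for the default instance role, restricted to grants created
  # on behalf of AWS resources (kms:GrantIsForAWSResource).
  statement {
    sid    = "Allow attachment of persistent resources"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/msoc-default-instance-role"
      ]
    }
    actions = [
      "kms:CreateGrant",
      "kms:ListGrants",
      "kms:RevokeGrant"
    ]
    resources = ["*"]
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}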