resource "aws_iam_role" "phantom_s3_role" {
  name = "phantom_s3"
  path  = "/service/"
  force_detach_policies = true # causes "DeleteConflict" if not present

  # the extra_trusted_salt variable allows the addition of additional
  # trusted sources, such as the dev salt master (for dev environments)
  # and developer users.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:role/instance/xdr-phantom-instance-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

  tags = merge(var.standard_tags, var.tags)
}

resource "aws_iam_role_policy_attachment" "phantom_s3_policy_attach" {
  role = aws_iam_role.phantom_s3_role.name
  policy_arn = aws_iam_policy.phantom_s3_policy.arn
}

resource "aws_iam_policy" "phantom_s3_policy" {
  name  = "phantom_s3_policy"
  path  = "/service/"
  description = "Policy which allows phantom to read/write to the S3 bucket"
  policy = data.aws_iam_policy_document.phantom_s3_policy_doc.json
}

data "aws_iam_policy_document" "phantom_s3_policy_doc" {
  statement {
    sid = "GeneralBucketAccess"
    effect = "Allow"
    actions = [
      "s3:ListAllMyBuckets",
      "s3:HeadBucket",
    ]
    resources = [ "*" ]
  }

  statement {
    sid = "S3BucketAccess"
    effect = "Allow"
    actions = [
      "s3:GetLifecycleConfiguration",
      "s3:DeleteObjectVersion",
      "s3:ListBucketVersions",
      "s3:GetBucketLogging",
      "s3:RestoreObject",
      "s3:ListBuckets",
      "s3:ListObjects",
      "s3:ListObjectsV2",
      "s3:GetBucketVersioning",
      "s3:PutObject",
      "s3:GetObject",
      "s3:PutLifecycleConfiguration",
      "s3:GetBucketCORS",
      "s3:DeleteObject",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
    ]
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]
  }

  statement {
    sid = "S3ReadOnlyBucketAccess"
    effect = "Allow"
    actions = [
      "s3:ListBucketVersions",
      "s3:ListBuckets",
      "s3:GetBucketVersioning",
      "s3:GetObject",
      "s3:GetBucketCORS",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
    ]
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]
  }

  statement {
    sid = "KMSKeyAccess"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKeyWithoutPlaintext",
      "kms:Verify",
      "kms:GenerateDataKeyPairWithoutPlaintext",
      "kms:GenerateDataKeyPair",
      "kms:ReEncryptFrom",
      "kms:Encrypt",
      "kms:GenerateDataKey",
      "kms:ReEncryptTo",
      "kms:Sign",
    ]
    resources = [ aws_kms_key.bucketkey.arn ]
  }  
}