# Instance profile and role for the "xdr-hf" prefix, created by the shared IAM
# submodule. The role is referenced below through module.instance_profile.role_id.
module "instance_profile" {
  source         = "../../../submodules/iam/base_instance_profile"
  prefix         = "xdr-hf"
  aws_partition  = var.aws_partition
  aws_account_id = var.aws_account_id
}

# Policy document for the instance role. Its single statement allows
# sts:AssumeRole on one fully qualified role ARN (no wildcards), built from the
# partition and account id variables.
# NOTE(review): this is only the caller's side of the grant. The trust policy of
# role/service/splunk-apps-s3 is defined elsewhere and decides which principals
# may assume it; confirm it names only the intended roles.
data "aws_iam_policy_document" "instance_policy_doc" {
  statement {
    sid       = "AllowAssumeRoleToSplunkApps"
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/service/splunk-apps-s3"]
  }
}

# Managed policy rendered from the document above.
resource "aws_iam_policy" "instance_policy" {
  name        = "hf_instance_policy"
  path        = "/launchroles/"
  description = "This policy allows hf-specific functions"
  policy      = data.aws_iam_policy_document.instance_policy_doc.json
}

# Attaches the managed policy to the role created by the instance_profile module.
# NOTE(review): `role` takes the role *name*; confirm the module's role_id output
# is the role name and not the IAM unique id.
resource "aws_iam_role_policy_attachment" "hf_instance_policy_attach" {
  role       = module.instance_profile.role_id
  policy_arn = aws_iam_policy.instance_policy.arn
}