# Instance profile for the Phantom hosts, built from the shared
# base_instance_profile submodule. The only Phantom-specific input is the
# prefix; partition and account id are passed through from the root module
# so the submodule can build partition-correct ARNs (presumably — the
# submodule's internals are not visible here).
module "instance_profile" {
  source = "../../submodules/iam/base_instance_profile"

  prefix         = "xdr-phantom"
  aws_account_id = var.aws_account_id
  aws_partition  = var.aws_partition
}

# Phantom Specific Policy
#
# Everything below is currently disabled (commented out), so no Phantom
# specific permissions are attached to the role today. Two things to revisit
# if it is re-enabled:
#   - The KMSKeyAccess statement grants Decrypt/Encrypt/Sign/GenerateDataKey*
#     on `resources = [ "*" ]`, i.e. on every key the role can reach rather
#     than on a specific key ARN. Scope it to the key(s) that actually
#     protect these buckets before attaching it.
#   - The bucket ARNs are built from `var.prefix` (the root module's own
#     input), not from the `prefix = "xdr-phantom"` passed above; confirm the
#     two do not combine into a doubled `xdr-xdr-` name.
#resource "aws_iam_policy" "phantom_instance_policy" {
#  name        = "phantom_instance_policy"
#  path        = "/launchroles/"
#  description = "This policy allows phantom-specific functions"
#  policy      = data.aws_iam_policy_document.phantom_instance_policy_doc.json
#}
#
#data "aws_iam_policy_document" "phantom_instance_policy_doc" {
#  # Allow copying to S3 for frozen
#  # Allow use of S3 for SmartStore
#  statement {
#    sid    = "GeneralBucketAccess"
#    effect = "Allow"
#    actions = [
#      "s3:ListAllMyBuckets",
#    ]
#    resources = [ "*" ]
#  }
#
#  statement {
#    sid    = "S3BucketAccess"
#    effect = "Allow"
#    actions = [
#      "s3:GetLifecycleConfiguration",
#      "s3:DeleteObjectVersion",
#      "s3:ListBucketVersions",
#      "s3:GetBucketLogging",
#      "s3:RestoreObject",
#      "s3:ListBucket",
#      "s3:GetBucketVersioning",
#      "s3:PutObject",
#      "s3:GetObject",
#      "s3:PutLifecycleConfiguration",
#      "s3:GetBucketCORS",
#      "s3:DeleteObject",
#      "s3:GetBucketLocation",
#      "s3:GetObjectVersion",
#    ]
#    resources = [
#      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen",
#      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen/*",
#      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore",
#      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore/*",
#    ]
#  }
#
#  statement {
#    sid    = "S3ReadOnlyBucketAccess"
#    effect = "Allow"
#    actions = [
#      "s3:ListBucketVersions",
#      "s3:ListBucket",
#      "s3:GetBucketVersioning",
#      "s3:GetObject",
#      "s3:GetBucketCORS",
#      "s3:GetBucketLocation",
#      "s3:GetObjectVersion",
#    ]
#    resources = [
#      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-apps",
#      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-apps/*",
#    ]
#  }
#
#  # NOTE(review): resource "*" below — narrow to the specific key ARN(s) if revived.
#  statement {
#    sid    = "KMSKeyAccess"
#    effect = "Allow"
#    actions = [
#      "kms:Decrypt",
#      "kms:GenerateDataKeyWithoutPlaintext",
#      "kms:Verify",
#      "kms:GenerateDataKeyPairWithoutPlaintext",
#      "kms:GenerateDataKeyPair",
#      "kms:ReEncryptFrom",
#      "kms:Encrypt",
#      "kms:GenerateDataKey",
#      "kms:ReEncryptTo",
#      "kms:Sign",
#    ]
#    resources = [ "*" ]
#  }
#}
#
#resource "aws_iam_role_policy_attachment" "phantom_instance_policy_attach" {
#  role       = module.instance_profile.role_id
#  policy_arn = aws_iam_policy.phantom_instance_policy.arn
#}