# VMRay gets access to read/write to its backup bucket and use its s3 key
#
# Everything in this file hangs off one IAM role: the policies below are attached
# to module.instance_profile.role_id only, so the blast radius of these grants is
# the VMRay instance role, not the account. The bucket (aws_s3_bucket.storage) and
# the key (aws_kms_key.s3) are declared elsewhere in this module.
module "instance_profile" {
  source         = "../../submodules/iam/base_instance_profile"
  prefix         = "xdr-vmray"
  aws_partition  = var.aws_partition
  aws_account_id = var.aws_account_id
}

// S3 is used for backups
//
// Read/write on the backup bucket only. No s3:DeleteObject / s3:DeleteObjectVersion
// is granted here, so the role can add and read backups but not remove them --
// presumably deliberate for a backup target; confirm with the backup workflow.
data "aws_iam_policy_document" "policy_auth_s3" {
  # Bucket-level actions must target the bucket ARN itself (not "/*").
  # sid is left empty here but set in policy_kms below; a descriptive Sid would
  # make the rendered JSON easier to audit.
  statement {
    sid       = ""
    effect    = "Allow"
    resources = [aws_s3_bucket.storage.arn]
    actions = [
      "s3:ListBucket",
      "s3:ListBucketVersions",
    ]
  }
  # Object-level actions. The wildcard tfsec flags is the "/*" object-key path
  # under this one bucket -- the grant is still bound to the single role above.
  # tfsec:ignore:aws-iam-no-policy-wildcards object-key wildcard scoped to the backup bucket
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["${aws_s3_bucket.storage.arn}/*"]
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion",
    ]
  }
}

resource "aws_iam_policy" "auth_s3" {
  name   = "xdr-vmray-auth-s3"
  policy = data.aws_iam_policy_document.policy_auth_s3.json
}

# Attach the S3 policy to the role created by the instance profile module.
resource "aws_iam_role_policy_attachment" "attach_auth_s3" {
  role       = module.instance_profile.role_id
  policy_arn = aws_iam_policy.auth_s3.arn
}

// Allow use of the key
//
// Resource is pinned to a single key ARN (aws_kms_key.s3); the wildcards tfsec
// flags are the action patterns kms:ReEncrypt* and kms:GenerateDataKey*, which
// are what an S3 client needs to write/read objects encrypted with that key.
// This policy does not grant key administration (no kms:Create*/Put*/Schedule*).
# tfsec:ignore:aws-iam-no-policy-wildcards action wildcards on a single, named key
data "aws_iam_policy_document" "policy_kms" {
  statement {
    sid       = "AllowKMSUse"
    effect    = "Allow"
    resources = [aws_kms_key.s3.arn]
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
  }
}

resource "aws_iam_policy" "auth_kms" {
  name   = "xdr-vmray-kms"
  policy = data.aws_iam_policy_document.policy_kms.json
}

# Attach the KMS policy to the same instance-profile role.
resource "aws_iam_role_policy_attachment" "attach_kms" {
  role       = module.instance_profile.role_id
  policy_arn = aws_iam_policy.auth_kms.arn
}