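#
# Create an IAM user (and group) to use with GitHub Actions
#
# NOTE(review): these are long-lived static credentials. If the workflows
# can use OIDC federation instead (GitHub's OIDC provider plus a role to
# assume), no secret key has to be stored in GitHub or in Terraform state
# at all; keep that in mind before extending this file.

######################
# Access keys
#
# For rotation purposes, there are two of these. Rotation procedure:
#   1. add a new key resource with a higher version number,
#   2. point "current" in the output at it and "previous" at the old one,
#   3. update the GitHub secret from the new output and confirm the rollout,
#   4. delete the oldest key resource.
# Setting `status = "Inactive"` on the outgoing key before deleting the
# resource gives a rollback path if the new key was not rolled out everywhere.
#
# Possible future improvement:
# We could specify a pgp_key attribute, and then the secret will be encrypted
# in both the state file and in the output. If we used the salt PGP key,
# no user would ever have to see the secret key.
#
# Until then the plaintext secret lives in the Terraform state: the state
# backend must be encrypted and access to it restricted accordingly.
resource "aws_iam_access_key" "github-actions-v1" {
  user = aws_iam_user.github-actions.name
}

resource "aws_iam_access_key" "github-actions-v2" {
  user = aws_iam_user.github-actions.name
}

# "current" is the key configured in GitHub; "previous" is kept only until the
# rollout of "current" is confirmed. `sensitive = true` redacts the value from
# plan/apply output, but `terraform output -json` still prints it in clear.
output "access_keys" {
  value = {
    "current" = {
      "aws_access_key_id" : aws_iam_access_key.github-actions-v2.id
      "aws_secret_access_key" : aws_iam_access_key.github-actions-v2.secret
    },
    "previous" = {
      "aws_access_key_id" : aws_iam_access_key.github-actions-v1.id
      "aws_secret_access_key" : aws_iam_access_key.github-actions-v1.secret
    }
  }
  sensitive = true
}

######################
# The policy is attached to the github-actions group (below). It may also be
# attached to an instance profile elsewhere in the module; that attachment is
# not part of this section.
#
# Each statement is scoped to the resource type its actions apply to, so the
# policy reads as least-privilege instead of a single cross-product of S3 and
# KMS actions over both ARNs. The effective permissions are unchanged: the
# S3 actions only ever applied to the bucket/objects and the KMS actions only
# to the key.
data "aws_iam_policy_document" "github-actions" {
  # Object and bucket operations, restricted to the GH Actions bucket.
  statement {
    sid = "S3BucketAccess"
    actions = [
      "s3:AbortMultipartUpload",
      "s3:DeleteObject",
      "s3:GetObject",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:ListMultipartUploadParts",
      "s3:PutObject"
    ]
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*"
    ]
  }

  # Decrypt for reads and GenerateDataKey for writes of SSE-KMS objects,
  # restricted to the bucket's key.
  statement {
    sid = "KMSBucketKey"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKey"
    ]
    resources = [
      aws_kms_key.bucketkey.arn
    ]
  }
}

resource "aws_iam_policy" "github-actions" {
  name        = "github-actions"
  path        = "/"
  description = "Policy to allow the github-actions to use the GH Actions S3 bucket and KMS"
  policy      = data.aws_iam_policy_document.github-actions.json
}

######################
# the user
#
# Note: CIS requires that policies _NOT_ be directly attached to a user. Users must
# be members of groups, and those groups can have policies.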
# The user carries no policy of its own: every permission it has comes from
# membership of the group below, which is what the CIS guidance referenced
# above asks for.
resource "aws_iam_user" "github-actions" {
  name = "github-actions"
  path = "/instance/"
  tags = merge(local.standard_tags, var.tags)
}

# This is a service account driven from GitHub Actions, so MFA cannot be
# enforced on it; the tfsec MFA-enforcement finding is suppressed for that reason.
# tfsec:ignore:aws-iam-enforce-mfa
resource "aws_iam_group" "github-actions" {
  name = "github-actions"
  path = "/instance/"
}

# Grant the bucket/KMS policy to the group ...
resource "aws_iam_group_policy_attachment" "github-actions-group" {
  group      = aws_iam_group.github-actions.name
  policy_arn = aws_iam_policy.github-actions.arn
}

# ... and make the user a member of that group.
resource "aws_iam_user_group_membership" "github-actions" {
  user   = aws_iam_user.github-actions.name
  groups = [aws_iam_group.github-actions.name]
}