#------------------------------------------------------------------------------------------
# mdr_developer_readonly: the read-only role every developer is expected to use
# day-to-day in the AWS console. Write access is obtained by elevating to
# mdr_terraformer, not by widening this role.
#
# In the common services accounts the permissions attached here are identical
# to mdr_engineer_readonly; the two roles differ only in their cross-domain
# trusts, so that a "developer" identity cannot assume-role into production
# accounts. That restriction is enforced by the trust policies of the target
# accounts, which are not in this file — confirm it there when reviewing access.
#------------------------------------------------------------------------------------------

# SAML-federated role. The trust policy comes from the shared Okta assume-role
# policy document and the role is associated with the Okta AWS app
# (presumably so it is offered at SAML sign-in — see ./modules/saml_linked_role).
module "role-mdr_developer_readonly" {
  source = "./modules/saml_linked_role"

  name                  = "mdr_developer_readonly"
  path                  = "/user/"
  account_friendly_name = aws_iam_account_alias.alias.account_alias
  assume_role_policy    = data.aws_iam_policy_document.okta_saml_assume_role_policy.json
  okta_app_id           = data.okta_app.awsapp.id
}

# Baseline permissions: the AWS-managed job-function ViewOnlyAccess policy.
# NOTE: the resource label keeps the historical misspelling "devloper" on
# purpose — renaming a Terraform resource address without a `moved` block or a
# state move would destroy and recreate the attachment.
resource "aws_iam_role_policy_attachment" "mdr_devloper_readonly_ViewOnlyAccess" {
  role       = module.role-mdr_developer_readonly.name
  policy_arn = "arn:${local.aws_partition}:iam::aws:policy/job-function/ViewOnlyAccess"
}

# Cross-account access: the shared "mdr_readonly_assumerole" policy from
# standard_iam_policies. Its statements are defined in that module, not here;
# check there for which target roles it permits this role to assume.
resource "aws_iam_role_policy_attachment" "mdr_developer_readonly_assumerole" {
  role       = module.role-mdr_developer_readonly.name
  policy_arn = module.standard_iam_policies.arns["mdr_readonly_assumerole"]
}