#------------------------------------------------------------------------------------------
# Read-only engineer: the everyday working role in the AWS console. When a
# change is required the engineer elevates to mdr_terraformer from here.
#
# This is NOT purely read-only access. The policy below grants PassRole and
# AssumeRole, so it must only be assigned to ENGINEERS who are expected to
# make changes when needed.
#------------------------------------------------------------------------------------------

# Identity policy attached to the read-only engineer role. It grants two things:
#   1. iam:PassRole for roles living under a fixed set of role paths
#      (instance/, lambda/, aws_services/, fargate/) in THIS account.
#   2. sts:AssumeRole into the named user roles in ANY account (account id
#      is "*"). The trust policy on each target role is therefore the only
#      gate deciding which accounts this actually reaches; keep those
#      trust policies tight.
data "aws_iam_policy_document" "mdr_engineer_readonly_assumerole" {

  # PassRole is limited by role path prefix, so a role created outside these
  # four paths cannot be handed to a service by this principal.
  statement {
    sid    = "AllowPassRoleForSpecificRoleTypes"
    effect = "Allow"

    actions = ["iam:PassRole"]

    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    resources = [
      for role_path in ["instance", "lambda", "aws_services", "fargate"] :
      "arn:${local.aws_partition}:iam::${local.aws_account}:role/${role_path}/*"
    ]
  }

  # The same policy is deployed to every account, hence the "*" account id:
  # the engineer can hop to the equivalent role wherever it is trusted.
  statement {
    sid    = "AssumeThisRoleInOtherAccounts"
    effect = "Allow"

    actions = ["sts:AssumeRole"]

    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    resources = [
      # Peer read-only roles in other accounts.
      "arn:${local.aws_partition}:iam::*:role/user/mdr_engineer_readonly",
      "arn:${local.aws_partition}:iam::*:role/user/mdr_developer_readonly",

      # Elevation path: lets a read-only engineer step up to terraformer
      # when a change has to be made.
      "arn:${local.aws_partition}:iam::*:role/user/mdr_terraformer",

      # Legacy roles (no "/user/" path) that exist in the older accounts.
      # Included so AssumeRole into everything is reachable from one place.
      "arn:${local.aws_partition}:iam::*:role/mdr_powerusers",
      "arn:${local.aws_partition}:iam::*:role/mdr_iam_admins",
    ]
  }
}

# Managed policy built from the document above; attached to the read-only
# engineer role elsewhere.
resource "aws_iam_policy" "mdr_engineer_readonly_assumerole" {
  name   = "mdr_engineer_readonly_assumerole"
  path   = "/user/"
  policy = data.aws_iam_policy_document.mdr_engineer_readonly_assumerole.json
}