# IAM role module: builds a role with an optional instance profile and a set
# of customer-managed policies attached to it.
#
# Inputs used here (declared elsewhere in the module):
#   var.trusted-entity          - either a service principal ending in ".com"
#                                 (e.g. "ec2.amazonaws.com") or a complete
#                                 trust-policy JSON document passed through as-is
#   var.role-name               - role name; the instance profile is named
#                                 "<role-name>-profile"
#   var.description             - role description
#   var.path                    - IAM path applied to the role and the profile
#   var.create-instance-profile - bool; when true an instance profile is created
#   var.policies                - map keyed by policy name; each value has
#                                 .description and .policy (policy document)
#
# Assume role policy can be provided as-is, or built using the trusted-entity
# variable. The ONLY discriminator is the ".com" suffix: a value ending in
# ".com" is wrapped into a service-principal trust policy, anything else is
# handed to assume_role_policy verbatim. Consequences worth knowing:
#   * A raw JSON trust policy is NOT validated by this module (nothing rejects
#     "Principal": "*" or a cross-account principal without an
#     sts:ExternalId / aws:SourceAccount condition) - the caller owns that review.
#   * The generated service-principal statement carries no Condition block.
#     NOTE(review): for services that act on behalf of resources in other
#     accounts, an aws:SourceAccount / aws:SourceArn condition is the usual
#     confused-deputy guard; confirm whether callers need it here.
#   * NOTE(review): a service principal that does not end in ".com" (e.g. a
#     partition-specific suffix) would fall into the raw-JSON branch and fail at
#     plan time - confirm that case is out of scope.
#   * endswith() is a newer Terraform built-in; the module's required_version
#     (not visible here) should be pinned accordingly.
locals {
  assume-role-policy = endswith(var.trusted-entity, ".com") ? jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "Service" : [
              var.trusted-entity
            ]
          },
          "Action" : "sts:AssumeRole"
        }
      ]
    }
  ) : var.trusted-entity
}

# Optional instance profile wrapping the role (count 0/1 driven by the flag).
# Shares var.path with the role; the name is derived from the role name.
resource "aws_iam_instance_profile" "ip" {
  count = var.create-instance-profile ? 1 : 0
  name  = "${var.role-name}-profile"
  role  = aws_iam_role.r.name
  path  = var.path
}

# The role itself. Trust policy comes from the local above.
# force_detach_policies = true means that on destroy Terraform detaches every
# managed policy attached to this role - including any attached outside this
# module - rather than failing the destroy.
resource "aws_iam_role" "r" {
  name                  = var.role-name
  description           = var.description
  assume_role_policy    = local.assume-role-policy
  force_detach_policies = true
  path                  = var.path
}

# One customer-managed policy per entry of var.policies: the map key is the
# policy name, the value supplies description and the policy document.
# The document is passed through unvalidated by this module.
# NOTE(review): no path is set here, so these policies land on the default
# path even when var.path is non-default for the role/profile - confirm that
# is intentional (adding it later would force policy replacement).
resource "aws_iam_policy" "p" {
  for_each = var.policies

  description = each.value.description
  name        = each.key
  policy      = each.value.policy
}

# Attach each policy created above to the role. Iterating over the policy
# resource (not var.policies) keeps the attachment keys identical to the
# policy keys and ensures the policy exists before the attachment is created.
resource "aws_iam_role_policy_attachment" "pa" {
  for_each = aws_iam_policy.p

  role       = aws_iam_role.r.name
  policy_arn = each.value.arn
}