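# IAM identities for this root module: two groups, two users and a read-only
# role. Module source paths are relative to this directory; the modules' input
# names (iam-group-name, managed-policy-arns, ...) are their public contract
# and are kept exactly as the modules define them.

# Group carrying only the AWS-managed ViewOnlyAccess job-function policy.
# The empty inline-policy inputs presumably tell the module to skip creating an
# inline policy — confirm against the iam-group module's variables.
module "iam-group" {
  source                = "../modules/security_identity_compliance/iam-group"
  iam-group-name        = "ViewOnlyUsers001"
  iam-group-policy      = ""
  iam-group-policy-name = ""
  managed-policy-arns   = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
}

# Group that layers the S3 admin inline policy (data.aws_iam_policy_document.user-policy,
# s3:* on all resources) on top of ViewOnlyAccess. No user in this file is added to
# this group; PeterInGroup receives the same inline policy directly instead.
module "iam-group2" {
  source                = "../modules/security_identity_compliance/iam-group"
  iam-group-name        = "ViewOnlyAndS3Admin001"
  iam-group-policy      = data.aws_iam_policy_document.user-policy.json
  iam-group-policy-name = "S3AdminPermissions"
  managed-policy-arns   = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
}

# User with ViewOnlyAccess only, not in any group. Both a console password and
# an access key are created, i.e. two sets of long-lived credentials; nothing in
# this file enforces MFA or rotation for them, so that has to come from elsewhere.
module "iam-user1" {
  source              = "../modules/security_identity_compliance/iam-user"
  iam-user-name       = "JohnNotInGroup"
  create-access-key   = true
  create-password     = true
  managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
}

# User carrying the S3 admin inline policy directly, with no long-lived
# credentials (no access key, no console password). Added to the view-only
# group, which adds nothing beyond the managed policy already attached here.
module "iam-user2" {
  source               = "../modules/security_identity_compliance/iam-user"
  iam-user-name        = "PeterInGroup"
  iam-user-policy      = data.aws_iam_policy_document.user-policy.json
  iam-user-policy-name = "S3AdminPermissions"
  create-access-key    = false
  create-password      = false
  managed-policy-arns  = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
  add-to-groups        = [module.iam-group.iam-group-name]
}

# Read-only role assumable by EC2 (ReadOnlyAccess is attached separately below).
# The inline DenyKMSDecrypt policy denies kms:Decrypt unless the encryption
# context identifies a CloudTrail trail or a CloudWatch Logs log group, so the
# role can read those logs but not other KMS-encrypted data.
# NOTE: in the original listing the description was a quoted string broken across
# a raw newline, which HCL quoted strings do not allow; it is joined onto one line
# here. Use a heredoc if a multi-line description is actually wanted.
module "IamReadOnlyRole" {
  source         = "../modules/security_identity_compliance/iam-role-v2"
  role-name      = "MyReadonlyRole"
  trusted-entity = "ec2.amazonaws.com"
  description    = "IAM role with read only access. Data decryption is denied"
  path           = "/Management/"
  policies = {
    DenyDataAccess = {
      description = "Block data access by denying kms decryption"
      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Sid      = "DenyKMSDecrypt"
            Effect   = "Deny"
            Action   = "kms:Decrypt"
            Resource = "*"
            # Both keys sit in one StringNotLike block, so the Deny fires only when
            # neither context value matches. With a negated operator a request that
            # carries neither context key is treated as matching, hence denied.
            Condition = {
              StringNotLike = {
                "kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:*:trail/*"
                "kms:EncryptionContext:aws:logs:arn"       = "arn:aws:logs:*:*:log-group:*"
              }
            }
          }
        ]
      })
    }
  }
}

# Broad read access for the role; the inline Deny above takes precedence for
# kms:Decrypt, so ReadOnlyAccess does not re-open data decryption.
resource "aws_iam_role_policy_attachment" "IamReadOnlyRole" {
  role       = module.IamReadOnlyRole.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Full S3 control (every s3:* action on every bucket and object, including
# bucket-policy and public-access-block changes). Shared by iam-group2 and
# iam-user2; scope the resources down if the admin only needs specific buckets.
data "aws_iam_policy_document" "user-policy" {
  statement {
    sid       = "s3admin"
    actions   = ["s3:*"]
    effect    = "Allow"
    resources = ["*"]
  }
}

output "iam-user1-arn" {
  value = module.iam-user1.iam-user-arn
}

output "iam-user2-arn" {
  value = module.iam-user2.iam-user-arn
}

# Access key ID for JohnNotInGroup. Only the ID is exposed here; the secret is
# not. If this output should be hidden from plan/apply logs and state output,
# add `sensitive = true`.
output "iam-user1-access-key" {
  value = module.iam-user1.iam-user-access-key
}

# ARN under which the iam-user module stores the secret access key (the module's
# iam-user-secret-arn output) — where exactly it lands is defined in the module,
# not here.
output "iam-user1-secret-location" {
  value = module.iam-user1.iam-user-secret-arn
}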