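# IAM role in the "core" account for this repository's automation.
# Its policy is the two fixed statements below (the repository's own state
# object and the shared lock table) plus whatever the caller passes through
# var.core_policy_statements, which is appended unchanged.
module "aws_iam_role_core" {
  providers = { aws = aws.core }
  # Pinned to a version ref (presumably a tag). A tag can be moved after the
  # fact; a commit SHA in ref= is the immutable pin if the module must never
  # drift silently.
  source    = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.0.0"

  name = var.name
  policy_statements = jsonencode(concat(
    [
      { # Read and Write access on the repository's own tofu state object only:
        # a single key derived from var.name, no s3:ListBucket, no s3:DeleteObject.
        Action = [
          "s3:GetObject",
          "s3:PutObject",
        ]
        Effect   = "Allow"
        Resource = "arn:aws:s3:::adyxax-tofu-states/repositories/${var.name}"
      },
      { # Read Write Delete access on the dynamoDB locks table.
        # The account field of the ARN is "*", so this matches a "tofu-states"
        # table in any account the role can reach, not only the core one;
        # replace "*" with the core account id to narrow it once known here.
        Action = [
          "dynamodb:DeleteItem",
          "dynamodb:GetItem",
          "dynamodb:PutItem",
        ]
        Effect   = "Allow"
        # Plain literal: the former format() wrapper had no verbs and no
        # arguments, so it was a no-op around this same string.
        Resource = "arn:aws:dynamodb:eu-west-3:*:table/tofu-states"
      },
    ],
    # Caller-supplied statements are decoded and appended as-is. Nothing in
    # this block constrains their Action/Resource, so the variable's value is
    # part of the trust boundary of the resulting role.
    jsondecode(var.core_policy_statements),
  ))
}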

# IAM role in the "tests" account for this repository. Unlike the core role,
# no fixed statements are prepended: the policy is exactly what the caller
# supplies in var.tests_policy_statements.
module "aws_iam_role_test" {
  # NOTE(review): pins 1.1.0 while aws_iam_role_core pins 1.0.0 of the same
  # module; confirm the version skew is intended (1.1.0 may expect a different
  # policy_statements encoding than the jsonencode() used for the core role).
  source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.1.0"
  providers = {
    aws = aws.tests
  }

  name              = var.name
  policy_statements = var.tests_policy_statements
}

# IAM user in the "root" account, created for this repository and allowed to
# assume its roles in the "core" and "tests" accounts (the sts:AssumeRole
# grant is presumably derived from assume_role_account_names inside the
# module — confirm there).
# NOTE(review): an IAM user is a long-lived credential; how its access keys
# are issued and rotated is not visible in this file.
module "aws_iam_user" {
  source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-user?depth=1&ref=1.0.0"
  providers = {
    aws = aws.root
  }

  name                      = var.name
  assume_role_account_names = ["core", "tests"]
}