# Looks up the organization this account belongs to. Only master_account_id is
# read, to name the management account in the trust policy below.
data "aws_organizations_organization" "main" {}

# IAM role that the organization's management account can assume.
#
# NOTE(review): the trusted principal is the management account's *root* ARN,
# so any IAM principal in that account whose own identity policy allows
# sts:AssumeRole on this role can assume it. No ExternalId, MFA or
# aws:PrincipalArn condition narrows the callers. If this role is meant for a
# specific pipeline or operator set, a Condition block is the place to say so;
# that is a behaviour change and is not made here. The "aws" partition is also
# hard-coded (GovCloud/China would need data.aws_partition).
resource "aws_iam_role" "main" {
  name = var.name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    # A single statement object (rather than a one-element list) is valid IAM
    # policy syntax and is what this module has always emitted.
    Statement = {
      Effect = "Allow"
      Action = "sts:AssumeRole"
      Principal = {
        AWS = "arn:aws:iam::${data.aws_organizations_organization.main.master_account_id}:root"
      }
    }
  })
}

# Inline permissions policy for the role: a fixed read-only baseline followed
# by whatever statements the caller supplies in var.policy_statements.
resource "aws_iam_role_policy" "main" {
  name = var.name
  role = aws_iam_role.main.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = concat(
      [
        {
          # Read-only access to the role's own IAM objects and to any
          # customer-managed policy sharing its name (in any account). Since
          # Resource is not "*", iam:List* actions that only accept Resource
          # "*" (e.g. ListRoles) are not effectively granted by this statement.
          Effect = "Allow"
          Action = ["iam:Get*", "iam:List*"]
          Resource = [
            aws_iam_role.main.arn,
            "arn:aws:iam::*:policy/${var.name}",
          ]
        },
        {
          # Lets the role read the organization it is part of.
          Effect   = "Allow"
          Action   = "organizations:DescribeOrganization"
          Resource = "*"
        },
      ],
      # var.policy_statements must be a JSON-encoded *list* of statement
      # objects; concat() fails on anything else. NOTE(review): the statements
      # are appended verbatim and nothing here constrains them, so the caller
      # can grant this role any permission (including "*"). Validate or
      # restrict them at the module boundary if the caller is not fully trusted.
      jsondecode(var.policy_statements),
    )
  })
}