# -----------------------------------------------------------------------------------------------------------
# IAM Role for Redirect Lambda

data "aws_iam_policy_document" "lambda_redirect" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = [
        "edgelambda.amazonaws.com",
        "lambda.amazonaws.com"
      ]
    }
  }
}

resource "aws_iam_role" "lambda_redirect" {
  name = "${var.site}-lambda-redirect-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_redirect.json

  tags = {
    Site = var.site
  }
}

#######################################################
# LOGGING POLICY

data "aws_iam_policy_document" "lambda_logging" {
  statement {
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:CreateLogGroup"
    ]

    resources = [ "arn:aws:logs:*:*:*" ]
  }
}

resource "aws_iam_policy" "lambda_logging" {
  name        = "${var.site}_lambda_logging"
  path        = "/"
  description = "IAM policy for logging from a lambda"

  policy = data.aws_iam_policy_document.lambda_logging.json
}

resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role       = aws_iam_role.lambda_redirect.name
  policy_arn = aws_iam_policy.lambda_logging.arn
}

#######################################################
# REPLICATION POLICY

# aws_iam_policy_document.lambda_replication
data "aws_iam_policy_document" "lambda_replication" {
  statement {
    actions = [
      "lambda:EnableReplication*",
    ]
    resources = [
      "*"
    ]
  }

  statement {
    actions = [
      "iam:CreateServiceLinkedRole"
    ]
    resources = [
      "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*"
    ]
    condition {
      test = "StringLike"
      variable = "iam:AWSServiceName"
      values = ["events.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "lambda_replication" {
  name        = "${var.site}_lambda_replication"
  path        = "/"
  description = "IAM policy for replication by lambda@edge"

  policy = data.aws_iam_policy_document.lambda_replication.json
}

resource "aws_iam_role_policy_attachment" "lambda_replication" {
  role       = aws_iam_role.lambda_redirect.name
  policy_arn = aws_iam_policy.lambda_replication.arn
}