resource "aws_iam_role" "ec2_instance_role" {
  assume_role_policy = <<EOT
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOT

  name = "${var.project_name}-${var.stack_name}-ec2InstanceRole"
}

resource "aws_iam_role_policy_attachment" "instance_role" {
  role       = "${aws_iam_role.ec2_instance_role.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
}

resource "aws_iam_instance_profile" "instance_profile" {
  name = "${var.project_name}-${var.stack_name}-ec2InstanceProfile"
  role = "${aws_iam_role.ec2_instance_role.name}"
}

# IAM TeamCity ECS User
resource "aws_iam_policy" "server" {
  name        = "${var.project_name}-${var.stack_name}-server"
  path        = "/"
  description = "Policy for ${var.project_name}-${var.stack_name}"

  policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecs:RegisterTaskDefinition",
                "ecs:ListClusters",
                "ecs:DescribeContainerInstances",
                "ecs:ListTaskDefinitions",
                "ecs:ListTasks",
                "ecs:DescribeTaskDefinition",
                "cloudwatch:GetMetricStatistics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ecs:DescribeClusters",
                "ecs:StopTask",
                "ecs:ListContainerInstances"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ecs:${var.aws_region}:*:cluster/${var.project_name}-${var.stack_name}"
        },
        {
            "Action": [
                "ecs:RunTask"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ecs:${var.aws_region}:*:task-definition/${var.project_name}-agent-${var.stack_name}:*"
            ]
        },
        {
            "Action": [
                "ecs:StopTask",
                "ecs:DescribeTasks"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ecs:${var.aws_region}:*:task/*"
        }
    ]
}
EOT
}

resource "aws_iam_user" "server" {
  name = "${var.project_name}-${var.stack_name}-server"
}

resource "aws_iam_user_policy_attachment" "server-ecs" {
  policy_arn = "${aws_iam_policy.server.arn}"
  user       = "${aws_iam_user.server.name}"
}

resource "aws_iam_access_key" "server" {
  user = "${aws_iam_user.server.name}"
}

resource "aws_iam_role" "sns-lambda" {
  assume_role_policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": "autoscaling.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
EOT

  name = "${var.project_name}-${var.stack_name}-sns-lambda"
}

resource "aws_iam_role_policy" "sns-lambda" {
  name = "${var.project_name}-${var.stack_name}-sns-lambda"
  role = "${aws_iam_role.sns-lambda.id}"

  policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:SendMessage",
                "sqs:GetQueueUrl",
                "sns:Publish"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
EOT
}

resource "aws_iam_role" "lambda-ecs-asg" {
  name = "${var.project_name}-${var.stack_name}-lambda-ecs-asg"

  assume_role_policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": "lambda.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
EOT
}

resource "aws_iam_role_policy" "lambda-ecs-asg" {
  name = "${var.project_name}-${var.stack_name}-ecs-asg"
  role = "${aws_iam_role.lambda-ecs-asg.id}"

  policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:CompleteLifecycleAction",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeHosts",
                "ecs:ListContainerInstances",
                "ecs:SubmitContainerStateChange",
                "ecs:SubmitTaskStateChange",
                "ecs:DescribeContainerInstances",
                "ecs:UpdateContainerInstancesState",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "sns:Publish",
                "sns:ListSubscriptions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
EOT
}

resource "aws_iam_role" "lambda-ecs-unprotect-asg" {
  name = "${var.project_name}-${var.stack_name}-lambda-ecs-unprotect-asg"

  assume_role_policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": "lambda.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
EOT
}

resource "aws_iam_role_policy" "lambda-ecs-unprotect-asg" {
  name = "${var.project_name}-${var.stack_name}-ecs-unprotect-asg"
  role = "${aws_iam_role.lambda-ecs-unprotect-asg.id}"

  policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "autoscaling:SetInstanceProtection",
                "autoscaling:DescribeAutoScalingInstances",
                "ecs:ListContainerInstances",
                "ecs:DescribeContainerInstances",
                "ecs:UpdateContainerInstancesState"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
EOT
}