data "aws_caller_identity" "current" {}

locals {
  s3_bucket_key = format("arn:aws:s3:::%s/%s/%s", var.aws_s3_bucket_store.bucket_name, trimsuffix(var.aws_s3_bucket_store.bucket_path, "/"), var.aws_s3_bucket_store.zip_file_name)
}

resource "aws_iam_role_policy" "additional_policy" {
  name   = "additional_policy"
  role   = module.main.iam_role.id
  policy = data.aws_iam_policy_document.additional_policy.json
}

data "aws_iam_policy_document" "additional_policy" {
  statement {
    sid = "AllowToPullFromSourceS3BucketSpecificArtifact"
    actions = [
      "s3:GetObject"
    ]
    resources = [
      local.s3_bucket_key
    ]
  }
  statement {
    sid = "AllowToInitiateAndExecuteManualDeployment"
    actions = [
      "amplify:StartDeployment",
      "amplify:CreateDeployment"
    ]
    resources = [
      format("arn:aws:amplify:%s:%s:apps/%s/branches/%s/deployments/start", var.aws_s3_bucket_store.region, data.aws_caller_identity.current.account_id, var.aws_amplify_app.id, var.aws_amplify_app.deployment_name),
      format("arn:aws:amplify:%s:%s:apps/%s/branches/%s/*", var.aws_s3_bucket_store.region, data.aws_caller_identity.current.account_id, var.aws_amplify_app.id, var.aws_amplify_app.deployment_name)
    ]
  }
}