#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#  SPDX-License-Identifier: Apache-2.0

import aws_cdk
from aws_cdk import aws_iam as iam
from constructs import Construct, DependencyGroup

from idea.infrastructure.install.constants import RES_ECR_REPO_NAME_SUFFIX
from idea.infrastructure.install.installer_permissions.create_permissions import (
    CreatePermissions,
)
from idea.infrastructure.install.installer_permissions.delete_permissions import (
    DeletePermissions,
)
from idea.infrastructure.install.installer_permissions.update_permissions import (
    UpdatePermissions,
)


class Permissions(Construct):
    def __init__(
        self,
        scope: Construct,
        id: str,
        dependency_group: DependencyGroup,
        environment_name: str,
    ):
        super().__init__(scope, id)
        self.environment_name = environment_name
        # TODO: Split role into separate Install/Delete/Update roles to allow for finer grained permissions
        self.pipeline_role = iam.Role(
            self,
            "PipelineRole",
            assumed_by=self.get_principal(),
            role_name=f"Admin-{environment_name}-{aws_cdk.Aws.REGION}-PipelineRole",
        )

        statements = (
            CreatePermissions(environment_name).get_permissions()
            + DeletePermissions(environment_name).get_permissions()
            + UpdatePermissions(environment_name).get_permissions()
        )

        for statement in statements:
            self.pipeline_role.add_to_policy(statement)

        dependency_group.add(self.pipeline_role)

    def get_principal(self) -> iam.ServicePrincipal:
        return iam.ServicePrincipal(
            "ecs-tasks.amazonaws.com",
            conditions={
                "ArnLike": {
                    "aws:SourceArn": f"arn:{aws_cdk.Aws.PARTITION}:ecs:{aws_cdk.Aws.REGION}:{aws_cdk.Aws.ACCOUNT_ID}:*"
                },
                "StringEquals": {"aws:SourceAccount": aws_cdk.Aws.ACCOUNT_ID},
            },
        )