# --------------------------------
# IAM users for content maintenance
resource "aws_iam_user" "website-content-maintenance-cicd-users" {
  # One machine user per entry in var.envs. The environment name is embedded
  # in the user name so the per-environment group membership further down can
  # pair user and group by the same count.index.
  count = "${length(var.envs)}"

  # Allow `terraform destroy` to remove the user even while access keys, MFA
  # devices or login profiles are still attached to it.
  force_destroy = true
  name          = "website-content-maintenance-cicd-user-${var.envs[count.index]}"
}

# --------------------------------
# IAM group
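data "aws_iam_policy_document" "website-content-maintenance-cicd-group-policies" {
  # One policy document per environment; each one is bound to the content
  # bucket with the same index in aws_s3_bucket.website-content.
  count = "${length(var.envs)}"

  # Access to the environment's website content bucket.
  statement {
    # NOTE(review): "s3:*" also grants bucket-management actions (bucket
    # policy/ACL/lifecycle changes, DeleteBucket). A content-maintenance
    # pipeline typically needs only s3:ListBucket, s3:GetObject, s3:PutObject
    # and s3:DeleteObject; narrow this once the pipeline's actual calls are
    # confirmed.
    actions = [
      "s3:*",
    ]

    resources = [
      # Bucket ARN without a trailing slash. Bucket-level actions such as
      # s3:ListBucket and s3:GetBucketLocation are evaluated against
      # "arn:aws:s3:::<bucket>"; the previous "arn:aws:s3:::<bucket>/" form
      # matches no bucket and no object (S3 keys cannot be empty), so those
      # actions were silently denied.
      "${element(aws_s3_bucket.website-content.*.arn, count.index)}",
      # Object ARN pattern for object-level actions (Get/Put/DeleteObject).
      "${element(aws_s3_bucket.website-content.*.arn, count.index)}/*",
    ]

    # Only honour requests that originate from the listed egress ranges.
    # aws:SourceIp is the public source address of the API call; requests
    # arriving through a VPC endpoint do not carry it and would be denied
    # by this condition.
    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"

      values = [
        "192.0.2.0/24",    # Office
        "198.51.100.0/24", # VPN
        "203.0.113.0/24",  # IDC
      ]
    }
  }

  # Cache invalidation after a content deploy. Unlike the bucket statement
  # this one carries no source-IP condition -- confirm that is intended.
  statement {
    actions = ["cloudfront:CreateInvalidation"]

    # NOTE(review): "*" allows invalidations on every distribution in the
    # account. CloudFront supports distribution ARNs for this action; scope
    # it to the site's distribution ARN if that distribution is managed in
    # this configuration.
    resources = ["*"]
  }
}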

resource "aws_iam_policy" "website-content-maintenance-cicd-group-policies" {
  # Materialise each generated policy document as a managed IAM policy,
  # one per environment, matched to the document by count.index.
  count = "${length(var.envs)}"

  policy = "${data.aws_iam_policy_document.website-content-maintenance-cicd-group-policies.*.json[count.index]}"
  name   = "website-content-maintenance-cicd-group-policy-${var.envs[count.index]}"
}

resource "aws_iam_group" "website-content-maintenance-cicd-groups" {
  # Per-environment group; permissions are attached to the group rather
  # than to the user so the user itself carries no inline policy.
  count = "${length(var.envs)}"
  name  = "website-content-maintenance-cicd-group-${var.envs[count.index]}"
}

resource "aws_iam_group_policy_attachment" "website-content-maintenance-cicd-group-attachments" {
  # Bind the environment's managed policy to the environment's group.
  # Both lists are produced with the same count, so index i of each
  # refers to the same environment.
  count = "${length(var.envs)}"

  policy_arn = "${aws_iam_policy.website-content-maintenance-cicd-group-policies.*.arn[count.index]}"
  group      = "${aws_iam_group.website-content-maintenance-cicd-groups.*.name[count.index]}"
}

resource "aws_iam_group_membership" "website-content-maintenance-cicd-group-memberships" {
  # Place each environment's CI/CD user into that environment's group.
  # aws_iam_group_membership manages the group's complete member list, so
  # any member added to the group outside Terraform is removed on the next
  # apply.
  count = "${length(var.envs)}"

  group = "${aws_iam_group.website-content-maintenance-cicd-groups.*.name[count.index]}"
  name  = "website-content-maintenance-cicd-group-membership-${var.envs[count.index]}"

  users = ["${aws_iam_user.website-content-maintenance-cicd-users.*.name[count.index]}"]
}