# Look up the pre-existing bucket that holds the Gitea boot artifacts. The
# bucket is managed elsewhere; this module only references it by name.
data "aws_s3_bucket" "storage_bucket" {
  bucket = var.boot_bucket
}

# Policy document scoped to the boot object (var.boot_key) and everything
# beneath it. Both resource ARNs are object-level, so bucket-level calls such
# as s3:ListBucket are not covered by this statement.
#
# NOTE(review): "s3:*" on these object ARNs also allows mutating actions
# (PutObject, DeleteObject, PutObjectAcl, ...). Narrow the list to the actions
# the boot process actually issues once they are known. "s3-object-lambda:*"
# is evaluated against Object Lambda access point ARNs rather than bucket
# object ARNs, so it presumably grants nothing here -- confirm and drop if so.
data "aws_iam_policy_document" "boot" {
  statement {
    effect  = "Allow"
    actions = ["s3:*", "s3-object-lambda:*"]

    # Expands to "<bucket-arn>/<key>" followed by "<bucket-arn>/<key>/*".
    resources = [
      for suffix in ["", "/*"] :
      format("%s/%s%s", data.aws_s3_bucket.storage_bucket.arn, var.boot_key, suffix)
    ]
  }
}

# Managed policy rendered from the document above; attached to the boot user.
resource "aws_iam_policy" "boot" {
  description = "The policy that manages the Gitea Boot."
  name        = "${var.boot_role}Policy"
  policy      = data.aws_iam_policy_document.boot.json
}

# IAM user for the boot process. Console login is disabled
# (create_iam_user_login_profile = false), so password_reset_required only
# matters if a login profile is ever enabled. Access-key creation is left to
# the module's default here; if keys are generated they are stored in
# Terraform state -- NOTE(review): consider setting create_iam_access_key
# explicitly so that choice is visible in this file.
module "boot_user" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
  version = "5.52.2"

  name        = "${var.boot_role}User"
  policy_arns = [aws_iam_policy.boot.arn]

  create_iam_user_login_profile = false
  password_reset_required       = false
}