# Looks up the existing bucket that holds the Gitea boot object (var.boot_bucket).
data "aws_s3_bucket" "storage_bucket" {
  bucket = var.boot_bucket
}

# Policy document scoped to one object: <bucket ARN>/<var.boot_key>.
# NOTE(review): "s3:*" and "s3-object-lambda:*" grant every object-level action
# on that key, overwrite and delete included. If the boot process only needs to
# read (or read and write) the object, narrow the action list to those actions.
# If var.boot_key is a prefix rather than a single key, the resource ARN would
# need a trailing "/*" — confirm against how the key variable is populated.
data "aws_iam_policy_document" "gitea_bool_policy" {
  statement {
    effect    = "Allow"
    actions   = ["s3:*", "s3-object-lambda:*"]
    resources = [join("/", [data.aws_s3_bucket.storage_bucket.arn, var.boot_key])]
  }
}

# Managed policy wrapping the document above, named "<var.boot_role>Policy".
resource "aws_iam_policy" "gitea_boot_policy" {
  name        = format("%sPolicy", var.boot_role)
  description = "The policy that manages the Gitea Boot."
  policy      = data.aws_iam_policy_document.gitea_bool_policy.json
}

# Dedicated IAM user for the boot process, named "<var.boot_role>User".
resource "aws_iam_user" "gitea_boot_user" {
  name = format("%sUser", var.boot_role)
}

# Attaches the managed policy to the boot user.
resource "aws_iam_user_policy_attachment" "attachment" {
  user       = aws_iam_user.gitea_boot_user.name
  policy_arn = aws_iam_policy.gitea_boot_policy.arn
}

# Long-lived access key for the boot user. No pgp_key is set, so the secret
# key is written to Terraform state in plaintext; the state backend must be
# protected as a secret store, and this key should be rotated on a schedule.
resource "aws_iam_access_key" "gitea_boot_key" {
  user = aws_iam_user.gitea_boot_user.name
}