terraform {
  required_version = ">= 1.5.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = var.aws_region
}

variable "aws_region" {
  description = "AWS region used by the provider. IAM is global, but AWS still requires a provider region."
  type        = string
  default     = "us-east-1"
}

variable "user_name" {
  description = "IAM user name for Watchmen's AWS Access Keys credential mode."
  type        = string
  default     = "watchmen-scanner"
}

variable "extra_policy_arns" {
  description = "Additional AWS managed policy ARNs to attach to the Watchmen scanner user."
  type        = list(string)
  default     = []
}

variable "tags" {
  description = "Common tags applied to created resources."
  type        = map(string)
  default = {
    managed_by = "terraform"
    app        = "watchmen"
    purpose    = "cloud-scanner-access"
  }
}

locals {
  scanner_policy_arns = toset(concat([
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/IAMReadOnlyAccess",
  ], var.extra_policy_arns))
}

resource "aws_iam_user" "watchmen_scanner" {
  name = var.user_name
  path = "/service/watchmen/"
  tags = var.tags
}

resource "aws_iam_user_policy_attachment" "watchmen_scanner" {
  for_each = local.scanner_policy_arns

  user       = aws_iam_user.watchmen_scanner.name
  policy_arn = each.value
}

data "aws_iam_policy_document" "watchmen_extra_read" {
  statement {
    sid = "ReadLambdaFunctionUrls"
    actions = [
      "lambda:ListFunctionUrlConfigs",
    ]
    resources = ["*"]
  }

  statement {
    sid = "ReadLambdaCloudWatchLogs"
    actions = [
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
      "logs:FilterLogEvents",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_user_policy" "watchmen_extra_read" {
  name   = "watchmen-extra-read"
  user   = aws_iam_user.watchmen_scanner.name
  policy = data.aws_iam_policy_document.watchmen_extra_read.json
}

resource "aws_iam_access_key" "watchmen_scanner" {
  user = aws_iam_user.watchmen_scanner.name
}

output "access_key_id" {
  description = "Paste this into Watchmen Settings -> Cloud Credentials -> AWS -> Access keys."
  value       = aws_iam_access_key.watchmen_scanner.id
  sensitive   = true
}

output "secret_access_key" {
  description = "Paste this into Watchmen Settings -> Cloud Credentials -> AWS -> Access keys."
  value       = aws_iam_access_key.watchmen_scanner.secret
  sensitive   = true
}

output "user_name" {
  description = "IAM user configured for Watchmen scanning."
  value       = aws_iam_user.watchmen_scanner.name
}
