# set permission for what AppRunner service can do
data "aws_iam_policy_document" "app_policy" {
  statement {
    actions = [
      "dynamodb:Scan",
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
    ]

    resources = [
      "arn:aws:dynamodb:${var.region}:${data.aws_caller_identity.current.account_id}:table/${var.app}"
    ]
  }
}

# creates an application role that the AppRunner service runs as
resource "aws_iam_role" "instance" {
  name               = "${var.app}-${var.region}-instance"
  assume_role_policy = data.aws_iam_policy_document.app_role_assume_role_policy.json
}

# assigns the app policy
resource "aws_iam_role_policy" "app_policy" {
  name   = "${var.app}-${var.region}"
  role   = aws_iam_role.instance.id
  policy = data.aws_iam_policy_document.app_policy.json
}

data "aws_caller_identity" "current" {}

# allow role to be assumed by AppRunner
data "aws_iam_policy_document" "app_role_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["tasks.apprunner.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "access" {
  name               = "${var.app}-${var.region}-access"
  assume_role_policy = data.aws_iam_policy_document.apprunner.json

  # workaround for https://github.com/hashicorp/terraform-provider-aws/issues/6566
  provisioner "local-exec" {
    command = "sleep 10"
  }
}

data "aws_iam_policy_document" "apprunner" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type = "Service"
      identifiers = [
        "build.apprunner.amazonaws.com",
        "tasks.apprunner.amazonaws.com",
      ]
    }
  }
}

resource "aws_iam_role_policy_attachment" "apprunner" {
  role       = aws_iam_role.access.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
}