"""
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0

Creates the Greengrass Policy for the IEP Edgde device.
"""

from constructs import Construct
from aws_cdk import (
    aws_iam as iam,    
    aws_iot as iot        
)

class GreengrassPolicy(Construct):
    def __init__(   self,
                    scope: Construct,
                    id: str,
                    edge_device_name: str,
                    sqs_inbound_queue_arn: str,
                    sqs_outbound_queue_arn: str,
                    sqs_receiver_queue_arn: str,
                    s3_dicom_bucket_arn: str,
                    s3_iot_artifacts_bucket_arn: str,
                     **kwargs) -> None :
        super().__init__(scope, id, **kwargs)  


        sqs_policy = iam.PolicyStatement(
                    effect=iam.Effect.ALLOW,
                    actions=[
                        "sqs:DeleteMessage",
                        "sqs:ReceiveMessage",
                        "sqs:SendMessage",
                        "sqs:GetQueueUrl",
                        "sqs:GetQueueAttributes",
                    ],
                    resources=[
                            sqs_inbound_queue_arn,
                            sqs_outbound_queue_arn,  
                            sqs_receiver_queue_arn
                            ]
                )
        s3_dicom_policy = iam.PolicyStatement(
                    effect=iam.Effect.ALLOW,
                    actions=[
                        "s3:PutObject",
                        "s3:GetObject",
                        "s3:ListBucket",
                        "s3:DeleteObject",
                    ],
                    resources=  [   s3_dicom_bucket_arn,
                                    s3_dicom_bucket_arn + "/*"
                                ]
                )
        s3_atifact_policy = iam.PolicyStatement(
                    effect=iam.Effect.ALLOW,
                    actions=[
                        "s3:GetObject",
                        "s3:ListBucket",
                    ],
                    resources=  [   s3_iot_artifacts_bucket_arn,
                                    s3_iot_artifacts_bucket_arn + "/*"
                                ]
                )
        kms_policy = iam.PolicyStatement(
                    effect=iam.Effect.ALLOW,
                    actions=[
                        "kms:Decrypt",
                        "kms:Encrypt",
                        "kms:GenerateDataKey",
                    ],
                    resources=  ["*"]
                )
        iot_access_policy = iam.PolicyStatement(
                    effect=iam.Effect.ALLOW,
                    actions=[
                        "logs:CreateLogGroup",
                        "logs:CreateLogStream",
                        "logs:PutLogEvents",
                        "logs:DescribeLogStreams",
                        "s3:GetBucketLocation"
                    ],
                    resources=  ["*"]
                )

        gg_policy = iam.ManagedPolicy(self, "IEP-GG-Policy", managed_policy_name=f"{edge_device_name}-GG-RoleAccess")
        gg_policy.add_statements(sqs_policy)
        gg_policy.add_statements(s3_dicom_policy)
        gg_policy.add_statements(s3_atifact_policy)
        gg_policy.add_statements(kms_policy)
        gg_policy.add_statements(iot_access_policy)

        greengrass_role = iam.Role(self, "IEP-GG-Role", assumed_by=iam.ServicePrincipal("credentials.iot.amazonaws.com"), role_name=f"{edge_device_name}-GG-Role")
        greengrass_role.add_managed_policy(gg_policy)

        greengrass_role_alias =  iot.CfnRoleAlias(self, "MyCfnRoleAlias",role_arn=greengrass_role.role_arn,role_alias=f"{edge_device_name}-GG-Role-Alias",credential_duration_seconds=3600)