data "aws_caller_identity" "current" {
  # Account running the apply; its account_id builds the root principal ARN in the key policy.
}

data "aws_iam_role" "kms_admin_role" {
  # One lookup per configured key-administrator role name (not ARN); the set keys
  # instances by that name, so each.key and each.value are the same string.
  for_each = toset(var.kms_admin_roles)

  name = each.key
}

data "aws_iam_role" "kms_usage_role" {
  # One lookup per configured key-usage role name (not ARN); instances are keyed
  # by the name itself. Not referenced in this file — presumably consumed via a
  # local defined elsewhere; verify against the locals.
  for_each = toset(var.kms_usage_roles)

  name = each.key
}

# Key policy for the KMS key: full control for this account's root, administrative
# (non-cryptographic) actions for the admin roles, and optional encrypt/decrypt
# plus grant rights for trusted external accounts.
#
# checkov CKV_AWS_109 / CKV_AWS_111 flag `resources = ["*"]`; in a KMS key policy
# "*" can only ever mean the key the policy is attached to, so the wildcard does
# not widen scope the way it would in an identity policy.
data "aws_iam_policy_document" "admin_kms_policy" {
  # checkov:skip=CKV_AWS_109: Not applicable
  # checkov:skip=CKV_AWS_111: Not applicable
  statement {
    # Standard AWS-recommended root statement. Without it, IAM policies in this
    # account cannot grant access to the key and the key risks becoming unmanageable.
    sid = "Enable Owner account Root to have full access to the key"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions = [
      "kms:*",
    ]
    resources = ["*"]
  }

  statement {
    # Administrative actions only: Encrypt/Decrypt/GenerateDataKey are deliberately
    # absent, so admins manage the key but cannot use it for cryptography.
    # Note the breadth of the wildcards: "kms:Put*" includes PutKeyPolicy (admins
    # can rewrite this policy) and "kms:Delete*" includes DeleteImportedKeyMaterial;
    # combined with ScheduleKeyDeletion this is a destructive permission set, so
    # local.kms_admin_roles should stay small and be reviewed.
    sid = "Allow access for Key Administrators"
    principals {
      type        = "AWS"
      identifiers = local.kms_admin_roles
    }
    actions = [
      "kms:Create*",
      "kms:Describe*",
      "kms:Enable*",
      "kms:List*",
      "kms:Put*",
      "kms:Update*",
      "kms:Revoke*",
      "kms:Disable*",
      "kms:Get*",
      "kms:Delete*",
      "kms:TagResource",
      "kms:UntagResource",
      "kms:ScheduleKeyDeletion",
      "kms:CancelKeyDeletion"
    ]
    resources = ["*"]
  }

  statement {
    # NOTE(review): this statement is effectively redundant. The admin statement
    # above already allows kms:Create* (covers CreateGrant), kms:List* (ListGrants)
    # and kms:Revoke* (RevokeGrant) with no condition, so the
    # kms:GrantIsForAWSResource constraint here does not actually limit admins to
    # service-created grants. If that restriction is intended, the wildcards in the
    # admin statement would need narrowing — confirm the intent before changing it.
    sid = "Allow granting of the key to Key Administrators"
    principals {
      type        = "AWS"
      identifiers = local.kms_admin_roles
    }
    actions = [
      "kms:CreateGrant",
      "kms:ListGrants",
      "kms:RevokeGrant"
    ]
    resources = ["*"]
    condition {
      # Only grants created by an AWS service on the caller's behalf (e.g. an
      # integrated service attaching the key to a resource); `true` is rendered as
      # the string "true" in the policy JSON.
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = [true]
    }
  }

  # Cross-account use: emitted once per element of local.enable_cross_account_access
  # (presumably empty when the feature is off — verify against the locals).
  dynamic "statement" {
    for_each = local.enable_cross_account_access
    content {
      # Granting the external account's root principal delegates the decision to
      # that account's own IAM policies; every principal there that its IAM allows
      # can use the key. local.kms_cross_account_roots is presumably the list of
      # those root ARNs — confirm.
      sid = "Allow use of the key to the cross-account owners"
      principals {
        type        = "AWS"
        identifiers = local.kms_cross_account_roots
      }
      actions = [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ]
      resources = ["*"]
    }
  }

  dynamic "statement" {
    for_each = local.enable_cross_account_access
    content {
      # Lets the trusted accounts attach the key to their AWS-service resources
      # (grants limited to service-created ones by the condition below). Unlike the
      # admin case, the usage statement above does not include Create*/List*/Revoke*,
      # so this condition is effective for the external accounts.
      sid = "Allow granting of the key to the cross-account owners"
      principals {
        type        = "AWS"
        identifiers = local.kms_cross_account_roots
      }
      actions = [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ]
      resources = ["*"]
      condition {
        test     = "Bool"
        variable = "kms:GrantIsForAWSResource"
        values   = [true]
      }
    }
  }
}