Parameters:
  App:
    Type: String
    Description: Your application's name.
  Env:
    Type: String
    Description: The environment name your service, job, or workflow is being deployed to.
  Name:
    Type: String
    Description: Your workload's name.
Resources:
  {{logicalIDSafe .Name}}BucketAccessPolicy:
    Metadata:
      'aws:copilot:description': 'An IAM managed policy for your service to access the bucket of your environment'
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: !Sub
        - Grants CRUD access to the S3 bucket ${Bucket}
        - Bucket: { Fn::ImportValue: { Fn::Sub: "${App}-${Env}-{{logicalIDSafe .Name}}BucketName" }}
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: S3ObjectActions
            Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:PutObjectACL
              - s3:PutObjectTagging
              - s3:DeleteObject
              - s3:RestoreObject
            Resource: !Sub
              - ${ BucketARN }/*
              - BucketARN: { Fn::ImportValue: { Fn::Sub: "${App}-${Env}-{{logicalIDSafe .Name}}BucketARN" }}
          - Sid: S3ListAction
            Effect: Allow
            Action: s3:ListBucket
            Resource:
              Fn::ImportValue: !Sub "${App}-${Env}-{{logicalIDSafe .Name}}BucketARN"

Outputs:
  {{envVarName .Name}}BucketName:
    # Injected as {{envVarName .Name | printf "%sBucketName" | toSnakeCase}} environment variable into your main container.
    Description: "The name of a user-defined bucket."
    Value: { Fn::ImportValue: { Fn::Sub: "${App}-${Env}-{{logicalIDSafe .Name}}BucketName" }}
  {{logicalIDSafe .Name}}BucketAccessPolicy:
    Description: "The IAM::ManagedPolicy to attach to the task role"
    Value: !Ref {{logicalIDSafe .Name}}BucketAccessPolicy