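# Terragrunt unit: IAM role for the AWS Load Balancer Controller, trusted via
# EKS IRSA (IAM Roles for Service Accounts). Role name prefix, namespace and
# service-account name come from the shared config.hcl; the trust policy is
# built from the cluster OIDC issuer read from the sibling "eks" unit.
include "root" {
  path = find_in_parent_folders()
}

terraform {
  source = "${get_repo_root()}//modules/aws-iam"
}

# The OIDC issuer URL is needed to build the trust policy below. Mock outputs
# are allowed only for validate/plan, so an apply can never be wired to the fake
# issuer here; it must read the real output from the "eks" unit.
dependency "eks" {
  config_path = "../eks"

  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
  mock_outputs = {
    cluster_oidc_issuer_url = "https://oidc.eks.us-east-2.amazonaws.com/id/FAKEIDENTIFIERXXXXXXXXXXXXXXXXXX"
  }
}

locals {
  config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))

  env                  = local.config_vars.locals.environment
  service_account_name = local.config_vars.locals.aws_load_balancer_service_account_name
  namespace            = local.config_vars.locals.aws_load_balancer_namespace
  iam_role_prefix      = local.config_vars.locals.aws_load_balancer_iam_role_prefix
}

generate = local.config_vars.generate

inputs = {
  iam_roles = {
    "${local.iam_role_prefix}${title(local.env)}" = {
      assume_role_policy = {
        Version = "2012-10-17"
        Statement = [
          {
            Effect = "Allow"
            Principal = {
              # The IAM OIDC provider ARN carries the issuer host+path without the
              # scheme, hence stripping "https://" from the cluster issuer URL.
              # NOTE(review): the "aws" partition is hard-coded; this would need
              # adjusting for GovCloud/China partitions.
              Federated = "arn:aws:iam::${get_aws_account_id()}:oidc-provider/${replace(dependency.eks.outputs.cluster_oidc_issuer_url, "https://", "")}"
            }
            Action = "sts:AssumeRoleWithWebIdentity"
            # Both conditions are what make this a least-privilege IRSA trust:
            # - ":aud" pins the token audience to STS;
            # - ":sub" pins the exact namespace + service account, so no other
            #   pod in the cluster can present a token that satisfies the trust.
            Condition = {
              StringEquals = {
                "${replace(dependency.eks.outputs.cluster_oidc_issuer_url, "https://", "")}:aud" = "sts.amazonaws.com"
                "${replace(dependency.eks.outputs.cluster_oidc_issuer_url, "https://", "")}:sub" = "system:serviceaccount:${local.namespace}:${local.service_account_name}"
              }
            }
          }
        ]
      }
      # Permissions policy attached to the role, loaded from policy.json kept
      # alongside this unit.
      policy = jsondecode(file("policy.json"))
      tags   = {}
    }
  }
}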