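# IAM groups and users for this environment.
#
# Review notes:
#   * The only non-AWS-managed grant in this file is the S3 admin statement in
#     data.aws_iam_policy_document.user-policy. Its resource scope is now driven
#     by var.s3_admin_resource_arns (default "*", i.e. unchanged behaviour) so it
#     can be narrowed per environment without editing the policy body.
#   * The shared AWS-managed ViewOnlyAccess ARN lives in one local so the four
#     attachments cannot drift apart.

# AWS-managed job-function policy attached to every principal below.
# NOTE(review): the partition is hard-coded to "aws"; for GovCloud / China
# deployments build this from data.aws_partition instead.
locals {
  view_only_access_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
}

# Resources covered by the S3AdminPermissions inline policy. The default keeps
# the original account-wide scope; override with explicit bucket ARNs
# (both "arn:aws:s3:::bucket" and "arn:aws:s3:::bucket/*") wherever possible.
variable "s3_admin_resource_arns" {
  description = "S3 bucket/object ARNs the S3AdminPermissions policy applies to. Prefer explicit ARNs over the wildcard default."
  type        = list(string)
  default     = ["*"]
}

# Read-only group: AWS-managed ViewOnlyAccess only, no inline policy.
module "iam-group" {
  source = "../../modules/security_identity_compliance/iam-group"

  iam-group-name = "ViewOnlyUsers001"
  # Empty strings presumably mean "no inline policy" to the module — confirm
  # against the module's variable validation.
  iam-group-policy      = ""
  iam-group-policy-name = ""
  managed-policy-arns   = [local.view_only_access_arn]
}

# Read-only group that additionally carries the S3 admin inline policy.
module "iam-group2" {
  source = "../../modules/security_identity_compliance/iam-group"

  iam-group-name        = "ViewOnlyAndS3Admin001"
  iam-group-policy      = data.aws_iam_policy_document.user-policy.json
  iam-group-policy-name = "S3AdminPermissions"
  managed-policy-arns   = [local.view_only_access_arn]
}

# Stand-alone user: the managed policy is attached directly rather than via a
# group, so this principal is outside group-based access reviews. A console
# password and a long-lived access key are both created (see the
# iam-user1-access-key / iam-user1-secret-location outputs); prefer federated
# roles or SSO for human users and rotate this key if it must exist.
module "iam-user1" {
  source = "../../modules/security_identity_compliance/iam-user"

  iam-user-name       = "JohnNotInGroup"
  create-access-key   = true
  create-password     = true
  managed-policy-arns = [local.view_only_access_arn]
}

# User with read-only rights from both a direct attachment and group
# membership, plus S3 admin rights from an inline policy.
# NOTE(review): the S3AdminPermissions document is attached here inline AND to
# iam-group2, yet this user joins iam-group (ViewOnlyUsers001), so the same
# admin grant exists in two places. Granting it only through iam-group2
# membership would leave a single point to audit; the effective permission set
# appears identical either way, so the wiring is left unchanged here.
module "iam-user2" {
  source = "../../modules/security_identity_compliance/iam-user"

  iam-user-name        = "PeterInGroup"
  iam-user-policy      = data.aws_iam_policy_document.user-policy.json
  iam-user-policy-name = "S3AdminPermissions"
  create-access-key    = false
  create-password      = false
  managed-policy-arns  = [local.view_only_access_arn]
  add-to-groups        = [module.iam-group.iam-group-name]
}

# Inline policy body shared by iam-group2 and iam-user2.
# SECURITY: "s3:*" includes destructive and configuration actions (deleting
# buckets, rewriting bucket policies, changing public-access settings), not
# just data access. Combined with the wildcard default of
# var.s3_admin_resource_arns this is account-wide S3 administration — narrow
# the resource list per environment and, where practical, the action list too.
data "aws_iam_policy_document" "user-policy" {
  statement {
    sid       = "s3admin"
    effect    = "Allow"
    actions   = ["s3:*"]
    resources = var.s3_admin_resource_arns
  }
}

output "iam-user1-arn" {
  value = module.iam-user1.iam-user-arn
}

output "iam-user2-arn" {
  value = module.iam-user2.iam-user-arn
}

# Access key ID for iam-user1. Marked sensitive so it is not echoed in
# plan/apply output or CI logs; `terraform output -raw iam-user1-access-key`
# still returns it. The key ID alone grants nothing, but it identifies the
# credential that pairs with the secret at iam-user1-secret-location.
output "iam-user1-access-key" {
  value     = module.iam-user1.iam-user-access-key
  sensitive = true
}

# Label quoted for consistency with the other output blocks (and with what
# `terraform fmt` emits).
output "iam-user1-secret-location" {
  value = module.iam-user1.iam-user-secret-arn
}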