# IAM role, policy and instance profile for the EC2 instances of one module/stack.
# All names are built from var.module and var.stack: "<module>-<stack>" when
# var.stack is non-empty, plain "<module>" when it is empty (the conditional
# only inserts the "-" separator if length(var.stack) > 0).
# The variables referenced here (module, stack, iam_allow_actions,
# iam_policy_arns) are declared outside this view.

# Trust policy: only the EC2 service principal may call sts:AssumeRole on the
# role. No other principal (account, user, other service) is listed.
data "aws_iam_policy_document" "instance_trust" {
  statement {
    effect = "Allow"
    actions = [ "sts:AssumeRole" ]

    principals {
      type = "Service"
      identifiers = [ "ec2.amazonaws.com" ]
    }
  }
}

# The role itself, named "<module>[-<stack>]-role", using the trust policy above.
resource "aws_iam_role" "default" {
  name = "${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}-role"
  assume_role_policy = "${data.aws_iam_policy_document.instance_trust.json}"
}

# Permissions policy document: a single Allow statement.
data "aws_iam_policy_document" "default" {
  statement {
    effect = "Allow"
    # Presumably var.iam_allow_actions is a list of action strings wrapped in
    # brackets in the pre-0.12 interpolation style -- confirm against the
    # variable declaration.
    actions = ["${var.iam_allow_actions}"]
    # NOTE(review): every action passed in is granted on ALL resources, and the
    # statement has no condition block. The effective privilege of the role is
    # therefore decided entirely by the caller's iam_allow_actions value; a
    # wildcard or write-capable action there applies account-wide. Callers
    # should pass the narrowest action list possible, and resource-scoped
    # permissions are better supplied as separate managed policies.
    resources = ["*"]
  }
}

# Managed policy created from the document above, named "<module>[-<stack>]".
resource "aws_iam_policy" "default" {
  name = "${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}"
  description = "specific policy for ${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}"
  policy = "${data.aws_iam_policy_document.default.json}"
}

# Attach the module-specific policy to the role.
resource "aws_iam_role_policy_attachment" "default" {
  role = "${aws_iam_role.default.id}"
  policy_arn = "${aws_iam_policy.default.arn}"
}

# Attach one additional policy per ARN in var.iam_policy_arns (count is the
# list length; element() picks the ARN for each index). An empty list creates
# no attachments.
# NOTE(review): the ARNs are attached as given, with no check visible here on
# which policies they are -- review the values callers pass, since a broad
# managed policy in this list widens the role just as iam_allow_actions does.
resource "aws_iam_role_policy_attachment" "extra" {
  count = "${length(var.iam_policy_arns)}"
  role = "${aws_iam_role.default.id}"
  policy_arn = "${element(var.iam_policy_arns, count.index)}"
}

# Instance profile named "<module>[-<stack>]-instance-profile" wrapping the
# role, so that it can be associated with EC2 instances.
resource "aws_iam_instance_profile" "default" {
  name = "${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}-instance-profile"
  role = "${aws_iam_role.default.name}"
}