data "aws_iam_policy_document" "instance_trust" {
	statement {
		effect = "Allow"
		actions = [
			"sts:AssumeRole"
		]
		principals {
			type = "Service"
			identifiers = [
				"ec2.amazonaws.com"
			]
		}
	}
}

resource "aws_iam_role" "management" {
	name = "${var.management_service_name}-role"
	assume_role_policy = "${data.aws_iam_policy_document.instance_trust.json}"
}

data "aws_iam_policy_document" "management" {
	statement {
		sid = "AWSControl"
		actions = [
			"autoscaling:*",
			"ec2:*",
			"elasticloadbalancing:*",
			"iam:PassRole",
			"iam:GetServerCertificate"
		]
		resources = [
			"*"
		]
	}
	statement {
		sid = "EventQueue"
		actions = [
			"sqs:*"
		]
		resources = [ "${aws_sqs_queue.management-events-queue.arn}" ]
	}
	statement {
		sid = "AlertTopic"
		actions = [
			"sns:*"
		]
		resources = [ "${aws_sns_topic.management-events.arn}" ]
	}
}

resource "aws_iam_policy" "management" {
	name = "${var.management_service_name}"
	description = "${var.management_service_name}"
	path = "/"
	policy = "${data.aws_iam_policy_document.management.json}"
}

resource "aws_iam_role_policy_attachment" "management" {
	role = "${aws_iam_role.management.id}"
	policy_arn = "${aws_iam_policy.management.arn}"
}

resource "aws_iam_instance_profile" "management" {
	name = "${var.management_service_name}-instance-profile"
	role = "${aws_iam_role.management.name}"
}