# IAM role assumed by ECS tasks (trust policy below only allows the
# ecs-tasks.amazonaws.com service principal). Two inline policies grant the
# role read access to one Secrets Manager secret and pull access to one ECR
# repository.
#
# NOTE(review): the ECR pull permissions are what a task *execution* role
# normally needs, while the task role is what the application code itself
# uses; presumably this single role serves both purposes — if the
# application does not pull images itself, consider splitting into a
# separate execution role so the running container holds fewer rights.
# NOTE(review): the `inline_policy` argument is deprecated in newer AWS
# provider releases in favour of separate aws_iam_role_policy resources —
# confirm against the provider version pinned by this project.
resource "aws_iam_role" "ecs_task" {
  name = "${local.environment_name}-EcsTaskRole"

  # Trust policy: only the ECS tasks service may assume this role. The empty
  # Sid is optional and carries no meaning.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ecs-tasks.amazonaws.com"
        }
      }
    ]
  })

  # Read access to the single secret this service depends on, scoped to its
  # ARN rather than "*".
  inline_policy {
    name = "AllowSecretsAccessForHffEntryFormsApiTasks"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [
            "secretsmanager:GetSecretValue",
            # NOTE(review): kms:Decrypt is evaluated against the KMS *key*
            # ARN, not the secret ARN, so this entry does not grant decrypt
            # on any key as written. If the secret is encrypted with a
            # customer-managed key, put that key's ARN (e.g.
            # <KMS_KEY_ARN_PLACEHOLDER>) in its own statement; if it uses
            # the AWS-managed aws/secretsmanager key this action is not
            # needed here at all. TODO confirm which key the secret uses.
            "kms:Decrypt"
          ]
          Resource = [
            aws_secretsmanager_secret.hff_entry_forms_api.arn
          ]
        }
      ]
    })
  }

  # Image pull access for the one ECR repository passed in via var.ecr_repo.
  inline_policy {
    name = "AllowAccessToEcrForHffEntryFormsApiTasks"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          # ecr:GetAuthorizationToken is account-level and does not accept
          # a repository ARN, so "*" is the narrowest valid resource here.
          Effect = "Allow"
          Action = [
            "ecr:GetAuthorizationToken"
          ]
          Resource = [
            "*"
          ]
        },
        {
          # Layer/image read actions are scoped to the single repository.
          Effect = "Allow"
          Action = [
            "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability",
            "ecr:DescribeImages",
            "ecr:GetDownloadUrlForLayer"
          ]
          Resource = [
            var.ecr_repo.arn
          ]
        }
      ]
    })
  }

  # Note the Name tag is a fixed string while the role name above is
  # prefixed with local.environment_name; the Environment tag carries the
  # environment instead.
  tags = {
    Name        = "HffEntryForms-EcsTaskRole"
    Environment = local.environment_name
  }
}