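# Two independent AWS KMS keys, one for HashiCorp Vault auto-unseal and one
# for SOPS, each with its own IAM user whose only permission is to use its
# own key. Keeping the keys and principals separate means a leaked SOPS
# credential cannot reach the Vault unseal key and vice versa.

terraform {
  required_version = ">= 1.8.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.82.2"
    }
  }

  # State is kept locally. Backend blocks accept only literal values, so the
  # pathexpand() line below cannot be enabled as written; use a literal path
  # or pass it via -backend-config. Whatever the location, the state file
  # contains the IAM access-key secrets in plaintext and must be protected
  # accordingly.
  backend "local" {
    # path = pathexpand("~/Backups/tfstate/cloudflare.tfstate")
  }
}

provider "aws" {
  region = "us-east-1"
}

# ---------------------------------------------------------------------------
# IAM principals: one dedicated user per consumer, nothing shared.
# ---------------------------------------------------------------------------

resource "aws_iam_user" "vault_user" {
  name = "vault-unseal-user"
}

resource "aws_iam_user" "sops_user" {
  name = "sops-user"
}

# Long-lived static credentials. They are written to state and exposed as
# outputs below; rotate them by tainting/replacing the access-key resource.
resource "aws_iam_access_key" "vault_user_key" {
  user = aws_iam_user.vault_user.name
}

resource "aws_iam_access_key" "sops_user_key" {
  user = aws_iam_user.sops_user.name
}

# ---------------------------------------------------------------------------
# KMS keys. Symmetric keys are used for both envelope-encryption purposes.
# deletion_window_in_days = 30 gives the longest possible grace period for
# recovering a key that was scheduled for deletion by mistake; losing the
# Vault key makes the Vault storage permanently unrecoverable.
# Automatic yearly rotation is disabled; KMS rotation keeps old key material
# for decryption, so it can be turned on later without re-encrypting data.
# ---------------------------------------------------------------------------

resource "aws_kms_key" "vault" {
  description              = "Hashicorp Vault auto unseal key"
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  deletion_window_in_days  = 30
  is_enabled               = true
  multi_region             = false
  enable_key_rotation      = false
}

resource "aws_kms_key" "sops" {
  description              = "SOPS operational key"
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  deletion_window_in_days  = 30
  is_enabled               = true
  multi_region             = false
  enable_key_rotation      = false
}

resource "aws_kms_alias" "vault" {
  name          = "alias/hashicorp-vault-unseal"
  target_key_id = aws_kms_key.vault.key_id
}

# Fix: the alias must point at the SOPS key. It previously targeted the Vault
# unseal key, so anything encrypting via "alias/sops" would have used the
# Vault key (which sops_policy below does not even grant access to), and the
# two trust domains would have been silently merged.
resource "aws_kms_alias" "sops" {
  name          = "alias/sops"
  target_key_id = aws_kms_key.sops.key_id
}

# ---------------------------------------------------------------------------
# Inline policies. Each user may Encrypt/Decrypt/DescribeKey on exactly one
# key ARN; no wildcard resources and no key-management actions.
# ---------------------------------------------------------------------------

resource "aws_iam_user_policy" "vault_policy" {
  name = "vault-unseal-policy"
  user = aws_iam_user.vault_user.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "kms:Decrypt",
          "kms:DescribeKey",
          "kms:Encrypt",
        ]
        Resource = aws_kms_key.vault.arn
      },
    ]
  })
}

resource "aws_iam_user_policy" "sops_policy" {
  name = "sops-policy"
  user = aws_iam_user.sops_user.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "kms:Decrypt",
          "kms:DescribeKey",
          "kms:Encrypt",
        ]
        Resource = aws_kms_key.sops.arn
      },
    ]
  })
}

# ---------------------------------------------------------------------------
# Outputs. The secret access keys are marked sensitive instead of being
# unwrapped with nonsensitive(): the value is unchanged and still retrievable
# with `terraform output -raw <name>`, but it is no longer printed in plan /
# apply output or CI logs.
# ---------------------------------------------------------------------------

output "vault_access_key_id" {
  value = aws_iam_access_key.vault_user_key.id
}

output "vault_secret_access_key" {
  value     = aws_iam_access_key.vault_user_key.secret
  sensitive = true
}

output "vault_kms_key_id" {
  value = aws_kms_key.vault.key_id
}

output "sops_access_key_id" {
  value = aws_iam_access_key.sops_user_key.id
}

output "sops_secret_access_key" {
  value     = aws_iam_access_key.sops_user_key.secret
  sensitive = true
}

output "sops_kms_key_id" {
  value = aws_kms_key.sops.key_id
}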