# Service catalogue driving every resource below.
# Key   = human-readable prefix used in policy and group names.
# Value = IAM service namespace used in the Action strings.
# Adding an entry here produces a ReadOnly and a Full_Access policy plus one
# group for each of them.
locals {
  services = {
    "CloudWatch" = "cloudwatch"
    "CloudTrail" = "cloudtrail"
    "Logs"       = "logs"
    "S3"         = "s3"
    "Ec2"        = "ec2"
    "Sqs"        = "sqs"
  }
}

# Read-only policy per service: List*/Get*/Describe* on every resource (Resource "*").
# NOTE(review): "read-only" here still means data access for some services, because
# the wildcards cover e.g. s3:GetObject and logs:GetLogEvents, not just metadata calls.
resource "aws_iam_policy" "read_only" {
  for_each = local.services

  name = "${each.key}_ReadOnly_Access"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Same three verb prefixes for every service, in List/Get/Describe order.
        Action   = [for verb in ["List", "Get", "Describe"] : "${each.value}:${verb}*"]
        Effect   = "Allow"
        Resource = "*"
      }
    ]
  })
}

# Full-access policy per service: "<service>:*" on Resource "*", i.e. account-wide
# with no resource or condition scoping.
# NOTE(review): for the CloudTrail and Logs entries this includes actions that stop
# or delete audit trails and log groups (e.g. cloudtrail:StopLogging,
# logs:DeleteLogGroup); consider an SCP or an explicit Deny for those if members of
# the Full_Access groups should not be able to disable logging.
resource "aws_iam_policy" "full_access" {
  for_each = local.services

  name = "${each.key}_Full_Access"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["${each.value}:*"]
        Effect   = "Allow"
        Resource = "*"
      }
    ]
  })
}

# One read-only group per service; membership is managed outside this file.
resource "aws_iam_group" "read_only" {
  for_each = local.services

  name = "${each.key}_ReadOnly_Access_Group"
}

# Bind each read-only group to the read-only policy with the matching service key.
resource "aws_iam_group_policy_attachment" "read_only" {
  for_each = local.services

  group      = aws_iam_group.read_only[each.key].name
  policy_arn = aws_iam_policy.read_only[each.key].arn
}

# One full-access group per service; membership is managed outside this file.
resource "aws_iam_group" "full_access" {
  for_each = local.services

  name = "${each.key}_Full_Access_Group"
}

# Bind each full-access group to the full-access policy with the matching service key.
resource "aws_iam_group_policy_attachment" "full_access" {
  for_each = local.services

  group      = aws_iam_group.full_access[each.key].name
  policy_arn = aws_iam_policy.full_access[each.key].arn
}