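# Private object storage for the application, plus the IAM policy that lets the
# application role (aws_iam_role.social, defined elsewhere) use it. The bucket
# name is suffixed with random_pet.name so it is unique per deployment.
module "private_s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "mastodon-private-${random_pet.name.id}"

  # Versioning stays off, as in the original configuration; enable it if
  # overwrite/delete protection for stored objects is required.
  versioning = {
    enabled = false
  }

  # The bucket is meant to be private: state the public-access block
  # explicitly instead of relying on whatever the pinned module version
  # defaults to.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Access for the application role, split into bucket-level and object-level
# statements so each action set is scoped to the resource it applies to.
# The original "s3:*" grant also permitted changing the bucket's policy, ACLs
# and configuration, which the application has no need to do.
data "aws_iam_policy_document" "private_s3" {
  statement {
    sid    = "BucketLevel"
    effect = "Allow"
    actions = [
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:ListBucketMultipartUploads",
    ]
    resources = [module.private_s3_bucket.s3_bucket_arn]
  }

  statement {
    sid    = "ObjectLevel"
    effect = "Allow"
    # Object read/write/delete plus the multipart-upload and object-ACL
    # actions that S3 storage adapters commonly use. NOTE(review): confirm
    # against the application's storage settings; extend the list rather
    # than reverting to "s3:*" if it reports AccessDenied.
    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
      "s3:GetObjectAcl",
      "s3:PutObjectAcl",
      "s3:AbortMultipartUpload",
      "s3:ListMultipartUploadParts",
    ]
    resources = ["${module.private_s3_bucket.s3_bucket_arn}/*"]
  }
}

# Managed policy wrapping the document above; named after the bucket so it is
# easy to find in the console.
resource "aws_iam_policy" "private_s3" {
  name        = "${module.private_s3_bucket.s3_bucket_id}-access"
  path        = "/"
  description = "permissions for mastodon private s3 bucket"
  policy      = data.aws_iam_policy_document.private_s3.json
}

# Attach the bucket policy to the application role.
resource "aws_iam_role_policy_attachment" "private_s3" {
  role       = aws_iam_role.social.name
  policy_arn = aws_iam_policy.private_s3.arn
}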