resource "aws_iam_role" "module_role" {
  name               = var.iam_role_name
  assume_role_policy = data.aws_iam_policy_document.trust_policy.json
}

data "aws_iam_policy_document" "trust_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = var.assume_role_services
    }

    dynamic "principals" {
      for_each = length(var.assume_role_user_arn) > 0 ? [1] : []
      content {
        type        = "AWS"
        identifiers = var.assume_role_user_arn
      }
    }
  }
}

resource "aws_iam_role_policy" "extra_policies" {
  for_each = { for idx, policy in var.extra_policies : idx => policy }

  name   = each.value.name
  role   = aws_iam_role.module_role.name
  policy = jsonencode(each.value.policy)
}