# Service role assumed by AWS Elemental MediaConvert when it runs jobs.
# Only the MediaConvert service principal is trusted to assume it.
resource "aws_iam_role" "mediaconvert_role" {
  name = "humand-mediaconvert-role-${var.env}"

  tags = {
    Environment = var.env
    Service     = "mediaconvert"
  }

  # Trust policy: sts:AssumeRole is allowed solely for mediaconvert.amazonaws.com.
  # NOTE(review): there is no aws:SourceAccount / aws:SourceArn Condition, so
  # the trust is not pinned to the owning account (cross-service confused
  # deputy exposure). Adding that condition needs the account id, which is
  # not in scope in this file — confirm where the caller identity is known.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "mediaconvert.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

# IAM policy granting the MediaConvert role access to S3 and CloudWatch Logs
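resource "aws_iam_role_policy" "mediaconvert_policy" {
  name = "humand-mediaconvert-policy-${var.env}"
  role = aws_iam_role.mediaconvert_role.id

  # Inline permissions for the MediaConvert job role.
  # Bucket-level and object-level S3 actions are split into separate statements
  # so each action is granted only on the resource type it applies to
  # (s3:ListBucket on the bucket ARN; s3:GetObject/s3:PutObject on object ARNs).
  # The effective permissions equal the previous single combined statement, but
  # the grant is explicit and easier to audit. Sids name each statement for
  # readability in the console and in access-analyzer findings.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "MultimediaBucketList"
        Effect = "Allow"
        Action = [
          "s3:ListBucket"
        ]
        Resource = "arn:aws:s3:::${var.humand_multimedia_bucket}"
      },
      {
        Sid    = "MultimediaObjectReadWrite"
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject"
        ]
        Resource = "arn:aws:s3:::${var.humand_multimedia_bucket}/*"
      },
      {
        # NOTE(review): the log resource is a full wildcard (any region, any
        # account, any log group). Narrowing it to the deploying region and
        # account needs the caller identity, which this file does not have in
        # scope — tighten once that data is available.
        Sid    = "CloudWatchLogs"
        Effect = "Allow"
        Action = [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ]
        Resource = "arn:aws:logs:*:*:*"
      }
    ]
  })
}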

# SSM Parameter to store the MediaConvert role ARN
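resource "aws_ssm_parameter" "mediaconvert_role_arn" {
  # NOTE(review): the parameter name is not environment-scoped, unlike the
  # role name above. If more than one env is deployed into the same account
  # and region, the second apply collides on this name — confirm the per-env
  # account layout before relying on it.
  name = "/common/iam/mediaconvert/role-arn"

  # A role ARN is not a secret. SecureString is kept as written because
  # consumers may already read it that way, but it means readers also need
  # kms:Decrypt on the parameter's key (the account's default SSM key when
  # no key_id is set).
  type  = "SecureString"
  value = aws_iam_role.mediaconvert_role.arn

  # Same tags as the role so both resources are attributed to the same
  # environment and service.
  tags = {
    Environment = var.env
    Service     = "mediaconvert"
  }
}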
