# Identity of the credentials running this configuration. Only account_id is
# consumed below, to pin the role's trust policy to this account.
data "aws_caller_identity" "current" {
}

# Bucket that the role below is allowed to list.
# NOTE(review): the inline `acl` argument is deprecated in newer AWS provider
# releases in favour of a separate aws_s3_bucket_acl resource — confirm against
# the pinned provider version. A "private" ACL on its own does not prevent a
# later bucket policy from granting public access; no
# aws_s3_bucket_public_access_block is declared in this file.
resource "aws_s3_bucket" "b" {
  acl    = "private"
  bucket = "tf-test-bucket"
}

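# Role that receives the ListBucket grant attached further down.
#
# Trust policy: the account-root principal means any identity in the current
# account that itself holds sts:AssumeRole permission on this role can assume
# it; the effective scope is therefore set by that account's IAM policies, not
# by this trust statement. For anything beyond a test fixture, narrow "AWS" to
# the specific role/user ARN that should assume it.
resource "aws_iam_role" "test_role" {
  name = "test_role"

  # jsonencode() is checked at plan time (syntax and interpolation), whereas a
  # raw heredoc is only rejected by the API at apply time. The document is
  # equivalent to the previous inline JSON; the provider treats semantically
  # equal policy JSON as unchanged.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
      }
    ]
  })
}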

# Least-privilege grant: list the contents of the single bucket declared above.
# ListBucket is a bucket-level action, so the resource is the bucket ARN itself
# (no "/*" object suffix is needed or granted).
data "aws_iam_policy_document" "test_policy" {
  statement {
    effect    = "Allow" # default, stated explicitly for readability
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.b.arn]
  }
}

# Customer-managed policy built from the document above, so the JSON is
# generated by Terraform rather than hand-written.
resource "aws_iam_policy" "test_policy" {
  policy = data.aws_iam_policy_document.test_policy.json
  path   = "/"
  name   = "test_policy"
}

# Binds the managed policy to the role. A managed-policy attachment (rather than
# an inline aws_iam_role_policy) keeps the grant reusable and separately
# auditable in IAM.
resource "aws_iam_role_policy_attachment" "test-attach" {
  policy_arn = aws_iam_policy.test_policy.arn
  role       = aws_iam_role.test_role.name
}

# ARN of the role, for callers that need to reference or assume it.
output "role_arn" {
  value = aws_iam_role.test_role.arn
}
# Bucket name (the aws_s3_bucket id is its name, not its ARN).
output "bucket" {
  value = aws_s3_bucket.b.id
}