v1alpha1

type AWSIAMConfiguration struct {
	metav1.TypeMeta `json:",inline"`

	Spec AWSIAMConfigurationSpec `json:"spec,omitempty"`
}

type AWSIAMConfigurationSpec struct {
	// NamePrefix will be prepended to every AWS IAM role, user and policy created by clusterawsadm. Defaults to "".
	NamePrefix string `json:"namePrefix,omitempty"`

	// NameSuffix will be appended to every AWS IAM role, user and policy created by clusterawsadm. Defaults to
	// ".cluster-api-provider-aws.sigs.k8s.io".
	NameSuffix *string `json:"nameSuffix,omitempty"`

	// ControlPlane controls the configuration of the AWS IAM role for a Kubernetes cluster's control plane nodes.
	ControlPlane ControlPlane `json:"controlPlane,omitempty"`

	// ClusterAPIControllers controls the configuration of an IAM role and policy specifically for Kubernetes Cluster API Provider AWS.
	ClusterAPIControllers ClusterAPIControllers `json:"clusterAPIControllers,omitempty"`

	// Nodes controls the configuration of the AWS IAM role for all nodes in a Kubernetes cluster.
	Nodes Nodes `json:"nodes,omitempty"`

	// BootstrapUser contains a list of elements that is specific
	// to the configuration and enablement of an IAM user.
	BootstrapUser BootstrapUser `json:"bootstrapUser,omitempty"`

	// StackName defines the name of the AWS CloudFormation stack.
	StackName string `json:"stackName,omitempty"`

	// Region controls which region the control-plane is created in if not specified on the command line or
	// via environment variables.
	Region string `json:"region,omitempty"`

	// EKS controls the configuration related to EKS. Settings in here affect the control plane
	// and nodes roles
	EKS *EKSConfig `json:"eks,omitempty"`

	// EventBridge controls configuration for consuming EventBridge events
	EventBridge *EventBridgeConfig `json:"eventBridge,omitempty"`

	// Partition is the AWS security partition being used. Defaults to "aws"
	Partition string `json:"partition,omitempty"`

	// SecureSecretsBackend, when set to parameter-store will create AWS Systems Manager
	// Parameter Storage policies. By default or with the value of secrets-manager,
	// will generate AWS Secrets Manager policies instead.
	// +kubebuilder:validation:Enum=secrets-manager;ssm-parameter-store
	SecureSecretsBackends []infrav1.SecretBackend `json:"secureSecretBackends,omitempty"`
}

type AWSIAMRoleSpec struct {
	// Disable if set to true will not create the AWS IAM role. Defaults to false.
	Disable bool `json:"disable"` // default: false

	// ExtraPolicyAttachments is a list of additional policies to be attached to the IAM role.
	ExtraPolicyAttachments []string `json:"extraPolicyAttachments,omitempty"`

	// ExtraStatements are additional IAM statements to be included inline for the role.
	ExtraStatements []iamv1.StatementEntry `json:"extraStatements,omitempty"`

	// TrustStatements is an IAM PolicyDocument defining what identities are allowed to assume this role.
	// See "sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/api/iam/v1beta1" for more documentation.
	TrustStatements []iamv1.StatementEntry `json:"trustStatements,omitempty"`

	// Tags is a map of tags to be applied to the AWS IAM role.
	Tags infrav1.Tags `json:"tags,omitempty"`
}

type BootstrapUser struct {

	// Enable controls whether or not a bootstrap AWS IAM user will be created.
	// This can be used to scope down the initial credentials used to bootstrap the
	// cluster.
	// Defaults to false.
	Enable bool `json:"enable"`

	// UserName controls the username of the bootstrap user. Defaults to
	// "bootstrapper.cluster-api-provider-aws.sigs.k8s.io"
	UserName string `json:"userName,omitempty"`

	// GroupName controls the group the user will belong to. Defaults to
	// "bootstrapper.cluster-api-provider-aws.sigs.k8s.io"
	GroupName string `json:"groupName,omitempty"`

	// ExtraPolicyAttachments is a list of additional policies to be attached to the IAM user.
	ExtraPolicyAttachments []string `json:"extraPolicyAttachments,omitempty"`

	// ExtraGroups is a list of groups to add this user to.
	ExtraGroups []string `json:"extraGroups,omitempty"`

	// ExtraStatements are additional AWS IAM policy document statements to be included inline for the user.
	ExtraStatements []iamv1.StatementEntry `json:"extraStatements,omitempty"`

	// Tags is a map of tags to be applied to the AWS IAM user.
	Tags infrav1.Tags `json:"tags,omitempty"`
}

type ClusterAPIControllers struct {
	AWSIAMRoleSpec `json:",inline"`
	// AllowedEC2InstanceProfiles controls which EC2 roles are allowed to be
	// consumed by Cluster API when creating an ec2 instance. Defaults to
	// *.<suffix>, where suffix is defaulted to .cluster-api-provider-aws.sigs.k8s.io
	AllowedEC2InstanceProfiles []string `json:"allowedEC2InstanceProfiles,omitempty"`
}

type ControlPlane struct {
	AWSIAMRoleSpec `json:",inline"`

	// DisableClusterAPIControllerPolicyAttachment, if set to true, will not attach the AWS IAM policy for Cluster
	// API Provider AWS to the control plane role. Defaults to false.
	DisableClusterAPIControllerPolicyAttachment bool `json:"disableClusterAPIControllerPolicyAttachment,omitempty"`

	// DisableCloudProviderPolicy if set to true, will not generate and attach the AWS IAM policy for the AWS Cloud Provider.
	DisableCloudProviderPolicy bool `json:"disableCloudProviderPolicy"`

	// EnableCSIPolicy if set to true, will generate and attach the AWS IAM policy for the EBS CSI Driver.
	EnableCSIPolicy bool `json:"enableCSIPolicy"`
}

type EKSConfig struct {
	// Disable controls whether EKS-related permissions are granted
	Disable bool `json:"disable"`
	// AllowIAMRoleCreation controls whether the EKS controllers have permissions for creating IAM
	// roles per cluster
	AllowIAMRoleCreation bool `json:"iamRoleCreation,omitempty"`
	// EnableUserEKSConsolePolicy controls the creation of the policy to view EKS nodes and workloads.
	EnableUserEKSConsolePolicy bool `json:"enableUserEKSConsolePolicy,omitempty"`
	// DefaultControlPlaneRole controls the configuration of the AWS IAM role for
	// the EKS control plane. This is the default role that will be used if
	// no role is included in the spec and automatic creation of the role
	// isn't enabled
	DefaultControlPlaneRole AWSIAMRoleSpec `json:"defaultControlPlaneRole,omitempty"`
	// ManagedMachinePool controls the configuration of the AWS IAM role for
	// used by EKS managed machine pools.
	ManagedMachinePool *AWSIAMRoleSpec `json:"managedMachinePool,omitempty"`
	// Fargate controls the configuration of the AWS IAM role for
	// used by EKS managed machine pools.
	Fargate *AWSIAMRoleSpec `json:"fargate,omitempty"`
	// KMSAliasPrefix is prefix to use to restrict permission to KMS keys to only those that have an alias
	// name that is prefixed by this.
	// Defaults to cluster-api-provider-aws-*
	KMSAliasPrefix string `json:"kmsAliasPrefix,omitempty"`
}

type EventBridgeConfig struct {
	// Enable controls whether permissions are granted to consume EC2 events
	Enable bool `json:"enable,omitempty"`
}

type Nodes struct {
	AWSIAMRoleSpec `json:",inline"`

	// DisableCloudProviderPolicy if set to true, will not generate and attach the policy for the AWS Cloud Provider.
	// Defaults to false.
	DisableCloudProviderPolicy bool `json:"disableCloudProviderPolicy"`

	// EC2ContainerRegistryReadOnly controls whether the node has read-only access to the
	// EC2 container registry
	EC2ContainerRegistryReadOnly bool `json:"ec2ContainerRegistryReadOnly"`
}