// Renders the AWS identity resource for a deployment that asks for AWS access
// (an 'aws_access' key under extraResources), or null when it does not.
//
// Depending on namespace_values.zalandoEnabled the result is either a
// zalando.org/v1 AWSIAMRole or a plain ServiceAccount carrying the
// eks.amazonaws.com/* annotations used for IAM roles for service accounts.
//
// NOTE(review): in both variants the resource is *named* after the deployment's
// own environment but *points at* the IAM role named after the sandbox source
// environment, so the workload runs with the source environment's role.
// Confirm that this is intended and that the role's trust policy is scoped to
// the namespace / service account allowed to assume it.
local chart = import '../chart.jsonnet';
local common = import '../common.jsonnet';
local deployment_manifest = import '../deployment_manifest.jsonnet';
local namespace_values = import '../namespace_values.jsonnet';

local deployment = deployment_manifest.deployment;
local target_environment = deployment_manifest.environment;
// Locals are evaluated lazily, so this path is only dereferenced when one of
// the resources below is actually rendered.
// NOTE(review): there is no null guard on sandboxParams — presumably every
// manifest that requests aws_access carries it; verify against the schema.
local source_environment = deployment_manifest.sandboxParams.source.environment;
local service_name = chart.full_service_name(deployment.name);

// True only when extraResources exists and contains an 'aws_access' entry.
local wants_aws_access =
  (deployment_manifest.extraResources != null)
  && ('aws_access' in deployment_manifest.extraResources);

// Name shared by both resource variants: <service>-<deployment environment>.
local resource_name = '%s-%s' % [service_name, target_environment];

// Variant for clusters with zalandoEnabled: an AWSIAMRole custom resource that
// references the source environment's role by name.
local aws_iam_role = {
  apiVersion: 'zalando.org/v1',
  kind: 'AWSIAMRole',
  metadata: {
    name: resource_name,
    namespace: deployment.namespace,
    annotations: common.annotations,
  },
  spec: {
    roleReference: '%s-%s' % [service_name, source_environment],
  },
};

// Variant for all other clusters: a ServiceAccount annotated with the role ARN.
// NOTE(review): unlike the AWSIAMRole above, this object does not include
// common.annotations — confirm that the omission is deliberate.
local service_account = {
  apiVersion: 'v1',
  kind: 'ServiceAccount',
  metadata: {
    annotations: {
      // The account id comes from namespace_values; the role name is built
      // from the source environment, not the deployment's environment.
      'eks.amazonaws.com/role-arn': 'arn:aws:iam::%s:role/%s-%s' % [namespace_values.awsAccountId, service_name, source_environment],
      // Use the regional STS endpoint rather than the global one.
      'eks.amazonaws.com/sts-regional-endpoints': 'true',
      // Projected token lifetime in seconds (10800 s = 3 h).
      'eks.amazonaws.com/token-expiration': '10800',
    },
    name: resource_name,
    namespace: deployment.namespace,
  },
};

if !wants_aws_access then
  null
else if namespace_values.zalandoEnabled then
  aws_iam_role
else
  service_account