#!/bin/bash

# A script to demonstrate IAM user, group, and policy management using AWS CLI.
# This script creates a user, a group, a custom policy for S3 read-only access,
# attaches the policy to the group, and adds the user to the group.
# Finally, it cleans up all created resources.

# --- Configuration ---
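# Fail fast: an unchecked AWS CLI error would otherwise let later steps run with
# empty arguments (e.g. attaching an empty policy ARN) and skip the cleanup.
set -euo pipefail

# --- Configuration ---
# IAM is a global service; the region only selects the endpoint the CLI talks to.
readonly REGION="us-east-1"
readonly USER_NAME="MyCLIUser"
readonly GROUP_NAME="MyCLIGroup"
readonly POLICY_NAME="MyCLIS3ReadOnlyPolicy"

# Custom policy document (S3 read-only).
# NOTE: "Resource": "*" grants Get/List on every bucket in the account; for
# anything beyond a throwaway demo, narrow it to the bucket ARNs actually needed.
readonly POLICY_DOCUMENT='{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}'

# --- State tracked for cleanup ---
# Each flag is set only after its step succeeded, so the EXIT trap tears down
# exactly what exists and never leaves a half-built user/group/policy behind.
POLICY_ARN=""
user_created=0
group_created=0
policy_attached=0
user_in_group=0

#######################################
# Print an error to stderr and exit non-zero (the EXIT trap then cleans up).
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a section banner to stdout.
# Arguments: $1 - banner text
#######################################
banner() {
  printf '\n--- %s ---\n' "$1"
}

#######################################
# Remove every resource this script created, in reverse order of creation.
# Installed as the EXIT trap, so it runs on normal completion, on die(), and
# on any failed command under set -e. Each step is independent so one failed
# deletion does not skip the remaining ones.
# Globals:   POLICY_ARN, user_created, group_created, policy_attached,
#            user_in_group, USER_NAME, GROUP_NAME, REGION (all read)
# Outputs:   progress to stdout, per-step warnings to stderr
# Returns:   exits with the status the script was exiting with
#######################################
cleanup() {
  local rc=$?
  trap - EXIT
  banner "Cleaning up resources"

  if (( user_in_group )); then
    echo "Removing user from group..."
    aws iam remove-user-from-group \
      --user-name "$USER_NAME" \
      --group-name "$GROUP_NAME" \
      --region "$REGION" || printf 'warning: remove-user-from-group failed\n' >&2
  fi

  if (( policy_attached )); then
    echo "Detaching policy from group..."
    aws iam detach-group-policy \
      --group-name "$GROUP_NAME" \
      --policy-arn "$POLICY_ARN" \
      --region "$REGION" || printf 'warning: detach-group-policy failed\n' >&2
  fi

  if [[ -n "$POLICY_ARN" ]]; then
    echo "Deleting policy..."
    aws iam delete-policy \
      --policy-arn "$POLICY_ARN" \
      --region "$REGION" || printf 'warning: delete-policy failed\n' >&2
  fi

  if (( group_created )); then
    echo "Deleting group..."
    aws iam delete-group \
      --group-name "$GROUP_NAME" \
      --region "$REGION" || printf 'warning: delete-group failed\n' >&2
  fi

  if (( user_created )); then
    echo "Deleting user..."
    aws iam delete-user \
      --user-name "$USER_NAME" \
      --region "$REGION" || printf 'warning: delete-user failed\n' >&2
  fi

  if (( rc == 0 )); then
    banner "All IAM resources cleaned up successfully"
  else
    printf '\n--- Script exited with status %d; cleanup attempted ---\n' "$rc" >&2
  fi
  exit "$rc"
}

#######################################
# Create the user, group and policy, wire them together, then wait for the
# operator before the EXIT trap removes everything again.
# Globals:   POLICY_ARN, user_created, group_created, policy_attached,
#            user_in_group (written); configuration constants (read)
# Arguments: none
#######################################
main() {
  command -v aws >/dev/null 2>&1 || die "aws CLI not found in PATH"
  trap cleanup EXIT

  # --- 1. Create IAM User ---
  banner "Creating IAM User: $USER_NAME"
  aws iam create-user \
    --user-name "$USER_NAME" \
    --region "$REGION" || die "create-user failed"
  user_created=1
  echo "User '$USER_NAME' created."

  # --- 2. Create IAM Group ---
  banner "Creating IAM Group: $GROUP_NAME"
  aws iam create-group \
    --group-name "$GROUP_NAME" \
    --region "$REGION" || die "create-group failed"
  group_created=1
  echo "Group '$GROUP_NAME' created."

  # --- 3. Create Custom IAM Policy (S3 Read-Only) ---
  banner "Creating Custom IAM Policy: $POLICY_NAME"
  local arn
  arn=$(aws iam create-policy \
    --policy-name "$POLICY_NAME" \
    --policy-document "$POLICY_DOCUMENT" \
    --region "$REGION" \
    --query 'Policy.Arn' --output text) || die "create-policy failed"
  # `--output text` prints "None" for a missing key, so check the shape rather
  # than just non-emptiness before using the value in later calls.
  [[ "$arn" == arn:* ]] || die "create-policy did not return a policy ARN (got '$arn')"
  POLICY_ARN=$arn
  echo "Policy '$POLICY_NAME' created with ARN: $POLICY_ARN"
  sleep 5 # IAM is eventually consistent; give the new policy a moment to propagate

  # --- 4. Attach Policy to Group ---
  banner "Attaching Policy '$POLICY_NAME' to Group '$GROUP_NAME'"
  aws iam attach-group-policy \
    --group-name "$GROUP_NAME" \
    --policy-arn "$POLICY_ARN" \
    --region "$REGION" || die "attach-group-policy failed"
  policy_attached=1
  echo "Policy attached to group."

  # --- 5. Add User to Group ---
  banner "Adding User '$USER_NAME' to Group '$GROUP_NAME'"
  aws iam add-user-to-group \
    --user-name "$USER_NAME" \
    --group-name "$GROUP_NAME" \
    --region "$REGION" || die "add-user-to-group failed"
  user_in_group=1
  echo "User added to group. '$USER_NAME' now has S3 read-only access."

  banner "IAM setup complete. User '$USER_NAME' is in group '$GROUP_NAME' with S3 read-only access."
  # EOF on stdin (non-interactive run) must not abort before cleanup, so the
  # read's status is ignored; cleanup itself happens in the EXIT trap.
  read -r -p "Press Enter to clean up resources..." _ || true
}

main "$@"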
