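# Vault server deployed from the official HashiCorp chart in HA mode with
# integrated Raft storage and AWS KMS auto-unseal.
#
# Secret handling: the AWS credentials used for the KMS seal are NOT placed in
# the chart values; they are read at runtime from the Kubernetes Secret
# `vault-aws-creds` (expected to be created by kubectl_manifest.vault_aws_creds,
# hence the depends_on). Only non-secret seal settings (region, KMS key id) are
# passed as plain environment variables.
resource "helm_release" "vault" {
  depends_on = [kubectl_manifest.vault_aws_creds]

  name             = "vault"
  repository       = "https://helm.releases.hashicorp.com"
  chart            = "vault"
  namespace        = "vault"
  version          = "0.28.1" # pinned; bump deliberately and review chart changes
  create_namespace = true
  wait             = true

  set {
    name  = "server.ha.enabled"
    value = "true"
  }

  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }

  # NOTE(review): the Traefik router is bound to both `web` and `websecure`
  # entrypoints, so the Vault API is reachable over the plain-HTTP entrypoint as
  # well as TLS. Confirm that `web` is only used for the ACME HTTP-01 challenge /
  # a redirect and is not serving the Vault API in clear text.
  values = [
    <<-EOT
    server:
      ingress:
        enabled: true
        ingressClassName: traefik
        annotations:
          kubernetes.io/ingress.class: traefik
          cert-manager.io/cluster-issuer: letsencrypt
          traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
        hosts:
          - host: ${var.hostname}
            paths: []
        tls:
          - secretName: tls-vault
            hosts:
              - ${var.hostname}
      extraEnvironmentVars:
        VAULT_SEAL_TYPE: "awskms"
        AWS_REGION: "${var.aws_region}"
        VAULT_AWSKMS_SEAL_KEY_ID: "${var.aws_kms_key_id}"
      extraSecretEnvironmentVars:
        - envName: AWS_ACCESS_KEY_ID
          secretName: vault-aws-creds
          secretKey: AWS_ACCESS_KEY_ID
        - envName: AWS_SECRET_ACCESS_KEY
          secretName: vault-aws-creds
          secretKey: AWS_SECRET_ACCESS_KEY
    EOT
  ]
}

# One-shot initialisation of the cluster, run over SSH on a node that has
# kubectl access. The JSON returned by `vault operator init` carries the
# initial root token and the recovery keys (KMS seal), so
# `ssh_resource.vault_init.result` is highly sensitive: it is persisted in
# Terraform state, which must therefore be stored encrypted and access-restricted.
# `vault operator init` fails if the cluster is already initialised, so this is
# expected to run on create only; presumably the provider's default run
# behaviour is relied on here — confirm if the resource is ever re-created.
resource "ssh_resource" "vault_init" {
  depends_on = [helm_release.vault]

  host        = var.node_public_ip
  user        = var.node_username
  private_key = var.ssh_private_key_pem

  commands = [
    "kubectl -n vault exec vault-0 -- vault operator init -format=json"
  ]
}

# Writes the init output (root token + recovery keys) to <root>/vault.secret so
# an operator can pick it up. The file is plaintext and must be removed / moved
# to a secrets store once the root token has been revoked and the recovery keys
# distributed.
#
# Fix: local_file defaults file_permission to "0777", which would leave the root
# token world-readable; restrict it to the owner.
resource "local_file" "vault-keys" {
  depends_on = [ssh_resource.vault_init]

  filename        = format("%s/%s", path.root, "vault.secret")
  content         = ssh_resource.vault_init.result
  file_permission = "0600"
}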