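# Deploys FusionAuth into its own namespace with the upstream Helm chart and
# seeds it through a kickstart document (default tenant id, one API key, one
# admin user).
#
# Operator notes:
# - Every secret handled here (the copied TLS secret, the database password,
#   the generated API key and admin password) is written to the Terraform
#   state. The state backend needs encryption at rest and tight access control.
# - `sensitive = true` on an output only redacts CLI/plan display; the value is
#   still readable by anyone who can read the state.

terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "2.31.0"
    }
    # helm_release and random_* are used below. Declaring their sources makes
    # the provider origin explicit instead of implied. Add a `version`
    # constraint matching the releases recorded in the dependency lock file.
    helm = {
      source = "hashicorp/helm"
    }
    random = {
      source = "hashicorp/random"
    }
  }
}

resource "kubernetes_namespace" "fusionauth" {
  metadata {
    name = var.namespace
  }

  # Labels/annotations added to the namespace outside Terraform are left alone.
  lifecycle {
    ignore_changes = [metadata]
  }
}

# Reads the existing TLS secret from the cert-manager namespace so it can be
# copied into the FusionAuth namespace below. Reading it pulls the secret data,
# private key included, into the Terraform state.
data "kubernetes_secret" "bridge-tls" {
  metadata {
    name      = "bridge-tls"
    namespace = "cert-manager"
  }
}

# Copy of bridge-tls. The copy is a snapshot taken at apply time: if the source
# secret is rotated, this one stays stale until the next `terraform apply`.
resource "kubernetes_secret" "fusionauth-tls" {
  metadata {
    name      = "fusionauth-tls"
    namespace = kubernetes_namespace.fusionauth.metadata[0].name
  }

  data = data.kubernetes_secret.bridge-tls.data
  type = data.kubernetes_secret.bridge-tls.type
}

# Database password handed to the workload as a Kubernetes secret.
resource "kubernetes_secret" "postgresql-auth" {
  metadata {
    name      = "postgresql-auth"
    namespace = kubernetes_namespace.fusionauth.metadata[0].name
  }

  data = {
    password = var.database_password
  }
}

# 32-character alphanumeric credentials; both results are stored in state.
resource "random_password" "api_key" {
  length  = 32
  special = false
}

resource "random_password" "admin" {
  length  = 32
  special = false
}

resource "random_uuid" "default_tenant_id" {}

resource "helm_release" "fusionauth" {
  depends_on = [var.wait_on, kubernetes_secret.postgresql-auth, kubernetes_secret.fusionauth-tls]

  name             = "fusionauth"
  repository       = "https://fusionauth.github.io/charts"
  chart            = "fusionauth"
  namespace        = kubernetes_namespace.fusionauth.metadata[0].name
  version          = "1.0.10"
  create_namespace = false
  wait             = true
  wait_for_jobs    = true

  # The rendered values embed the admin password and the API key. Helm records
  # release values with the release (by default in a Secret in the release
  # namespace), so read access to that storage exposes both credentials.
  # NOTE(review): check where the chart places kickstart_json; if it ends up in
  # a ConfigMap, ConfigMap readers in this namespace can read the credentials.
  values = [
    templatefile("${path.module}/values.yaml", {
      service_uri       = local.service_uri,
      database          = var.database,
      database_username = var.database_username,
      # The root username is only passed when a root password was supplied.
      database_root_username = var.database_root_password != null ? var.database_root_username : null,
      # TODO: Add theme customization, and use as default
      kickstart_json = jsonencode({
        variables = {
          defaultTenantId = random_uuid.default_tenant_id.result
          adminEmail      = "engineering@fourlights.nl"
          adminPassword   = random_password.admin.result
        }
        # NOTE(review): no permissions are set on this key. Confirm against the
        # FusionAuth docs whether that makes it unrestricted; if so, limit it to
        # the endpoints Terraform actually calls.
        apiKeys = [{
          key         = random_password.api_key.result,
          description = "Terraform API Key"
        }],
        # Registers the initial admin user. The identity below is hard-coded in
        # the module; consider moving it to variables.
        requests = [
          {
            "method" : "POST",
            "url" : "/api/user/registration/00000000-0000-0000-0000-000000000001",
            "body" : {
              "user" : {
                "email" : "#{adminEmail}",
                "firstName" : "Thomas",
                "lastName" : "Rijpstra",
                "password" : "#{adminPassword}",
                "data" : {
                  "Company" : "Four Lights",
                  "user_type" : "iconclast"
                }
              },
              "registration" : {
                "applicationId" : "#{FUSIONAUTH_APPLICATION_ID}",
                "roles" : [
                  "admin"
                ]
              }
            }
          }
        ],
      })
    })
  ]
}

# Lets callers sequence other modules after the release has finished.
output "installed" {
  value      = true
  depends_on = [helm_release.fusionauth]
}

output "api_key" {
  value     = random_password.api_key.result
  sensitive = true
}

output "admin_password" {
  value     = random_password.admin.result
  sensitive = true
}

output "server" {
  value = local.service_uri
}

output "default_tenant_id" {
  value = random_uuid.default_tenant_id.result
}

output "uri" {
  value = "https://${local.service_uri}"
}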