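# Monitoring stack for k3s cluster with Thanos
#
# This module creates the "monitoring" namespace, a basic-auth secret for
# Prometheus remote write, a generated Grafana admin password, and the
# kube-prometheus-stack Helm release. It exposes the in-cluster service URLs
# and port-forward instructions as outputs.
#
# Secret handling: the remote-write credentials and the generated Grafana
# password are all recorded in the Terraform state, so the state backend needs
# the same access control and encryption as the secrets themselves.

terraform {
  required_providers {
    helm = {
      source  = "hashicorp/helm"
      version = ">= 2.0.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.0.0"
    }
    # random_password below comes from this provider. Declaring it explicitly
    # keeps the provider source from being resolved implicitly.
    random = {
      source = "hashicorp/random"
    }
  }
}

# Create monitoring namespace
resource "kubernetes_namespace" "monitoring" {
  metadata {
    name = "monitoring"
  }

  # NOTE(review): ignoring the whole metadata block also ignores drift in
  # labels and annotations on the namespace, so any label-based policy applied
  # out of band will not be reconciled by Terraform. Confirm this is intended.
  lifecycle {
    ignore_changes = [metadata]
  }
}

# Generated Grafana admin password. The result attribute is marked sensitive by
# the provider, and the value is still persisted in state.
resource "random_password" "grafana_admin_password" {
  length  = 40
  special = false
}

# Create secret for remote write authentication
resource "kubernetes_secret" "prometheus_remote_write_auth" {
  metadata {
    name      = "prometheus-remote-write-auth"
    namespace = kubernetes_namespace.monitoring.metadata[0].name
  }

  # NOTE(review): the variable declarations are not visible here. Confirm that
  # remote_write_password is declared with sensitive = true so it is redacted
  # from plan output.
  data = {
    username = var.remote_write_username
    password = var.remote_write_password
  }
}

# Prometheus + Grafana + Alertmanager stack
resource "helm_release" "kube_prometheus_stack" {
  depends_on = [var.wait_on, kubernetes_secret.prometheus_remote_write_auth]

  name       = "monitoring"
  repository = "https://prometheus-community.github.io/helm-charts"
  chart      = "kube-prometheus-stack"
  namespace  = kubernetes_namespace.monitoring.metadata[0].name
  version    = "75.9.0" # Specify version for reproducibility

  # Use values from template file.
  # NOTE(review): the Grafana admin password is rendered into the values
  # document, so it travels with the release values. If the template (not shown
  # here) allows it, prefer referencing an existing Kubernetes secret or passing
  # the value through a sensitive setting instead of inlining it.
  values = [
    templatefile("${path.module}/monitoring-values.yaml.tftpl", {
      remote_write_url       = var.remote_write_url
      remote_read_url        = var.remote_read_url
      grafana_admin_password = random_password.grafana_admin_password.result
    })
  ]
}

# Output important endpoints.
# These are in-cluster service DNS names over plain HTTP. They are reachable
# only from inside the cluster or through a port-forward.
output "grafana_url" {
  value = "http://monitoring-grafana.${kubernetes_namespace.monitoring.metadata[0].name}.svc.cluster.local"
}

output "alertmanager_url" {
  value = "http://monitoring-kube-prometheus-alertmanager.${kubernetes_namespace.monitoring.metadata[0].name}.svc.cluster.local:9093"
}

output "prometheus_url" {
  value = "http://monitoring-kube-prometheus-prometheus.${kubernetes_namespace.monitoring.metadata[0].name}.svc.cluster.local:9090"
}

# Instructions for accessing services.
# The text interpolates random_password.grafana_admin_password.result, which is
# a sensitive value. The output must therefore be marked sensitive: this
# acknowledges the export explicitly and keeps the password out of plan/apply
# summaries and CI logs. Read it on demand with `terraform output`.
output "access_instructions" {
  sensitive = true
  value     = <<-EOT
    To access services from outside the cluster:

    Grafana:
      kubectl port-forward -n ${kubernetes_namespace.monitoring.metadata[0].name} svc/monitoring-grafana 3000:80

    Alertmanager:
      kubectl port-forward -n ${kubernetes_namespace.monitoring.metadata[0].name} svc/monitoring-kube-prometheus-alertmanager 9093:9093

    Default Grafana credentials:
      Username: admin
      Password: ${random_password.grafana_admin_password.result}
  EOT
}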