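// Zitadel project, roles, applications and service accounts for the 365Zon
// tenant, provisioned into every organisation the admin service account can
// list. All modules share the same Zitadel instance and credential file.
locals {
  tld         = "fourlights.dev"
  cluster_dns = "venus.${local.tld}"
  domain      = "zitadel.${local.cluster_dns}"
  org_domain  = "fourlights.${local.domain}"

  // Service-account key used by the provider and handed to every module.
  // This is a long-lived credential: keep the file out of version control and
  // treat anything that reads it as sensitive (see the secret-manager TODO at
  // the bottom of this file).
  jwt_profile_file = "../terraform/zitadel-admin-sa.json"

  name = "365Zon"
  // Zitadel user that becomes project owner; hard-coded rather than looked up.
  user_id = "308083708882059797"

  // Organisations to provision into. zitadel_orgs yields plain id strings, so
  // the count-based modules below index this list directly. The original
  // config indexed the for_each-keyed zitadel_org data source with a number
  // (and read a non-existent `.count` attribute), which Terraform rejects.
  org_ids = data.zitadel_orgs.default.ids
}

terraform {
  required_providers {
    zitadel = {
      source = "zitadel/zitadel"
      // Exact pin. Commit .terraform.lock.hcl alongside so the provider
      // checksums are verified on init as well, not only the version.
      version = "2.0.2"
    }
  }
}

provider "zitadel" {
  domain = local.domain
  // Boolean, not the string "false" (Terraform coerced it, but the bool is the
  // declared type). Keep this false so the API connection stays TLS-verified.
  insecure         = false
  jwt_profile_file = local.jwt_profile_file
}

data "zitadel_orgs" "default" {
  domain = local.domain
}

// Per-organisation details, keyed by org id. Kept for reference; the modules
// below only need the ids and read them from local.org_ids.
data "zitadel_org" "default" {
  for_each = toset(data.zitadel_orgs.default.ids)
  id       = each.value
}

module "zitadel_project" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/project"

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  jwt_profile_file = local.jwt_profile_file
  name             = local.name
  owners           = [local.user_id]
}

// TODO: add action for setting roles as scopes
module "zitadel_project_operator_roles" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/project/roles"

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  project_id       = module.zitadel_project[count.index].project_id
  jwt_profile_file = local.jwt_profile_file
  group            = "Operator"
  roles = [
    "manage:profiles",
    "manage:contacts",
    "manage:addresses",
    "manage:enquiries",
    "manage:flowstates",
    "manage:flowevents",
    "manage:files",
  ]
}

module "zitadel_project_configurator_roles" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/project/roles"

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  project_id       = module.zitadel_project[count.index].project_id
  jwt_profile_file = local.jwt_profile_file
  group            = "Configurator"
  roles = [
    "manage:brands",
    "manage:flows",
  ]
}

module "zitadel_project_developer_roles" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/project/roles"

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  project_id       = module.zitadel_project[count.index].project_id
  jwt_profile_file = local.jwt_profile_file
  group            = "Developer"
  roles = [
    "manage:jobs",
    "manage:infrastructure",
  ]
}

// TODO: Move External (and 365zon Push service account) to own project
// TODO: Add grant for external project
// TODO: Add read roles

module "zitadel_project_application_core_api" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/project/application/api"

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  project_id       = module.zitadel_project[count.index].project_id
  jwt_profile_file = local.jwt_profile_file
  name             = "Core API"
}

module "zitadel_project_application_core_ua" {
  count = length(local.org_ids)
  // Path fixed: the original read ".../applicaitn/user-agent", which does not
  // match the module path every other user-agent application uses.
  source = "../../infra/modules/zitadel/project/application/user-agent"

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  project_id       = module.zitadel_project[count.index].project_id
  jwt_profile_file = local.jwt_profile_file
  name             = "Core (Swagger)"
}

// Module address says "365zon" while the application is named "Salesforce
// Pull"; renaming the module would move state, so the address is kept.
module "zitadel_project_application_module_365zon_api" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/project/application/api"

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  project_id       = module.zitadel_project[count.index].project_id
  jwt_profile_file = local.jwt_profile_file
  name             = "Module: Salesforce Pull API"
}

module "zitadel_project_application_module_365zon_ua" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/project/application/user-agent"

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  project_id       = module.zitadel_project[count.index].project_id
  jwt_profile_file = local.jwt_profile_file
  name             = "Module: Salesforce Pull (Swagger)"
}

module "zitadel_project_application_module_external_api" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/project/application/api"

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  project_id       = module.zitadel_project[count.index].project_id
  jwt_profile_file = local.jwt_profile_file
  name             = "Module: External API"
}

module "zitadel_project_application_module_external_ua" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/project/application/user-agent"

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  project_id       = module.zitadel_project[count.index].project_id
  jwt_profile_file = local.jwt_profile_file
  name             = "Module: External (Swagger)"
}

module "zitadel_project_application_module_internal_api" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/project/application/api"

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  project_id       = module.zitadel_project[count.index].project_id
  jwt_profile_file = local.jwt_profile_file
  name             = "Module: Internal API"
}

module "zitadel_project_application_module_internal_ua" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/project/application/user-agent"

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  project_id       = module.zitadel_project[count.index].project_id
  jwt_profile_file = local.jwt_profile_file
  name             = "Module: Internal swagger"
}

// Machine users for the modules. `with_secret = true` asks the module to
// create a client secret; whatever the module exports for it ends up in
// Terraform state, so the state backend must be treated as secret storage.
module "zitadel_service_account_module_internal" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/service-account"

  domain            = local.domain
  org_id            = local.org_ids[count.index]
  jwt_profile_file  = local.jwt_profile_file
  user_name         = "${local.name}-module-internal@${local.org_domain}"
  name              = "Module Internal @ ${local.name}"
  with_secret       = true
  access_token_type = "ACCESS_TOKEN_TYPE_JWT"
}

// `wait_on` is a module input (not Terraform's depends_on); presumably the
// member module uses it to sequence itself after the roles exist — the module
// source is not visible here, so confirm before replacing it with depends_on.
module "zitadel_project_member_module_internal" {
  count   = length(local.org_ids)
  source  = "../../infra/modules/zitadel/project/member"
  wait_on = module.zitadel_project_operator_roles[count.index].installed

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  jwt_profile_file = local.jwt_profile_file
  project_id       = module.zitadel_project[count.index].project_id
  user_id          = module.zitadel_service_account_module_internal[count.index].user_id
  roles            = module.zitadel_project_operator_roles[count.index].roles
}

module "zitadel_service_account_module_external" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/service-account"

  domain            = local.domain
  org_id            = local.org_ids[count.index]
  jwt_profile_file  = local.jwt_profile_file
  user_name         = "${local.name}-module-external@${local.org_domain}"
  name              = "Module External @ ${local.name}"
  with_secret       = true
  access_token_type = "ACCESS_TOKEN_TYPE_JWT"
}

module "zitadel_project_member_module_external" {
  count   = length(local.org_ids)
  source  = "../../infra/modules/zitadel/project/member"
  wait_on = module.zitadel_project_operator_roles[count.index].installed

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  jwt_profile_file = local.jwt_profile_file
  project_id       = module.zitadel_project[count.index].project_id
  user_id          = module.zitadel_service_account_module_external[count.index].user_id
  roles            = module.zitadel_project_operator_roles[count.index].roles
}

module "zitadel_service_account_module_365zon" {
  count  = length(local.org_ids)
  source = "../../infra/modules/zitadel/service-account"

  domain            = local.domain
  org_id            = local.org_ids[count.index]
  jwt_profile_file  = local.jwt_profile_file
  user_name         = "${local.name}-module-365zon@${local.org_domain}"
  name              = "Module 365Zon @ ${local.name}"
  with_secret       = true
  access_token_type = "ACCESS_TOKEN_TYPE_JWT"
}

module "zitadel_project_member_module_365zon" {
  count   = length(local.org_ids)
  source  = "../../infra/modules/zitadel/project/member"
  wait_on = module.zitadel_project_operator_roles[count.index].installed

  domain           = local.domain
  org_id           = local.org_ids[count.index]
  jwt_profile_file = local.jwt_profile_file
  project_id       = module.zitadel_project[count.index].project_id
  user_id          = module.zitadel_service_account_module_365zon[count.index].user_id
  roles            = module.zitadel_project_operator_roles[count.index].roles
}

// TODO: Application for Front-End End (implicit, authorization_code, refresh_token)
// TODO: Update API applications with callback apiDomain/swagger/oauth2-redirect.html to allow logging in for swagger (and probably hangire?)
// TODO: Put all the relevant secrets into secret manager
// TODO: Set up opentelemetry and update appinsights shit to use that.

output "org_ids" {
  value = data.zitadel_orgs.default.ids
}

output "project_ids" {
  value = [for project in module.zitadel_project : project.project_id]
}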