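# Zitadel application bundle for one workload: an API application, a
# user-agent (Swagger) application, an optional service account with a
# project user grant, and the Kubernetes secrets that hand the resulting
# OIDC settings to the workload.
terraform {
  required_providers {
    slugify = {
      source  = "public-cloud-wl/slugify"
      version = "0.1.1"
    }
    # Declared explicitly so the kubernetes_secret resources below do not
    # depend on implicit provider resolution.
    kubernetes = {
      source = "hashicorp/kubernetes"
    }
  }
}

locals {
  # OIDC authority (issuer) of the Zitadel instance the workload talks to.
  authority = "https://${var.zitadel_domain}"

  # DNS-safe forms of the project and application names.
  # provider::slugify::slug is a provider-defined function; it needs a
  # Terraform release that supports provider functions.
  slug_project = provider::slugify::slug(var.project)
  slug_name    = provider::slugify::slug(var.name)

  # Cluster host for the project and the public URI of the application.
  # The user-agent redirect URIs are derived from `uri`, so changing it
  # changes the allow-list registered in Zitadel.
  cluster = "${local.slug_project}.${var.cluster_domain}"
  uri     = "https://${local.slug_name}.${local.cluster}"
}

# Confidential API application (client_id + client_secret).
module "zitadel_project_application_api" {
  source     = "../project/application/api"
  wait_on    = var.wait_on
  org_id     = var.org_id
  project_id = var.project_id
  name       = "${var.name} API"
}

# Public user-agent application used by the Swagger UI. Only the exact
# OAuth2 redirect page and the application root are allowed as redirect
# targets.
module "zitadel_project_application_ua" {
  source                    = "../project/application/user-agent"
  wait_on                   = module.zitadel_project_application_api.installed
  org_id                    = var.org_id
  project_id                = var.project_id
  name                      = "${var.name} (Swagger)"
  redirect_uris             = ["${local.uri}/swagger/oauth2-redirect.html"]
  post_logout_redirect_uris = [local.uri]
}

# OIDC settings for the user-agent application. No secret material: a
# user-agent client only needs authority, audience and client_id.
resource "kubernetes_secret" "user-agent" {
  type       = "Opaque"
  depends_on = [module.zitadel_project_application_ua]

  metadata {
    name      = "${local.slug_name}-user-agent"
    namespace = var.namespace
  }

  data = {
    "authority" = local.authority
    "audience"  = var.project_id
    "client_id" = module.zitadel_project_application_ua.client_id
  }
}

# Credentials for the API application. `client_secret` is written to the
# Kubernetes secret and is therefore also recorded in Terraform state;
# the state backend must be protected accordingly.
resource "kubernetes_secret" "api" {
  type       = "Opaque"
  depends_on = [module.zitadel_project_application_api]

  metadata {
    name      = "${local.slug_name}-api"
    namespace = var.namespace
  }

  data = {
    "authority"     = local.authority
    "client_id"     = module.zitadel_project_application_api.client_id
    "client_secret" = module.zitadel_project_application_api.client_secret
  }
}

# Optional machine user for the workload (enabled by var.service_account).
# It is created with a client secret and issues JWT access tokens.
module "zitadel_service_account" {
  count             = var.service_account ? 1 : 0
  source            = "../service-account"
  wait_on           = module.zitadel_project_application_api.installed
  org_id            = var.org_id
  user_name         = "${local.slug_name}@${local.cluster}"
  name              = "${var.name} @ ${var.project}"
  with_secret       = true
  access_token_type = "ACCESS_TOKEN_TYPE_JWT"
}

# Grants var.roles on the project to the service account. Indexed with
# count.index, as the secret below is, since both share the same count.
module "zitadel_project_user_grant" {
  count      = var.service_account ? 1 : 0
  source     = "../project/user-grant"
  org_id     = var.org_id
  project_id = var.project_id
  user_id    = module.zitadel_service_account[count.index].user_id
  roles      = var.roles
}

# Credentials for the service account; same state-storage caveat as the
# API secret above.
resource "kubernetes_secret" "service-account" {
  count      = var.service_account ? 1 : 0
  type       = "Opaque"
  depends_on = [module.zitadel_service_account]

  metadata {
    name      = "${local.slug_name}-service-account"
    namespace = var.namespace
  }

  data = {
    "authority"     = local.authority
    "audience"      = var.project_id
    "client_id"     = module.zitadel_service_account[count.index].client_id
    "client_secret" = module.zitadel_service_account[count.index].client_secret
  }
}

# Ordering gate for callers that chain this module via `wait_on`. It now
# waits for every resource created here, not only the optional
# service-account secret, so a dependent module cannot start before the
# API / user-agent secrets and the user grant exist.
output "installed" {
  value = true
  depends_on = [
    kubernetes_secret.user-agent,
    kubernetes_secret.api,
    kubernetes_secret.service-account,
    module.zitadel_project_user_grant,
  ]
}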