#
# Warning: This file contains terraform that will lead to secrets being stored
# in the terraform state file unencrypted. It is not suitable for a production
# deploy, but since this is a test/experiment, the additional automation
# outweighed the potential risk.
#
# Data flow in this file: the tls provider generates an RSA key pair in-process,
# the PEM private key is pushed into a Secret Manager secret version, the
# project's default compute service agent is granted read access to that
# secret, and the same PEM is surfaced as a (sensitive) root-module output.
# The private key material therefore lives in three places: the tls_private_key
# resource state, the secret version, and the output value in state.
# `sensitive = true` only redacts the value from plan/apply/output display; it
# does not encrypt it in the state backend.

# Key pair generated client-side by the tls provider (nothing is fetched from
# or generated by GCP here).
resource "tls_private_key" "jwt_private_key" {
  rsa_bits  = 2048
  algorithm = "RSA"
}

# Secret container. The Secret Manager API must be enabled before this can be
# created, hence the explicit dependency on the project service resource.
resource "google_secret_manager_secret" "jwt_private_key" {
  secret_id = "jwt-private-key"
  project   = google_project.project.project_id

  replication {
    auto {}
  }

  depends_on = [
    google_project_service.service["secretmanager"],
  ]
}

# The actual payload: the PEM-encoded private key becomes one secret version.
resource "google_secret_manager_secret_version" "jwt_private_key" {
  secret_data = tls_private_key.jwt_private_key.private_key_pem
  secret      = google_secret_manager_secret.jwt_private_key.id
}

# Grants read access on this one secret (not project-wide) to the default
# compute service agent of the project.
# TODO: This should probably be using a service account specific to the cloud
# run service instead of the compute service agent.
resource "google_secret_manager_secret_iam_member" "member" {
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_project.project.number}-compute@developer.gserviceaccount.com"
  secret_id = google_secret_manager_secret.jwt_private_key.secret_id
  project   = google_secret_manager_secret.jwt_private_key.project
}

# Root-module output of the private key. Marked sensitive so it is redacted in
# CLI output; the plaintext is still recorded in state.
output "jwt_private_key" {
  sensitive = true
  value     = tls_private_key.jwt_private_key.private_key_pem
}