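# Root configuration for the project's GCP environment: networking, a workload
# identity pool, Cloud KMS, GKE, Cloud SQL, Redis and a PubSub-to-BigQuery
# pipeline, each delegated to a module under ../modules.

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "3.74.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "3.74.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.1.0"
    }
    # NOTE(review): the local_file resources below pull in the "local" provider,
    # which is not declared here and is therefore resolved implicitly and
    # unpinned. Pin it like the providers above so `terraform init` selects a
    # reproducible version.
  }
}

# Deployment parameters. The defaults describe one specific environment;
# override them (tfvars / -var) rather than editing the defaults for other
# environments.
variable "project" {
  description = "Project ID."
  type        = string
  default     = "hip-wharf-319304"
}

variable "region" {
  description = "Region."
  type        = string
  default     = "us-central1"
}

variable "zone" {
  description = "Zone."
  type        = string
  default     = "us-central1-c"
}

provider "google" {
  project = var.project
  region  = var.region
  zone    = var.zone
}

data "google_project" "project" {
  project_id = var.project
}

#################### Networking ###########################

# Private VPC and subnetwork consumed by the GKE, Cloud SQL and Redis modules.
module "networking" {
  source  = "../modules/networking"
  project = var.project
  region  = var.region
}

#################### Workload Identity ####################

# Random suffix keeps the pool id unique; pools are soft-deleted in GCP, so a
# fixed id could collide with a previously deleted pool.
resource "random_id" "identity_pool" {
  byte_length = 4
}

resource "google_iam_workload_identity_pool" "identity_pool" {
  provider                  = google-beta
  project                   = var.project
  workload_identity_pool_id = "identity-pool-${random_id.identity_pool.hex}"
}

#################### KMS ##################################

# Enables the Cloud KMS API; the GKE and BigQuery modules take this resource
# as an input so their KMS-backed resources are created only after the API is
# on. disable_dependent_services = true means destroying this resource also
# disables services that depend on Cloud KMS.
resource "google_project_service" "cloudkms" {
  project                    = var.project
  service                    = "cloudkms.googleapis.com"
  disable_dependent_services = true
}

#################### GKE ##################################

module "gke" {
  source                = "../modules/gke"
  project               = var.project
  region                = var.region
  private_network_id    = module.networking.private_network_id
  private_subnetwork_id = module.networking.private_subnetwork_id
  service_cloudkms      = google_project_service.cloudkms
  machine_type          = "e2-standard-2"
  depends_on            = [module.networking]
}

output "gke_connect_command" {
  description = "Command to run to connect to the kubernetes cluster."
  value       = module.gke.gke_connect_command
}

#################### SQL ##################################

module "cloudsql" {
  source             = "../modules/cloudsql"
  project            = var.project
  region             = var.region
  private_network_id = module.networking.private_network_id
  depends_on         = [module.networking]
}

# The first ip_address entry is used everywhere below; assumes the module
# exposes the private address first — confirm against ../modules/cloudsql.
output "cloudsql_ip_address" {
  description = "IP address for cloudsql database."
  value       = module.cloudsql.instance.ip_address.0.ip_address
}

# sensitive = true hides these values from plan/apply output only; they are
# still stored in plaintext in the Terraform state, so the state backend must
# be access-controlled and encrypted.
output "cloudsql_server_certificate" {
  description = "CA certificate."
  value       = module.cloudsql.certificate.server_ca_cert
  sensitive   = true
}

output "cloudsql_client_certificate" {
  description = "Client certificate."
  value       = module.cloudsql.certificate.cert
  sensitive   = true
}

output "cloudsql_client_key" {
  description = "Client key."
  value       = module.cloudsql.certificate.private_key
  sensitive   = true
}

# Client TLS material written next to this module so local tooling can use it.
# 0600/0700 keep the files owner-only; the key is also held in state (see
# above) and must not be committed — add pgserver.crt, pgclient.crt and
# pgclient.key to .gitignore.
resource "local_file" "pgserver_crt" {
  sensitive_content    = module.cloudsql.certificate.server_ca_cert
  filename             = "${path.module}/pgserver.crt"
  file_permission      = "0600"
  directory_permission = "0700"
}

resource "local_file" "pgclient_crt" {
  sensitive_content    = module.cloudsql.certificate.cert
  filename             = "${path.module}/pgclient.crt"
  file_permission      = "0600"
  directory_permission = "0700"
}

resource "local_file" "pgclient_key" {
  sensitive_content    = module.cloudsql.certificate.private_key
  filename             = "${path.module}/pgclient.key"
  file_permission      = "0600"
  directory_permission = "0700"
}

# sslmode=verify-ca validates the server certificate chain against the CA
# written above but does not check the host name (the target is a bare IP);
# the client cert/key paths are url-encoded absolute paths to the files above.
output "cloudsql_connection_string" {
  description = "Connection URL for main user in cloudsql."
  value       = "postgresql://postgres@${module.cloudsql.instance.ip_address.0.ip_address}/postgres?ssl=true&sslmode=verify-ca&sslcert=${urlencode(abspath(local_file.pgclient_crt.filename))}&sslkey=${urlencode(abspath(local_file.pgclient_key.filename))}&sslrootcert=${urlencode(abspath(local_file.pgserver_crt.filename))}"
}

# Create a workload identity service account for IAM authentication to
# cloudsql
module "cloudsql_test_sa" {
  source              = "../modules/workload_identity_account"
  project             = var.project
  k8s_service_account = "test-sa"
}

#################### Redis ################################

module "redis" {
  source             = "../modules/redis"
  project            = var.project
  region             = var.region
  private_network_id = module.networking.private_network_id
  depends_on         = [module.networking]
}

output "redis_host" {
  description = "Hostname/IP Address for redis database."
  value       = module.redis.redis_host
}

output "redis_port" {
  description = "Port for redis database."
  value       = module.redis.redis_port
}

#################### PubSub to BigQuery ###################

module "bigquery" {
  source           = "../modules/bigquery"
  project          = var.project
  region           = var.region
  service_cloudkms = google_project_service.cloudkms
}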