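# Deployment of the "azure-image-chooser" service on Azure Container Apps:
# resource group, Log Analytics workspace, Key Vault (RBAC permission model),
# a user-assigned managed identity, the Container App, ACR pull rights and
# the DNS records backing a custom domain.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 4.0.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 3.0.0"
    }
  }

  # NOTE: Terraform state records every managed attribute, so this local file
  # will contain var.azure_client_secret in plaintext. Keep it out of version
  # control and prefer a remote backend with encryption at rest and access
  # control before using this configuration outside a lab.
  backend "local" {
    path = "azure-image-chooser.tfstate"
  }
}

provider "azurerm" {
  features {}
  subscription_id = var.subscription_id
}

# Principal running `terraform apply`; only tenant_id is consumed below.
data "azurerm_client_config" "current" {}

# Human operator who receives data-plane write access on the vault so the
# client secret can be stored. The UPN is specific to this lab tenant.
data "azuread_user" "az_lab_admin" {
  user_principal_name = "az-lab-admin@lab.koszewscy.waw.pl"
}

locals {
  kv_secret_name = "azure-client-secret"
  app_name       = "${var.project_name}-app"
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-${var.project_name}"
  location = "Poland Central"
}

resource "azurerm_log_analytics_workspace" "logaws" {
  name                = "${var.project_name}-logs"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

resource "azurerm_key_vault" "kv" {
  name                = "${var.project_name}-kv"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku_name            = "standard"
  tenant_id           = data.azurerm_client_config.current.tenant_id

  # Data-plane access is granted solely through the RBAC role assignments
  # below ("Key Vault Secrets User" / "Key Vault Secrets Officer"); there is
  # no access_policy block. Those roles only apply when the vault uses the
  # RBAC permission model, so it has to be switched on explicitly.
  rbac_authorization_enabled = true

  # purge_protection_enabled is deliberately left at its default so a lab
  # teardown can fully remove the vault; enable it for production vaults.
}

# Lets the app's managed identity read secret values (no write access).
resource "azurerm_role_assignment" "app_assignment" {
  scope                = azurerm_key_vault.kv.id
  principal_id         = azurerm_user_assigned_identity.uai.principal_id
  role_definition_name = "Key Vault Secrets User"
}

# Write access for the operator who seeds the secret.
resource "azurerm_role_assignment" "az_lab_admin_assignment" {
  scope                = azurerm_key_vault.kv.id
  principal_id         = data.azuread_user.az_lab_admin.object_id
  role_definition_name = "Key Vault Secrets Officer"
}

resource "azurerm_key_vault_secret" "azure_client_secret" {
  key_vault_id = azurerm_key_vault.kv.id
  name         = local.kv_secret_name
  value        = var.azure_client_secret

  # The explicit dependency suggests the identity running `apply` is
  # az_lab_admin; a different deployer would need its own Secrets Officer
  # assignment before this create succeeds — TODO confirm.
  depends_on = [azurerm_role_assignment.az_lab_admin_assignment]
}

resource "azurerm_container_app_environment" "env" {
  name                       = "${var.project_name}-env"
  resource_group_name        = azurerm_resource_group.rg.name
  location                   = azurerm_resource_group.rg.location
  log_analytics_workspace_id = azurerm_log_analytics_workspace.logaws.id
}

resource "azurerm_container_app" "app" {
  name                         = local.app_name
  container_app_environment_id = azurerm_container_app_environment.env.id
  resource_group_name          = azurerm_resource_group.rg.name
  revision_mode                = "Single"

  # The client secret is resolved from Key Vault at runtime by the UAI instead
  # of being embedded as a literal value in the app definition.
  secret {
    name                = local.kv_secret_name
    key_vault_secret_id = azurerm_key_vault_secret.azure_client_secret.id
    identity            = azurerm_user_assigned_identity.uai.id
  }

  template {
    container {
      name = "azure-image-chooser"
      # Mutable tag: each new revision pulls whatever ":latest" points at in
      # the registry. Pin an immutable tag or digest for reproducible deploys.
      image  = "${data.azurerm_container_registry.acr.login_server}/azure-image-chooser:latest"
      cpu    = "0.25"
      memory = "0.5Gi"

      # The app authenticates with a service-principal secret even though a
      # managed identity is attached; if the workload supports it, using the
      # UAI directly would remove the long-lived secret altogether.
      env {
        name  = "AZURE_CLIENT_ID"
        value = var.azure_client_id
      }
      env {
        name  = "AZURE_TENANT_ID"
        value = var.azure_tenant_id
      }
      env {
        name        = "AZURE_CLIENT_SECRET"
        secret_name = local.kv_secret_name
      }
      env {
        name  = "AZURE_SUBSCRIPTION_ID"
        value = var.subscription_id
      }
      env {
        name  = "AZURE_LOCATION"
        value = azurerm_resource_group.rg.location
      }
    }
  }

  # Publicly reachable endpoint. Nothing in this configuration adds
  # authentication in front of port 8501, so the application itself must
  # enforce it (or Container Apps built-in auth should be enabled).
  ingress {
    target_port      = 8501
    external_enabled = true

    traffic_weight {
      latest_revision = true
      percentage      = 100
    }
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.uai.id]
  }

  # Image pulls authenticate with the UAI (no admin credentials stored).
  registry {
    server   = data.azurerm_container_registry.acr.login_server
    identity = azurerm_user_assigned_identity.uai.id
  }

  # AcrPull and the Key Vault role must exist before the first revision
  # starts, otherwise the initial image pull / secret fetch can race the
  # role-assignment propagation and the revision fails to provision.
  depends_on = [
    azurerm_key_vault.kv,
    azurerm_key_vault_secret.azure_client_secret,
    azurerm_role_assignment.app_assignment,
    azurerm_role_assignment.acr_pull,
  ]
}

resource "azurerm_user_assigned_identity" "uai" {
  name                = "${var.project_name}-uai"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}

resource "azurerm_role_assignment" "acr_pull" {
  scope                = data.azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.uai.principal_id
}

# Shared registry living in a separate, pre-existing resource group.
data "azurerm_container_registry" "acr" {
  name                = "skdomlab"
  resource_group_name = "dom-lab-common"
}

data "azurerm_dns_zone" "lab_dns_zone" {
  name                = var.dns_zone_name
  resource_group_name = var.dns_zone_resource_group_name
}

# Domain-ownership proof required before a custom hostname can be bound.
resource "azurerm_dns_txt_record" "domain_verification" {
  name                = "asuid.${var.project_name}"
  resource_group_name = data.azurerm_dns_zone.lab_dns_zone.resource_group_name
  zone_name           = data.azurerm_dns_zone.lab_dns_zone.name
  ttl                 = 300

  record {
    value = azurerm_container_app.app.custom_domain_verification_id
  }
}

resource "azurerm_dns_cname_record" "app_record" {
  name                = var.project_name
  zone_name           = data.azurerm_dns_zone.lab_dns_zone.name
  resource_group_name = data.azurerm_dns_zone.lab_dns_zone.resource_group_name
  ttl                 = 300
  record              = "${local.app_name}.${azurerm_container_app_environment.env.default_domain}"
}

resource "azurerm_container_app_custom_domain" "custom_domain" {
  # Hostname derived from the TXT record FQDN: strip the "asuid." label and
  # the trailing dot, e.g. "asuid.app.example.com." -> "app.example.com".
  name             = trimsuffix(trimprefix(azurerm_dns_txt_record.domain_verification.fqdn, "asuid."), ".")
  container_app_id = azurerm_container_app.app.id

  # Certificate binding is managed outside Terraform (e.g. a managed
  # certificate issued in the portal), so drift on these fields is ignored.
  lifecycle {
    ignore_changes = [certificate_binding_type, container_app_environment_certificate_id]
  }
}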