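# Cloudflare account lookup, an R2 bucket, and the API tokens that reach it.
# Every token minted here ends up in Terraform state in plaintext, even where
# the output is marked `sensitive` — the state backend must be encrypted and
# access-controlled, and the tokens below should be rotated if state leaks.

# Resolve the account by its (human-identity) display name. The lookup is by
# account name, so renaming the account in the dashboard breaks this plan.
data "cloudflare_account" "arcodange" {
  filter = {
    name = "arcodange@gmail.com"
  }
}

locals {
  cloudflare_account_id = data.cloudflare_account.arcodange.account_id

  # Single source of truth for the R2 data residency: the bucket's jurisdiction
  # and the jurisdiction-specific S3 endpoint handed to clients must agree, or
  # credentials are issued for an endpoint that does not serve the bucket.
  # Only "eu" is exercised here; the default (unset) jurisdiction uses an
  # endpoint without the jurisdiction segment — TODO confirm before reuse.
  r2_jurisdiction = "eu"
  r2_s3_endpoint  = "https://${local.cloudflare_account_id}.${local.r2_jurisdiction}.r2.cloudflarestorage.com"
}

resource "cloudflare_r2_bucket" "arcodange_tf" {
  account_id   = local.cloudflare_account_id
  name         = "arcodange-tf"
  jurisdiction = local.r2_jurisdiction
}

# Token for clients of the "arcodange-tf" bucket. The bucket-scoped grant is
# limited to this bucket; account-level grants are listed separately and
# should stay read-only (see "permissions" in ./modules/cloudflare_token).
module "cf_r2_arcodange_tf_token" {
  source     = "./modules/cloudflare_token"
  account_id = local.cloudflare_account_id
  bucket     = cloudflare_r2_bucket.arcodange_tf
  token_name = "r2_arcodange_tf_token"

  permissions = {
    bucket = [
      "account:Workers R2 Storage Read",
      "bucket:Workers R2 Storage Bucket Item Write",
    ]
    account = [
      "account:Account Settings Read",
    ]
  }
}

# S3-compatible credentials for the bucket, published to Vault under a KV v1
# mount (no versioning, so a rotated key overwrites the previous one).
resource "vault_kv_secret" "cf_r2_arcodange_tf" {
  path = "kvv1/cloudflare/r2/arcodange-tf"

  data_json = jsonencode({
    S3_SECRET_ACCESS_KEY = module.cf_r2_arcodange_tf_token.r2_credentials.secret_access_key
    S3_ACCESS_KEY        = module.cf_r2_arcodange_tf_token.r2_credentials.access_key_id
    S3_ENDPOINT          = local.r2_s3_endpoint
  })
}

# Read-only policy for consumers of the R2 credentials. The first rule
# references the secret's own path so policy and secret cannot drift apart.
data "vault_policy_document" "cf_r2_arcodange_tf" {
  rule {
    path         = vault_kv_secret.cf_r2_arcodange_tf.path
    capabilities = ["read"]
  }

  rule {
    path         = "kvv1/zoho/self_client" # zoho mail client is created manually
    capabilities = ["read"]
  }
}

resource "vault_policy" "cf_r2_arcodange_tf" {
  name   = "factory__cf_r2_arcodange_tf"
  policy = data.vault_policy_document.cf_r2_arcodange_tf.hcl
}

data "gitea_repo" "cms" {
  name     = "cms"
  username = "arcodange-org"
}

# CI token for the "cms" repository's deploy pipeline.
# NOTE(review): this token carries account-wide DNS and zone write rights
# ("Account DNS Settings Write", "Zone Write", "DNS Write") in addition to
# Pages Write, and it is exposed to every Actions run in the repository. A
# compromised workflow (or a malicious PR, if Actions run on PRs) could
# rewrite DNS for every zone in the account. Scope the zone grants to the
# zone(s) the CMS actually publishes to, and drop the grants the pipeline
# does not use. The bucket is passed only because the module requires it;
# no bucket permissions are granted.
module "cf_arcodange_cms_token" {
  source     = "./modules/cloudflare_token"
  account_id = local.cloudflare_account_id
  bucket     = cloudflare_r2_bucket.arcodange_tf
  token_name = "cf_arcodange_cms_token"

  permissions = {
    account = [
      "account:Pages Write",
      "account:Account DNS Settings Write",
      "account:Account Settings Read",
      "zone:Zone Write",
      "zone:DNS Write",
    ]
  }
}

# Repository-level Actions secrets: the API token and the (non-secret but
# convenient) account id, both readable by any workflow in the repository.
resource "gitea_repository_actions_secret" "cf_arcodange_cms_token" {
  repository       = data.gitea_repo.cms.name
  repository_owner = data.gitea_repo.cms.username
  secret_name      = "CLOUDFLARE_API_TOKEN"
  secret_value     = module.cf_arcodange_cms_token.token
}

resource "gitea_repository_actions_secret" "cf_account_id_cms" {
  repository       = data.gitea_repo.cms.name
  repository_owner = data.gitea_repo.cms.username
  secret_name      = "CLOUDFLARE_ACCOUNT_ID"
  secret_value     = local.cloudflare_account_id
}

# Exposed for parent modules / `terraform output -raw token`. `sensitive`
# only redacts CLI display; the value is still stored in state as plaintext.
output "token" {
  value     = module.cf_arcodange_cms_token.token
  sensitive = true
}

# Same token mirrored into Vault; this is a third copy (Gitea secret, state,
# Vault) and every location must be rotated together when the token changes.
resource "vault_kv_secret" "cf_arcodange_cms_token" {
  path = "kvv1/cloudflare/cms/cf_arcodange_cms_token"

  data_json = jsonencode({
    token = module.cf_arcodange_cms_token.token
  })
}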