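# The project every bucket, IAM policy and API key below is scoped to.
data "scaleway_account_project" "project" {
  # Plain reference; the legacy "${...}" interpolation-only wrapper is
  # redundant in Terraform 0.12+ syntax and is flagged by `terraform fmt`/tflint.
  project_id = var.scaleway_project_id
}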

# Account-level SSH public key, taken verbatim from var.default_ssh_key.
# Only the public half is ever passed to the provider.
resource "scaleway_account_ssh_key" "default" {
  public_key = var.default_ssh_key.public_key
  name       = var.default_ssh_key.name
}

# Resolve the human operator's IAM user by e-mail. Its id is granted in every
# bucket policy so the operator keeps access after a bucket policy is attached.
data "scaleway_iam_user" "serguzim" {
  email = "tobias@msrg.cc"
}

locals {
  # Subset of var.services that asked for a bucket (val.bucket is truthy).
  # Keyed by the service key so all for_each resources below share addresses.
  service_buckets = {
    for svc_key, svc in var.services :
    svc_key => svc
    if svc.bucket
  }
}

# One IAM application (non-human principal) per bucket-backed service;
# its API key is what the service uses to reach its own bucket.
resource "scaleway_iam_application" "service_applications" {
  for_each = local.service_buckets

  name = each.value.name
}

# Grants each service application the ObjectStorageFullAccess permission set.
# NOTE(review): IAM permission sets are project-scoped, so this rule covers
# every bucket in the project, not only the service's own bucket; per-bucket
# isolation relies on the bucket policies declared further down. Confirm the
# documented precedence of bucket policies over IAM for this provider version.
resource "scaleway_iam_policy" "service_storage_policies" {
  for_each = local.service_buckets

  name           = "${each.key}_storage_policy"
  application_id = scaleway_iam_application.service_applications[each.key].id

  rule {
    permission_set_names = ["ObjectStorageFullAccess"]
    project_ids          = [data.scaleway_account_project.project.id]
  }
}

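# One object-storage bucket per bucket-backed service, named under serguzim.me.
resource "scaleway_object_bucket" "service_buckets" {
  for_each = local.service_buckets

  name = "${each.value.name}.serguzim.me"

  # Refuse to destroy buckets (and their objects) through a plan; removing a
  # service from var.services must not silently delete its data.
  # (Nested block re-indented to the standard two spaces — it was mis-indented.)
  lifecycle {
    prevent_destroy = true
  }
}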

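# Per-bucket policy: the operator's user and the service's own application get
# access to that bucket and its objects; no other principal is listed.
# The first statement is what keeps the operator from being locked out once a
# bucket policy is attached, so it must stay.
# NOTE(review): Action = "*" for the service application covers every
# object-storage action on the bucket; narrow it to the actions the service
# actually needs once those are known.
resource "scaleway_object_bucket_policy" "service_bucket_policies" {
  for_each = local.service_buckets

  bucket = scaleway_object_bucket.service_buckets[each.key].id

  policy = jsonencode({
    Version = "2023-04-17",
    Id      = "${each.key}_bucket_policy",
    Statement = [
      {
        Sid    = "Scaleway secure statement"
        Effect = "Allow"
        Action = "*"
        Principal = {
          SCW = "user_id:${data.scaleway_iam_user.serguzim.id}"
        }
        # Bare references; the former "${...}" wrapper around a single
        # expression was a redundant interpolation.
        Resource = [
          scaleway_object_bucket.service_buckets[each.key].name,
          "${scaleway_object_bucket.service_buckets[each.key].name}/*",
        ]
      },
      {
        Sid    = "${each.key} statement"
        Effect = "Allow"
        Action = "*"
        Principal = {
          SCW = "application_id:${scaleway_iam_application.service_applications[each.key].id}"
        }
        Resource = [
          scaleway_object_bucket.service_buckets[each.key].name,
          "${scaleway_object_bucket.service_buckets[each.key].name}/*",
        ]
      },
    ]
  })
}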

# Rolling one-year timestamp used as the expiry for every service API key.
# When the year is up this resource is replaced on the next apply, which moves
# expires_at forward for all keys that reference it at once.
resource "time_rotating" "rotate_after_a_year" {
  rotation_years = 1
}

# API key per service application, expiring with the shared yearly timestamp.
# NOTE(review): the generated secret key is stored in Terraform state in clear
# text, so the state backend needs the same protection as the keys themselves.
# A changed expires_at is expected to replace the key (see provider docs), i.e.
# every service key rotates together on the apply after the timestamp rolls.
resource "scaleway_iam_api_key" "service_keys" {
  for_each = local.service_buckets

  application_id = scaleway_iam_application.service_applications[each.key].id
  description    = "Service key for ${each.key}"
  expires_at     = time_rotating.rotate_after_a_year.rotation_rfc3339
}


# World-readable container registry namespace; anyone can pull from it.
resource "scaleway_registry_namespace" "public" {
  is_public   = true
  name        = "public.serguzim.net"
  description = "Public container registry for serguzim.net"
}

# Authenticated-only container registry namespace for internal images.
resource "scaleway_registry_namespace" "private" {
  is_public   = false
  name        = "private.serguzim.net"
  description = "Private container registry for serguzim.net"
}