resource "vault_mount" "kv" {
  path        = "secret"
  type        = "kv-v2"
  description = "KV v2 secrets engine"
}

resource "vault_jwt_auth_backend" "gitea" {
  path               = "jwt"
  type               = "jwt"
  bound_issuer       = "https://gitea.home.hrajfrisbee.cz"
  jwks_url           = "https://gitea.home.hrajfrisbee.cz/login/oauth/keys"
}

resource "vault_policy" "eso_read" {
  name   = "external-secrets-read"
  policy = <<-EOT
    path "${vault_mount.kv.path}/data/*" {
      capabilities = ["read"]
    }
    path "${vault_mount.kv.path}/metadata/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

# for now i allow my gitea to read everything in /v1/secret/data/gitea
resource "vault_policy" "gitea_ci_read" {
  name   = "gitea-ci-read"
  policy = <<-EOT
    path "${vault_mount.kv.path}/data/gitea/*" {
      capabilities = ["read"]
    }
    path "${vault_mount.kv.path}/metadata/gitea/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

resource "vault_jwt_auth_backend_role" "gitea_ci" {
  backend        = vault_jwt_auth_backend.gitea.path
  role_name      = "gitea-ci"
  role_type      = "jwt"
  token_policies = [vault_policy.gitea_ci_read.name]

  user_claim      = "sub"
  bound_audiences = ["https://gitea.home.hrajfrisbee.cz"]

  # allow any valid jwt token when commented out
  # bound_claims = {
  #   repository = "myorg/repo1,myorg/repo3"
  # }

  token_ttl     = 600
  token_max_ttl = 1200
}

resource "vault_auth_backend" "approle" {
  type = "approle"
}

resource "vault_approle_auth_backend_role" "eso" {
  backend        = vault_auth_backend.approle.path
  role_name      = "external-secrets"
  token_policies = [vault_policy.eso_read.name]
  token_ttl      = 3600
  token_max_ttl  = 14400
}

data "vault_approle_auth_backend_role_id" "eso" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.eso.role_name
}

resource "vault_approle_auth_backend_role_secret_id" "eso" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.eso.role_name
}

output "role_id" {
  value     = data.vault_approle_auth_backend_role_id.eso.role_id
  sensitive = true
}

output "secret_id" {
  value     = vault_approle_auth_backend_role_secret_id.eso.secret_id
  sensitive = true
}

resource "vault_approle_auth_backend_role" "gitea_ci" {
  backend        = vault_auth_backend.approle.path
  role_name      = "gitea-ci"
  token_policies = [vault_policy.gitea_ci_read.name]
  token_ttl      = 600
  token_max_ttl  = 1200
}

data "vault_approle_auth_backend_role_id" "gitea_ci" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.gitea_ci.role_name
}

resource "vault_approle_auth_backend_role_secret_id" "gitea_ci" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.gitea_ci.role_name
}

output "gitea_ci_role_id" {
  value     = data.vault_approle_auth_backend_role_id.gitea_ci.role_id
  sensitive = true
}

output "gitea_ci_secret_id" {
  value     = vault_approle_auth_backend_role_secret_id.gitea_ci.secret_id
  sensitive = true
}