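terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 5"
    }
  }
}

# The API token is injected through a variable so it is never stored in
# this file; the same applies to the tunnel secret further down.
provider "cloudflare" {
  api_token = var.cloudflare_api_token
}

locals {
  # Single source of truth for the zone apex. Both the tunnel ingress
  # hostnames and the Access application domains are derived from it, so
  # the two lists cannot drift apart (a service published through the
  # tunnel without a matching Access application would be reachable
  # without an Access policy).
  base_domain = "madunde.ad"
}

# Service catalogue. Each entry is expected to expose `subdomain`,
# `service` (the ingress target handed to cloudflared) and `policy`
# (the name of the Access policy that should guard it) — those are the
# three attributes read below.
module "services" {
  source = "./services"
}

module "dns" {
  source               = "./dns"
  services             = module.services.services
  cloudflare_zone_id   = var.cloudflare_zone_id
  cloudflare_tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.ratchet_tunnel.id
}

module "policies" {
  source                = "./policies"
  cloudflare_zone_id    = var.cloudflare_zone_id
  cloudflare_account_id = var.cloudflare_account_id
  cloudflare_email      = var.cloudflare_email
}

# Remotely-managed tunnel (`config_src = "cloudflare"`): the ingress rules
# in the config resource below are pushed from Cloudflare rather than read
# from a local cloudflared config file on the connector host.
resource "cloudflare_zero_trust_tunnel_cloudflared" "ratchet_tunnel" {
  account_id    = var.cloudflare_account_id
  tunnel_secret = var.cloudflared_tunnel_secret
  name          = "cloudflare > ratchet tunnel"
  config_src    = "cloudflare"
}

resource "cloudflare_zero_trust_tunnel_cloudflared_config" "ratchet_tunnel_config" {
  account_id = var.cloudflare_account_id
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.ratchet_tunnel.id
  config = {
    ingress = concat(
      # One ingress rule per published service, matched on hostname.
      # Iterating the map's values directly: the key was unused.
      [for svc in module.services.services : {
        hostname = "${svc.subdomain}.${local.base_domain}"
        service  = svc.service
      }],
      # Catch-all rule, which must stay last: any hostname not listed
      # above is answered with a 404 by cloudflared instead of being
      # forwarded to an origin.
      [{ service = "http_status:404" }]
    )
  }
}

# One Access application per service. The domain is built from the same
# local as the tunnel ingress hostname, so every hostname the tunnel
# publishes is fronted by an Access policy.
resource "cloudflare_zero_trust_access_application" "access_application" {
  for_each = module.services.services

  account_id = var.cloudflare_account_id
  zone_id    = var.cloudflare_zone_id
  domain     = "${each.value.subdomain}.${local.base_domain}"
  type       = "self_hosted"
  name       = "Access application for ${each.value.subdomain}.${local.base_domain}"

  policies = [
    {
      # The policy is chosen per service by name from the policies module;
      # with a single policy per application the precedence is fixed at 1.
      id         = module.policies[each.value.policy].id
      precedence = 1
    }
  ]
}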