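terraform {
  required_providers {
    # Both providers are used below: "google" for the provider block, the
    # service account and the IAM bindings, "google-beta" for the Firebase
    # resources. Declaring both pins them to the same major version instead
    # of letting Terraform resolve hashicorp/google implicitly and unconstrained.
    google = {
      source  = "hashicorp/google"
      version = "~> 6.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 6.0"
    }
  }
}

provider "google" {
  project = var.gcp_project_id
  region  = var.gcp_region
}

# Firebase Project Setup
resource "google_firebase_project" "default" {
  provider = google-beta
  project  = var.gcp_project_id
}

# Firebase Web App
resource "google_firebase_web_app" "rothbard_portal" {
  provider     = google-beta
  project      = google_firebase_project.default.project
  display_name = "Rothbard Client Portal"
  # NOTE(review): app_urls looks like a computed (read-only) attribute of
  # google_firebase_web_app in the provider docs — confirm with
  # `terraform validate`; if it is rejected, drop this line.
  app_urls = ["https://${var.domain_name}"]
}

# Controls Firestore delete protection. Keep the default (true) for any
# environment that holds real client data; set it to false only for
# disposable environments where `terraform destroy` must remove the database.
variable "firestore_delete_protection" {
  description = "Enable delete protection on the (default) Firestore database"
  type        = bool
  default     = true
}

# Firestore Database
resource "google_firestore_database" "default" {
  provider    = google-beta
  project     = var.gcp_project_id
  name        = "(default)"
  location_id = var.firestore_location
  type        = "FIRESTORE_NATIVE"
  # Previously hard-coded to DELETE_PROTECTION_DISABLED; protection is now
  # on by default so an accidental destroy cannot drop the client database.
  delete_protection_state = var.firestore_delete_protection ? "DELETE_PROTECTION_ENABLED" : "DELETE_PROTECTION_DISABLED"
}

# Firebase Authentication - Complete Configuration
# NOTE(review): confirm that the resource type `google_firebase_auth_config`
# exists in the google-beta provider version pinned above. Firebase Auth /
# Identity Platform sign-in settings are normally managed through
# google_identity_platform_config (plus per-IdP resources for Google, Facebook
# and Apple). If this type is unknown, `terraform init`/`validate` fails here
# and this block needs porting to that resource's schema, which differs from
# the attribute names used below.
resource "google_firebase_auth_config" "default" {
  provider = google-beta
  project  = var.gcp_project_id

  sign_in_options {
    email {
      enabled           = true
      password_required = true
    }

    # Disable other providers for security
    phone {
      enabled = false
    }

    google {
      enabled = var.enable_google_signin
    }

    facebook {
      enabled = false
    }

    apple {
      enabled = false
    }
  }

  # Email configuration
  email {
    reset_password_template {
      from_email_address = var.auth_from_email
      from_display_name  = var.auth_from_name
      reply_to           = var.auth_reply_to
      subject            = "Reset your Rothbard Law Group password"
      html               = file("${path.module}/templates/reset_password.html")
      text               = file("${path.module}/templates/reset_password.txt")
    }

    email_verification_template {
      from_email_address = var.auth_from_email
      from_display_name  = var.auth_from_name
      reply_to           = var.auth_reply_to
      subject            = "Verify your Rothbard Law Group account"
      html               = file("${path.module}/templates/email_verification.html")
      text               = file("${path.module}/templates/email_verification.txt")
    }
  }

  # Security settings: one account per e-mail address.
  sign_in {
    allow_duplicate_emails = false
  }

  # Multi-factor authentication (disabled for simplicity).
  # NOTE(review): for a client portal handling legal matters, consider
  # enabling MFA before go-live.
  multi_factor_auth {
    enabled = false
  }

  # Anonymous user access (disabled)
  anonymous {
    enabled = false
  }
}

# Service Account for the Flask App
resource "google_service_account" "flask_app" {
  account_id   = "rothbard-flask-app"
  display_name = "Rothbard Flask App Service Account"
}

# IAM permissions for the Flask App.
# roles/datastore.user grants Firestore read/write for the app's data access.
resource "google_project_iam_member" "firestore_access" {
  project = var.gcp_project_id
  role    = "roles/datastore.user"
  member  = "serviceAccount:${google_service_account.flask_app.email}"
}

# NOTE(review): roles/firebase.admin is a broad project-wide role. If the
# Flask app only verifies ID tokens and manages users through the Admin SDK,
# a narrower role (e.g. roles/firebaseauth.admin) is sufficient — confirm
# which APIs the app actually calls before keeping this binding.
resource "google_project_iam_member" "firebase_admin" {
  project = var.gcp_project_id
  role    = "roles/firebase.admin"
  member  = "serviceAccount:${google_service_account.flask_app.email}"
}

# Firestore Security Rules
# Firestore access policies are not managed here: the provider has no
# google_firestore_security_policy resource, so rules live in the module's
# firestore.rules file (deployed with the Firebase CLI) or in the Firebase
# console. Note that roles/datastore.user bypasses those rules, so the Flask
# service account is governed by IAM, not by firestore.rules.

# Firebase Hosting (optional - for static assets)
resource "google_firebase_hosting_site" "default" {
  provider = google-beta
  project  = var.gcp_project_id
  site_id  = "rothbard-portal"
}

# Output important values
output "firebase_web_app_id" {
  description = "Firebase Web App ID"
  value       = google_firebase_web_app.rothbard_portal.app_id
}

output "firebase_project_id" {
  description = "Firebase Project ID"
  value       = google_firebase_project.default.project
}

output "service_account_email" {
  description = "Service account email for Flask app"
  value       = google_service_account.flask_app.email
}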