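# Secret-bearing settings for the Flask app.
#
# These are stored in Secret Manager and injected into the container by
# reference (secret_key_ref) instead of as plaintext `value =` env vars. A
# plaintext env value is persisted in the Cloud Run revision and is readable by
# anyone with run.viewer on the service (Console, `gcloud run services
# describe`). Non-secret identifiers (client ID, org ID, user ID) stay as
# ordinary env vars below.
#
# NOTE: the values still transit Terraform variables and the state file; keep
# the state backend encrypted and access-restricted regardless.
locals {
  app_secret_ids = toset([
    "flask-secret-key",
    "filevine-client-secret",
    "filevine-pat",
  ])

  # Looked up per resource instance so that a `sensitive = true` variable
  # never reaches a for_each argument (Terraform rejects sensitive for_each).
  app_secret_values = {
    "flask-secret-key"       = var.flask_secret_key
    "filevine-client-secret" = var.filevine_client_secret
    "filevine-pat"           = var.filevine_pat
  }
}

resource "google_secret_manager_secret" "app" {
  for_each  = local.app_secret_ids
  project   = var.gcp_project_id
  secret_id = "${var.app_name}-${each.key}"
  replication {
    automatic {}
  }
}

resource "google_secret_manager_secret_version" "app" {
  for_each    = local.app_secret_ids
  secret      = google_secret_manager_secret.app[each.key].id
  secret_data = local.app_secret_values[each.key]
}

# The runtime identity must be able to read each secret, otherwise revision
# creation fails with a permission error.
resource "google_secret_manager_secret_iam_member" "app_accessor" {
  for_each  = local.app_secret_ids
  project   = var.gcp_project_id
  secret_id = google_secret_manager_secret.app[each.key].secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${var.service_account_email}"
}

# Cloud Run service for the Flask app.
#
# Secrets referenced by name (secret_key_ref / secret volumes) are resolved in
# the project the service is deployed to, so that project must be
# var.gcp_project_id (the project the secrets are created in).
resource "google_cloud_run_service" "flask_app" {
  name     = "${var.app_name}-service"
  location = var.gcp_region

  # Service-level annotations. `run.googleapis.com/ingress` is a *service*
  # annotation, not a template annotation; "all" (the default) accepts traffic
  # from the public internet, which is required for the allUsers invoker grant
  # below to be reachable.
  metadata {
    annotations = {
      "run.googleapis.com/ingress" = "all"
    }
  }

  template {
    spec {
      containers {
        image = var.container_image

        # --- Secrets, injected from Secret Manager -------------------------
        env {
          name = "FLASK_SECRET_KEY"
          value_from {
            secret_key_ref {
              name = google_secret_manager_secret.app["flask-secret-key"].secret_id
              key  = "latest"
            }
          }
        }
        env {
          name = "FILEVINE_CLIENT_SECRET"
          value_from {
            secret_key_ref {
              name = google_secret_manager_secret.app["filevine-client-secret"].secret_id
              key  = "latest"
            }
          }
        }
        env {
          name = "FILEVINE_PERSONAL_ACCESS_TOKEN"
          value_from {
            secret_key_ref {
              name = google_secret_manager_secret.app["filevine-pat"].secret_id
              key  = "latest"
            }
          }
        }

        # --- Non-secret configuration ---------------------------------------
        env {
          name  = "FIREBASE_PROJECT_ID"
          value = var.firebase_project_id
        }
        # Path of the mounted service-account key (see volume_mount below).
        # NOTE(review): Cloud Run already runs as `service_account_name` with
        # ambient credentials (ADC), so a mounted key is only needed if the app
        # must act as a different identity — confirm before keeping it.
        env {
          name  = "GOOGLE_APPLICATION_CREDENTIALS"
          value = "/etc/secrets/service-account.json"
        }
        env {
          name  = "FILEVINE_CLIENT_ID"
          value = var.filevine_client_id
        }
        env {
          name  = "FILEVINE_ORG_ID"
          value = var.filevine_org_id
        }
        env {
          name  = "FILEVINE_USER_ID"
          value = var.filevine_user_id
        }

        # CPU and memory limits per instance.
        resources {
          limits = {
            cpu    = "1000m"
            memory = "512Mi"
          }
        }

        # Service-account key file, read-only.
        volume_mount {
          name       = "service-account-key"
          mount_path = "/etc/secrets"
          read_only  = true
        }
      }

      # Runtime identity of the container; must hold
      # roles/secretmanager.secretAccessor on every secret referenced above.
      service_account_name = var.service_account_email

      volumes {
        name = "service-account-key"
        secret {
          secret_name = google_secret_manager_secret.service_account_key.secret_id
          items {
            key  = "latest"
            path = "service-account.json"
          }
        }
      }

      # Max concurrent requests per instance and per-request timeout.
      container_concurrency = 100
      timeout_seconds       = 300
    }

    # Revision-level (template) annotations: autoscaling bounds.
    # minScale = 1 keeps one warm instance at all times (cost trade-off).
    metadata {
      annotations = {
        "autoscaling.knative.dev/maxScale" = "10"
        "autoscaling.knative.dev/minScale" = "1"
      }
    }
  }

  # Route all traffic to the newest revision.
  traffic {
    percent         = 100
    latest_revision = true
  }

  # Cloud Run validates secret references when the revision is created, so the
  # secret versions must exist first.
  depends_on = [
    google_secret_manager_secret_version.service_account_key,
    google_secret_manager_secret_version.app,
  ]
}

# Public, unauthenticated invocation of the service.
#
# This is deliberate for a public web app, but it means Cloud Run performs no
# authentication at all: the Flask app itself is responsible for authenticating
# and authorising users on every route (including any Filevine-backed ones).
resource "google_cloud_run_service_iam_member" "public" {
  location = google_cloud_run_service.flask_app.location
  project  = google_cloud_run_service.flask_app.project
  service  = google_cloud_run_service.flask_app.name
  role     = "roles/run.invoker"
  member   = "allUsers"
}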
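# Service-account key JSON, delivered to the container as a file via a secret
# volume.
#
# NOTE(review): a long-lived SA key is a standing credential that can be
# exfiltrated and does not expire. Cloud Run already runs as the service's
# `service_account_name` with ambient credentials (ADC); this key is only
# justified if the app must act as a different identity — confirm before
# keeping it. The key material also passes through var.service_account_key_data
# and is stored in Terraform state, so keep the state backend encrypted and
# access-restricted.
resource "google_secret_manager_secret" "service_account_key" {
  project   = var.gcp_project_id
  secret_id = "${var.app_name}-service-account-key"
  replication {
    automatic {}
  }
}

resource "google_secret_manager_secret_version" "service_account_key" {
  secret      = google_secret_manager_secret.service_account_key.id
  secret_data = var.service_account_key_data
}

# Without this grant the Cloud Run revision fails to start, because the runtime
# identity cannot read the secret mounted at /etc/secrets. Remove it if the same
# binding is already managed elsewhere so that one binding is not owned twice.
resource "google_secret_manager_secret_iam_member" "service_account_key_accessor" {
  project   = var.gcp_project_id
  secret_id = google_secret_manager_secret.service_account_key.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${var.service_account_email}"
}

# Application storage bucket.
resource "google_storage_bucket" "app_storage" {
  name     = "${var.app_name}-storage-${var.gcp_project_id}"
  location = var.gcp_region

  # WARNING: force_destroy deletes every object on `terraform destroy` (or on
  # any change that replaces the bucket). Acceptable for disposable
  # environments only; set to false wherever the data matters.
  force_destroy = true

  # IAM-only access (no per-object ACLs) plus a hard block on allUsers /
  # allAuthenticatedUsers grants, so the bucket cannot be made public later by
  # an accidental IAM binding.
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
}

output "service_url" {
  description = "Cloud Run service URL"
  value       = google_cloud_run_service.flask_app.status[0].url
}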