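# Firebase / GCP infrastructure for the Rothbard client portal.
#
# Security-relevant changes versus the previous revision of this file:
#   * the Firestore rules no longer contain a `{collection=**}` allow-all for any
#     signed-in user (it silently overrode the per-user rule — rules are additive);
#   * the Firestore database has delete protection and point-in-time recovery on;
#   * Firebase Hosting sends baseline hardening headers on every response;
#   * the `google-beta` provider every Firebase resource selects is now declared.
# Items that need a decision by the owner (MFA, the broad firebase.admin role,
# the OAuth secret in state) are flagged inline rather than changed.
terraform {
  required_version = ">= 1.0"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.0"
    }
    # Every Firebase resource below sets `provider = google-beta`; the beta
    # provider must be declared here or `terraform init` cannot resolve it.
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 5.0"
    }
    # NOTE(review): `terraform-google-modules/firebase/google` looks like a
    # module address rather than a provider address, and no resource in this
    # file uses `provider = firebase`. Kept as found — confirm it resolves in
    # `terraform init`, otherwise drop this entry and the provider block below.
    firebase = {
      source  = "terraform-google-modules/firebase/google"
      version = "~> 13.0"
    }
  }
}

provider "google" {
  project = var.gcp_project_id
  region  = var.gcp_region
}

# Same project/region as the GA provider; used by the Firebase resources.
provider "google-beta" {
  project = var.gcp_project_id
  region  = var.gcp_region
}

provider "firebase" {
  project = var.gcp_project_id
}

# ---------------------------------------------------------------------------
# Firebase project and web app
# ---------------------------------------------------------------------------

resource "google_firebase_project" "default" {
  provider = google-beta
  project  = var.gcp_project_id
}

resource "google_firebase_web_app" "rothbard_portal" {
  provider     = google-beta
  project      = google_firebase_project.default.project
  display_name = "Rothbard Client Portal"
  app_url      = "https://${var.domain_name}"

  # SECURITY: the client secret is persisted in Terraform state in clear text.
  # Declare `var.oauth_client_secret` with `sensitive = true`, keep the state
  # backend encrypted and access-controlled, and never surface it in an output.
  # NOTE(review): confirm `oauth_config` and `app_url` exist on this resource in
  # the provider schema before relying on them — I could not verify them here.
  oauth_config {
    client_id     = var.oauth_client_id
    client_secret = var.oauth_client_secret
  }
}

# ---------------------------------------------------------------------------
# Firestore database
# ---------------------------------------------------------------------------

resource "google_firestore_database" "default" {
  provider    = google-beta
  project     = var.gcp_project_id
  name        = "(default)"
  location_id = var.firestore_location
  type        = "FIRESTORE_NATIVE"

  # This database holds a law firm's client data: guard it against an
  # accidental `terraform destroy` or forced replacement. The previous value
  # "DISABLED" is also not one of the documented enum values
  # (DELETE_PROTECTION_ENABLED / DELETE_PROTECTION_DISABLED).
  delete_protection_state = "DELETE_PROTECTION_ENABLED"

  # Point-in-time recovery gives a rollback window after a bad deploy or a
  # mass write/delete performed with a compromised service-account credential.
  point_in_time_recovery_enablement = "POINT_IN_TIME_RECOVERY_ENABLED"
}

# ---------------------------------------------------------------------------
# Firebase Authentication
# ---------------------------------------------------------------------------

# NOTE(review): `google_identitytoolkit_config` is not a resource type I can
# find in the hashicorp/google(-beta) provider; the documented equivalent is
# `google_identity_platform_config`. Confirm the type and the block names
# below against the provider schema before apply.
resource "google_identitytoolkit_config" "default" {
  provider = google-beta
  project  = var.gcp_project_id

  sign_in_options {
    # Email + password is the primary sign-in method; passwordless email-link
    # sign-in is off because `password_required` is true.
    email {
      enabled           = true
      password_required = true
    }

    # Every other provider is explicitly off so a console change cannot
    # quietly widen the sign-in surface; Google sign-in is opt-in via variable.
    phone {
      enabled = false
    }
    google {
      enabled = var.enable_google_signin
    }
    facebook {
      enabled = false
    }
    apple {
      enabled = false
    }
  }

  # Transactional email templates. From/reply-to come from variables so the
  # sending identity can be set per environment; the HTML/text bodies are
  # checked in under templates/.
  email {
    reset_password_template {
      from_email_address = var.auth_from_email
      from_display_name  = var.auth_from_name
      reply_to           = var.auth_reply_to
      subject            = "Reset your Rothbard Law Group password"
      html               = file("${path.module}/templates/reset_password.html")
      text               = file("${path.module}/templates/reset_password.txt")
    }

    email_verification_template {
      from_email_address = var.auth_from_email
      from_display_name  = var.auth_from_name
      reply_to           = var.auth_reply_to
      subject            = "Verify your Rothbard Law Group account"
      html               = file("${path.module}/templates/email_verification.html")
      text               = file("${path.module}/templates/email_verification.txt")
    }
  }

  # One account per email address; prevents a second account from being
  # created against an address that already belongs to a client.
  sign_in {
    allow_duplicate_emails = false
  }

  # SECURITY (decision needed): MFA is off "for simplicity". This is a client
  # portal for a law firm; a phished password is then enough to read a
  # client's file. Enabling MFA here (or at least enforcing it for staff
  # accounts) should be on the pre-launch checklist.
  multi_factor_auth {
    enabled = false
  }

  # Anonymous sign-in stays off: the Firestore rules below key every grant on
  # `request.auth.uid` matching a real user document.
  anonymous {
    enabled = false
  }
}

# ---------------------------------------------------------------------------
# Service account and IAM for the Flask backend
# ---------------------------------------------------------------------------

resource "google_service_account" "flask_app" {
  account_id   = "rothbard-flask-app"
  display_name = "Rothbard Flask App Service Account"
}

# Read/write access to Firestore documents — the role the app actually needs
# for data access.
resource "google_project_iam_member" "firestore_access" {
  project = var.gcp_project_id
  role    = "roles/datastore.user"
  member  = "serviceAccount:${google_service_account.flask_app.email}"
}

# SECURITY (decision needed): roles/firebase.admin is project-wide and far
# broader than a web backend needs (it can change auth settings, hosting,
# rules, ...). Kept unchanged because this file does not show which Admin SDK
# calls the Flask app makes; replace it with the narrowest role that covers
# them (e.g. a Firebase Authentication role if the app only manages users).
resource "google_project_iam_member" "firebase_admin" {
  project = var.gcp_project_id
  role    = "roles/firebase.admin"
  member  = "serviceAccount:${google_service_account.flask_app.email}"
}

# ---------------------------------------------------------------------------
# Firestore security rules
# ---------------------------------------------------------------------------

# NOTE(review): `google_firestore_security_policy` is not a resource type I can
# find in the hashicorp/google provider; rules are normally shipped via
# `google_firebaserules_ruleset` + `google_firebaserules_release`. Confirm the
# type before apply — the rule CONTENT below is what matters for security.
#
# Firestore rules are additive: a request is allowed if ANY matching `allow`
# grants it. The previous revision carried a second rule matching
# `{collection=**}` that allowed read AND write on every document for any
# signed-in user. That made the per-user rule meaningless: any client with an
# account could read and edit every other client's profile. The wildcard rule
# is removed; anything not matched here is denied by default, so add one
# explicit, scoped rule per new collection instead of a catch-all.
resource "google_firestore_security_policy" "default" {
  project = var.gcp_project_id

  policy = {
    rules = [
      {
        description = "Allow users to read/write their own profile"
        match = {
          collection = "users"
          document   = "{userId}"
        }
        allow = [
          {
            resource  = "read"
            condition = { name = "request.auth.uid == userId" }
          },
          {
            resource  = "write"
            condition = { name = "request.auth.uid == userId" }
          }
        ]
      }
    ]
  }
}

# ---------------------------------------------------------------------------
# Firebase Hosting (static assets)
# ---------------------------------------------------------------------------

resource "google_firebase_hosting_site" "default" {
  provider = google-beta
  project  = var.gcp_project_id
  site_id  = "rothbard-portal"

  # NOTE(review): confirm the `config` block is accepted on this resource; in
  # the provider I know, hosting config belongs to google_firebase_hosting_version.
  config {
    public_root_dir = "public"

    headers = [
      {
        # Baseline browser hardening on every response, HTML included: pin
        # HTTPS, stop MIME sniffing, forbid framing (clickjacking) and avoid
        # leaking portal URLs in the Referer header.
        headers = [
          "Strict-Transport-Security: max-age=31536000; includeSubDomains",
          "X-Content-Type-Options: nosniff",
          "X-Frame-Options: DENY",
          "Referrer-Policy: strict-origin-when-cross-origin"
        ]
        glob = "**"
      },
      {
        # Images are immutable by filename; cache for a year.
        headers = ["Cache-Control: public, max-age=31536000"]
        glob    = "**/*.@(jpg|jpeg|gif|png|svg|webp)"
      },
      {
        # CSS/JS change with deploys; one-day cache.
        headers = ["Cache-Control: public, max-age=86400"]
        glob    = "**/*.@(css|js)"
      }
    ]

    redirects = [
      {
        status_code = 302
        path        = "/login"
        location    = "/login.html"
      }
    ]

    # Single-page-app fallback: every unmatched path serves index.html.
    rewrites = [
      {
        glob = "**"
        path = "/index.html"
      }
    ]
  }
}

# ---------------------------------------------------------------------------
# Outputs (none of these carry a secret)
# ---------------------------------------------------------------------------

output "firebase_web_app_id" {
  description = "Firebase Web App ID"
  value       = google_firebase_web_app.rothbard_portal.app_id
}

output "firebase_project_id" {
  description = "Firebase Project ID"
  value       = google_firebase_project.default.project
}

output "service_account_email" {
  description = "Service account email for Flask app"
  value       = google_service_account.flask_app.email
}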