rothbard/terraform/modules/app_engine/main.tf

# Enable App Engine Admin API
resource "google_project_service" "appengine" {
  project = var.gcp_project_id
  service = "appengine.googleapis.com"
}

# App Engine Application
resource "google_app_engine_application" "app" {
  project     = var.gcp_project_id
  location_id = var.gcp_region
  depends_on  = [google_project_service.appengine]
}

# App Engine Service for Flask app
resource "google_app_engine_standard_app_version" "flask_app" {
  project    = var.gcp_project_id
  service    = "default"
  version_id = "${var.app_name}-v1"

  runtime = "python311"

  entrypoint {
    command = "gunicorn -b :$PORT app:app"
  }

  deployment {
    zip {
      source_url = google_storage_bucket_object.app_source_zip.output_uri
    }
  }

  env_variables = {
    FLASK_SECRET_KEY               = var.flask_secret_key
    FIREBASE_PROJECT_ID           = var.firebase_project_id
    GOOGLE_APPLICATION_CREDENTIALS = "/etc/secrets/service-account.json"
    FILEVINE_CLIENT_ID            = var.filevine_client_id
    FILEVINE_CLIENT_SECRET        = var.filevine_client_secret
    FILEVINE_PERSONAL_ACCESS_TOKEN = var.filevine_pat
    FILEVINE_ORG_ID               = var.filevine_org_id
    FILEVINE_USER_ID              = var.filevine_user_id
  }

  # Service account
  service_account = var.service_account_email

  # Resources
  resources {
    cpu       = 1
    memory_gb = 0.5
    disk_gb   = 0.5
  }

  # Automatic scaling
  automatic_scaling {
    min_idle_instances = 0
    max_idle_instances = 1
    min_pending_latency = "automatic"
    max_pending_latency = "automatic"
    max_concurrent_requests = 80
  }

  # Health check
  health_check {
    enable_health_check = true
    check_path = "/"
  }

  depends_on = [
    google_storage_bucket_object.app_source_zip,
    google_secret_manager_secret_version.service_account_key
  ]
}

# Make App Engine service publicly accessible
resource "google_app_engine_firewall_rule" "allow_all" {
  project = var.gcp_project_id
  action  = "ALLOW"
  priority = "1"

  source_range = "*"
}

# Cloud Storage bucket for app source code
resource "google_storage_bucket" "app_source" {
  name          = "${var.app_name}-source-${var.gcp_project_id}"
  location      = var.gcp_region
  force_destroy = true

  uniform_bucket_level_access = true
}

# Upload app source code
resource "google_storage_bucket_object" "app_source_zip" {
  name   = "app-source.zip"
  bucket = google_storage_bucket.app_source.name
  source = var.app_source_zip_path
}

# Store service account key in Secret Manager
resource "google_secret_manager_secret" "service_account_key" {
  project   = var.gcp_project_id
  secret_id = "${var.app_name}-service-account-key"

  replication {
    automatic = true
  }
}

resource "google_secret_manager_secret_version" "service_account_key" {
  secret      = google_secret_manager_secret.service_account_key.id
  secret_data = var.service_account_key_data
}

# Output the app URL
output "app_url" {
  description = "App Engine application URL"
  value       = "https://${google_app_engine_application.app.default_hostname}"
}