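# Creates one generated-password Secret and one PostgreSQL login role per
# entry of var.roles.
#
# Flow: StringSecret custom resource -> Secret read back through a data
# source -> postgresql_role.password.
#
# Security notes:
# - The generated password passes through the data source and the
#   postgresql_role resource, so it is written to the Terraform state.
#   The state backend needs encryption at rest and restricted read access.
# - Role names are interpolated into the YAML manifest inside double quotes
#   without escaping. NOTE(review): confirm var.roles[*].name is validated
#   (for example with a variable validation block) before it reaches here.
# - The Secret keys are spelled "POSGRESQL_*" (sic). The spelling is kept
#   because whatever consumes the Secret reads these exact keys.

locals {
  # Unique role names in descending lexical order.
  # Fixed: `var.roles.name` is not valid on a collection of objects (the
  # second local iterates var.roles as one), so the names are collected
  # with a for expression instead.
  sorted-roles-name = reverse(distinct(sort([for r in var.roles : r.name])))

  # Role objects re-ordered to follow sorted-roles-name.
  # NOTE(review): if two entries share a name, both are kept here and the
  # resources below would be declared twice with the same object name.
  sorted-roles = flatten([
    for name in local.sorted-roles-name : [
      for r in var.roles : r if r.name == name
    ]
  ])
}

# StringSecret custom resource (secretgenerator.mittwald.de) asking for a
# 32-character POSGRESQL_PASSWORD field next to the fixed POSGRESQL_USERNAME.
# forceRegenerate is false in the manifest below.
#
# NOTE(review): resources are addressed by count index into a sorted list.
# Adding or removing a role shifts the indices after it, so existing
# addresses get planned against a different role name. Depending on provider
# behaviour this may rename or re-create roles that were not touched in
# var.roles; for_each keyed by role name avoids that but needs state moves.
resource "kubectl_manifest" "db_secret_role" {
  # Annotation changes on the live object are not treated as drift.
  ignore_fields = ["metadata.annotations"]
  count         = length(local.sorted-roles)

  yaml_body = <<-EOF
    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
    kind: "StringSecret"
    metadata:
      name: "${var.instance}-${var.component}-role-${local.sorted-roles[count.index].name}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(merge(local.common-labels, {"app.kubernetes.io/component" = local.sorted-roles[count.index].name}))}
    spec:
      forceRegenerate: false
      data:
        POSGRESQL_USERNAME: "${local.sorted-roles[count.index].name}"
      fields:
        - fieldName: "POSGRESQL_PASSWORD"
          length: "32"
  EOF
}

# Reads back the Secret that carries the generated password.
# NOTE(review): depends_on only orders this read after the StringSecret is
# applied. Presumably the Secret itself is created asynchronously by the
# operator; confirm it exists on a first apply, otherwise the password below
# may be read as empty.
data "kubernetes_secret_v1" "password_role_get" {
  depends_on = [kubectl_manifest.db_secret_role]
  count      = length(local.sorted-roles)

  metadata {
    name      = "${var.instance}-${var.component}-role-${local.sorted-roles[count.index].name}"
    namespace = var.namespace
  }
}

# PostgreSQL login role whose password is the generated Secret value.
# kubectl_manifest.prj_pg is declared outside this snippet.
resource "postgresql_role" "role" {
  depends_on = [kubectl_manifest.prj_pg]
  count      = length(local.sorted-roles)

  name     = local.sorted-roles[count.index].name
  login    = true
  password = data.kubernetes_secret_v1.password_role_get[count.index].data["POSGRESQL_PASSWORD"]
}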