# Role list, sorted, de-duplicated and then reversed. Every resource below is
# indexed into this list with `count`.
# NOTE(review): because instances are addressed by position, adding or removing
# an entry in var.roles changes which role the later indices map to, so a plan
# may touch secrets and roles unrelated to the edit. Moving to for_each keyed by
# role name would avoid that, but it changes resource addresses and needs state
# moves; not done here.
locals {
  sorted-roles = reverse(distinct(sort(var.roles)))
}

# One StringSecret per role: a fixed username entry plus a generated
# 32-character password field.
# NOTE(review): role names are interpolated unescaped into double-quoted YAML
# scalars. The declaration of var.roles is not visible here; confirm it
# restricts values to a safe identifier pattern so a name cannot alter the
# manifest.
# NOTE(review): the keys are spelled "POSGRESQL_" (no "T"). The spelling is used
# consistently in this file; anything else reading the secret must match it.
resource "kubectl_manifest" "db_secret" {
  count = length(local.sorted-roles)

  # Annotation changes are not treated as drift.
  ignore_fields = ["metadata.annotations"]

  yaml_body = <<-EOF
    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
    kind: "StringSecret"
    metadata:
      name: "${var.instance}-${var.component}-role-${local.sorted-roles[count.index]}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(merge(local.common-labels, {"app.kubernetes.io/component" = local.sorted-roles[count.index]}))}
    spec:
      forceRegenerate: false
      data:
        POSGRESQL_USERNAME: "${local.sorted-roles[count.index]}"
      fields:
        - fieldName: "POSGRESQL_PASSWORD"
          length: "32"
  EOF
}

# Reads back the Secret that has the same name as the StringSecret above.
# NOTE(review): the value read here, generated password included, is recorded in
# Terraform state. Keep the state backend encrypted and access-restricted.
# NOTE(review): depends_on only orders this read after the StringSecret object
# is applied. Presumably the Secret itself is created by the secret-generator
# controller; confirm it exists by the time this data source is read.
data "kubernetes_secret_v1" "password_get" {
  count      = length(local.sorted-roles)
  depends_on = [kubectl_manifest.db_secret]

  metadata {
    name      = "${var.instance}-${var.component}-role-${local.sorted-roles[count.index]}"
    namespace = var.namespace
  }
}

# One login-enabled PostgreSQL role per entry, using the generated password.
# kubectl_manifest.prj_pg is declared outside this view; the reference to the
# data source already orders each role after its secret has been read.
resource "postgresql_role" "role" {
  count      = length(local.sorted-roles)
  depends_on = [kubectl_manifest.prj_pg]

  name     = local.sorted-roles[count.index]
  login    = true
  password = data.kubernetes_secret_v1.password_get[count.index].data["POSGRESQL_PASSWORD"]
}