locals {
  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
  application_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "authentik-application"
  })
  app_name    = var.app_name != "" ? var.app_name : var.component == var.instance ? var.instance : format("%s-%s", var.instance, var.component)
  main_group  = format("app-%s", local.app_slug)
  secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
  dns_name    = var.dns_name != "" ? var.dns_name : var.rule_mapper.host
  url_icon    = startswith(var.icon, "fa-") ? "fa://${var.icon}" : format("https://%s/%s", local.dns_name, var.icon)
  backend     = var.rule_mapper.paths[0].backend
  rules_icons = [{
    "host" = local.dns_name
    "http" = {
      "paths" = [{
        "path"     = "/${var.icon}"
        "pathType" = "Prefix"
        "backend"  = local.backend
      }]
    }
  }]
}

resource "kubectl_manifest" "ingress_icon" {
  count           = startswith(var.icon, "fa-") ? 0 : 1
  force_conflicts = true
  yaml_body       = <<-EOF
    apiVersion: "networking.k8s.io/v1"
    kind: "Ingress"
    metadata:
      name: "${local.app_slug}-icons"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.application_labels)}
    spec:
      ingressClassName: "${var.ingress_class}"
      rules: ${jsonencode(local.rules_icons)}
      tls:
      - secretName: "${local.secret_name}"
        hosts: ${jsonencode([local.dns_name])}
  EOF
}

data "authentik_group" "akadmin" {
  name = "authentik Admins"
}
resource "authentik_group" "groups" {
  name       = local.main_group
  attributes = jsonencode({ "${local.app_name}" = true })
}

resource "authentik_group" "subgroup" {
  count  = length(var.sub_groups)
  name   = format("%s-%s", local.main_group, var.sub_groups[count.index])
  parent = authentik_group.groups.id
}

resource "authentik_application" "app" {
  name                  = var.app_name
  slug                  = local.app_slug
  group                 = var.app_group
  protocol_provider     = var.protocol_provider
  backchannel_providers = var.backchannel_providers
  meta_launch_url       = format("https://%s", local.dns_name)
  meta_icon             = local.url_icon
}

resource "authentik_policy_expression" "policy" {
  name       = "${local.app_slug}-${local.main_group}"
  expression = <<-EOF
    attr = request.user.group_attributes()
    return attr['${local.app_name}'] if '${local.app_name}' in attr else False
  EOF
}

resource "authentik_policy_binding" "access_users" {
  target = authentik_application.app.uuid
  policy = authentik_policy_expression.policy.id
  order  = 0
}
resource "authentik_policy_binding" "access_vynil" {
  target = authentik_application.app.uuid
  group  = data.authentik_group.akadmin.id
  order  = 1
}