main.tf

locals {
    short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0],".","-"))

    customer_service_account_suffix = "-${var.division}-tf"
    customer_service_account_prefix = substr(local.short_mcomm,0,30-length(local.customer_service_account_suffix))
    customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
    division_folder_ids = {
        dev = {
            //its = ""
        }
        test = {
            its    = "folders/100600555387"
            campus = "folders/549439339393"
            mm     = "folders/783942636538"
            hipaa  = "folders/607376512236"
        }
        prod = {
            its    = "folders/666809107084"
            campus = "folders/1013928641872"            
            mm     = "folders/332243639992"
            hipaa  = "folders/293380204207"
        }
    }
    master_billing_account_id = {
        //dev  = ""
        test = "01D8BC-7D5855-0BC393"
        prod = "01D8BC-7D5855-0BC393"
    }
    database_function_url = {
        //dev = ""
        test = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" # Need a test DB
        prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
    }
    curl_body = {
        kind              = "billing"
        billingAccountId  = google_billing_subaccount.customer_subaccount.billing_account_id
        billing_contact   = var.billing_contact
        mcomm_group_email = var.mcomm_group_email
        shortcode         = var.shortcode
    }
    
}

module "audit" {
    count                   = var.division == "hipaa" ? 1: 0
    source                  = "./modules/terraform-google-gcp-at-um-customer-audit/"
    division                = var.division
    billing_id              = google_billing_subaccount.customer_subaccount.billing_account_id
    folder_id               = google_folder.customer_folder.id
    mcomm_group_email       = var.mcomm_group_email
    database_function_url   = local.database_function_url[var.environment]
    shortcode               = var.shortcode
    environment             = var.environment
    audit_logs_access       = var.audit_logs_access     
}

resource "google_folder" "customer_folder" {
    display_name = var.folder_display_name == "" ? local.short_mcomm : var.folder_display_name
    parent = local.division_folder_ids[var.environment][var.division]
}

data "google_iam_policy" "customer_folder_policy" {
    binding {
        role = "roles/browser"
        members = [
            "group:${var.mcomm_group_email}",
        ]
    }

    binding {
        role = "organizations/715302536254/roles/GCP_at_UM_Customer_Folder_Viewer"
        members = [
            "group:${var.mcomm_group_email}",
        ]
    }

    dynamic "binding" {
        for_each = var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : []
        content {
            role = binding.value
            members = [
                "group:${var.mcomm_group_email}",
            ]
        }
    }

    binding {
        role = "roles/resourcemanager.projectCreator"
        members = [
            "serviceAccount:${google_service_account.customer_service_account.email}",
        ]
    }

    binding {
        role = "roles/resourcemanager.folderEditor"
        members = [
            "serviceAccount:${var.provisioning_service_account_email}",
        ]
    }
}

resource "google_folder_iam_policy" "customer_folder_policy" {
  folder      = google_folder.customer_folder.name
  policy_data = data.google_iam_policy.customer_folder_policy.policy_data
}

resource "random_id" "customer_bucket_id" {
    byte_length = 2
}

resource "google_storage_bucket" "customer_bucket" {
    project = var.customer_bucket_project_id
    name = "gcp-at-um-${local.short_mcomm}-${random_id.customer_bucket_id.hex}"
    location = "US"
    storage_class = "STANDARD"

    uniform_bucket_level_access = true

    versioning {
        enabled = true
    }
}

resource "google_service_account" "customer_service_account" {
    project     = var.customer_service_account_project_id
    account_id  = local.customer_service_account_id
    description = "${local.short_mcomm} Terraform Service Account"
}

data "google_iam_policy" "customer_service_account_policy" {
  binding {
    role = "roles/iam.serviceAccountKeyAdmin"

    members = [
        "group:${var.mcomm_group_email}",
    ]
  }
}

resource "google_service_account_iam_policy" "customer_service_account_policy" {
  service_account_id = google_service_account.customer_service_account.name
  policy_data        = data.google_iam_policy.customer_service_account_policy.policy_data
}

data "google_iam_policy" "customer_bucket_policy" {
    binding {
        role = "roles/storage.legacyBucketWriter"
        members = [
            "serviceAccount:${google_service_account.customer_service_account.email}",
        ]
    }

    binding {
        role = "roles/storage.objectViewer"
        members = [
            "group:${var.mcomm_group_email}",
        ]
    }
}

resource "google_storage_bucket_iam_policy" "customer_bucket_policy" {
    bucket = google_storage_bucket.customer_bucket.name
    policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
}

data "google_service_account_id_token" "customer_db_token" {
    target_audience = local.database_function_url[var.environment]
}

resource "null_resource" "customer_database" {
    triggers = {
        billingAccountId  = google_billing_subaccount.customer_subaccount.billing_account_id
        billing_contact   = var.billing_contact
        mcomm_group_email = var.mcomm_group_email
        shortcode         = var.shortcode
    }

    provisioner "local-exec" {
        command = "curl ${local.database_function_url[var.environment]} -H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\" -H \"Content-Type: application/json\" -d '${jsonencode(local.curl_body)}'"
    }
}

// Need to make a customer Git repo

resource "google_billing_subaccount" "customer_subaccount" {
    display_name           = local.short_mcomm
    master_billing_account = local.master_billing_account_id[var.environment]
    deletion_policy        = "RENAME_ON_DESTROY"
}

resource "google_billing_account_iam_policy" "customer_billing_account_policy" {
    billing_account_id = google_billing_subaccount.customer_subaccount.billing_account_id
    policy_data        = data.google_iam_policy.customer_billing_account_policy.policy_data
}

data "google_iam_policy" "customer_billing_account_policy" {
    binding {
        role = "roles/billing.user"

        members = [
            "serviceAccount:${google_service_account.customer_service_account.email}",
        ]
    }

    binding {
        role = "organizations/715302536254/roles/UM_billingUser"

        members = [
            "group:${var.mcomm_group_email}",
        ]
    }
}