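# Terraform configuration for DeFi Oracle Meta Mainnet (ChainID 138)
# Azure Kubernetes Service (AKS) deployment
#
# This configuration supports both legacy single resource group deployment
# and Well-Architected Framework multi-resource-group deployment.
#
# For Well-Architected Framework deployment, use terraform/well-architected/main.tf
# See docs/AZURE_WELL_ARCHITECTED_REVIEW.md for details.
#
# Layout of this file:
#   1. terraform / provider settings
#   2. legacy resource group (only when use_well_architected = false)
#   3. modules: networking, keyvault, aks (skipped in multi-region), storage
#   4. outputs
#
# Conditional resources (count = 0/1) are read through `one(x[*].attr)` rather
# than `x[0].attr` so that the unselected branch of a ternary never attempts an
# index into an empty list.

terraform {
  required_version = ">= 1.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.0"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.0"
    }
  }

  # Backend configuration is in backend.tf (separate file)
  # This prevents duplicate backend configuration errors
  # Backend uses environment variables from .env file
  #
  # NOTE(security): Terraform state stored in that backend contains every
  # output below in plaintext, including `kubeconfig` (`sensitive = true` only
  # masks CLI/plan output, it does not encrypt state). Keep the .env file out
  # of version control and restrict access to / encrypt the backend storage.
}

provider "azurerm" {
  features {
    resource_group {
      # Prevent accidental deletion in production
      prevent_deletion_if_contains_resources = var.environment == "prod"
    }
    key_vault {
      # Don't purge on destroy in production: the soft-deleted vault stays
      # recoverable. Non-prod vaults are purged so the name can be reused.
      purge_soft_delete_on_destroy    = var.environment != "prod"
      recover_soft_deleted_key_vaults = true
    }
  }
}

# Variables are defined in variables.tf
# Local values are defined in locals.tf
# This file uses the naming convention: {cloud}-{env}-{region}-{resource}-{instance}

# Resource Group (legacy single RG deployment)
# Created only when the Well-Architected multi-RG layout is NOT in use.
resource "azurerm_resource_group" "main" {
  count = var.use_well_architected ? 0 : 1

  name     = local.resource_group_name
  location = var.location
  tags     = local.common_tags
}

# Network Module
# In the Well-Architected layout the network RG is supplied by variable;
# otherwise the single legacy RG above is used.
module "networking" {
  source = "./modules/networking"

  resource_group_name = var.use_well_architected ? var.network_resource_group_name : one(azurerm_resource_group.main[*].name)
  location            = var.location
  cluster_name        = var.cluster_name != "" ? var.cluster_name : local.aks_cluster
  environment         = var.environment
  tags                = local.common_tags
}

# Key Vault Module
# NOTE: For production, consider using the enhanced Key Vault module with RBAC and Private Endpoints
# See terraform/modules/keyvault-enhanced/ for Well-Architected Framework implementation
module "keyvault" {
  source = "./modules/secrets"

  resource_group_name = var.use_well_architected ? var.security_resource_group_name : one(azurerm_resource_group.main[*].name)
  location            = var.location
  key_vault_name      = var.key_vault_name != "" ? var.key_vault_name : local.kv_secrets
  environment         = var.environment
  tags                = local.common_tags
}

# AKS Module
# NOTE: West Europe (westeurope) is admin-only - skip AKS cluster creation when multi-region is enabled
# Multi-region deployment handles all workload AKS clusters in the 36 workload regions
#
# NOTE(review): the `resource_group_name` output below falls back to
# "rg-${var.environment}-compute-001" when var.compute_resource_group_name is
# empty, but the module receives the raw (possibly empty) variable here.
# Confirm the module tolerates an empty name or apply the same fallback.
module "aks" {
  count = var.enable_multi_region ? 0 : 1 # Skip AKS in West Europe when multi-region is enabled (admin-only)

  source = "./modules/kubernetes"

  resource_group_name = var.use_well_architected ? var.compute_resource_group_name : one(azurerm_resource_group.main[*].name)
  location            = var.location
  cluster_name        = var.cluster_name != "" ? var.cluster_name : local.aks_cluster
  kubernetes_version  = var.kubernetes_version
  node_count          = var.node_count
  vm_size             = var.vm_size
  environment         = var.environment
  tags                = local.common_tags

  # Wiring into the network and secrets modules
  vnet_subnet_id = module.networking.aks_subnet_id
  node_subnet_id = module.networking.node_subnet_id
  key_vault_id   = module.keyvault.key_vault_id

  depends_on = [
    module.networking,
    module.keyvault
  ]
}

# Storage Module
module "storage" {
  source = "./modules/storage"

  resource_group_name = var.use_well_architected ? var.storage_resource_group_name : one(azurerm_resource_group.main[*].name)
  location            = var.location
  cluster_name        = var.cluster_name != "" ? var.cluster_name : local.aks_cluster
  environment         = var.environment
  tags                = local.common_tags
}

# Outputs

output "resource_group_name" {
  value = var.use_well_architected ? (
    var.compute_resource_group_name != "" ? var.compute_resource_group_name : "rg-${var.environment}-compute-001"
  ) : one(azurerm_resource_group.main[*].name)
  description = "Name of the compute resource group"
}

output "cluster_name" {
  # one() yields null when the aks module has count = 0; the ternary never
  # reaches it in that case, but it also never errors.
  value       = var.enable_multi_region ? "N/A (West Europe is admin-only, workload clusters in multi-region)" : one(module.aks[*].cluster_name)
  description = "Name of the AKS cluster (N/A when multi-region enabled - West Europe is admin-only)"
}

output "cluster_fqdn" {
  value       = var.enable_multi_region ? "N/A (West Europe is admin-only, workload clusters in multi-region)" : one(module.aks[*].cluster_fqdn)
  description = "FQDN of the AKS cluster (N/A when multi-region enabled - West Europe is admin-only)"
}

output "key_vault_name" {
  value       = module.keyvault.key_vault_name
  description = "Name of the Key Vault"
}

output "key_vault_uri" {
  # The vault URI is an endpoint, not a secret; access is governed by the
  # vault's own policy/RBAC, so it is deliberately non-sensitive.
  value       = module.keyvault.key_vault_uri
  description = "URI of the Key Vault"
  sensitive   = false
}

output "application_gateway_id" {
  value       = module.networking.application_gateway_id
  description = "ID of the Application Gateway"
}

output "kubeconfig" {
  # Cluster-admin credentials. `sensitive` hides the value from plan/apply
  # output only; it is still present in plaintext in the state file.
  value       = var.enable_multi_region ? null : one(module.aks[*].kubeconfig)
  sensitive   = true
  description = "Kubeconfig for the AKS cluster (null when multi-region enabled - West Europe is admin-only)"
}

output "environment" {
  value       = var.environment
  description = "Environment name"
}

output "use_well_architected" {
  value       = var.use_well_architected
  description = "Whether Well-Architected Framework structure is used"
}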