# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# tfdoc:file:description common project.

locals {
  cmn_iam = {
    data_analysts = [
      # uncomment if access to all tagged columns is needed
      # "roles/datacatalog.categoryFineGrainedReader",
      "roles/datacatalog.viewer"
    ]
    data_engineers = [
      "roles/dlp.estimatesAdmin",
      "roles/dlp.reader",
      "roles/dlp.user"
    ]
    data_security = [
      "roles/datacatalog.admin",
      "roles/dlp.admin"
    ]
    sa_load = [
      "roles/datacatalog.viewer",
      "roles/dlp.user"
    ]
    sa_transf_bq = [
      "roles/datacatalog.categoryFineGrainedReader",
      "roles/datacatalog.viewer"
    ]
    sa_transf_df = [
      "roles/datacatalog.categoryFineGrainedReader",
      "roles/datacatalog.viewer",
      "roles/dlp.user"
    ]
  }
}

module "common-project" {
  source          = "../../../modules/project"
  parent          = var.project_config.parent
  billing_account = var.project_config.billing_account_id
  project_create  = var.project_config.project_create
  prefix          = local.use_projects ? null : var.prefix
  name = (
    local.use_projects
    ? var.project_config.project_ids.common
    : "${var.project_config.project_ids.common}${local.project_suffix}"
  )
  iam                   = local.use_projects ? {} : local.cmn_iam_auth
  iam_bindings_additive = !local.use_projects ? {} : local.cmn_iam_additive
  services = concat(var.project_services, [
    "datacatalog.googleapis.com",
    "dlp.googleapis.com",
  ])
}

module "common-datacatalog" {
  source     = "../../../modules/data-catalog-policy-tag"
  project_id = module.common-project.project_id
  name       = "${var.prefix}-datacatalog-policy-tags"
  location   = var.location
  tags       = var.data_catalog_tags
}

# To create KMS keys in the common project: uncomment this section
# and assign key links accondingly in local.service_encryption_keys variable

# module "cmn-kms-0" {
#   source     = "../../../modules/kms"
#   project_id = module.common-project.project_id
#   keyring = {
#     name     = "${var.prefix}-kr-global",
#     location = "global"
#   }
#   keys = {
#     pubsub = null
#   }
# }

# module "cmn-kms-1" {
#   source     = "../../../modules/kms"
#   project_id = module.common-project.project_id
#   keyring = {
#     name     = "${var.prefix}-kr-mregional",
#     location = var.location
#   }
#   keys = {
#     bq      = null
#     storage = null
#   }
# }

# module "cmn-kms-2" {
#   source     = "../../../modules/kms"
#   project_id = module.cmn-prj.project_id
#   keyring = {
#     name     = "${var.prefix}-kr-regional",
#     location = var.region
#   }
#   keys = {
#     composer = null
#     dataflow = null
#   }
# }