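# Enable foundational APIs required for Terraform to manage other services.
#
# Every google_project_service below sets disable_on_destroy = false: removing
# the resource from state leaves the API enabled in the project, so a destroy
# of this configuration cannot break other workloads that rely on the same API.
resource "google_project_service" "cloudresourcemanager" {
  provider           = google-beta
  project            = var.project_id
  service            = "cloudresourcemanager.googleapis.com"
  disable_on_destroy = false
}

resource "google_project_service" "serviceusage" {
  provider           = google-beta
  project            = var.project_id
  service            = "serviceusage.googleapis.com"
  disable_on_destroy = false
}

# Enable required APIs.
#
# All three service enablements are ordered after the foundational APIs so a
# freshly created project does not race the enablement calls. (Previously only
# the firebase API carried this dependency; identitytoolkit and firestore now
# follow the same pattern for consistency.)
resource "google_project_service" "firebase" {
  provider           = google-beta
  project            = var.project_id
  service            = "firebase.googleapis.com"
  disable_on_destroy = false

  depends_on = [
    google_project_service.cloudresourcemanager,
    google_project_service.serviceusage,
  ]
}

resource "google_project_service" "identitytoolkit" {
  provider           = google-beta
  project            = var.project_id
  service            = "identitytoolkit.googleapis.com"
  disable_on_destroy = false

  depends_on = [
    google_project_service.cloudresourcemanager,
    google_project_service.serviceusage,
  ]
}

resource "google_project_service" "firestore" {
  provider           = google-beta
  project            = var.project_id
  service            = "firestore.googleapis.com"
  disable_on_destroy = false

  depends_on = [
    google_project_service.cloudresourcemanager,
    google_project_service.serviceusage,
  ]
}

# Firebase Project
#
# Attaches Firebase to the existing GCP project identified by var.project_id.
resource "google_firebase_project" "default" {
  provider = google-beta
  project  = var.project_id

  depends_on = [
    google_project_service.firebase,
  ]
}

# Firebase Web App
resource "google_firebase_web_app" "default" {
  provider     = google-beta
  project      = var.project_id
  display_name = "Haumdaucher Web"

  depends_on = [google_firebase_project.default]
}

# Client-side configuration for the web app (the values a browser bundle is
# built with, such as the web API key). These are not server secrets, but any
# output that surfaces them should be deliberate rather than incidental, and
# access to the project's data must be gated by Identity Platform and Firestore
# Security Rules, never by keeping this config private.
data "google_firebase_web_app_config" "default" {
  provider   = google-beta
  web_app_id = google_firebase_web_app.default.app_id
  project    = var.project_id
}

# Identity Platform (Auth)
#
# Only the project-level sign-in policy is managed here: duplicate e-mail
# accounts are refused, and the anonymous and e-mail/password providers are
# disabled. No Google (or other) identity provider is declared in this file, so
# on its own this configuration enables no sign-in method at all; the Google
# provider is expected to be configured elsewhere (see the NOTE below) --
# confirm that is the case before relying on it.
resource "google_identity_platform_config" "default" {
  provider = google-beta
  project  = var.project_id

  # Enable Google Sign-In (and others if needed, but keeping it simple)
  sign_in {
    allow_duplicate_emails = false

    anonymous {
      enabled = false
    }

    email {
      enabled = false # We only want Google Sign-In
    }
  }

  depends_on = [google_project_service.identitytoolkit]
}

# NOTE: OAuth Client ID usually needs to be configured in console for Identity
# Platform, or imported. Terraform support for *creating* the OAuth client for
# IAP/Identity is limited/complex.
# We will assume the default one created by Firebase is used or documented.

# Firestore Database (Native)
#
# The single "(default)" database in Native mode, located in var.region.
# App Engine integration is disabled so the database lifecycle is not tied to
# an App Engine application in the project.
resource "google_firestore_database" "database" {
  provider                    = google-beta
  project                     = var.project_id
  name                        = "(default)"
  location_id                 = var.region
  type                        = "FIRESTORE_NATIVE"
  concurrency_mode            = "OPTIMISTIC"
  app_engine_integration_mode = "DISABLED"

  depends_on = [google_project_service.firestore]
}

# Allowlist Configuration Document
#
# Writes config/allowlist with an `emails` array built from var.allowed_users.
# This resource only creates the data; it does not enforce anything. Whatever
# consumes it (Firestore Security Rules and/or the application's sign-in
# check) is responsible for honouring it, and no rules resource is managed in
# this file. In particular, the rules must deny client writes to this document,
# otherwise an authenticated user could add their own address to the list.
# An empty var.allowed_users yields an empty array, i.e. nobody is allowed.
resource "google_firestore_document" "allowlist" {
  provider    = google-beta
  project     = var.project_id
  database    = google_firestore_database.database.name
  collection  = "config"
  document_id = "allowlist"

  # Serialize the list of emails into a JSON string map for the fields.
  # Firestore's REST representation requires each element to be a typed value
  # object, hence the {stringValue = ...} wrapping rather than a bare string.
  fields = jsonencode({
    emails = {
      arrayValue = {
        values = [
          for email in var.allowed_users : { stringValue = email }
        ]
      }
    }
  })
}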