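# Looks up the source repository on GitHub (Enterprise) by name. Its clone URL
# feeds the CodeBuild source block and its name feeds the repository webhook
# at the bottom of this file.
data "github_repository" "this" {
  name = var.name
}

# CodeBuild project used when no S3 artifact bucket is configured
# (var.artifact_s3_bucket == ""). Build output is not kept as a CodeBuild
# artifact; the ECR repositories declared below are the intended destination.
# NOTE(review): when var.artifact_s3_bucket is non-empty this project is not
# created, yet aws_codebuild_webhook.this below still targets a project named
# var.name — confirm a sibling project with that name exists elsewhere in the
# module, otherwise the webhook apply will fail in that configuration.
resource "aws_codebuild_project" "this_no_artifact" {
  count = var.artifact_s3_bucket == "" ? 1 : 0

  name         = var.name
  description  = "Container for ${var.name}"
  service_role = var.service_role
  # Build output and cache are encrypted with the caller-supplied CMK rather
  # than the AWS-managed default key.
  encryption_key = var.kms_key
  badge_enabled  = var.badge_enabled

  source {
    type     = "GITHUB_ENTERPRISE"
    location = data.github_repository.this.http_clone_url
    # Publish build outcome back to the commit status in GitHub.
    report_build_status = true
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = var.codebuild_image
    type         = "LINUX_CONTAINER"
    # Required to run the Docker daemon inside the build (image build/push).
    # Privileged containers have elevated access to the build host, so keep
    # var.service_role and var.codebuild_image tightly scoped and trusted.
    privileged_mode = true
  }

  artifacts {
    type = "NO_ARTIFACTS"
  }

  tags = merge(var.standard_tags, var.tags)
}

# Image repositories for the two containers this pipeline produces.
# scan_on_push asks ECR to scan each pushed image for known CVEs, so findings
# exist before the image is pulled by a consuming account.
# NOTE(review): image_tag_mutability is left at the provider default (MUTABLE);
# switching to IMMUTABLE would stop tags such as "latest" from being
# overwritten, but may break existing push workflows — confirm with the
# pipeline owners before changing it.
resource "aws_ecr_repository" "this-api" {
  name = "portal-api"

  image_scanning_configuration {
    scan_on_push = true
  }
}

resource "aws_ecr_repository" "this-nginx" {
  name = "portal-nginx"

  image_scanning_configuration {
    scan_on_push = true
  }
}

# Repository policy shared by both ECR repositories. Despite the sid it grants
# pull AND push (PutImage, *LayerUpload*) to the ":root" principal of every
# account listed for the current environment in var.responsible_accounts.
# Granting ":root" delegates to the whole account: any IAM principal in those
# accounts whose own identity policy allows these ECR actions can push images
# here, so the per-environment account list is the effective trust boundary.
# NOTE: ecr:GetAuthorizationToken is an account-level action that a
# repository policy does not grant; the cross-account principals need it in
# their own IAM policy. It is left in place to keep the policy JSON unchanged.
data "aws_iam_policy_document" "ecr_cross_account_policy" {
  statement {
    sid    = "ECRWrite"
    effect = "Allow"
    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
    ]

    principals {
      identifiers = [
        for a in var.responsible_accounts[var.environment] :
        "arn:${var.aws_partition}:iam::${a}:root"
      ]
      type = "AWS"
    }
  }
}

# Attach the shared cross-account policy and the module's lifecycle policy
# (image expiry rules read from lifecycle-policy.json next to this file) to
# each repository.
resource "aws_ecr_repository_policy" "this-api" {
  repository = aws_ecr_repository.this-api.name
  policy     = data.aws_iam_policy_document.ecr_cross_account_policy.json
}

resource "aws_ecr_lifecycle_policy" "this-api" {
  repository = aws_ecr_repository.this-api.name
  policy     = file("${path.module}/lifecycle-policy.json")
}

resource "aws_ecr_repository_policy" "this-nginx" {
  repository = aws_ecr_repository.this-nginx.name
  policy     = data.aws_iam_policy_document.ecr_cross_account_policy.json
}

resource "aws_ecr_lifecycle_policy" "this-nginx" {
  repository = aws_ecr_repository.this-nginx.name
  policy     = file("${path.module}/lifecycle-policy.json")
}

# CodeBuild-side webhook. CodeBuild generates the payload URL and a shared
# secret; both are consumed by the GitHub webhook below.
resource "aws_codebuild_webhook" "this" {
  project_name  = var.name
  branch_filter = var.webhook_branch_filter

  # The project is created via count, so ordering is made explicit instead of
  # being derived from an attribute reference.
  depends_on = [aws_codebuild_project.this_no_artifact]
}

# GitHub-side webhook pointing at the CodeBuild payload URL. The shared secret
# lets CodeBuild validate the signature on each delivery, and insecure_ssl =
# false keeps TLS certificate validation on. The URL and secret end up in
# Terraform state, so the state backend must be protected accordingly.
resource "github_repository_webhook" "this" {
  active     = true
  events     = ["push"]
  repository = data.github_repository.this.name

  configuration {
    url          = aws_codebuild_webhook.this.payload_url
    secret       = aws_codebuild_webhook.this.secret
    content_type = "json"
    insecure_ssl = false
  }
}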