#----------------------------------------------------------------------------
# Okta Auth
#----------------------------------------------------------------------------
# Okta username/password auth method (distinct from the OIDC method below).
# The Okta API token, the OIDC client secret and every other argument in this
# file are persisted in Terraform state, so the state backend must be treated
# as secret material.
# `bypass_okta_mfa` is deliberately not set; leave it at the provider default
# so Okta MFA stays in the login path (NOTE(review): confirm the default on
# the provider version in use).
resource "vault_okta_auth_backend" "okta" {
  description  = "Terraform Okta auth backend"
  # Also hard-coded in the OIDC discovery/issuer URLs below; keep them in sync.
  organization = "mdr-multipass"
  token        = var.okta_api_token
  base_url     = "okta.com"
  ttl          = "1h"
  max_ttl      = "8h"

  # Okta group -> Vault policy mappings. Both "mdr-admins" and "vault-admins"
  # resolve to the admins policy; the vault_policy resources are defined
  # elsewhere in the module.
  group {
    group_name = "mdr-admins"
    policies   = [vault_policy.admins.name]
  }
  group {
    group_name = "mdr-engineers"
    policies   = [vault_policy.engineers.name]
  }
  group {
    group_name = "phantom-role-administrator"
    policies   = [vault_policy.phantom.name]
  }
  group {
    group_name = "vault-admins"
    policies   = [vault_policy.admins.name]
  }
  group {
    group_name = "analyst-shift-lead"
    policies   = [vault_policy.soc.name]
  }
  group {
    group_name = "analyst-tier-3"
    policies   = [vault_policy.soc.name]
  }
}

#----------------------------------------------------------------------------
# Okta OIDC Auth
#----------------------------------------------------------------------------
# Browser-based OIDC login against the Okta org. Members of the default_role
# may log in without naming a role; everyone else must pass role=<name>
# explicitly. In both cases a token is only issued when the caller's claims
# satisfy that role's bound_claims (see vault_jwt_auth_backend_role below),
# so the admin default does not by itself grant anything.
resource "vault_jwt_auth_backend" "okta_oidc" {
  description        = "Terraform Managed OIDC Auth"
  path               = "oidc"
  type               = "oidc"
  oidc_discovery_url = "https://mdr-multipass.okta.com"
  oidc_client_id     = var.okta_oidc_client_id
  oidc_client_secret = var.okta_oidc_client_secret
  # Pins the `iss` claim to the org issuer so tokens minted by any other
  # issuer are rejected even if they validate against the discovered keys.
  bound_issuer = "https://mdr-multipass.okta.com"
  # Must be a key of var.roles, otherwise role-less logins fail.
  default_role = "mdr-admins"

  tune {
    # "unauth" lists this method on the unauthenticated UI login page. It
    # exposes no secrets but does make the method name discoverable.
    listing_visibility = "unauth"
    max_lease_ttl      = "8h"
    default_lease_ttl  = "1h"
    token_type         = "default-service"
  }

  # The oidc_client_secret causes terraform to think it needs to apply changes
  # on every plan. Enabling the ignore_changes below silences that, but then a
  # rotated value of var.okta_oidc_client_secret will NOT be pushed to Vault;
  # rotate it out of band or drop the ignore before rotating.
  #lifecycle { ignore_changes = [oidc_client_secret,]}
}

# One role per entry in var.roles. Each role maps a set of Okta groups
# (bound_groups) to Vault policies (token_policies).
# Max token length of 28800 seconds (8 hours), matching max_lease_ttl on the mount.
resource "vault_jwt_auth_backend_role" "okta_oidc" {
  for_each       = var.roles
  backend        = vault_jwt_auth_backend.okta_oidc.path
  role_name      = each.key
  token_policies = each.value.token_policies
  # The `email` claim becomes the entity alias name, so Vault identity is
  # keyed on the Okta email address.
  user_claim = "email"
  role_type  = "oidc"
  # Only the UI callback over HTTPS on the private zone is allowed. The CLI's
  # default localhost callback (http://localhost:8250/oidc/callback) is not,
  # so `vault login -method=oidc` from a workstation is rejected unless it is
  # added here (NOTE(review): confirm that is intended).
  allowed_redirect_uris = ["https://vault.${var.dns_info["private"]["zone"]}/ui/vault/auth/oidc/oidc/callback"]
  # The Okta app / authorization server must actually release a `groups`
  # claim; if it does not, bound_claims below can never match and every login
  # fails closed (NOTE(review): verify the claim is configured on the Okta side).
  oidc_scopes = ["profile", "email", "groups"]
  # The provider takes a comma-separated string as a list of acceptable
  # values, so a group name containing a comma would be split into two.
  bound_claims = {
    groups = join(",", each.value.bound_groups)
  }
  # Keep false outside debugging: true writes the full token and claims to the
  # Vault server log.
  verbose_oidc_logging   = false
  token_explicit_max_ttl = "28800"
}

#----------------------------------------------------------------------------
# AWS Auth
#----------------------------------------------------------------------------
resource "vault_auth_backend" "aws" {
  type = "aws"
}

# Equivalent CLI (historical; the region has since moved into var.aws_region):
#vault write auth/aws/config/client sts_endpoint=https://sts.us-gov-east-1.amazonaws.com sts_region=us-gov-east-1
#https://github.com/terraform-providers/terraform-provider-vault/pull/717
#https://github.com/terraform-providers/terraform-provider-vault/issues/689
# No access_key/secret_key are configured, so Vault calls STS with whatever
# AWS credentials its own process holds (instance profile or similar —
# NOTE(review): confirm how the Vault servers are credentialed).
# NOTE(review): no iam_server_id_header_value is set, so signed
# GetCallerIdentity login requests are not bound to this Vault cluster.
# Setting one (clients then send X-Vault-AWS-IAM-Server-ID) prevents a
# captured login request from being replayed against another Vault.
resource "vault_aws_auth_backend_client" "aws" {
  backend = vault_auth_backend.aws.path
  # Regional STS endpoint; the CLI note above shows this was introduced for
  # us-gov-east-1, where the global STS endpoint is not usable.
  sts_endpoint = "https://sts.${var.aws_region}.amazonaws.com"
  sts_region   = var.aws_region
}

# IAM login for the portal instance. Bound to one exact role ARN (no
# wildcard) in this account/partition. token_ttl/token_max_ttl are seconds:
# a 60 s token that may be renewed for up to 24 h, so the workload must keep
# renewing. resolve_aws_unique_ids is left at the provider default
# (NOTE(review): Vault resolves the ARN to the role's unique ID at write
# time, so re-creating the IAM role requires re-applying this resource — confirm).
resource "vault_aws_auth_backend_role" "portal" {
  backend                  = vault_auth_backend.aws.path
  role                     = "portal"
  auth_type                = "iam"
  bound_iam_principal_arns = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/portal-instance-role"]
  #inferred_aws_region = "us-gov-east-1"
  token_ttl      = 60
  token_max_ttl  = 86400
  token_policies = ["portal"]
}

# IAM login for the data-sync Lambda. Shares the "portal" policy with the
# instance role above, so the Lambda receives every capability the portal
# has (NOTE(review): a narrower policy would follow least privilege if the
# Lambda needs fewer paths). TTL semantics are the same as for "portal".
resource "vault_aws_auth_backend_role" "portal-data-sync-lambda-role" {
  backend                  = vault_auth_backend.aws.path
  role                     = "portal-data-sync-lambda-role"
  auth_type                = "iam"
  bound_iam_principal_arns = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/portal-data-sync-lambda-role"]
  #inferred_aws_region = "us-gov-east-1"
  token_ttl      = 60
  token_max_ttl  = 86400
  token_policies = ["portal"]
}

#----------------------------------------------------------------------------
# AppRole Auth ( not currently used )
#----------------------------------------------------------------------------
# The mount is enabled but has no roles. An enabled auth method is reachable
# attack surface: any principal with write access to auth/approle/role/* can
# mint login credentials through it. NOTE(review): consider removing this
# resource until it is actually needed.
resource "vault_auth_backend" "approle" {
  type        = "approle"
  description = "approle"
}

#----------------------------------------------------------------------------
# File Audit
#----------------------------------------------------------------------------
# Single file audit device. Vault fails closed (refuses all requests) when no
# enabled audit device can be written, so a full disk on this path is a Vault
# outage; rotate the file externally (Vault reopens it on SIGHUP) and consider
# a second device. log_raw is left unset, so sensitive request/response values
# are HMAC'd rather than written in clear (NOTE(review): confirm the default
# on the provider version in use).
resource "vault_audit" "file_audit" {
  type = "file"
  options = {
    file_path = "/var/log/vault.log"
  }
}