# =============================================================================
# VAULT DATA SOURCES
# =============================================================================
# Both reads go through the Vault provider. The provider marks the returned
# `data` map as sensitive, but any value copied out of it into locals or
# resources is still persisted in plaintext in the Terraform state, so the
# state backend needs the same protection as Vault itself.

data "vault_generic_secret" "cloudflare" {
  path = var.vault_cloudflare_path
}

data "vault_generic_secret" "authentik" {
  path = var.vault_authentik_path
}

# =============================================================================
# LOCALS
# =============================================================================

locals {
  # --- Cloudflare credentials read from Vault --------------------------------
  cloudflare_api_token  = data.vault_generic_secret.cloudflare.data["api_token"]
  cloudflare_account_id = data.vault_generic_secret.cloudflare.data["account_id"]
  cloudflare_zone_id    = data.vault_generic_secret.cloudflare.data["zone_id_org"]
  cloudflare_email      = data.vault_generic_secret.cloudflare.data["email"]

  # --- Authentik OIDC client credentials used for Cloudflare ------------------
  authentik_oidc_client_id_cloudflare = data.vault_generic_secret.authentik.data["client_id_cloudflare"]
  authentik_oidc_secret_cloudflare    = data.vault_generic_secret.authentik.data["secret_cloudflare"]

  # --- Tunnel ingress rules --------------------------------------------------
  # Terminal rule: a request that matched no hostname above is answered with a
  # 404 instead of being forwarded to any origin. It must remain the last
  # element of `ingress_rules`.
  catch_all_rule = { service = "http_status:404" }

  # One ingress rule per entry of var.applications.
  app_ingress_rules = [
    for app_name, app_config in var.applications : {
      # NOTE(review): the hostname suffix is var.cloudflare_zone_id, whereas the
      # Vault-sourced local of the same name holds data["zone_id_org"]; confirm
      # the variable carries the zone *name* a hostname needs, not a zone ID.
      hostname = "${app_config.subdomain}.${var.cloudflare_zone_id}"
      service  = app_config.origin_url

      origin_request = {
        # Disables certificate verification towards the origin for this app;
        # per-app opt-in so it can stay off everywhere a trusted cert exists.
        no_tls_verify = app_config.no_tls_verify

        # Cloudflare Access enforcement at the tunnel, only when the app opts in.
        # `required = true` makes the tunnel reject requests without a valid
        # Access JWT for the listed audience tags.
        access = app_config.access_enabled ? {
          team_name = app_config.access_team_name
          aud_tag   = app_config.access_aud_tags
          required  = true
        } : null
      }
    }
  ]

  ingress_rules = concat(local.app_ingress_rules, [local.catch_all_rule])
}