resource "random_password" "oidc_client_id" {
  length           = 72
  override_special = "-._~"
}

resource "random_password" "oidc_secret" {
  length           = 72
  override_special = "-._~"
}

resource "nomad_variable" "authelia_oidc_secret" {
  path = "secrets/authelia/${var.name}"
  items = {
    client_id   = resource.random_password.oidc_client_id.result
    secret      = resource.random_password.oidc_secret.result
    secret_hash = resource.random_password.oidc_secret.bcrypt_hash
  }
}

resource "nomad_variable" "authelia_access_control_oidc" {
  path = "authelia/access_control/oidc_clients/${var.name}"
  items = {
    id                   = resource.random_password.oidc_client_id.result
    description          = var.oidc_client_config.description
    authorization_policy = var.oidc_client_config.authorization_policy
    redirect_uris        = yamlencode(var.oidc_client_config.redirect_uris)
    scopes               = yamlencode(var.oidc_client_config.scopes)
  }
}

resource "nomad_acl_policy" "oidc_authelia" {
  count       = var.job_acl != null ? 1 : 0
  name        = "${var.name}-authelia"
  description = "Give access to shared authelia variables"
  rules_hcl   = <<EOH
namespace "default" {
  variables {
    path "secrets/authelia/${var.name}" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = var.job_acl.job_id
    group  = var.job_acl.group
    task   = var.job_acl.task
  }
}