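# IAM role for Lambda functions.
# Both Lambda functions in this file assume this one role, so each function
# inherits every permission attached to it, including the DynamoDB actions in
# lambda_dynamodb_policy. NOTE(review): auth_api is given no TABLE_NAME and so
# appears not to need DynamoDB; if that is confirmed against the handler, move
# it to its own role carrying only the logs statement so the two functions are
# separately scoped.
resource "aws_iam_role" "lambda_role" {
  name = "${var.app_name}-lambda-role"

  # Trust policy: only the Lambda service principal may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      }
    ]
  })
}

# IAM policy for Lambda to access DynamoDB and write its own CloudWatch logs.
resource "aws_iam_role_policy" "lambda_dynamodb_policy" {
  name = "${var.app_name}-lambda-dynamodb-policy"
  role = aws_iam_role.lambda_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Item-level CRUD plus Scan/Query, limited to the filaments table and
        # its secondary indexes (Query/Scan against an index target the
        # /index/* ARN, which is why it is listed separately).
        Effect = "Allow"
        Action = [
          "dynamodb:GetItem",
          "dynamodb:PutItem",
          "dynamodb:UpdateItem",
          "dynamodb:DeleteItem",
          "dynamodb:Scan",
          "dynamodb:Query"
        ]
        Resource = [
          aws_dynamodb_table.filaments.arn,
          "${aws_dynamodb_table.filaments.arn}/index/*"
        ]
      },
      {
        # Logging, scoped to this app's Lambda log groups rather than every log
        # group in every account and region ("arn:aws:logs:*:*:*"). Lambda
        # writes to /aws/lambda/<function_name>, and both function names below
        # start with "<app_name>-", so this one pattern covers both groups and
        # any log streams beneath them (the trailing wildcard spans the
        # ":log-stream:..." suffix).
        Effect = "Allow"
        Action = [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ]
        Resource = "arn:aws:logs:*:*:log-group:/aws/lambda/${var.app_name}-*"
      }
    ]
  })
}

# Lambda function for filaments CRUD.
resource "aws_lambda_function" "filaments_api" {
  filename      = data.archive_file.filaments_lambda_zip.output_path
  function_name = "${var.app_name}-filaments-api"
  role          = aws_iam_role.lambda_role.arn
  handler       = "index.handler"
  # TODO(review): nodejs18.x is past Lambda's announced deprecation for that
  # runtime; check the current runtime support table and plan the move to a
  # supported Node.js release, verifying the handler against it first.
  runtime     = "nodejs18.x"
  timeout     = 30
  memory_size = 256
  # Forces a redeploy whenever the zipped source changes.
  source_code_hash = data.archive_file.filaments_lambda_zip.output_base64sha256

  environment {
    variables = {
      TABLE_NAME = aws_dynamodb_table.filaments.name
      # Falls back to the wildcard origin when no domain is configured. That
      # is a development convenience: if domain_name is left empty in a real
      # deployment the API answers cross-origin requests from any site, so
      # domain_name should be set (or made required) for production.
      CORS_ORIGIN = var.domain_name != "" ? "https://${var.domain_name}" : "*"
    }
  }

  # Make sure the role already carries its policy when the function is created.
  depends_on = [aws_iam_role_policy.lambda_dynamodb_policy]
}

# Lambda function for authentication.
resource "aws_lambda_function" "auth_api" {
  filename      = data.archive_file.auth_lambda_zip.output_path
  function_name = "${var.app_name}-auth-api"
  role          = aws_iam_role.lambda_role.arn
  handler       = "index.handler"
  # TODO(review): same runtime deprecation concern as filaments_api above.
  runtime     = "nodejs18.x"
  timeout     = 10
  memory_size = 128
  # Forces a redeploy whenever the zipped source changes.
  source_code_hash = data.archive_file.auth_lambda_zip.output_base64sha256

  environment {
    variables = {
      # These values are secrets. Lambda environment variables are readable by
      # any principal allowed lambda:GetFunctionConfiguration and are also
      # persisted in Terraform state, so var.jwt_secret and
      # var.admin_password_hash should be declared `sensitive = true`, state
      # access should be restricted, and for production prefer encrypting the
      # environment with a customer-managed kms_key_arn or reading the secret
      # from Secrets Manager / SSM Parameter Store at runtime.
      JWT_SECRET          = var.jwt_secret
      ADMIN_USERNAME      = var.admin_username
      ADMIN_PASSWORD_HASH = var.admin_password_hash
      # Same wildcard fallback as filaments_api; see the note there.
      CORS_ORIGIN = var.domain_name != "" ? "https://${var.domain_name}" : "*"
    }
  }

  # Make sure the role already carries its policy when the function is created.
  depends_on = [aws_iam_role_policy.lambda_dynamodb_policy]
}

# Archive files for Lambda deployment: zip each handler directory so Terraform
# can upload it and detect changes through output_base64sha256.
data "archive_file" "filaments_lambda_zip" {
  type        = "zip"
  source_dir  = "${path.module}/../lambda/filaments"
  output_path = "${path.module}/../lambda/filaments.zip"
}

data "archive_file" "auth_lambda_zip" {
  type        = "zip"
  source_dir  = "${path.module}/../lambda/auth"
  output_path = "${path.module}/../lambda/auth.zip"
}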