data "terraform_remote_state" "shared" {
  backend = "s3"
  config = {
    bucket = "assessment-model-terraform-state"
    key = "env:/${var.stage}/terraform.tfstate"
    region = "eu-west-2"
  }
}

data "terraform_remote_state" "pashub_to_ara" {
  backend = "s3"
  config = {
    bucket = "pashub-to-ara-terraform-state"
    key    = "env:/${var.stage}/terraform.tfstate"
    region = "eu-west-2"
  }
}

data "terraform_remote_state" "magic_plan" {
  backend = "s3"
  config = {
    bucket = "magic-plan-client-terraform-state"
    key    = "env:/${var.stage}/terraform.tfstate"
    region = "eu-west-2"
  }
}

data "aws_secretsmanager_secret_version" "db_credentials" {
  secret_id = "${var.stage}/assessment_model/db_credentials"
}

locals {
  db_credentials = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)
}


module "hubspot_deal_etl" {
  source = "../../modules/lambda_with_sqs"

  name  = "hubspot_deal_etl"
  stage = var.stage

  image_uri = local.image_uri

  # Optional: Set maximum_concurrency to limit concurrent SQS-triggered invocations (2-1000)
  maximum_concurrency = var.maximum_concurrency

  batch_size = var.batch_size

  environment = {
    STAGE = var.stage
    LOG_LEVEL = "info"
    DB_USERNAME = local.db_credentials.db_assessment_model_username
    DB_PASSWORD = local.db_credentials.db_assessment_model_password
    DB_HOST     = var.db_host
    DB_NAME     = var.db_name
    DB_PORT     = var.db_port
    HUBSPOT_API_KEY = var.hubspot_api_key

    PASHUB_TO_ARA_SQS_URL = data.terraform_remote_state.pashub_to_ara.outputs.pashub_to_ara_queue_url
    MAGICPLAN_SQS_URL     = data.terraform_remote_state.magic_plan.outputs.magic_plan_queue_url
  }
}

resource "aws_iam_role_policy_attachment" "lambda_s3_policy" {
  role       = module.hubspot_deal_etl.role_name
  policy_arn = data.terraform_remote_state.shared.outputs.hubspot_etl_s3_read_and_write_arn
}

# Create and attach S3 send policy for PasHub Fetcher queue
module "hubspot_deal_etl_sqs_policy" {
  source = "../../modules/general_iam_policy"

  policy_name        = "hubspot-deal-etl-sqs-send-${var.stage}"
  policy_description = "Allow Hubspot ETL Lambda to send messages to PasHub Fetcher queue"

  actions = [
    "sqs:SendMessage"
  ]

  resources = [
    data.terraform_remote_state.pashub_to_ara.outputs.pashub_to_ara_queue_arn
  ]
}

resource "aws_iam_role_policy_attachment" "hubspot_deal_etl_sqs_send" {
  role       = module.hubspot_deal_etl.role_name
  policy_arn = module.hubspot_deal_etl_sqs_policy.policy_arn
}

module "hubspot_deal_etl_magicplan_sqs_policy" {
  source = "../../modules/general_iam_policy"

  policy_name        = "hubspot-deal-etl-magicplan-sqs-send-${var.stage}"
  policy_description = "Allow HubSpot ETL Lambda to send messages to MagicPlan queue"
  actions            = ["sqs:SendMessage"]
  resources          = [data.terraform_remote_state.magic_plan.outputs.magic_plan_queue_arn]
}

resource "aws_iam_role_policy_attachment" "hubspot_deal_etl_magicplan_sqs_send" {
  role       = module.hubspot_deal_etl.role_name
  policy_arn = module.hubspot_deal_etl_magicplan_sqs_policy.policy_arn
}