# Lambda function and role

# Execution role assumed by the Lambda service. The single inline policy
# mirrors the per-function "basic execution" policy: permission to write the
# function's CloudWatch Logs and nothing else.
module "LambdaRole" {
  source = "../modules/security_identity_compliance/iam-role-v2"

  role-name               = "AWSLambdaBasicExecutionRole-HashWebApp"
  description             = "Lambda execution role for HashWebApp"
  trusted-entity          = "lambda.amazonaws.com"
  create-instance-profile = false

  policies = {
    AWSLambdaBasicExecutionRole = {
      description = "AWSLambdaBasicExecutionRole for HashWebApp"
      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            # NOTE(review): this resource pattern covers every CloudWatch Logs
            # resource in the account and region, so the role may create log
            # groups with any name, not only /aws/lambda/HashWebApp. If the
            # function's log group were managed in Terraform, this statement
            # could probably be removed entirely; confirm before changing.
            Effect   = "Allow"
            Action   = "logs:CreateLogGroup"
            Resource = "arn:aws:logs:${var.aws-region}:${data.aws_caller_identity.this.account_id}:*"
          },
          {
            # Stream creation and event writes are limited to this function's
            # own log group.
            Effect = "Allow"
            Action = [
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ]
            Resource = [
              "arn:aws:logs:${var.aws-region}:${data.aws_caller_identity.this.account_id}:log-group:/aws/lambda/HashWebApp:*"
            ]
          }
        ]
      })
    }
  }
}

# Packages function.py from this module directory into the zip that is
# uploaded as the function code.
data "archive_file" "HashWebApp" {
  type        = "zip"
  source_file = "${path.module}/function.py"
  output_path = "${path.module}/function.zip"
}

# The function itself. No timeout, memory_size, reserved concurrency or
# environment is set in this block, so whatever the provider and service
# default to applies.
resource "aws_lambda_function" "HashWebApp" {
  function_name = "HashWebApp"
  role          = module.LambdaRole.role-arn

  runtime       = "python3.14"
  architectures = ["arm64"]
  handler       = "function.lambda_handler"

  # The hash is taken from the archive built above, tying the deployed
  # package to the zip produced from function.py.
  filename    = data.archive_file.HashWebApp.output_path
  code_sha256 = data.archive_file.HashWebApp.output_base64sha256
}

# Resource-based policy letting API Gateway invoke the function. source_arn
# restricts the grant to this REST API; the three wildcards stand for any
# stage, any HTTP method and any resource path of that API.
resource "aws_lambda_permission" "HashWebApp" {
  statement_id  = "AllowExecutionFromApiGateway"
  action        = "lambda:InvokeFunction"
  principal     = "apigateway.amazonaws.com"
  function_name = aws_lambda_function.HashWebApp.function_name
  source_arn    = "${aws_api_gateway_rest_api.HashWebApp.execution_arn}/*/*/*"
}

# rest api

# The API is defined entirely by the OpenAPI document next to this file.
# NOTE(review): authorizers, API keys and request validation, if any, live in
# restapi-oas30.json and are not visible here; check that file to see which
# routes are reachable without authentication.
resource "aws_api_gateway_rest_api" "HashWebApp" {
  name = "HashWebApp"
  body = file("${path.module}/restapi-oas30.json")

  endpoint_configuration {
    types = ["REGIONAL"]
  }
}

# A new deployment is cut whenever the API body changes. The SHA-1 digest is
# only a change fingerprint for the trigger, not an integrity control.
resource "aws_api_gateway_deployment" "HashWebApp" {
  rest_api_id = aws_api_gateway_rest_api.HashWebApp.id

  triggers = {
    redeployment = sha1(jsonencode(aws_api_gateway_rest_api.HashWebApp.body))
  }

  lifecycle {
    create_before_destroy = true
  }
}

# Publishes the deployment as the "test" stage.
# NOTE(review): this block sets no access_log_settings, and no throttling or
# method settings for the stage appear in the part of the file shown, so
# requests to the stage may go unlogged and unthrottled unless that is
# configured elsewhere.
resource "aws_api_gateway_stage" "test" {
  stage_name    = "test"
  rest_api_id   = aws_api_gateway_rest_api.HashWebApp.id
  deployment_id = aws_api_gateway_deployment.HashWebApp.id
}