# ------------------------------------------------------------------------------
# 1. Pub/Sub Topic (Intermediate queue for successful logins)
# ------------------------------------------------------------------------------
resource "google_pubsub_topic" "banking_successful_login_events" {
  # Intermediate queue: the audit SA is granted publisher on this topic below,
  # and the location-analyzer function consumes it through its event_trigger.
  # NOTE(review): neither kms_key_name nor message_retention_duration is set,
  # so the topic uses Google-managed encryption and default retention — confirm
  # that is acceptable for login events, which likely carry account/IP data.
  name    = "banking-successful-login-events"
  project = var.gcp_project
}
# ------------------------------------------------------------------------------
# 2. Ingestion/Audit Service Account & IAM
# ------------------------------------------------------------------------------
# Grant the Audit SA permission to publish to the successful logins topic
resource "google_pubsub_topic_iam_member" "banking_auth_audit_publisher" {
  # Topic-scoped (not project-wide) publisher grant for the audit SA, which is
  # the only writer this file declares for the successful-logins topic.
  # google_service_account.banking_auth_audit itself is declared elsewhere in
  # this configuration.
  project = var.gcp_project
  topic   = google_pubsub_topic.banking_successful_login_events.name
  member  = "serviceAccount:${google_service_account.banking_auth_audit.email}"
  role    = "roles/pubsub.publisher"
}
# ------------------------------------------------------------------------------
# 3. Analysis Service Account & IAM
# ------------------------------------------------------------------------------
resource "google_service_account" "banking_auth_location_analyzer" {
  # Dedicated runtime identity for the analyzer Cloud Function (used both as
  # the service_config SA and as the event_trigger SA below). Keeping it
  # separate from the audit SA means the consumer side has no publish rights
  # on the login-events topic.
  project      = var.gcp_project
  account_id   = "banking-auth-location-analyzer"
  description  = "Analyzes successful logins for geo-location changes"
  display_name = "Banking Auth Location Analyzer"
}
resource "google_project_iam_member" "banking_auth_location_analyzer_iam" {
  # Project-level roles for the analyzer SA, one binding per role.
  # NOTE(review): both roles are bound at project scope, so this SA can read
  # every Secret Manager secret and every Firestore database in the project,
  # not only what the function needs (DATABASE_NAME below points at
  # google_firestore_database.banking_auth). Least privilege would be a
  # google_secret_manager_secret_iam_member on the specific secret(s) and a
  # datastore.user grant restricted to that database. Which secrets the
  # function reads is not visible in this file — confirm against the code.
  for_each = toset([
    "roles/datastore.user",
    "roles/secretmanager.secretAccessor",
  ])

  project = var.gcp_project
  member  = "serviceAccount:${google_service_account.banking_auth_location_analyzer.email}"
  role    = each.value
}
# Grant the Analyzer SA permission to publish to the existing banking-notifications topic
resource "google_pubsub_topic_iam_member" "banking_auth_location_analyzer_publisher" {
  # Lets the analyzer publish to the pre-existing "banking-notifications"
  # topic. The topic is referenced by bare name rather than by a Terraform
  # resource, so it must already exist in var.gcp_project (managed outside this
  # file); the same literal is handed to the function as NOTIFICATIONS_TOPIC.
  member  = "serviceAccount:${google_service_account.banking_auth_location_analyzer.email}"
  role    = "roles/pubsub.publisher"
  topic   = "banking-notifications"
  project = var.gcp_project
}
# ------------------------------------------------------------------------------
# 4. Analysis Cloud Function
# ------------------------------------------------------------------------------
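resource "google_cloudfunctions2_function" "banking_analyze_auth_location" {
  provider = google-beta
  project  = var.gcp_project
  location = var.gcp_region
  name     = "banking-analyze-auth-location"

  # Placeholder build: Terraform deploys a dummy archive and entry point; the
  # real code is presumably deployed out-of-band, which is why entry_point and
  # runtime are in ignore_changes below — confirm with the deployment pipeline.
  build_config {
    runtime     = "nodejs24"
    entry_point = "helloHttp"
    source {
      storage_source {
        bucket = google_storage_bucket.gcf_source.name
        object = google_storage_bucket_object.dummy_node_cloud_function_source.name
      }
    }
  }

  service_config {
    max_instance_count    = 100
    service_account_email = google_service_account.banking_auth_location_analyzer.email

    # The function is only invoked through the Pub/Sub trigger below, so its
    # HTTPS endpoint does not need to be reachable from the internet (the
    # provider default is ALLOW_ALL). Eventarc / Pub/Sub push traffic from the
    # same project is classified as internal by Cloud Run, so the trigger is
    # unaffected. Revisit if a direct HTTP caller is ever added.
    ingress_settings = "ALLOW_INTERNAL_ONLY"

    environment_variables = {
      SENTRY_DSN    = local.mono_sentry_dsn
      SENTRY_ENV    = var.environment == "DEV" ? "dev" : "prd"
      DATABASE_NAME = google_firestore_database.banking_auth.name
      # Same literal as the topic the analyzer SA is granted publisher on.
      NOTIFICATIONS_TOPIC = "banking-notifications"
    }
  }

  event_trigger {
    event_type   = "google.cloud.pubsub.topic.v1.messagePublished"
    pubsub_topic = google_pubsub_topic.banking_successful_login_events.id
    # Failed deliveries are retried, so the handler must be idempotent; a
    # poison message will be redelivered repeatedly because no dead-letter
    # topic is configured here.
    retry_policy = "RETRY_POLICY_RETRY"
    # NOTE(review): this trigger SA also needs run.invoker on the function's
    # underlying service (and eventarc.eventReceiver); those bindings are not
    # in this file — presumably granted elsewhere, verify.
    service_account_email = google_service_account.banking_auth_location_analyzer.email
  }

  lifecycle {
    # Out-of-band code deployments change entry_point/runtime and add the
    # Sentry release env vars; do not revert them on the next apply.
    # Index syntax is now [0] throughout (the legacy ".0." form was mixed in).
    ignore_changes = [
      build_config[0].entry_point,
      build_config[0].runtime,
      service_config[0].environment_variables["SENTRY_RELEASE"],
      service_config[0].environment_variables["SENTRY_DIST"],
    ]
  }
}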