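# Route53 hosted zone used as an ACME DNS-01 (Let's Encrypt) delegation target,
# plus an IAM user whose only purpose is to write challenge records into it.
# The secret access key is stored in Terraform state whether or not PGP is
# used; protect the state backend accordingly.

variable "domain" {
  description = "Domain name of the Route53 hosted zone to create (the ACME DNS-01 delegation target)"
}

variable "tags" {
  description = "Tags applied to the hosted zone and to the IAM user"
  default = {
    "purpose" = "letsencrypt delegation"
  }
}

variable "use_pgp" {
  description = "Whether or not to use a PGP key to encrypt the secret access key"
  default     = false
}

variable "pgp_key" {
  description = "base64 encoded public gpg key to encrypt the secrets with"
  default     = ""
}

resource "aws_route53_zone" "_" {
  name = var.domain
  tags = var.tags
}

# NOTE(review): "letesencrypt" is a typo (the policy below says "letsencrypt"),
# kept on purpose: an IAM user name cannot be changed in place, so correcting
# it forces replacement of the user AND its access key (a credential rotation)
# on every existing deployment. Rename deliberately, not as a drive-by fix.
resource "aws_iam_user" "_" {
  name = "letesencrypt-delegation-${var.domain}"
  tags = merge({ "Name" = "Letsencrypt delegation user for ${var.domain}" }, var.tags)
}

resource "aws_iam_access_key" "_" {
  user = aws_iam_user._.name
  # With use_pgp the provider only keeps the PGP-encrypted secret; without it
  # the plaintext secret is written to state. use_pgp=true with an empty
  # pgp_key is passed through as "" -- presumably rejected by the provider;
  # confirm before relying on it.
  pgp_key = var.use_pgp ? var.pgp_key : null
}

resource "aws_iam_user_policy" "_" {
  name   = "letsencrypt-delegation-${var.domain}"
  user   = aws_iam_user._.name
  policy = data.aws_iam_policy_document.r53.json
}

# Least-privilege policy for an ACME DNS-01 client: discover zones, read this
# zone, and write ONLY TXT records in this zone.
data "aws_iam_policy_document" "r53" {
  # GetChange and ListHostedZones are not resource-scoped in Route53, so "*"
  # is the narrowest resource these two actions accept.
  # NOTE(review): some ACME clients also call route53:ListHostedZonesByName;
  # add it here if zone discovery fails for your client.
  statement {
    sid       = "DiscoverZones"
    actions   = ["route53:GetChange", "route53:ListHostedZones"]
    resources = ["*"]
  }

  statement {
    sid       = "ReadDelegatedZone"
    actions   = ["route53:ListResourceRecordSets"]
    resources = ["arn:aws:route53:::hostedzone/${aws_route53_zone._.zone_id}"]
  }

  # Writes are restricted to this zone AND to TXT records. DNS-01 validation
  # only ever needs TXT, so a leaked key cannot repoint A/AAAA/CNAME/MX/NS
  # records in the zone. Drop the condition only if a client genuinely needs
  # other record types.
  statement {
    sid       = "WriteAcmeTxtRecords"
    actions   = ["route53:ChangeResourceRecordSets"]
    resources = ["arn:aws:route53:::hostedzone/${aws_route53_zone._.zone_id}"]

    condition {
      test     = "ForAllValues:StringEquals"
      variable = "route53:ChangeResourceRecordSetsRecordTypes"
      values   = ["TXT"]
    }
  }
}

output "info" {
  description = "Shell snippet exporting the new credentials; decrypts the secret with gpg when use_pgp is set"
  # The non-PGP branch embeds the plaintext secret access key, so the output
  # must be redacted from plan/apply logs and CI output. (Use
  # `terraform output -raw info` to read it on purpose.)
  sensitive = true
  value     = var.use_pgp ? "\nexport AWS_ACCESS_KEY_ID=${aws_iam_access_key._.id}\nexport AWS_SECRET_ACCESS_KEY=$(echo \"${aws_iam_access_key._.encrypted_secret}\" | base64 -d | gpg -d )\n" : "\nexport AWS_ACCESS_KEY_ID=${aws_iam_access_key._.id}\nexport AWS_SECRET_ACCESS_KEY=${aws_iam_access_key._.secret}\n"
}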