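# ---------------------------------------------------------------------------
# Product OS Control Plane: artifact bucket, Firestore database, runtime
# service account, Cloud Run service and its invoker IAM.
#
# Inputs expected from the rest of the module (not declared here):
#   var.project_id, var.region, var.artifact_bucket_name, var.control_plane_image
#
# Inputs declared in this file so the dev defaults can be overridden per
# environment without editing this source:
#   var.control_plane_auth_mode  - value of the AUTH_MODE env var (default "dev")
#   var.control_plane_invokers   - IAM members granted roles/run.invoker
#                                  (default ["allUsers"], i.e. public)
# ---------------------------------------------------------------------------

# Controls the AUTH_MODE environment variable passed to the Control Plane
# container. The accepted values are defined by the application, not by this
# module; "dev" is what the original configuration hard-coded.
variable "control_plane_auth_mode" {
  description = "Value for the Control Plane AUTH_MODE env var (e.g. \"dev\" for local/dev stacks). Set to the application's production mode when deploying with IAM-restricted invokers."
  type        = string
  default     = "dev"
}

# IAM members that may invoke the Control Plane Cloud Run service.
# ["allUsers"] keeps the service publicly reachable (dev behaviour).
# In production pass the concrete callers instead, e.g.
# ["serviceAccount:frontend@<project>.iam.gserviceaccount.com"], or [] to grant
# no invokers from this module.
variable "control_plane_invokers" {
  description = "IAM members granted roles/run.invoker on the Control Plane service. Use [\"allUsers\"] only for dev."
  type        = list(string)
  default     = ["allUsers"]
}

# GCS bucket for artifacts (logs, AI outputs, patches).
# Object versioning is on so overwritten/deleted artifacts can be recovered.
# NOTE(review): versioning without a lifecycle_rule keeps every noncurrent
# version forever; add a noncurrent-version expiry once the retention
# requirement is known.
resource "google_storage_bucket" "artifacts" {
  name     = var.artifact_bucket_name
  location = var.region

  # Bucket-level IAM only (no per-object ACLs), and never allow allUsers /
  # allAuthenticatedUsers grants on a bucket that holds logs and patches.
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  versioning {
    enabled = true
  }
}

# Firestore (Native mode). The Firestore API must already be enabled on the
# project; the "(default)" database name is the fixed name Firestore expects.
resource "google_firestore_database" "default" {
  name        = "(default)"
  location_id = var.region
  type        = "FIRESTORE_NATIVE"
}

# Runtime identity for the Control Plane.
# NOTE(review): no IAM grant for this account on the artifacts bucket or the
# Firestore database appears in this file. If the service is expected to read
# or write them, grant the narrowest role at the bucket / database level
# (not project-wide) alongside this resource.
resource "google_service_account" "control_plane_sa" {
  account_id   = "sa-control-plane"
  display_name = "Product OS Control Plane"
}

# Cloud Run service for the Control Plane API.
resource "google_cloud_run_v2_service" "control_plane" {
  name     = "control-plane"
  location = var.region

  template {
    # Run as the dedicated SA rather than the default compute SA.
    service_account = google_service_account.control_plane_sa.email

    containers {
      image = var.control_plane_image

      env {
        name  = "GCP_PROJECT_ID"
        value = var.project_id
      }

      env {
        name  = "GCS_BUCKET_ARTIFACTS"
        value = google_storage_bucket.artifacts.name
      }

      # Previously hard-coded to "dev"; now driven by var.control_plane_auth_mode
      # so production can switch modes without a source edit.
      env {
        name  = "AUTH_MODE"
        value = var.control_plane_auth_mode
      }
    }
  }
}

# Invoker grants for the Control Plane service, one binding per member.
# With the default ["allUsers"] the service is public (dev only); restrict
# var.control_plane_invokers in any environment that is reachable from the
# internet with real data behind it.
resource "google_cloud_run_v2_service_iam_member" "control_plane_public" {
  for_each = toset(var.control_plane_invokers)

  name     = google_cloud_run_v2_service.control_plane.name
  location = var.region
  role     = "roles/run.invoker"
  member   = each.value
}

# Preserve existing state for stacks created before the binding was keyed by
# member: the old single resource maps to the "allUsers" instance.
moved {
  from = google_cloud_run_v2_service_iam_member.control_plane_public
  to   = google_cloud_run_v2_service_iam_member.control_plane_public["allUsers"]
}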