v1alpha2

type BackendConfigSpec struct {

	// Disable is to completely disable the backend configuration.
	// +optional
	Disable bool `json:"disable"`

	// +optional
	SecretSuffix string `json:"secretSuffix,omitempty"`

	// +optional
	InClusterConfig bool `json:"inClusterConfig,omitempty"`

	// +optional
	CustomConfiguration string `json:"customConfiguration,omitempty"`

	// +optional
	ConfigPath string `json:"configPath,omitempty"`

	// +optional
	Labels map[string]string `json:"labels,omitempty"`
}

type BackendConfigsReference struct {
	// Kind of the values referent, valid values are ('Secret', 'ConfigMap').
	// +kubebuilder:validation:Enum=Secret;ConfigMap
	// +required
	Kind string `json:"kind"`

	// Name of the configs referent. Should reside in the same namespace as the
	// referring resource.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	// +required
	Name string `json:"name"`

	// Keys is the data key where a specific value can be found at. Defaults to all keys.
	// +optional
	Keys []string `json:"keys,omitempty"`

	// Optional marks this BackendConfigsReference as optional. When set, a not found error
	// for the values reference is ignored, but any Key or
	// transient error will still result in a reconciliation failure.
	// +optional
	Optional bool `json:"optional,omitempty"`
}

type BranchPlanner struct {
	// EnablePathScope specifies if the Branch Planner should or shouldn't check
	// if a Pull Request has changes under `.spec.path`. If enabled extra
	// resources will be created only if there are any changes in terraform files.
	// +optional
	EnablePathScope bool `json:"enablePathScope"`
}

type CloudSpec struct {
	// +required
	Organization string `json:"organization"`

	// +required
	Workspaces *CloudWorkspacesSpec `json:"workspaces"`

	// +optional
	Hostname string `json:"hostname,omitempty"`

	// +optional
	Token string `json:"token,omitempty"`
}

type CloudWorkspacesSpec struct {
	// +optional
	Name string `json:"name"`

	// +optional
	Tags []string `json:"tags,omitempty"`
}

type CrossNamespaceSourceReference struct {
	// API version of the referent.
	// +optional
	APIVersion string `json:"apiVersion,omitempty"`

	// Kind of the referent.
	// +kubebuilder:validation:Enum=GitRepository;Bucket;OCIRepository
	// +required
	Kind string `json:"kind"`

	// Name of the referent.
	// +required
	Name string `json:"name"`

	// Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.
	// +optional
	Namespace string `json:"namespace,omitempty"`
}

type FileMapping struct {
	// Reference to a Secret that contains the file content
	SecretRef meta.SecretKeyReference `json:"secretRef"`
	// Location can be either user's home directory or the Terraform workspace
	// +kubebuilder:validation:Enum=home;workspace
	// +required
	Location string `json:"location"`
	// Path of the file - relative to the "location"
	// +kubebuilder:validation:Pattern=`^(.?[/_a-zA-Z0-9]{1,})*$`
	// +required
	Path string `json:"path"`
}

type ForceUnlockEnum string

type HealthCheck struct {
	// Name of the health check.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	// +required
	Name string `json:"name"`

	// Type of the health check, valid values are ('tcp', 'http').
	// If tcp is specified, address is required.
	// If http is specified, url is required.
	// +kubebuilder:validation:Enum=tcp;http
	// +required
	Type string `json:"type"`

	// URL to perform http health check on. Required when http type is specified.
	// Go template can be used to reference values from the terraform output
	// (e.g. https://example.org, {{.output_url}}).
	// +optional
	URL string `json:"url,omitempty"`

	// Address to perform tcp health check on. Required when tcp type is specified.
	// Go template can be used to reference values from the terraform output
	// (e.g. 127.0.0.1:8080, {{.address}}:{{.port}}).
	// +optional
	Address string `json:"address,omitempty"`

	// The timeout period at which the connection should timeout if unable to
	// complete the request.
	// When not specified, default 20s timeout is used.
	// +kubebuilder:default="20s"
	// +optional
	Timeout *metav1.Duration `json:"timeout,omitempty"`
}

type LockStatus struct {
	// +optional
	LastApplied string `json:"lastApplied,omitempty"`

	// Pending holds the identifier of the Lock Holder to be used with Force Unlock
	// +optional
	Pending string `json:"pending,omitempty"`
}

type PlanStatus struct {
	// +optional
	LastApplied string `json:"lastApplied,omitempty"`

	// +optional
	Pending string `json:"pending,omitempty"`

	// +optional
	IsDestroyPlan bool `json:"isDestroyPlan,omitempty"`

	// +optional
	IsDriftDetectionPlan bool `json:"isDriftDetectionPlan,omitempty"`
}

type ReadInputsFromSecretSpec struct {
	// +required
	Name string `json:"name"`

	// +required
	As string `json:"as"`
}

type Remediation struct {
	// Retries is the number of retries that should be attempted on failures
	// before bailing. Defaults to '0', a negative integer denotes unlimited
	// retries.
	// +optional
	Retries int64 `json:"retries,omitempty"`
}

type ResourceInventory struct {
	// Entries of Kubernetes resource object references.
	Entries []ResourceRef `json:"entries"`
}

type ResourceRef struct {
	// Terraform resource's name.
	Name string `json:"n"`

	// Type is Terraform resource's type
	Type string `json:"t"`

	// ID is the resource identifier. This is cloud-specific. For example, ARN is an ID on AWS.
	Identifier string `json:"id"`
}

type RunnerPodMetadata struct {

	// Labels to add to the runner pod
	// +optional
	Labels map[string]string `json:"labels,omitempty"`

	// Annotations to add to the runner pod
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
}

type RunnerPodSpec struct {

	// Runner pod image to use other than default
	// +optional
	Image string `json:"image,omitempty"`

	// List of sources to populate environment variables in the container.
	// The keys defined within a source must be a C_IDENTIFIER. All invalid keys
	// will be reported as an event when the container is starting. When a key exists in multiple
	// sources, the value associated with the last source will take precedence.
	// Values defined by an Env with a duplicate key will take precedence.
	// Cannot be updated.
	// +optional
	EnvFrom []corev1.EnvFromSource `json:"envFrom,omitempty"`

	// List of environment variables to set in the container.
	// Cannot be updated.
	// +optional
	// +patchMergeKey=name
	// +patchStrategy=merge
	Env []corev1.EnvVar `json:"env,omitempty" patchStrategy:"merge" patchMergeKey:"name"`

	// Set the NodeSelector for the Runner Pod
	// +optional
	NodeSelector map[string]string `json:"nodeSelector,omitempty"`

	// Set the Affinity for the Runner Pod
	// +optional
	Affinity *corev1.Affinity `json:"affinity,omitempty"`

	// Set the Tolerations for the Runner Pod
	// +optional
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`

	// Set Volume Mounts for the Runner Pod
	// +optional
	VolumeMounts []corev1.VolumeMount `json:"volumeMounts,omitempty"`

	// Set Volumes for the Runner Pod
	// +optional
	Volumes []corev1.Volume `json:"volumes,omitempty"`

	// Set up Init Containers for the Runner
	// +optional
	InitContainers []corev1.Container `json:"initContainers,omitempty"`

	// Set host aliases for the Runner Pod
	// +optional
	HostAliases []corev1.HostAlias `json:"hostAliases,omitempty"`

	// Set PriorityClassName for the Runner Pod container
	// +optional
	PriorityClassName string `json:"priorityClassName,omitempty"`

	// Set SecurityContext for the Runner Pod container
	// +optional
	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`

	// Set Resources for the Runner Pod container
	// +optional
	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
}

type RunnerPodTemplate struct {

	// +optional
	Metadata RunnerPodMetadata `json:"metadata,omitempty"`

	// +optional
	Spec RunnerPodSpec `json:"spec,omitempty"`
}

type TFStateSpec struct {
	// ForceUnlock a Terraform state if it has become locked for any reason. Defaults to `no`.
	//
	// This is an Enum and has the expected values of:
	//
	// - auto
	// - yes
	// - no
	//
	// WARNING: Only use `auto` in the cases where you are absolutely certain that
	// no other system is using this state, you could otherwise end up in a bad place
	// See https://www.terraform.io/language/state/locking#force-unlock for more
	// information on the terraform state lock and force unlock.
	//
	// +optional
	// +kubebuilder:validation:Enum:=yes;no;auto
	// +kubebuilder:default:string=no
	ForceUnlock ForceUnlockEnum `json:"forceUnlock,omitempty"`

	// LockIdentifier holds the Identifier required by Terraform to unlock the state
	// if it ever gets into a locked state.
	//
	// You'll need to put the Lock Identifier in here while setting ForceUnlock to
	// either `yes` or `auto`.
	//
	// Leave this empty to do nothing, set this to the value of the `Lock Info: ID: [value]`,
	// e.g. `f2ab685b-f84d-ac0b-a125-378a22877e8d`, to force unlock the state.
	//
	// +optional
	LockIdentifier string `json:"lockIdentifier,omitempty"`

	// LockTimeout is a Duration string that instructs Terraform to retry acquiring a lock for the specified period of
	// time before returning an error. The duration syntax is a number followed by a time unit letter, such as `3s` for
	// three seconds.
	//
	// Defaults to `0s` which will behave as though `LockTimeout` was not set
	//
	// +optional
	// +kubebuilder:default:string="0s"
	LockTimeout metav1.Duration `json:"lockTimeout,omitempty"`
}

type Terraform struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec TerraformSpec `json:"spec,omitempty"`
	// +kubebuilder:default={"observedGeneration":-1}
	Status TerraformStatus `json:"status,omitempty"`
}

type TerraformList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Terraform `json:"items"`
}

type TerraformSpec struct {

	// ApprovePlan specifies name of a plan wanted to approve.
	// If its value is "auto", the controller will automatically approve every plan.
	// +optional
	ApprovePlan string `json:"approvePlan,omitempty"`

	// Destroy produces a destroy plan. Applying the plan will destroy all resources.
	// +optional
	Destroy bool `json:"destroy,omitempty"`

	// +optional
	BackendConfig *BackendConfigSpec `json:"backendConfig,omitempty"`

	// +optional
	BackendConfigsFrom []BackendConfigsReference `json:"backendConfigsFrom,omitempty"`

	// +optional
	Cloud *CloudSpec `json:"cloud,omitempty"`

	// +optional
	// +kubebuilder:default:=default
	Workspace string `json:"workspace,omitempty"`

	// List of input variables to set for the Terraform program.
	// +optional
	Vars []Variable `json:"vars,omitempty"`

	// List of references to a Secret or a ConfigMap to generate variables for
	// Terraform resources based on its data, selectively by varsKey. Values of the later
	// Secret / ConfigMap with the same keys will override those of the former.
	// +optional
	VarsFrom []VarsReference `json:"varsFrom,omitempty"`

	// Values map to the Terraform variable "values", which is an object of arbitrary values.
	// It is a convenient way to pass values to Terraform resources without having to define
	// a variable for each value. To use this feature, your Terraform file must define the variable "values".
	// +optional
	Values *apiextensionsv1.JSON `json:"values,omitempty"`

	// TfVarsFiles loads all given .tfvars files. It copycats the -var-file functionality.
	// +optional
	TfVarsFiles []string `json:"tfVarsFiles,omitempty"`

	// List of all configuration files to be created in initialization.
	// +optional
	FileMappings []FileMapping `json:"fileMappings,omitempty"`

	// The interval at which to reconcile the Terraform.
	// +required
	Interval metav1.Duration `json:"interval"`

	// The interval at which to retry a previously failed reconciliation.
	// The default value is 15 when not specified.
	// +optional
	RetryInterval *metav1.Duration `json:"retryInterval,omitempty"`

	// Path to the directory containing Terraform (.tf) files.
	// Defaults to 'None', which translates to the root path of the SourceRef.
	// +optional
	Path string `json:"path,omitempty"`

	// SourceRef is the reference of the source where the Terraform files are stored.
	// +required
	SourceRef CrossNamespaceSourceReference `json:"sourceRef"`

	// Suspend is to tell the controller to suspend subsequent TF executions,
	// it does not apply to already started executions. Defaults to false.
	// +optional
	Suspend bool `json:"suspend,omitempty"`

	// Force instructs the controller to unconditionally
	// re-plan and re-apply TF resources. Defaults to false.
	// +kubebuilder:default:=false
	// +optional
	Force bool `json:"force,omitempty"`

	// +optional
	ReadInputsFromSecrets []ReadInputsFromSecretSpec `json:"readInputsFromSecrets,omitempty"`

	// A list of target secrets for the outputs to be written as.
	// +optional
	WriteOutputsToSecret *WriteOutputsToSecretSpec `json:"writeOutputsToSecret,omitempty"`

	// Disable automatic drift detection. Drift detection may be resource intensive in
	// the context of a large cluster or complex Terraform statefile. Defaults to false.
	// +kubebuilder:default:=false
	// +optional
	DisableDriftDetection bool `json:"disableDriftDetection,omitempty"`

	// +optional
	CliConfigSecretRef *corev1.SecretReference `json:"cliConfigSecretRef,omitempty"`

	// List of health checks to be performed.
	// +optional
	HealthChecks []HealthCheck `json:"healthChecks,omitempty"`

	// Create destroy plan and apply it to destroy terraform resources
	// upon deletion of this object. Defaults to false.
	// +kubebuilder:default:=false
	// +optional
	DestroyResourcesOnDeletion bool `json:"destroyResourcesOnDeletion,omitempty"`

	// Name of a ServiceAccount for the runner Pod to provision Terraform resources.
	// Default to tf-runner.
	// +kubebuilder:default:=tf-runner
	// +optional
	ServiceAccountName string `json:"serviceAccountName,omitempty"`

	// Clean the runner pod up after each reconciliation cycle
	// +kubebuilder:default:=true
	// +optional
	AlwaysCleanupRunnerPod *bool `json:"alwaysCleanupRunnerPod,omitempty"`

	// Configure the termination grace period for the runner pod. Use this parameter
	// to allow the Terraform process to gracefully shutdown. Consider increasing for
	// large, complex or slow-moving Terraform managed resources.
	// +kubebuilder:default:=30
	// +optional
	RunnerTerminationGracePeriodSeconds *int64 `json:"runnerTerminationGracePeriodSeconds,omitempty"`

	// RefreshBeforeApply forces refreshing of the state before the apply step.
	// +kubebuilder:default:=false
	// +optional
	RefreshBeforeApply bool `json:"refreshBeforeApply,omitempty"`

	// +optional
	RunnerPodTemplate RunnerPodTemplate `json:"runnerPodTemplate,omitempty"`

	// EnableInventory enables the object to store resource entries as the inventory for external use.
	// +optional
	EnableInventory bool `json:"enableInventory,omitempty"`

	// +optional
	TFState *TFStateSpec `json:"tfstate,omitempty"`

	// Targets specify the resource, module or collection of resources to target.
	// +optional
	Targets []string `json:"targets,omitempty"`

	// Parallelism limits the number of concurrent operations of Terraform apply step. Zero (0) means using the default value.
	// +kubebuilder:default:=0
	// +optional
	Parallelism int32 `json:"parallelism,omitempty"`

	// StoreReadablePlan enables storing the plan in a readable format.
	// +kubebuilder:validation:Enum=none;json;human
	// +kubebuilder:default:=none
	// +optional
	StoreReadablePlan string `json:"storeReadablePlan,omitempty"`

	// +optional
	Webhooks []Webhook `json:"webhooks,omitempty"`

	// +optional
	DependsOn []meta.NamespacedObjectReference `json:"dependsOn,omitempty"`

	// Enterprise is the enterprise configuration placeholder.
	// +optional
	Enterprise *apiextensionsv1.JSON `json:"enterprise,omitempty"`

	// PlanOnly specifies if the reconciliation should or should not stop at plan
	// phase.
	// +optional
	PlanOnly bool `json:"planOnly,omitempty"`

	// BreakTheGlass specifies if the reconciliation should stop
	// and allow interactive shell in case of emergency.
	// +optional
	BreakTheGlass bool `json:"breakTheGlass,omitempty"`

	// BranchPlanner configuration.
	// +optional
	BranchPlanner *BranchPlanner `json:"branchPlanner,omitempty"`

	// Remediation specifies what the controller should do when reconciliation
	// fails. The default is to not perform any action.
	// +optional
	Remediation *Remediation `json:"remediation,omitempty"`
}

type TerraformStatus struct {
	meta.ReconcileRequestStatus `json:",inline"`

	// ObservedGeneration is the last reconciled generation.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`

	// The last successfully applied revision.
	// The revision format for Git sources is <branch|tag>/<commit-sha>.
	// +optional
	LastAppliedRevision string `json:"lastAppliedRevision,omitempty"`

	// LastAttemptedRevision is the revision of the last reconciliation attempt.
	// +optional
	LastAttemptedRevision string `json:"lastAttemptedRevision,omitempty"`

	// LastPlannedRevision is the revision used by the last planning process.
	// The result could be either no plan change or a new plan generated.
	// +optional
	LastPlannedRevision string `json:"lastPlannedRevision,omitempty"`

	// LastPlanAt is the time when the last terraform plan was performed
	// +optional
	LastPlanAt *metav1.Time `json:"lastPlanAt,omitempty"`

	// LastDriftDetectedAt is the time when the last drift was detected
	// +optional
	LastDriftDetectedAt *metav1.Time `json:"lastDriftDetectedAt,omitempty"`

	// LastAppliedByDriftDetectionAt is the time when the last drift was detected and
	// terraform apply was performed as a result
	// +optional
	LastAppliedByDriftDetectionAt *metav1.Time `json:"lastAppliedByDriftDetectionAt,omitempty"`

	// +optional
	AvailableOutputs []string `json:"availableOutputs,omitempty"`

	// +optional
	Plan PlanStatus `json:"plan,omitempty"`

	// Inventory contains the list of Terraform resource object references that have been successfully applied.
	// +optional
	Inventory *ResourceInventory `json:"inventory,omitempty"`

	// +optional
	Lock LockStatus `json:"lock,omitempty"`

	// ReconciliationFailures is the number of reconciliation
	// failures since the last success or update.
	// +optional
	ReconciliationFailures int64 `json:"reconciliationFailures,omitempty"`
}

type Variable struct {
	// Name is the name of the variable
	// +required
	Name string `json:"name"`

	// +optional
	Value *apiextensionsv1.JSON `json:"value,omitempty"`

	// +optional
	ValueFrom *corev1.EnvVarSource `json:"valueFrom,omitempty"`
}

type VarsReference struct {
	// Kind of the values referent, valid values are ('Secret', 'ConfigMap').
	// +kubebuilder:validation:Enum=Secret;ConfigMap
	// +required
	Kind string `json:"kind"`

	// Name of the values referent. Should reside in the same namespace as the
	// referring resource.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	// +required
	Name string `json:"name"`

	// VarsKeys is the data key at which a specific value can be found. Defaults to all keys.
	// +optional
	VarsKeys []string `json:"varsKeys,omitempty"`

	// Optional marks this VarsReference as optional. When set, a not found error
	// for the values reference is ignored, but any VarsKey or
	// transient error will still result in a reconciliation failure.
	// +optional
	Optional bool `json:"optional,omitempty"`
}

type Webhook struct {
	// +kubebuilder:validation:Enum=post-planning
	// +kubebuilder:default:=post-planning
	// +required
	Stage string `json:"stage"`

	// +kubebuilder:default:=true
	// +optional
	Enabled *bool `json:"enabled,omitempty"`

	// +required
	URL string `json:"url"`

	// +kubebuilder:value:Enum=SpecAndPlan,SpecOnly,PlanOnly
	// +kubebuilder:default:=SpecAndPlan
	// +optional
	PayloadType string `json:"payloadType,omitempty"`

	// +optional
	ErrorMessageTemplate string `json:"errorMessageTemplate,omitempty"`

	// +required
	TestExpression string `json:"testExpression,omitempty"`
}

type WriteOutputsToSecretSpec struct {
	// Name is the name of the Secret to be written
	// +required
	Name string `json:"name"`

	// Labels to add to the outputted secret
	// +optional
	Labels map[string]string `json:"labels,omitempty"`

	// Annotations to add to the outputted secret
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`

	// Outputs contain the selected names of outputs to be written
	// to the secret. Empty array means writing all outputs, which is default.
	// +optional
	Outputs []string `json:"outputs,omitempty"`
}