# Deploys the quotesdb API Worker using wrangler.
# The Cloudflare Terraform provider v4 cannot upload ES module workers that
# import wasm files (error 10021). wrangler handles the multipart module bundle
# upload correctly, so we use a null_resource with local-exec instead.
#
# The worker route (quotes.elijah.run/api/*) is also managed by wrangler via
# wrangler.toml [[routes]] — keeping route and script lifecycle together avoids
# authentication errors from split ownership.
#
# Build before applying: just build-api (runs worker-build --release)
# Output lands in build/: index.js (ES module entry) + index_bg.wasm (wasm-bindgen output).
resource "null_resource" "worker_deploy" {
  # Re-deploy whenever the compiled JS or wasm changes.
  triggers = {
    js_hash   = filemd5("../build/index.js")
    wasm_hash = filemd5("../build/index_bg.wasm")
  }

  # Run wrangler deploy from the quotesdb project root (where build/ and wrangler.toml live).
  provisioner "local-exec" {
    command     = "wrangler deploy --config wrangler.toml"
    working_dir = ".."
    environment = {
      CLOUDFLARE_API_TOKEN  = var.cloudflare_api_token
      # Providing the account ID avoids a /memberships API call that fails
      # with restricted-scope tokens.
      CLOUDFLARE_ACCOUNT_ID = var.cloudflare_account_id
    }
  }
}

# The ADMIN_AUTH_CODE worker secret must be set before the first deploy.
# Run once (or whenever you need to rotate it):
#
#   wrangler secret put ADMIN_AUTH_CODE --config wrangler.toml
#
# When ADMIN_AUTH_CODE is set, it overrides the DB-stored admin code and the
# reset-auth-code endpoint (/api/admin/reset-auth-code) returns 409 Conflict.
# To rotate it, use `wrangler secret put` again — no redeploy needed.