/**
 * Copyright 2026 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

output "asset_search_results" {
  description = "Cloud Asset Inventory search results."
  value = {
    for k, v in data.google_cloud_asset_search_all_resources.default : k => v.results
  }
}

output "custom_constraint_ids" {
  description = "Map of CUSTOM_CONSTRAINTS => ID in the organization."
  value       = { for k, v in google_org_policy_custom_constraint.constraint : k => v.id }
}

output "custom_role_id" {
  description = "Map of custom role IDs created in the organization."
  value       = local.custom_role_ids
}

output "custom_roles" {
  description = "Map of custom roles resources created in the organization."
  value       = google_organization_iam_custom_role.roles
}

output "id" {
  description = "Fully qualified organization id."
  value       = var.organization_id
  depends_on = [
    google_logging_organization_settings.default,
    google_org_policy_custom_constraint.constraint,
    google_org_policy_policy.default,
    google_organization_iam_binding.authoritative,
    google_organization_iam_binding.bindings,
    google_organization_iam_custom_role.roles,
    google_organization_iam_member.bindings,
    google_tags_tag_key.default,
    google_tags_tag_key_iam_binding.default,
    google_tags_tag_value.default,
    google_tags_tag_value_iam_binding.default,
  ]
}

output "logging_identities" {
  description = "Principals used for logging sinks."
  value = {
    kms = try(
      google_logging_organization_settings.default[0].kms_service_account_id, null
    )
    logging = try(
      google_logging_organization_settings.default[0].logging_service_account_id, null
    )
  }
}

output "logging_sinks" {
  description = "Logging sink resources."
  value = {
    for name, sink in google_logging_organization_sink.sink :
    name => sink
  }
}

output "network_tag_keys" {
  description = "Tag key resources."
  value = {
    for k, v in google_tags_tag_key.default : k => v if(
      v.purpose != null && v.purpose != ""
    )
  }
}

output "network_tag_values" {
  description = "Tag value resources."
  value = {
    for k, v in google_tags_tag_value.default :
    k => v if local.tag_values[k].tag_network != null
  }
}

# TODO: deprecate in favor of id

output "organization_id" {
  description = "Organization id dependent on module resources."
  value       = var.organization_id
  depends_on = [
    google_org_policy_custom_constraint.constraint,
    google_org_policy_policy.default,
    google_organization_iam_binding.authoritative,
    google_organization_iam_binding.bindings,
    google_organization_iam_member.bindings,
    google_organization_iam_custom_role.roles,
    google_tags_tag_key.default,
    google_tags_tag_key_iam_binding.default,
    google_tags_tag_value.default,
    google_tags_tag_value_iam_binding.default,
  ]
}

output "organization_policies_ids" {
  description = "Map of ORGANIZATION_POLICIES => ID in the organization."
  value       = { for k, v in google_org_policy_policy.default : k => v.id }
}

output "scc_custom_sha_modules_ids" {
  description = "Map of SCC CUSTOM SHA MODULES => ID in the organization."
  value       = { for k, v in google_scc_management_organization_security_health_analytics_custom_module.scc_organization_custom_module : k => v.id }
}

output "scc_mute_configs" {
  description = "SCC mute configurations."
  value       = google_scc_v2_organization_mute_config.scc_mute_configs
}

output "scim_tenants" {
  description = "Workforce Identity provider SCIM tenants."
  value = {
    for k, v in google_iam_workforce_pool_provider_scim_tenant.default : k => {
      id            = v.id
      pool          = v.workforce_pool_id
      provider      = v.provider_id
      state         = v.state
      base_uri      = v.base_uri
      service_agent = v.service_agent
    }
  }
}

output "service_agents" {
  description = "Identities of all organization-level service agents."
  value       = local.service_agents
  depends_on = [
    google_organization_service_identity.default
  ]
}

output "sink_writer_identities" {
  description = "Writer identities created for each sink."
  value = {
    for name, sink in google_logging_organization_sink.sink :
    name => sink.writer_identity
  }
}

output "tag_keys" {
  description = "Tag key resources."
  value = {
    for k, v in google_tags_tag_key.default : k => v if(
      v.purpose == null || v.purpose == ""
    )
  }
}

output "tag_values" {
  description = "Tag value resources."
  value = {
    for k, v in google_tags_tag_value.default :
    k => v if local.tag_values[k].tag_network == null
  }
}

output "workforce_identity_pool_ids" {
  description = "Workforce identity pool ids."
  value = {
    for k, v in google_iam_workforce_pool.default : k => v.name
  }
}

output "workforce_identity_provider_names" {
  description = "Workforce Identity provider names."
  value = {
    for k, v in google_iam_workforce_pool_provider.default : k => v.name
  }
}

output "workforce_identity_providers" {
  description = "Workforce Identity provider attributes."
  value = {
    for k, v in local.wfif_providers : k => {
      name = google_iam_workforce_pool_provider.default[k].name
      pool = google_iam_workforce_pool.default[v.pool].name
    }
  }
}