infra/stacks/fire-planner/main.tf

variable "image_tag" {
  type        = string
  default     = "latest"
  description = "fire-planner image tag. Use 8-char git SHA in CI; :latest only for local trials."
}

variable "postgresql_host" { type = string }

variable "tls_secret_name" {
  type      = string
  sensitive = true
}

locals {
  namespace = "fire-planner"
  # Phase 3 cutover 2026-05-07. NOTE: the registry-private repo for
  # fire-planner has 0 tags — first build via Woodpecker on the new Forgejo
  # repo (viktor/fire-planner, Dockerfile + .woodpecker.yml added 2026-05-07)
  # must succeed BEFORE the next pod restart, otherwise pulls will 404.
  image = "forgejo.viktorbarzin.me/viktor/fire-planner:${var.image_tag}"
  labels = {
    app = "fire-planner"
  }
}

resource "kubernetes_namespace" "fire_planner" {
  metadata {
    name = local.namespace
    labels = {
      tier              = local.tiers.aux
      "istio-injection" = "disabled"
      # Lets us drive the deployed UI from the in-cluster chrome-service
      # for headless verification (NetworkPolicy in chrome-service ns admits
      # any namespace carrying this label).
      "chrome-service.viktorbarzin.me/client" = "true"
    }
  }
  lifecycle {
    # KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps
    # this label on every namespace.
    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
  }
}

# App secrets — the recompute-API bearer token (manual seed in Vault).
# Seed before applying:
#   secret/fire-planner -> property `recompute_bearer_token`
resource "kubernetes_manifest" "external_secret" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "fire-planner-secrets"
      namespace = local.namespace
    }
    spec = {
      refreshInterval = "15m"
      secretStoreRef = {
        name = "vault-kv"
        kind = "ClusterSecretStore"
      }
      target = {
        name = "fire-planner-secrets"
        template = {
          metadata = {
            annotations = {
              "reloader.stakater.com/match" = "true"
            }
          }
        }
      }
      data = [
        {
          secretKey = "RECOMPUTE_BEARER_TOKEN"
          remoteRef = {
            key      = "fire-planner"
            property = "recompute_bearer_token"
          }
        },
        {
          secretKey = "ACTUALBUDGET_API_URL"
          remoteRef = {
            key      = "fire-planner"
            property = "actualbudget_api_url"
          }
        },
        {
          secretKey = "ACTUALBUDGET_API_KEY"
          remoteRef = {
            key      = "fire-planner"
            property = "actualbudget_api_key"
          }
        },
        {
          secretKey = "ACTUALBUDGET_SYNC_ID"
          remoteRef = {
            key      = "fire-planner"
            property = "actualbudget_sync_id"
          }
        },
      ]
    }
  }
  depends_on = [kubernetes_namespace.fire_planner]
}

# DB credentials from Vault database engine (rotated every 7 days).
# Template builds the asyncpg DSN consumed by the FastAPI app + CronJob
# as DB_CONNECTION_STRING.
resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "fire-planner-db-creds"
      namespace = local.namespace
    }
    spec = {
      refreshInterval = "15m"
      secretStoreRef = {
        name = "vault-database"
        kind = "ClusterSecretStore"
      }
      target = {
        name = "fire-planner-db-creds"
        template = {
          metadata = {
            annotations = {
              "reloader.stakater.com/match" = "true"
            }
          }
          data = {
            DB_CONNECTION_STRING = "postgresql+asyncpg://fire_planner:{{ .password }}@${var.postgresql_host}:5432/fire_planner"
            DB_PASSWORD          = "{{ .password }}"
          }
        }
      }
      data = [{
        secretKey = "password"
        remoteRef = {
          key      = "static-creds/pg-fire-planner"
          property = "password"
        }
      }]
    }
  }
  depends_on = [kubernetes_namespace.fire_planner]
}

# Read-only credentials for the wealthfolio_sync mirror DB (a separate
# Postgres database on the same CNPG cluster). The wealthfolio pod's
# pg-sync sidecar populates `daily_account_valuation` etc. hourly; the
# fire-planner ingest reads those tables via this role.
resource "kubernetes_manifest" "wealthfolio_sync_db_external_secret" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "wealthfolio-sync-db-creds"
      namespace = local.namespace
    }
    spec = {
      refreshInterval = "15m"
      secretStoreRef = {
        name = "vault-database"
        kind = "ClusterSecretStore"
      }
      target = {
        name = "wealthfolio-sync-db-creds"
        template = {
          metadata = {
            annotations = {
              "reloader.stakater.com/match" = "true"
            }
          }
          data = {
            WEALTHFOLIO_SYNC_DB_CONNECTION_STRING = "postgresql+asyncpg://wealthfolio_sync:{{ .password }}@${var.postgresql_host}:5432/wealthfolio_sync"
          }
        }
      }
      data = [{
        secretKey = "password"
        remoteRef = {
          key      = "static-creds/pg-wealthfolio-sync"
          property = "password"
        }
      }]
    }
  }
  depends_on = [kubernetes_namespace.fire_planner]
}

# tls-secret for fire-planner.viktorbarzin.me is auto-cloned into every
# namespace by Kyverno's `sync-tls-secret` ClusterPolicy — no local module
# call needed.

resource "kubernetes_deployment" "fire_planner" {
  metadata {
    name      = "fire-planner"
    namespace = kubernetes_namespace.fire_planner.metadata[0].name
    labels = merge(local.labels, {
      tier = local.tiers.aux
    })
    annotations = {
      "reloader.stakater.com/search" = "true"
    }
  }

  spec {
    replicas = 1
    strategy {
      type = "Recreate"
    }

    selector {
      match_labels = local.labels
    }

    template {
      metadata {
        labels = local.labels
        annotations = {
          "dependency.kyverno.io/wait-for" = "postgresql.dbaas:5432"
        }
      }

      spec {
        image_pull_secrets {
          name = "registry-credentials"
        }

        init_container {
          name              = "alembic-migrate"
          image             = local.image
          image_pull_policy = "Always"
          command           = ["python", "-m", "fire_planner", "migrate"]

          env_from {
            secret_ref {
              name = "fire-planner-db-creds"
            }
          }

          resources {
            requests = {
              cpu    = "50m"
              memory = "256Mi"
            }
            limits = {
              memory = "512Mi"
            }
          }
        }

        container {
          name  = "fire-planner"
          image = local.image

          command = ["python", "-m", "fire_planner", "serve"]

          port {
            container_port = 8080
          }

          env_from {
            secret_ref {
              name = "fire-planner-secrets"
            }
          }
          env_from {
            secret_ref {
              name = "fire-planner-db-creds"
            }
          }
          env_from {
            secret_ref {
              name = "wealthfolio-sync-db-creds"
            }
          }

          readiness_probe {
            http_get {
              path = "/healthz"
              port = 8080
            }
            initial_delay_seconds = 5
            period_seconds        = 10
          }

          liveness_probe {
            http_get {
              path = "/healthz"
              port = 8080
            }
            initial_delay_seconds = 5
            period_seconds        = 10
          }

          resources {
            requests = {
              cpu    = "100m"
              memory = "512Mi"
            }
            limits = {
              memory = "1024Mi"
            }
          }
        }
      }
    }
  }

  lifecycle {
    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
  }

  depends_on = [
    kubernetes_manifest.external_secret,
    kubernetes_manifest.db_external_secret,
  ]
}

# ClusterIP-only — /recompute is cluster-internal (operator triggers
# via kubectl port-forward or ad-hoc CronJob).
resource "kubernetes_service" "fire_planner" {
  metadata {
    name      = "fire-planner"
    namespace = kubernetes_namespace.fire_planner.metadata[0].name
    labels    = local.labels
  }

  spec {
    type     = "ClusterIP"
    selector = local.labels

    port {
      name        = "http"
      port        = 8080
      target_port = 8080
    }
  }
}

# Monthly recompute on the 2nd at 09:00 UTC. Wealthfolio-sync runs on
# the 1st at 08:00, so account_snapshot is fresh by the time the
# planner picks up.
resource "kubernetes_cron_job_v1" "fire_planner_recompute" {
  metadata {
    name      = "fire-planner-recompute"
    namespace = kubernetes_namespace.fire_planner.metadata[0].name
  }
  spec {
    schedule                      = "0 9 2 * *"
    concurrency_policy            = "Forbid"
    successful_jobs_history_limit = 3
    failed_jobs_history_limit     = 5
    starting_deadline_seconds     = 600

    job_template {
      metadata {
        labels = local.labels
      }
      spec {
        backoff_limit              = 1
        ttl_seconds_after_finished = 86400
        template {
          metadata {
            labels = local.labels
          }
          spec {
            restart_policy = "OnFailure"
            image_pull_secrets {
              name = "registry-credentials"
            }
            container {
              name    = "recompute"
              image   = local.image
              command = ["python", "-m", "fire_planner", "recompute-all"]

              env_from {
                secret_ref {
                  name = "fire-planner-secrets"
                }
              }
              env_from {
                secret_ref {
                  name = "fire-planner-db-creds"
                }
              }
              env_from {
                secret_ref {
                  name = "wealthfolio-sync-db-creds"
                }
              }

              resources {
                requests = {
                  cpu    = "200m"
                  memory = "1Gi"
                }
                limits = {
                  memory = "2Gi"
                }
              }
            }
          }
        }
      }
    }
  }

  lifecycle {
    # KYVERNO_LIFECYCLE_V1
    ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config]
  }

  depends_on = [
    kubernetes_manifest.external_secret,
    kubernetes_manifest.db_external_secret,
    kubernetes_manifest.wealthfolio_sync_db_external_secret,
  ]
}

# Public ingress at fire-planner.viktorbarzin.me. Authentik-protected
# (forward-auth at the Traefik layer); Cloudflare-proxied for CDN +
# DDoS shielding. Backend FastAPI serves the SPA at / and the API
# under /api/* (FRONTEND_DIST=/app/frontend_dist, baked into the image).
module "ingress" {
  source          = "../../modules/kubernetes/ingress_factory"
  dns_type        = "proxied"
  namespace       = kubernetes_namespace.fire_planner.metadata[0].name
  name            = "fire-planner"
  port            = 8080
  tls_secret_name = var.tls_secret_name
  auth            = "required"
  extra_annotations = {
    "gethomepage.dev/enabled"     = "true"
    "gethomepage.dev/name"        = "FIRE Planner"
    "gethomepage.dev/description" = "Risk-adjusted retirement projections (ProjectionLab clone)"
    "gethomepage.dev/icon"        = "mdi-fire"
    "gethomepage.dev/group"       = "Finance"
  }
}

# Second ingress at the same host for the /api/ prefix WITHOUT Authentik
# forward-auth. The SPA loads under Authentik (main ingress at /), then its
# fetch() XHRs hit /api/* directly — ANY forward-auth here (required OR
# public-tier auto-bind) would 302 the XHR to a cross-origin Authentik
# login page, which fetch() rejects under CORS preflight rules. Even the
# `auth = "public"` flow needs a 302+cookie dance on first visit to set
# the guest session cookie, so it doesn't help XHR APIs. App-layer bearer
# auth still gates writes (POST/PATCH/DELETE on scenarios, /recompute,
# /simulate); read endpoints are open. Acceptable for a personal tool
# whose only data is anonymous numeric projections.
module "ingress_api" {
  source          = "../../modules/kubernetes/ingress_factory"
  dns_type        = "none"
  namespace       = kubernetes_namespace.fire_planner.metadata[0].name
  name            = "fire-planner-api"
  host            = "fire-planner" # share effective_host with main ingress
  service_name    = "fire-planner"
  port            = 8080
  ingress_path    = ["/api/"]
  tls_secret_name = var.tls_secret_name
  # auth = "none": XHR-based API endpoints; forward-auth 302+cookie-dance breaks CORS preflight and browser fetch().
  auth            = "none"
}

# Plan-time read of the ESO-created K8s Secret for Grafana datasource
# password. First-apply gotcha: must
# `terragrunt apply -target=kubernetes_manifest.db_external_secret` so
# the Secret exists before this data source plans.
data "kubernetes_secret" "fire_planner_db_creds" {
  metadata {
    name      = "fire-planner-db-creds"
    namespace = kubernetes_namespace.fire_planner.metadata[0].name
  }
  depends_on = [kubernetes_manifest.db_external_secret]
}

# Grafana datasource for fire_planner PostgreSQL DB.
# Lives in the monitoring namespace so the grafana sidecar
# (label grafana_datasource=1) picks it up.
#
# Grafana 11.2+ Postgres plugin reads the DB name from jsonData.database;
# the top-level `database` field is silently ignored by the frontend and
# triggers "you do not have default database" on every panel.
# See github.com/grafana/grafana#112418 — same fix as the payslip-ingest
# datasource (commit cc56ba29).
resource "kubernetes_config_map" "grafana_fire_planner_datasource" {
  metadata {
    name      = "grafana-fire-planner-datasource"
    namespace = "monitoring"
    labels = {
      grafana_datasource = "1"
    }
  }
  data = {
    "fire-planner-datasource.yaml" = yamlencode({
      apiVersion = 1
      datasources = [{
        name   = "FirePlanner"
        type   = "postgres"
        access = "proxy"
        url    = "${var.postgresql_host}:5432"
        user   = "fire_planner"
        uid    = "fire-planner-pg"
        jsonData = {
          database        = "fire_planner"
          sslmode         = "disable"
          postgresVersion = 1600
          timescaledb     = false
        }
        secureJsonData = {
          password = data.kubernetes_secret.fire_planner_db_creds.data["DB_PASSWORD"]
        }
        editable = true
      }]
    })
  }
}