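# architecture.py — diagram-as-code for the DevSecOps EKS project
#
# Source of truth for the big picture (CI/CD + EKS runtime).
# Update it in the same MR as any architecture change (e.g. GitOps).
#
# Regenerate the image from a dedicated venv — NOT the application's one, so the
# rendering toolchain (diagrams, graphviz) never ends up in the app's
# dependency set or its container image:
#   python -m venv ~/.venvs/diagrams && source ~/.venvs/diagrams/bin/activate
#   pip install -r requirements.txt
#   sudo apt install -y graphviz        # system dependency (rendering)
#   cd docs/diagrams && python architecture.py   # writes devsecops-eks.png here
#
# Importing this module has no side effects; rendering only happens in main().

from diagrams import Diagram, Cluster, Edge
from diagrams.onprem.client import Users
from diagrams.onprem.ci import GitlabCI
from diagrams.onprem.iac import Terraform
from diagrams.onprem.network import Envoy
from diagrams.onprem.certificates import CertManager
from diagrams.saas.cdn import Cloudflare
from diagrams.aws.compute import ECR
from diagrams.aws.database import RDS
from diagrams.aws.security import SecretsManager
from diagrams.aws.network import ELB
from diagrams.k8s.compute import Deploy
from diagrams.k8s.network import SVC
from diagrams.k8s.podconfig import Secret

# Graphviz graph-level attributes shared by the whole diagram.
graph_attr = {"fontsize": "18", "bgcolor": "white", "splines": "spline"}


def main() -> None:
    """Render the architecture diagram to ./devsecops-eks.png.

    `filename` is relative, so the image lands in the current working
    directory — hence the `cd docs/diagrams` in the header. `show=False`
    keeps the image viewer from opening, so the script runs headless
    (CI job, SSH session).
    """
    with Diagram(
        "DevSecOps - FastAPI sur AWS EKS",
        filename="devsecops-eks",
        show=False,
        direction="LR",
        graph_attr=graph_attr,
    ):
        # Actors outside every cluster.
        dev = Users("Développeur")
        user = Users("Utilisateur")
        cf = Cloudflare("Cloudflare DNS")

        with Cluster("GitLab CI/CD"):
            ci = GitlabCI("build Kaniko\nscan Trivy\ndeploy Kustomize")

        with Cluster("AWS - Terraform IaC"):
            tf = Terraform("Terraform")
            ecr = ECR("ECR")
            sm = SecretsManager("Secrets Manager")
            rds = RDS("RDS PostgreSQL")

            with Cluster("EKS (cluster éphémère)"):
                elb = ELB("ELB")
                envoy = Envoy("Envoy Gateway")
                svc = SVC("Service")
                app = Deploy("FastAPI")
                eso = Deploy("External Secrets\nOperator (IRSA)")
                sec = Secret("Secret K8s")
                cm = CertManager("cert-manager")

        # CI/CD: the pipeline is the only path that pushes images and applies
        # manifests — the developer never talks to ECR or the cluster directly.
        dev >> Edge(label="git push") >> ci
        ci >> Edge(label="push image") >> ecr
        ci >> Edge(label="apply -k") >> app

        # Provisioning: dotted edges mark infrastructure created by Terraform,
        # as opposed to runtime data flows.
        tf >> Edge(style="dotted", label="provisionne") >> [ecr, rds, sm]

        # Runtime traffic: user -> Cloudflare -> ELB -> Envoy -> Service -> app.
        user >> Edge(label="HTTPS") >> cf >> elb >> envoy >> svc >> app
        app >> Edge(label="5432") >> rds

        # Secrets: ESO fetches from Secrets Manager through IRSA (dashed = IAM
        # trust, not network traffic) and materialises a K8s Secret for the app.
        eso >> Edge(style="dashed", label="IRSA") >> sm
        eso >> sec >> app

        # TLS: cert-manager solves the ACME DNS-01 challenge via Cloudflare DNS.
        cm >> Edge(style="dashed", label="Let's Encrypt DNS-01") >> cf


if __name__ == "__main__":
    main()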