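#!/usr/bin/env bash
# =============================================================================
# 03-create-secrets.sh (Linux)
# Creates and configures secrets in Google Cloud Secret Manager.
#
# Run this after 02-setup-project.sh to set up sensitive configuration
# values (e.g., MongoDB connection string).
#
# Required env (from GCR/.env): GCP_PROJECT_ID
# Requires: gcloud CLI, authenticated against the target project.
#
# Windows users: run GCR/scripts/03-create-secrets.ps1 in PowerShell instead.
# =============================================================================
set -euo pipefail

if [[ "$(uname -s)" != "Linux" ]]; then
  echo "ERROR: This script is for Linux only." >&2
  echo "Windows users: run GCR/scripts/03-create-secrets.ps1" >&2
  exit 1
fi

# Every step below shells out to gcloud; fail early with a clear message
# instead of prompting for a secret and then failing on the first call.
if ! command -v gcloud >/dev/null 2>&1; then
  echo "ERROR: gcloud CLI not found in PATH." >&2
  exit 1
fi

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# ── Load .env ─────────────────────────────────────────────────────────────────
ENV_FILE="$SCRIPT_DIR/../.env"
if [[ ! -f "$ENV_FILE" ]]; then
  echo "ERROR: $ENV_FILE not found." >&2
  echo "Copy GCR/.env.example to GCR/.env and fill in your values first." >&2
  exit 1
fi
# `source` executes .env as shell code; it is operator-owned configuration,
# not untrusted input, so this is acceptable — keep the file private (0600).
# shellcheck disable=SC1090
source "$ENV_FILE"

: "${GCP_PROJECT_ID:?GCP_PROJECT_ID is not set in .env}"

# Names of the secrets managed by this script. Both the creation step and
# the IAM grant below iterate over this list so they cannot drift apart.
readonly MONGODB_SECRET_NAME="mongodb-connection-string"
readonly -a SECRET_NAMES=("$MONGODB_SECRET_NAME")

echo "================================================================"
echo "  Google Cloud Secret Manager setup"
echo "================================================================"
echo "  Project: $GCP_PROJECT_ID"
echo ""

#######################################
# Create a Secret Manager secret, or add a new version if it already exists.
# The value is read from the terminal without echo, kept in a function-local
# variable, and handed to gcloud on stdin (--data-file=-) so it never appears
# in argv, `ps` output or shell history.
# Globals:   GCP_PROJECT_ID (read)
# Arguments: $1 - secret name
#            $2 - prompt text shown to the user
# Outputs:   progress messages to stdout, errors to stderr
# Returns:   0 on success; the script exits non-zero if the entered value is
#            empty or any gcloud call fails (set -e / pipefail)
#######################################
create_or_update_secret() {
  local secret_name="$1"
  local secret_prompt="$2"
  local secret_value

  echo ">>> Setting up secret: $secret_name"
  echo "    $secret_prompt"
  read -rsp "    Enter value (will not be echoed): " secret_value
  echo ""

  # Without this check an accidental <Enter> would create an empty secret
  # version, which the deployed service would then fail on at runtime.
  if [[ -z "$secret_value" ]]; then
    echo "ERROR: Empty value entered for '$secret_name'; nothing was changed." >&2
    exit 1
  fi

  if gcloud secrets describe "$secret_name" --project="$GCP_PROJECT_ID" &>/dev/null; then
    echo "    Secret already exists — creating new version..."
    printf '%s' "$secret_value" | gcloud secrets versions add "$secret_name" \
      --data-file=- \
      --project="$GCP_PROJECT_ID"
  else
    echo "    Creating new secret..."
    printf '%s' "$secret_value" | gcloud secrets create "$secret_name" \
      --data-file=- \
      --replication-policy="automatic" \
      --project="$GCP_PROJECT_ID"
  fi

  echo "    ✓ Secret '$secret_name' ready."
  echo ""
}

# ── Step 1: Create MongoDB connection string secret ──────────────────────────
create_or_update_secret \
  "$MONGODB_SECRET_NAME" \
  "MongoDB Atlas or self-hosted connection URI (e.g., mongodb+srv://user:pass@cluster.mongodb.net)"

# ── Step 2: Grant Cloud Run service account access to secrets ─────────────────
echo ">>> Granting Cloud Run service account access to secrets..."
echo ""

# Identity the Cloud Run service is expected to run as; it receives read-only
# access (secretAccessor) to the secrets above and nothing more.
# This is the App Engine default service account. NOTE(review): Cloud Run's
# default runtime identity is normally the Compute Engine default service
# account (PROJECT_NUMBER-compute@developer.gserviceaccount.com); confirm that
# 04-deploy.sh deploys with the account named here, otherwise this grant is
# ineffective. A dedicated least-privilege service account is preferable to
# either default account.
SERVICE_ACCOUNT="$GCP_PROJECT_ID@appspot.gserviceaccount.com"

for secret_name in "${SECRET_NAMES[@]}"; do
  echo "    Granting Secret Accessor role for '$secret_name' to $SERVICE_ACCOUNT"
  gcloud secrets add-iam-policy-binding "$secret_name" \
    --member="serviceAccount:$SERVICE_ACCOUNT" \
    --role="roles/secretmanager.secretAccessor" \
    --project="$GCP_PROJECT_ID" \
    --quiet
done

echo ""
echo "================================================================"
echo "  Secret Manager setup complete!"
echo "================================================================"
echo ""
echo ">>> Summary:"
echo "    Secrets created:"
for secret_name in "${SECRET_NAMES[@]}"; do
  echo "      • $secret_name"
done
echo ""
echo "    Service account granted access:"
echo "      • $SERVICE_ACCOUNT"
echo ""
echo ">>> Next step: run GCR/scripts/04-deploy.sh"
echo "    (The deploy script will automatically inject secrets into"
echo "     the running container.)"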