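#Requires -Version 5.1
# Interactive helper: prompts for the MongoDB connection URI and stores it in
# Google Cloud Secret Manager. GCP_PROJECT_ID is read from the .env file one
# directory above this script.
param()

Set-StrictMode -Version Latest
# gcloud reports progress on stderr; 'Continue' keeps PowerShell from turning
# that into a terminating error. Every gcloud call is checked via $LASTEXITCODE.
$ErrorActionPreference = 'Continue'

$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
# PowerShell does not use backslash as an escape character, so a single
# separator is the intended path.
$EnvFile = Join-Path $ScriptDir '..\.env'
if (-not (Test-Path $EnvFile)) {
    Write-Error "ERROR: $EnvFile not found."
    exit 1
}

# Minimal KEY=VALUE parser: blank lines and '#' comments are skipped, the first
# '=' splits key from value, both sides are trimmed. Surrounding quotes are kept.
$config = @{}
foreach ($line in Get-Content $EnvFile) {
    if ($line -match '^\s*$' -or $line -match '^\s*#') { continue }
    if ($line -match '^([^=]+)=(.*)$') {
        $config[$Matches[1].Trim()] = $Matches[2].Trim()
    }
}

$GCP_PROJECT_ID = if ($config['GCP_PROJECT_ID']) { $config['GCP_PROJECT_ID'] } else { '' }
if (-not $GCP_PROJECT_ID) {
    Write-Error "GCP_PROJECT_ID not set"
    exit 1
}

# Fail early with a clear message if the gcloud CLI is missing; otherwise the
# first native call below leaves $LASTEXITCODE undefined under strict mode.
if (-not (Get-Command gcloud -ErrorAction SilentlyContinue)) {
    Write-Error "gcloud CLI not found on PATH."
    exit 1
}

Write-Host "================================================================"
Write-Host " Google Cloud Secret Manager setup - Project: $GCP_PROJECT_ID"
Write-Host "================================================================"
Write-Host ""

$SecretName = "mongodb-connection-string"
Write-Host ">>> Secret: $SecretName"
Write-Host " MongoDB connection URI (e.g. mongodb+srv://user:pass@cluster.mongodb.net)"
$val = Read-Host " Enter value" -AsSecureString
$plain = [System.Net.NetworkCredential]::new("", $val).Password
# Refuse to store an empty secret version rather than silently saving "".
if (-not $plain) {
    Write-Error "No value entered; nothing was saved."
    exit 1
}

# gcloud stores the data file byte-for-byte. [System.Text.Encoding]::UTF8 makes
# WriteAllText emit a UTF-8 BOM (EF BB BF), which would be prepended to the
# stored connection string; a BOM-less encoder avoids that.
$utf8NoBom = [System.Text.UTF8Encoding]::new($false)
$tmp = [System.IO.Path]::GetTempFileName()
try {
    [System.IO.File]::WriteAllText($tmp, $plain, $utf8NoBom)
    # Add a new version if the secret already exists, otherwise create it.
    gcloud secrets describe $SecretName --project=$GCP_PROJECT_ID 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) {
        gcloud secrets versions add $SecretName --data-file=$tmp --project=$GCP_PROJECT_ID 2>$null | Out-Null
    } else {
        gcloud secrets create $SecretName --data-file=$tmp --replication-policy=automatic --project=$GCP_PROJECT_ID 2>$null | Out-Null
    }
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to save secret."
        exit 1
    }
} finally {
    # The plaintext must not outlive this step: delete the temp file and drop
    # the in-memory copy.
    Remove-Item $tmp -Force -ErrorAction SilentlyContinue
    $plain = $null
}
Write-Host " Secret saved."
Write-Host ""
Write-Host ">>> Granting Cloud Run service account access to secrets..."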
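# Resolve the runtime service account that must be able to read the secret.
# The App Engine default SA is used when it exists; otherwise the Compute
# Engine default SA, whose name needs the numeric project number.
$PROJECT_NUMBER = (gcloud projects describe $GCP_PROJECT_ID --format='value(projectNumber)' 2>$null)
# Without this check a failed lookup yields $null, .Trim() throws, and the
# compute SA name would be built from an empty project number.
if ($LASTEXITCODE -ne 0 -or -not $PROJECT_NUMBER) {
    Write-Error "Failed to look up project number for '$GCP_PROJECT_ID'."
    exit 1
}
$PROJECT_NUMBER = "$PROJECT_NUMBER".Trim()

$APPENGINE_SA = "$GCP_PROJECT_ID@appspot.gserviceaccount.com"
$COMPUTE_SA = "$PROJECT_NUMBER-compute@developer.gserviceaccount.com"
gcloud iam service-accounts describe $APPENGINE_SA --project=$GCP_PROJECT_ID 2>$null | Out-Null
$SA = if ($LASTEXITCODE -eq 0) { $APPENGINE_SA } else { $COMPUTE_SA }

# The binding is scoped to this one secret rather than project-wide, so the
# grant is limited to what the service needs. NOTE(review): both candidates
# are project default service accounts; a dedicated runtime SA for the Cloud
# Run service would narrow the blast radius further - confirm with the deploy
# step.
Write-Host " Granting secretAccessor on '$SecretName' to: $SA"
gcloud secrets add-iam-policy-binding $SecretName --member="serviceAccount:$SA" --role=roles/secretmanager.secretAccessor --project=$GCP_PROJECT_ID --quiet 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "Failed to grant access."
    exit 1
}
Write-Host ""
Write-Host ">>> Secrets setup complete."
Write-Host ">>> Next step: run GCR\scripts\04-deploy.ps1"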