#! /usr/bin/env bash

set -euo pipefail

vault_args=()
temp_vault_pass_file=""

cleanup() {
  if [[ -n "${temp_vault_pass_file}" ]] && [[ -f "${temp_vault_pass_file}" ]]; then
    rm -f "${temp_vault_pass_file}"
  fi
}
trap cleanup EXIT
ansible_extra_args=()
terraform_apply_args=()
terraform_passthrough=()

run_ansible=true
if [[ "${1:-}" == "--no-ansible" ]]; then
  run_ansible=false
  shift
fi

if [[ "${1:-}" == "--" ]]; then
  shift
  if [[ "${1:-}" == "terraform" ]]; then
    shift
    terraform_passthrough=("$@")
  else
    case "${1:-}" in
      output|state|workspace|providers|version|validate|fmt|taint|untaint|graph|show|console|import)
        terraform_passthrough=("$@")
        ;;
      *)
        terraform_apply_args=("$@")
        ;;
    esac
  fi
fi

if [[ -f ".env" ]]; then
  set -a
  source .env
  set +a
fi

if [[ -f "secrets/vault.yml" ]]; then
  if [[ -f "secrets/.vault_pass" ]]; then
    vault_args+=(--vault-password-file "secrets/.vault_pass")
  elif [[ -f ".vault_pass" ]]; then
    vault_args+=(--vault-password-file ".vault_pass")
  else
    read -rsp "Vault password: " vault_password
    echo
    temp_vault_pass_file=$(mktemp)
    chmod 600 "${temp_vault_pass_file}"
    printf '%s' "${vault_password}" > "${temp_vault_pass_file}"
    unset vault_password
    vault_args+=(--vault-password-file "${temp_vault_pass_file}")
  fi

  if (( ${#vault_args[@]} )); then
    vault_plain=$(ansible-vault view secrets/vault.yml "${vault_args[@]}")
  else
    vault_plain=$(ansible-vault view secrets/vault.yml)
  fi
  while IFS= read -r line; do
    [[ -z "${line}" ]] && continue
    [[ "${line}" == "---" ]] && continue
    [[ "${line}" != TF_VAR_*:* ]] && [[ "${line}" != CF_DNS_API_TOKEN:* ]] && [[ "${line}" != S3_ACCESS_KEY_ID:* ]] && [[ "${line}" != S3_SECRET_ACCESS_KEY:* ]] && continue
    key="${line%%:*}"
    value="${line#*:}"
    value="${value# }"
    [[ -z "${value}" ]] && continue
    escaped=$(printf '%q' "${value}")
    eval "export ${key}=${escaped}"
  done <<< "${vault_plain}"

  if [[ -z "${CF_DNS_API_TOKEN:-}" ]] && [[ -n "${TF_VAR_cloudflare_api_token:-}" ]]; then
    export CF_DNS_API_TOKEN="${TF_VAR_cloudflare_api_token}"
  fi
fi

terraform -chdir=terraform init

if (( ${#terraform_passthrough[@]} )); then
  terraform -chdir=terraform "${terraform_passthrough[@]}"
  exit 0
fi

if (( ${#terraform_apply_args[@]} )); then
  terraform -chdir=terraform apply "${terraform_apply_args[@]}"
else
  terraform -chdir=terraform plan -out=tfplan
  terraform -chdir=terraform apply tfplan
fi

rm -f terraform/tfplan

web_ipv4=$(terraform -chdir=terraform output -raw web_ip)
services_ipv4=$(terraform -chdir=terraform output -raw services_ip)

ssh_user=${TF_VAR_user:-ansible}

mkdir -p inventory/host_vars

cat > inventory/hosts.yml <<EOF
all:
  children:
    web_hosts:
      hosts:
        web:
          ansible_host: ${web_ipv4}
          ansible_port: ${TF_VAR_ssh_port:-22}
          ansible_user: ${ssh_user}
    services_hosts:
      hosts:
        services:
          ansible_host: ${services_ipv4}
          ansible_port: ${TF_VAR_ssh_port:-22}
          ansible_user: ${ssh_user}
EOF

cat > inventory/host_vars/web.yml <<EOF
public_ipv4: ${web_ipv4}
EOF

if [[ "${run_ansible}" == "true" ]]; then
  if [[ -n "${vault_args+x}" ]] && (( ${#vault_args[@]} )); then
    ansible_extra_args=("${vault_args[@]}")
  fi
  ansible-playbook playbooks/services.yml ${ansible_extra_args[@]+"${ansible_extra_args[@]}"}
  ansible-playbook playbooks/app.yml ${ansible_extra_args[@]+"${ansible_extra_args[@]}"}
fi