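#!/usr/bin/env -S deno run --allow-env --allow-net --allow-run --allow-read --allow-write
import {
  BitwardenSession,
  getRequiredEnv,
  getStdout,
  prependWith,
  type SecureNote,
} from "@liz-ci/utils";
import type { AnsiblePlaybookJobProps } from "@liz-ci/model";

/**
 * Runs the configured Ansible playbooks inside the `willhallonline/ansible`
 * container, feeding it an SSH key and a secrets file fetched from Bitwarden.
 *
 * Both secrets are materialised as temp files only for the duration of the
 * run. Every temp file is registered in `tempFiles` as soon as it is created,
 * so the `finally` block removes it even when fetching or writing a *later*
 * secret throws. (Fetching the secrets before entering `try` would leave any
 * already-written secret on disk, and the Bitwarden session open, on such a
 * partial failure.)
 */

// Job parameters come from the environment; both are required.
const args: AnsiblePlaybookJobProps = {
  path: getRequiredEnv("path"),
  playbooks: getRequiredEnv("playbooks"),
};

const bitwardenSession = new BitwardenSession();

// Paths of every temp file created so far; consumed by the cleanup below.
const tempFiles: string[] = [];

/**
 * Fetches one Bitwarden item and writes its `notes` body to a fresh temp file.
 *
 * @param secretName - Bitwarden item name to look up.
 * @returns Path of the temp file holding the secret.
 */
async function materialiseSecret(secretName: string): Promise<string> {
  const { notes: recoveredSecret } = await bitwardenSession.getItem(secretName);
  const tempFile = await Deno.makeTempFile();
  // Register before writing so a failed write still gets the file removed.
  tempFiles.push(tempFile);
  await Deno.writeTextFile(tempFile, recoveredSecret);
  return tempFile;
}

try {
  const [ansibleSecrets, sshKey] = await Promise.all([
    materialiseSecret("ansible_secrets"),
    materialiseSecret("ssh_key"),
  ]);

  const volumes = [
    `${args.path}:/ansible`,
    `${sshKey}:/root/id_rsa`,
    `${ansibleSecrets}:/ansible/secrets.yml`,
  ];

  // argv goes to docker directly (no shell), so the playbook list is split on
  // whitespace here; empty tokens from repeated spaces are dropped so they are
  // not passed as blank arguments to ansible-playbook.
  const playbookArgs = args.playbooks.split(/\s+/).filter((t) => t.length > 0);

  await getStdout([
    "docker",
    "run",
    ...prependWith(volumes, "-v"),
    "willhallonline/ansible:latest",
    "ansible-playbook",
    "-e",
    "@secrets.yml",
    ...playbookArgs,
  ]);
} finally {
  // Best-effort cleanup: end the Bitwarden session and remove every secret
  // file that was created. allSettled so one failure does not hide the rest.
  await Promise.allSettled([
    bitwardenSession.close(),
    ...tempFiles.map((p) => Deno.remove(p)),
  ]);
}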