require 'securerandom'

# Point Chef::Config at the Delivery Chef server so the data bag reads and
# writes below are made against it.
load_delivery_chef_config

# AWS API keys come from the encrypted 'chef-cia' item of the 'cia-creds' data
# bag, decrypted for the current environment by the helper.
aws_creds = encrypted_data_bag_item_for_environment('cia-creds', 'chef-cia')

stage = node['delivery']['change']['stage']
creds_item_id = "#{node['delivery']['change']['project']}-database"

# Load the per-project database credential item, or start a fresh hash when
# the Chef server reports that it does not exist (HTTP 404). Any other HTTP
# error is re-raised unchanged.
Chef::Log.info('Check to see if the creds data bag exists')
begin
  database_creds = data_bag_item('cia-creds', creds_item_id).to_hash
  Chef::Log.info('Data bag found.')
rescue Net::HTTPServerException => http_e
  raise unless http_e.response.code == '404'

  Chef::Log.info('Data bag wasn\'t found. Creating hash')
  database_creds = { 'id' => creds_item_id, stage => {} }
end

# Notes about RDS setup
#######################
#
# As a general rule, we are still managing "network" concerns as a manual step.
# This will change as time goes by but until then, buyer beware, the VPC and SG
# resources are all hand configured...

aws_db_subnet_group = 'subnet_group_name'
aws_sg = ['sg-valid_sg_id']

rds_name = instance_name

# Credentials are stored per stage, then per RDS instance name.
stage_creds = database_creds[stage]
existing = stage_creds && stage_creds[rds_name]

if existing && existing['username']
  # Reuse the master credentials already recorded for this instance.
  username = existing['username']
  password = existing['password']
else
  # First run for this instance: derive a Postgres-safe user name from the
  # instance name and generate a random 64-hex-character master password.
  username = instance_name.tr('-', '_')
  password = SecureRandom.hex(32)

  database_creds[stage] ||= {}
  database_creds[stage][rds_name] = { 'username' => username, 'password' => password }

  # Persist the new credentials now, encrypted with the node's data bag secret.
  # This runs at recipe compile time, i.e. before the aws_rds resource below
  # converges, so the item is written even if instance creation later fails.
  creds_dbag_item = Chef::DataBagItem.new
  creds_dbag_item.data_bag('cia-creds')
  creds_dbag_item.raw_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(
    database_creds,
    Chef::EncryptedDataBagItem.load_secret
  )
  creds_dbag_item.save
end

# As of the writing of this comment, the aws_rds instance doesn't support update
# actions, just creation.
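# Create the RDS instance. The master password exists only in the encrypted
# data bag item written above; `sensitive true` keeps it and the AWS keys out
# of resource diff output in the run log, and `publicly_accessible false`
# keeps the instance off the public internet. `aws_multi_az` is not defined in
# this recipe; presumably a helper provided elsewhere in the cookbook.
aws_rds rds_name do
  aws_access_key aws_creds['access_key_id']
  aws_secret_access_key aws_creds['secret_access_key']
  engine 'postgres'
  db_instance_class 'db.t2.small'
  allocated_storage 20
  master_username username
  master_user_password password
  multi_az aws_multi_az
  db_subnet_group_name aws_db_subnet_group
  publicly_accessible false
  tags [
    { key: 'X-Project', value: node['delivery']['change']['project'] },
    { key: 'X-Contact', value: 'cia' }
  ]
  vpc_security_group_ids aws_sg
  storage_type 'gp2'
  sensitive true
end

# Filled in at converge time by the 'rds info' block and read by the
# 'upload data bag' block; declared here so both closures share one local.
data_bag_prep = {}

# Combine the instance details the aws_rds resource recorded under
# node[:aws_rds] with the username/password chosen above, keyed by instance
# name. Previously this block also did an unused `require 'pp'`.
ruby_block 'rds info' do
  block do
    stage = node['delivery']['change']['stage']
    db_info = node[:aws_rds].to_h[rds_name]
    # Fail with a clear message instead of a NoMethodError on `merge` when the
    # resource did not record anything for this instance.
    raise "no node[:aws_rds] entry recorded for #{rds_name}" if db_info.nil?

    cred_info = database_creds[stage][rds_name]
    data_bag_prep = { rds_name => db_info.merge(cred_info) }
  end
end

# Write the combined record back to the project's encrypted credential item.
# The stage hash is merged rather than replaced so that entries for other RDS
# instances in the same stage (which the lookup at the top of the recipe
# supports) are not silently dropped.
ruby_block 'upload data bag' do
  block do
    with_server_config do
      stage = node['delivery']['change']['stage']
      item_id = "#{node['delivery']['change']['project']}-database"

      dbag_data = data_bag_item('cia-creds', item_id).to_hash
      dbag_data[stage] = (dbag_data[stage] || {}).merge(data_bag_prep)

      dbag_item = Chef::DataBagItem.new
      dbag_item.data_bag('cia-creds')
      dbag_item.raw_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(
        dbag_data,
        Chef::EncryptedDataBagItem.load_secret
      )
      dbag_item.save
    end
  end
end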