#!/bin/bash
set -e

export AWS_PAGER=""
AWS_REGION=${1-eu-west-1}
EKS_NAME=${2}
FILESYSTEM_ID=${3}
SUFFIX=${4-temp}
if [ "$#" -ne 3 ]; then
    echo "Please pass, 1) AWS Region, 2) EKS name 3) FileSystem Id 4) SUFFIX"
    exit 1
fi
account_id=$(aws sts get-caller-identity --query "Account" --output text)
oidc_provider=$(aws eks describe-cluster --name "${EKS_NAME}" --region "${AWS_REGION}" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")

# Role for EFS CSI service account

cat >policy-cdrp-efs-csi-${SUFFIX}.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeAvailabilityZones",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets"
      ],
      "Resource": [
        "arn:*:elasticfilesystem:${AWS_REGION}:$account_id:file-system/${FILESYSTEM_ID}",
        "arn:*:elasticfilesystem:${AWS_REGION}:$account_id:access-point/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:CreateAccessPoint",
      "Resource": [
        "arn:*:elasticfilesystem:${AWS_REGION}:$account_id:file-system/${FILESYSTEM_ID}"
      ],
      "Condition": {
        "StringLike": {
          "aws:RequestTag/efs.csi.aws.com/cluster": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:DeleteAccessPoint",
      "Resource": [
        "arn:*:elasticfilesystem:${AWS_REGION}:$account_id:access-point/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
        }
      }
    }
  ]
}
EOF

echo "Creating policy policy-cdrp-efs-csi-${SUFFIX}"
cdrp_efs_csi_policy_arn=$(aws iam create-policy --policy-name "policy-cdrp-efs-csi-${SUFFIX}" --policy-document file://policy-cdrp-efs-csi-${SUFFIX}.json --query "Policy.Arn" --output text)

cat >trust-relationship-efs-${SUFFIX}.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:*:iam::$account_id:oidc-provider/$oidc_provider"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$oidc_provider:aud": "sts.amazonaws.com",
          "$oidc_provider:sub": "system:serviceaccount:cdrplatform:sa-efs-csi-controller"
        }
      }
    }
  ]
}
EOF

echo "Creating role role-cdrp-efs-csi-${SUFFIX}"
aws iam create-role --role-name "role-cdrp-efs-csi-${SUFFIX}" --assume-role-policy-document file://trust-relationship-efs-${SUFFIX}.json --description "Role for EFS CSI service account"
aws iam attach-role-policy --role-name "role-cdrp-efs-csi-${SUFFIX}" --policy-arn="$cdrp_efs_csi_policy_arn"

# Role for external secrets service account
cat >policy-cdrp-ext-secrets-${SUFFIX}.json <<EOF
{
    "Statement": [
        {
            "Action": "secretsmanager:ListSecrets",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Effect": "Allow",
            "Resource": [
              "arn:*:secretsmanager:*:*:secret:organisation*-id-*",
              "arn:*:secretsmanager:*:*:secret:organisation*-tokens-*",
              "arn:*:secretsmanager:*:*:secret:AWS_ACCESS_KEY_ID-*",
              "arn:*:secretsmanager:*:*:secret:AWS_SECRET_ACCESS_KEY-*"
            ]
        }
    ],
    "Version": "2012-10-17"
}
EOF

echo "Creating policy policy-cdrp-ext-secrets-${SUFFIX}"
cdrp_ext_secrets_policy_arn=$(aws iam create-policy --policy-name "policy-cdrp-ext-secrets-${SUFFIX}" --policy-document file://policy-cdrp-ext-secrets-${SUFFIX}.json --query "Policy.Arn" --output text)

cat >trust-relationship-ext-secrets-${SUFFIX}.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:*:iam::$account_id:oidc-provider/$oidc_provider"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$oidc_provider:aud": "sts.amazonaws.com",
          "$oidc_provider:sub": "system:serviceaccount:cdrplatform:ext-secrets"
        }
      }
    }
  ]
}
EOF

echo "Creating role role-cdrp-ext-secrets-${SUFFIX}"
aws iam create-role --role-name "role-cdrp-ext-secrets-${SUFFIX}" --assume-role-policy-document file://trust-relationship-ext-secrets-${SUFFIX}.json --description "Role for External secrets service account"
aws iam attach-role-policy --role-name "role-cdrp-ext-secrets-${SUFFIX}" --policy-arn="$cdrp_ext_secrets_policy_arn"