#!/usr/bin/env bash

function check_prereqs {
  if ! which mysql 2>&1 > /dev/null ; then
    echo "$0 error: Please install 'mysql'." > /dev/stderr
    exit 127
  fi
  if ! which jq 2>&1 > /dev/null ; then
    echo "$0 error: Please install 'jq'." > /dev/stderr
    exit 127
  fi
}

function create_stack {
    # create a Aurora MySQL cluster or an Amazon RDS MySQL database
    echo "Launching cloudformation stack with parameters from cf-parameters.json"
    aws cloudformation create-stack --stack-name "$STACKNAME" --template-body file://create-database.yaml \
        --parameters file://config/cf-parameters.json --region $REGION --capabilities CAPABILITY_IAM

    echo "Checking to see if the stack is up... waiting until complete..."
    aws cloudformation wait stack-create-complete --stack-name "$STACKNAME" --region $REGION
}

function create_user {
    export MASTERUSER="$(cat config/cf-parameters.json | jq '.[] | select(.ParameterKey=="DatabaseUsername")' | jq -r .ParameterValue)"
    export MASTERPASS="$(cat config/cf-parameters.json | jq '.[] | select(.ParameterKey=="DatabasePassword")' | jq -r .ParameterValue)"
    export DBNAME="$(cat config/cf-parameters.json | jq '.[] | select(.ParameterKey=="DatabaseName")' | jq -r .ParameterValue)"

    export AURORAEP="$(aws cloudformation describe-stacks --stack-name "$STACKNAME" --region $REGION | jq '.Stacks[].Outputs[] | select(.OutputKey=="AuroraClusterEndpoint")' | jq -r .OutputValue)"
    export CLUSTERNAME="$(aws cloudformation describe-stacks --stack-name "$STACKNAME" --region $REGION | jq '.Stacks[].Outputs[] | select(.OutputKey=="AuroraClusterName")' | jq -r .OutputValue)"
    export CLUSTEIDE="$(aws rds describe-db-clusters --region us-east-1 | jq --arg CN "$CLUSTERNAME" '.DBClusters[] | select(.DBClusterIdentifier==$CN)' | jq -r .DbClusterResourceId)"

    # Alter the instance to add IAM authentication
    echo "modifying the new Aurora MySQL Cluster to use IAM authentication"
    aws rds modify-db-cluster \
        --db-cluster-identifier $CLUSTERNAME \
        --apply-immediately \
        --enable-iam-database-authentication

    # Create a user (or use an existing IAM user), policy and attach the policy to the user
    echo "Creating IAM user and access policy"
    aws iam create-user --user-name $IAMUSER

    aws iam create-policy --policy-name database-login-$IAMUSER --policy-document "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Action\": [\"rds-db:connect\"], \"Resource\": [\"arn:aws:rds-db:$REGION:$ACCOUNTID:dbuser:$CLUSTERID/$IAMUSER\"], \"Effect\": \"Allow\"}]}"

    aws iam attach-user-policy --policy-arn arn:aws:iam::$ACCOUNTID:policy/database-login-mydbuser --user-name $IAMUSER

    echo "Connect to the database and create the database user"
    mysql -h ${AURORAEP%%:*} -P 3306 --user=$MASTERUSER --password=$MASTERPASS < config/create-user.sql
}

function main {
  export ACCOUNTID="123456789012"
  export STACKNAME="iamauth"
  export REGION="us-east-1"
  export IAMUSER="mydbuser"
  set -x
  check_prereqs &&
  create_stack &&
  create_user
  set +x
}

main