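# Set up some basic secret configuration. We don't want the secrets themselves
# in here; they have to be hand-entered after the first apply. This file only
# creates the scaffolding (the secret containers and a placeholder version).
output "secrets_manager_reminder" {
  value = "REMINDER: If this is your first time, don't forget to update the secrets in secrets manager."
}

# GitHub Enterprise personal access token used by the mdr-aws-codebuild account.
# Encrypted with the AWS-managed key (aws/secretsmanager). A customer-managed
# KMS key becomes necessary only if the secret must be read from another
# account, which is why the tfsec finding is suppressed here.
# tfsec:ignore:aws-ssm-secret-use-customer-key
resource "aws_secretsmanager_secret" "codebuild_ghe_key" {
  name                    = "GHE/mdr-aws-codebuild/key"
  description             = "GitHub Personal Access Key for the mdr-aws-codebuild account"
  recovery_window_in_days = 30
  tags                    = merge(local.standard_tags, var.tags)
}

# Seeds a placeholder so the secret exists; the real token is entered by hand.
# Until it is replaced, "SETME" is a publicly known string and must not be
# treated as a credential -- consumers should refuse to start while the value
# still equals the placeholder.
# ignore_changes keeps Terraform from pushing a new version if the seed literal
# in this config is ever edited; a hand-entered value creates its own version
# and becomes AWSCURRENT.
# NOTE(review): after repeated hand rotations the Terraform-created version
# loses all staging labels. Confirm the provider does not then drop it from
# state and re-create a "SETME" version as AWSCURRENT on the next apply.
resource "aws_secretsmanager_secret_version" "codebuild_ghe_secret_version" {
  secret_id     = aws_secretsmanager_secret.codebuild_ghe_key.id
  secret_string = "SETME"

  lifecycle {
    ignore_changes = [secret_string]
  }
}

#####################
# GitHub Runners Need WebHook Secrets
# and Keys
locals {
  # Organisations that get runner secrets, selected by environment. Indexing
  # with an environment other than test/prod fails at plan time instead of
  # silently creating nothing -- presumably intended; confirm.
  ghe_orgs_with_runners = {
    test = toset(["MDR-Engineering"]),
    prod = toset(["mdr-engineering"])
  }[var.environment]
}

# Webhook secret per organisation. Same AWS-managed-key trade-off as above.
# tfsec:ignore:aws-ssm-secret-use-customer-key
resource "aws_secretsmanager_secret" "github-runners-webhook-secret" {
  for_each = local.ghe_orgs_with_runners

  name                    = "GHE/runners/${each.value}/webhook_secret"
  description             = "Webhook Secret for GitHub Runners for ${each.value}"
  recovery_window_in_days = 30
  tags                    = merge(local.standard_tags, var.tags)
}

# Seeds a placeholder for each organisation; the real value is entered by hand.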
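resource "aws_secretsmanager_secret_version" "github-runners-webhook-secret" {
  for_each = local.ghe_orgs_with_runners

  secret_id = aws_secretsmanager_secret.github-runners-webhook-secret[each.value].id

  # "SETME" is a publicly known placeholder. If consumers validate webhook
  # deliveries against this value before it is replaced, anyone can forge a
  # delivery that passes signature checks -- consumers should refuse to run
  # while the value still equals the placeholder.
  secret_string = "SETME"

  # The hand-entered value becomes its own AWSCURRENT version; this only stops
  # Terraform from pushing a new version if the seed literal is edited later.
  # NOTE(review): confirm the provider does not drop this version from state
  # (and re-seed "SETME") once repeated rotations strip its staging labels.
  lifecycle {
    ignore_changes = [secret_string]
  }
}

# Base64-encoded webhook key per organisation. Same AWS-managed-key trade-off
# as the secrets above; a customer-managed KMS key is only needed for
# cross-account reads.
# tfsec:ignore:aws-ssm-secret-use-customer-key
resource "aws_secretsmanager_secret" "github-runners-webhook-key" {
  for_each = local.ghe_orgs_with_runners

  name                    = "GHE/runners/${each.value}/webhook_key"
  description             = "Base64 Encoded Webhook Key for GitHub Runners for ${each.value}"
  recovery_window_in_days = 30
  tags                    = merge(local.standard_tags, var.tags)
}

# Seeds a placeholder for each organisation; the real key is entered by hand.
# The resource name "github-runners" does not follow the "<secret>-version"
# pattern of its siblings; it is kept as-is because renaming changes the state
# address and would require a `moved` block to avoid destroy/recreate.
resource "aws_secretsmanager_secret_version" "github-runners" {
  for_each = local.ghe_orgs_with_runners

  secret_id = aws_secretsmanager_secret.github-runners-webhook-key[each.value].id

  # Publicly known placeholder -- not a usable key until replaced by hand.
  secret_string = "SETME"

  # See the webhook-secret version above: protects only against edits to the
  # seed literal in this config.
  lifecycle {
    ignore_changes = [secret_string]
  }
}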