# Secrets Manager entry holding the GitHub Enterprise key used by CodeBuild.
# It is looked up through the aliased provider aws.c2.
data "aws_secretsmanager_secret" "ghe-key" {
  provider = aws.c2
  name     = "GHE/mdr-aws-codebuild/key"
}

# Current version of that secret; its secret_string is the token value used below.
# NOTE(review): Terraform persists data source attributes in state, so the token
# value ends up in the state file in plaintext. Confirm that the state backend is
# encrypted at rest and that read access to it is restricted.
data "aws_secretsmanager_secret_version" "ghe-key" {
  provider  = aws.c2
  secret_id = data.aws_secretsmanager_secret.ghe-key.id
}

# The secret is consumed as a plain string. If it were stored in JSON format it
# would have to be decoded first, e.g.:
#locals {
#  secret_ghe_key = jsondecode(data.aws_secretsmanager_secret_version.ghe-key.secret_string)
#}

# AWS quirk: the GitHub credential is not tied to a build, even though it _looks_
# like it is in the Web UI. There can only be one GitHub credential per
# account+region:
# https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-codebuild.GitHubSourceCredentials.html
#
# "Note: CodeBuild only allows a single credential for GitHub to be saved in a given AWS account
# in a given region - any attempt to add more than one will result in an error."
#
# NOTE(review): since the credential is account+region wide, it is presumably shared
# by every CodeBuild project there that pulls from GitHub Enterprise. Verify that
# the personal access token carries only the scopes those builds need.
# NOTE(review): no provider is set on this resource, so it uses the default provider,
# while the secret is read through aws.c2. Confirm that is intended.
resource "aws_codebuild_source_credential" "github_token" {
  server_type = "GITHUB_ENTERPRISE"
  auth_type   = "PERSONAL_ACCESS_TOKEN"
  token       = data.aws_secretsmanager_secret_version.ghe-key.secret_string
}