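---
# Provision BAB project secrets in Vault from the toallab Supabase admin instance.
#
# Reads admin-level secrets from supabase_admin_vault_path (kv/data/toallab/supabase),
# constructs the per-project Postgres URL, and writes the full set of app-facing secrets
# to supabase_vault_path (per-environment, e.g. kv/data/oys/dev/supabase).
#
# ASSUMED: kv/data/toallab/supabase contains keys: anon_key, service_key, db_password
# ASSUMED: supabase_api_url, supabase_db_host, supabase_db_port, supabase_db_name
#          are set in host_vars for each supabase logical host.
#
# Usage:
#   ansible-navigator run playbooks/provision_supabase_project.yml --mode stdout --limit supabase-dev
#   ansible-navigator run playbooks/provision_supabase_project.yml --mode stdout --limit supabase-prod

- name: Provision Supabase project secrets in Vault
  hosts: supabase
  # Runs against the control node only; the "hosts" are logical Supabase
  # environments, not machines to SSH into.
  connection: local
  gather_facts: false

  tasks:
    # Fail fast, before any Vault I/O, if a host_vars value the write task
    # templates on is missing. Without this the play errors mid-run with a
    # generic "undefined variable" message.
    - name: Verify per-host Supabase and Vault settings are defined
      ansible.builtin.assert:
        that:
          - vault_addr is defined
          - supabase_admin_vault_path is defined
          - supabase_vault_path is defined
          - supabase_api_url is defined
          - supabase_db_host is defined
          - supabase_db_port is defined
          - supabase_db_name is defined
        fail_msg: >-
          {{ inventory_hostname }} is missing one or more of vault_addr,
          supabase_admin_vault_path, supabase_vault_path, supabase_api_url,
          supabase_db_host, supabase_db_port, supabase_db_name (expected in host_vars).

    # The module takes the path relative to the mount, so the "kv/data/" prefix
    # used in the inventory variables is stripped here.
    - name: Read Supabase admin secrets from Vault
      community.hashi_vault.vault_kv2_get:
        path: "{{ supabase_admin_vault_path | regex_replace('^kv/data/', '') }}"
        engine_mount_point: kv
        url: "{{ vault_addr }}"
      register: _admin
      no_log: true

    - name: Verify required keys are present in admin vault
      ansible.builtin.assert:
        that:
          - _admin.secret.anon_key | default('') | length > 0
          - _admin.secret.service_key | default('') | length > 0
          - _admin.secret.db_password | default('') | length > 0
        fail_msg: >-
          Missing required keys in {{ supabase_admin_vault_path }}.
          Expected: anon_key, service_key, db_password.
      # Keep the registered secret values out of the assert's output.
      no_log: true

    - name: Write project secrets to Vault
      community.hashi_vault.vault_kv2_write:
        path: "{{ supabase_vault_path | regex_replace('^kv/data/', '') }}"
        engine_mount_point: kv
        url: "{{ vault_addr }}"
        data:
          url: "{{ supabase_api_url }}"
          anon_key: "{{ _admin.secret.anon_key }}"
          service_key: "{{ _admin.secret.service_key }}"
          # The password is a URL userinfo component: any "@", ":", "#", "?" or
          # "%" in it would otherwise be parsed as URL structure by consumers
          # and either break the connection string or change which host it
          # points at. Jinja2's urlencode leaves "/" unescaped, so it is
          # encoded separately.
          postgres_url: >-
            postgresql://postgres:{{ _admin.secret.db_password | urlencode | replace('/', '%2F') }}@{{ supabase_db_host }}:{{ supabase_db_port }}/{{ supabase_db_name }}
      no_log: true

    # Only the destination path and key names are printed, never the values.
    - name: Report result
      ansible.builtin.debug:
        msg: >-
          Project secrets written to {{ supabase_vault_path }}
          (url, anon_key, service_key, postgres_url)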