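---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: cloud-importer-destroy-aws
  labels:
    app.kubernetes.io/version: "1.0.0-dev"
  annotations:
    tekton.dev/pipelines.minVersion: "0.44.x"
    tekton.dev/categories: infrastructure
    tekton.dev/tags: infrastructure, aws, rhelai
    tekton.dev/displayName: "CloudImporter Destroy AWS"
    tekton.dev/platforms: "linux/amd64"
spec:
  description: >-
    This Task destroys an AWS AMI using the cloud-importer tool.
    AWS credentials are read from a mounted Secret; Task parameters reach
    the step script through environment variables rather than textual
    substitution, so a parameter value can never be executed as shell code.
  params:
    - name: debug
      description: run with debug logs ("true" also enables shell tracing and prints masked credentials)
    - name: id
      description: identifier for the taskrun (passed to cloud-importer as --project-name)
    - name: keep-state
      description: keep the Pulumi state in the S3 backend after successful destroy
      default: "false"
    - name: force-destroy
      description: destroy even if there is a lock
      default: "false"
    - name: secret-aws-credentials
      description: |
        ocp secret holding the aws credentials. Secret should be accessible to this task.
        ---
        apiVersion: v1
        kind: Secret
        metadata:
          name: aws-${name}
        type: Opaque
        data:
          access-key: ${access_key}
          secret-key: ${secret_key}
          region: ${region}
          bucket: ${bucket}
  steps:
    - name: run-cloud-importer
      # NOTE(review): a mutable tag lets the executed binary change underneath
      # this Task; pin to a digest (image@sha256:...) once a build is chosen.
      image: ghcr.io/mapt-oss/cloud-importer:latest
      # Tekton replaces $(params.*) textually. Doing that inside `script:`
      # would splice untrusted parameter text into shell source; exposing the
      # values as environment variables keeps them data, not code.
      env:
        - name: PARAM_DEBUG
          value: "$(params.debug)"
        - name: PARAM_ID
          value: "$(params.id)"
        - name: PARAM_KEEP_STATE
          value: "$(params.keep-state)"
        - name: PARAM_FORCE_DESTROY
          value: "$(params.force-destroy)"
      script: |
        #!/bin/sh
        # The script below sticks to POSIX sh constructs ([ ], "$@", parameter
        # expansion) so the shebang is honest. `-o pipefail` is kept from the
        # original; the image's shell has always had to accept it.
        set -euo pipefail

        # Print a value with everything but its first and last character
        # hidden; values of two characters or fewer are hidden completely.
        mask_credential() {
          cred="$1"
          if [ "${#cred}" -le 2 ]; then
            echo "***"
          else
            # ${cred#?} is cred minus its first char, ${cred%?} minus its last;
            # stripping those as literal patterns leaves the single characters.
            first="${cred%"${cred#?}"}"
            last="${cred#"${cred%?}"}"
            echo "${first}***${last}"
          fi
        }

        # Credentials come from the Secret mounted at /opt/aws-credentials.
        # They are read BEFORE any `set -x` so raw values never hit the trace.
        AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key)
        AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key)
        AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region)
        export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION
        BUCKET=$(cat /opt/aws-credentials/bucket)

        # Debug mode: show masked credentials, then trace the remaining commands.
        # Only the masked echoes and the final command line are traced; the
        # exported secrets are not part of any traced command.
        if [ "$PARAM_DEBUG" = "true" ]; then
          echo "AWS_ACCESS_KEY_ID=$(mask_credential "$AWS_ACCESS_KEY_ID")"
          echo "AWS_SECRET_ACCESS_KEY=$(mask_credential "$AWS_SECRET_ACCESS_KEY")"
          echo "AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION"
          echo "BUCKET=$BUCKET"
          set -x
        fi

        # Assemble the command in the positional parameters instead of a string
        # handed to eval: each value is exactly one argument regardless of the
        # spaces, quotes or metacharacters it contains.
        set -- cloud-importer destroy \
          --project-name "$PARAM_ID" \
          --backed-url "s3://${BUCKET}/cloud-importer"
        if [ "$PARAM_DEBUG" = "true" ]; then
          set -- "$@" --debug
        fi
        if [ "$PARAM_KEEP_STATE" = "true" ]; then
          set -- "$@" --keep-state
        fi
        if [ "$PARAM_FORCE_DESTROY" = "true" ]; then
          set -- "$@" --force-destroy
        fi
        "$@"
      volumeMounts:
        - name: aws-credentials
          mountPath: /opt/aws-credentials
  volumes:
    - name: aws-credentials
      secret:
        secretName: $(params.secret-aws-credentials)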