---
- name: Injecter Secrets Vault dans group_vars/ctl.yml
  hosts: localhost
  connection: local
  gather_facts: no

  vars:
    target_group_vars_file: "/etc/ansible/group_vars/ctl"
    env: "{{ lookup('env', 'ENV') }}"

    vault_secrets_map:
      openstack_admin_project_passwd: { path: "environnement/{{ env }}/openstack_admin_project", key: "passwd" }
      git_token:                      { path: "environnement/{{ env }}/git", key: "token" }
      console_database_passwd:        { path: "environnement/{{ env }}/console_db", key: "passwd" }
      smtp_passwd:                    { path: "environnement/{{ env }}/smtp_noreply", key: "passwd" }
      smtp_support_email_passwd:    { path: "environnement/{{ env }}/smtp_support", key: "passwd" }
      authentik_bear_token:           { path: "environnement/{{ env }}/authentik_bear", key: "token" }
      oidc_client_id:                 { path: "environnement/{{ env }}/oidc_client", key: "id" }
      oidc_client_secret:             { path: "environnement/{{ env }}/oidc_client", key: "secret" }
      flouci_public_token:            { path: "environnement/{{ env }}/flouci_public", key: "token" }
      flouci_private_token:           { path: "environnement/{{ env }}/flouci_private", key: "token" }
      konnect_api_key:                { path: "environnement/{{ env }}/konnect_api", key: "key" }
      stripe_api_key:                 { path: "environnement/{{ env }}/stripe_api", key: "key" }
      stripe_test_api_key:            { path: "environnement/{{ env }}/stripe_test_api", key: "key" }
      stripe_front_api_key:           { path: "environnement/{{ env }}/stripe_front_api", key: "key" }
      stripe_front_test_api_key:    { path: "environnement/{{ env }}/stripe_front_test_api", key: "key" }

    vault_kv_mount_point: "secret"

  tasks:
    - name: Vérifier l'accès/authentification à Vault
      vars:
        first_secret_info: "{{ vault_secrets_map.values() | first }}"
        # Construit maintenant: secret/data/environnement/demo/openstack_admin_project:passwd
        test_lookup_string: "{{ vault_kv_mount_point }}/data/{{ first_secret_info.path }}:{{ first_secret_info.key }}"
      ansible.builtin.assert:
        that: lookup('community.hashi_vault.hashi_vault', test_lookup_string) is defined
        fail_msg: "Échec de la connexion/authentification à Vault ou le premier secret test '{{ test_lookup_string }}' est inaccessible. Vérifiez VAULT_ADDR et l'authentification."
        quiet: yes

    - name: Injecter chaque secret dans {{ target_group_vars_file }}
      vars:
        ctl_variable_name: "{{ item.key }}"
        # Construit maintenant: secret/data/environnement/demo/git:token (par exemple)
        vault_lookup_string: "{{ vault_kv_mount_point }}/data/{{ item.value.path }}:{{ item.value.key }}"
        secret_value: "{{ lookup('community.hashi_vault.hashi_vault', vault_lookup_string) }}"
      ansible.builtin.lineinfile:
        path: "{{ target_group_vars_file }}"
        regexp: '^\s*{{ ctl_variable_name }}:\s*.*?$'
        line: "{{ ctl_variable_name }}: '{{ secret_value }}'"
        backrefs: no
        state: present
      loop: "{{ vault_secrets_map | dict2items }}"
      when: secret_value is defined and secret_value not in [none, '']
      loop_control:
        label: "{{ item.key }}"
      no_log: true # Remis pour la sécurité