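---
# Controller-side playbook: pulls a fixed set of secrets from HashiCorp Vault (KV v2)
# and writes each one as `<var>: <value>` into an Ansible group_vars file.
#
# Operational notes (from what the playbook itself shows):
# - Lookups run on the controller; Vault address/auth come from the environment
#   (VAULT_ADDR + token/login), as the assertion's fail message says.
# - The target file must already exist: lineinfile is used with its default
#   `create: false`, so a missing file is a task failure rather than a silent create.
# - Secrets never appear in task output: the write task is `no_log: true`, which also
#   suppresses the `--diff` output and `-v` module args that would otherwise show the
#   value. Flip it to false only while debugging, never in CI.
- name: Injecter Secrets Vault dans group_vars/ctl.yml
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # NOTE(review): the play name says `ctl.yml` but the path has no extension;
    # Ansible reads both, so confirm which file the inventory actually uses.
    target_group_vars_file: "/etc/ansible/group_vars/ctl"
    # Map of group_vars variable name -> { path: <KV v2 path under the mount>, key: <field> }.
    # Adding a secret = adding one entry here; nothing else in the playbook changes.
    vault_secrets_map:
      openstack_admin_project_passwd: { path: "services/openstack_admin_project", key: "passwd" }
      git_token: { path: "services/git", key: "token" }
      console_database_passwd: { path: "services/console_db", key: "passwd" }  # make sure this secret exists in Vault
      smtp_passwd: { path: "services/smtp_noreply", key: "passwd" }
      smtp_support_email_passwd: { path: "services/smtp_support", key: "passwd" }
      authentik_bear_token: { path: "services/authentik_bear", key: "token" }
      oidc_client_id: { path: "services/oidc_client", key: "id" }  # example, assuming the field is named 'id'
      oidc_client_secret: { path: "services/oidc_client", key: "secret" }
      flouci_public_token: { path: "services/flouci_public", key: "token" }
      flouci_private_token: { path: "services/flouci_private", key: "token" }
      konnect_api_key: { path: "services/konnect_api", key: "key" }
      stripe_api_key: { path: "services/stripe_api", key: "key" }
      stripe_test_api_key: { path: "services/stripe_test_api", key: "key" }
      stripe_front_api_key: { path: "services/stripe_front_api", key: "key" }
      stripe_front_test_api_key: { path: "services/stripe_front_test_api", key: "key" }
    # KV v2 mount; the lookup term is built as "<mount>/data/<path>:<key>".
    vault_kv_mount_point: "secret"

  tasks:
    - name: Vérifier l'accès/authentification à Vault
      vars:
        first_secret_info: "{{ vault_secrets_map.values() | first }}"
        test_lookup_string: "{{ vault_kv_mount_point }}/data/{{ first_secret_info.path }}:{{ first_secret_info.key }}"
      ansible.builtin.assert:
        # Any auth/connectivity problem makes the lookup raise before the assertion
        # runs, so the task fails either way; fail_msg is shown only when the lookup
        # itself returns an undefined result. `quiet` keeps the evaluated expression
        # (which would contain the secret) out of the output.
        that: lookup('community.hashi_vault.hashi_vault', test_lookup_string) is defined
        fail_msg: "Échec de la connexion/authentification à Vault ou le premier secret test est inaccessible. Vérifiez VAULT_ADDR et l'authentification (login/token)."
        quiet: true

    - name: Injecter chaque secret dans {{ target_group_vars_file }}
      vars:
        ctl_variable_name: "{{ item.key }}"
        vault_lookup_string: "{{ vault_kv_mount_point }}/data/{{ item.value.path }}:{{ item.value.key }}"
        secret_value: "{{ lookup('community.hashi_vault.hashi_vault', vault_lookup_string) }}"
      ansible.builtin.lineinfile:
        path: "{{ target_group_vars_file }}"
        # Replace an existing `<name>:` line in place (any indentation), else append.
        # regex_escape keeps a variable name with regex metacharacters from widening the match.
        regexp: '^\s*{{ ctl_variable_name | regex_escape }}:\s*.*?$'
        # Emit the value as a JSON string: JSON string escaping is valid YAML double-quote
        # syntax, so a secret containing a quote, a backslash, `#` or `: ` still yields a
        # parseable, exact value (the former '...' wrapping broke on any embedded quote).
        line: "{{ ctl_variable_name }}: {{ secret_value | string | to_json }}"
        backrefs: false
        state: present
        # The file now holds plaintext credentials: restrict it to the owner.
        mode: "0600"
      loop: "{{ vault_secrets_map | dict2items }}"
      # Skip empty/null values rather than writing an empty credential.
      when: secret_value is defined and secret_value not in [none, '']
      # Never log: the module args, loop item and diff all contain the secret.
      no_log: true
      loop_control:
        label: "{{ item.key }}"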