#!/usr/bin/env python3
import json
import subprocess
import sys

# This script copies secrets from Yandex Vault to Yandex Lockbox.
# From: https://yav.yandex-team.ru/secret/SECRET_ID/explore/versions
# To: Where yc profile is set up.
#
# Be sure that secret names do not contain the '_' symbol - it is not allowed in Kubernetes object names.

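SECRET_ID = "sec-01g4x0rp7g30d2p2tva4j78j25"  # yc-walle-prod-lockbox-secrets
SECRET_ID = "sec-01g609f79bh70ckpesc1z9jant"  # yc-walle-preprod-lockbox-secrets
SECRET_ID = "sec-01g8ek79t6k4c178cgchrsc0hj"  # yc-walle-testing-lockbox-secrets
# NOTE: the last assignment wins; comment out the environments you are not
# targeting (here and for the service account below) before unblocking main().
EXTERNAL_SECRETS_OPERATOR_SA_ID = "yc.wall-e.external-secrets-operator-sa"  # prod, preprod
EXTERNAL_SECRETS_OPERATOR_SA_ID = "yc.wall-e.external-secrets-operator-sa-testing"  # testing
EXTERNAL_SECRETS_OPERATOR_SA_ROLE = "lockbox.payloadViewer"


def run_checked(argv: list[str]) -> str:
    """Run *argv* without a shell and return its decoded stdout.

    The command is given as an argument list, so secret names and values are
    never interpreted by a shell: quotes, ``$``, backticks and ``;`` inside a
    vault value stay literal instead of breaking or rewriting the command.

    Raises:
        subprocess.CalledProcessError: if the command exits non-zero.
    """
    completed = subprocess.run(argv, check=True, stdout=subprocess.PIPE)
    return completed.stdout.decode()


def build_payload(secret_name: str, secret_value: str) -> str:
    """Return the ``--payload`` JSON document for a single Lockbox entry.

    Trailing whitespace is stripped from the value (as the original script
    did); ``json.dumps`` then encodes inner newlines as ``\\n`` and escapes
    quotes and backslashes, so a value containing ``"`` or ``\\`` no longer
    produces a malformed payload.
    """
    return json.dumps([{"key": secret_name, "textValue": secret_value.rstrip()}])


def validate_names(secret_names) -> None:
    """Reject secret names containing '_' (not allowed in Kubernetes object names).

    Checked before anything is created so a bad name cannot leave the target
    folder half-populated.

    Raises:
        ValueError: naming every offending secret.
    """
    bad = [name for name in secret_names if "_" in name]
    if bad:
        raise ValueError(f"secret names must not contain '_': {', '.join(bad)}")


def main() -> None:
    """Copy every key of the Yandex Vault secret into its own Lockbox secret."""
    print("Unblock me!")
    sys.exit(1)  # remove once SECRET_ID and the SA id above match the target environment

    version = json.loads(run_checked(["yav", "get", "version", SECRET_ID, "--json"]))
    secrets = version["value"]
    validate_names(secrets)

    for secret_name, secret_value in secrets.items():
        # NOTE(review): the payload is still passed on the yc command line, so the
        # secret value is visible in the process list while the call runs.
        print(run_checked([
            "yc", "lockbox", "secret", "create",
            "--name", secret_name,
            "--payload", build_payload(secret_name, secret_value),
        ]))
        print(run_checked([
            "yc", "lockbox", "secret", "add-access-binding",
            "--name", secret_name,
            "--service-account-id", EXTERNAL_SECRETS_OPERATOR_SA_ID,
            "--role", EXTERNAL_SECRETS_OPERATOR_SA_ROLE,
        ]))

    print(run_checked(["yc", "lockbox", "secret", "list"]))


if __name__ == "__main__":
    main()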
