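#!/bin/bash
#
# Attach the AWS Parameters and Secrets Lambda Extension layer and the
# requestspytz layer to a Lambda function, grant the function's execution
# role read access to Secrets Manager, and set SECRET_ARN in its environment.
#
# Usage:       SECRET_ARN=<arn> <script> <function-name> <arm64|x86_64>
# Environment: SECRET_ARN - passed to lambda_env.py as the function's secret.
# Requires:    aws CLI, jq, and lambda_env.py on PATH.

# Options are set here rather than on the shebang line so they still apply
# when the script is started as `bash <script>`.
set -euo pipefail

if (( $# < 2 )); then
  printf 'Usage: %s <function-name> <arm64|x86_64>\n' "${0##*/}" >&2
  exit 2
fi

# Fail before anything is modified: SECRET_ARN is only used in the last step,
# after the layer and IAM changes have already been applied.
: "${SECRET_ARN:?SECRET_ARN must be set}"

func="$1"
arch="$2"

# Returns 0 if $1 is exactly equal to one of the remaining arguments.
has_layer() {
  local wanted=$1 existing
  shift
  for existing in "$@"; do
    if [[ "$existing" == "$wanted" ]]; then
      return 0
    fi
  done
  return 1
}

# Get function metadata
metadata=$(aws lambda get-function --function-name "$func")
role=$(jq -r '.Configuration.Role' <<<"$metadata")
role_name=${role##*/}   # role name is the last path segment of the role ARN
runtime=$(jq -r '.Configuration.Runtime' <<<"$metadata")

# Layers currently attached, one ARN per line (empty if there are none).
current_layers_raw=$(jq -r '.Configuration.Layers // [] | .[].Arn' <<<"$metadata")
current_layers=()
while IFS= read -r layer_arn; do
  if [[ -n "$layer_arn" ]]; then
    current_layers+=("$layer_arn")
  fi
done <<<"$current_layers_raw"

# Add the AWS Parameters and Secrets Lambda Extension, and our requestspytz layer.
# NOTE(review): layer code runs inside the function with the execution role's
# permissions. The ARNs are pinned to a region, publisher account and version;
# confirm the account IDs are the publishers you expect before changing them.
case "$arch" in
  arm64)
    secrets_layer="arn:aws:lambda:ap-southeast-2:665172237481:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:11"
    ;;
  x86_64)
    secrets_layer="arn:aws:lambda:ap-southeast-2:665172237481:layer:AWS-Parameters-and-Secrets-Lambda-Extension:11"
    ;;
  *)
    echo >&2 "Unknown architecture: $arch"
    exit 1
    ;;
esac

case "$runtime" in
  python3.10|python3.11)
    requests_layer="arn:aws:lambda:ap-southeast-2:987740478065:layer:requestspytz:2"
    ;;
  python3.9|python3.7)
    requests_layer="arn:aws:lambda:ap-southeast-2:987740478065:layer:requestspytz:1"
    ;;
  *)
    echo >&2 "Unknown runtime: $runtime"
    exit 1
    ;;
esac

new_layers=( "$secrets_layer" "$requests_layer" )

# Append only layers that are not already attached. The comparison is an exact
# string match: a regex/substring test would treat "...:layer:requestspytz:1"
# as present whenever "...:layer:requestspytz:10" (or :11, ...) is attached.
# The ${arr[@]+...} form keeps an empty array from tripping `set -u` on
# older bash releases.
# NOTE(review): a different version of the same layer that is already attached
# is left in place and the pinned version is appended next to it — confirm
# whether the older version should be replaced instead.
updated_layers=( ${current_layers[@]+"${current_layers[@]}"} )
for new_layer in "${new_layers[@]}"; do
  if ! has_layer "$new_layer" ${current_layers[@]+"${current_layers[@]}"}; then
    updated_layers+=( "$new_layer" )
  fi
done

# Only call the API when something was actually added.
if (( ${#updated_layers[@]} != ${#current_layers[@]} )); then
  aws lambda update-function-configuration \
    --function-name "$func" \
    --layers "${updated_layers[@]}"
fi

# Grant Permissions
# NOTE(review): the Resource below is a wildcard covering every secret in this
# account/region whose name starts with "secret", not only the one named by
# SECRET_ARN. For least privilege, consider scoping it to the specific secret
# (confirm SECRET_ARN is a full ARN first). The inline policy is written to
# the function's execution role, so any other function sharing that role
# receives the same access.
policy='{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "arn:aws:secretsmanager:ap-southeast-2:987740478065:secret:secret*"
      ]
    }
  ]
}'
aws iam put-role-policy \
  --role-name "$role_name" \
  --policy-name SecretsManagerPolicy \
  --policy-document "$policy"

# Configure Environment Variables
lambda_env.py "$func" SECRET_ARN="$SECRET_ARN"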