scwrypts/zsh/lib/cloud/aws/rds.module.zsh

#####################################################################

DEPENDENCIES+=(
	docker
)

REQUIRED_ENV+=(
	AWS_ACCOUNT
	AWS_REGION
)

use cloud/aws/cli

#####################################################################

RDS__SELECT_DATABASE() {
	local DATABASES=$(_RDS__GET_AVAILABLE_DATABASES)
	[ ! $DATABASES ] && FAIL 1 'no databases available'

	local ID=$(\
		echo $DATABASES | jq -r '.instance + " @ " + .cluster' \
			| FZF 'select a database (instance@cluster)' \
	)
	[ ! $ID ] && ABORT

	local INSTANCE=$(echo $ID | sed 's/ @ .*$//')
	local CLUSTER=$(echo $ID  | sed 's/^.* @ //')

	echo $DATABASES | jq "select (.instance == \"$INSTANCE\" and .cluster == \"$CLUSTER\")"
}

_RDS__GET_AVAILABLE_DATABASES() {
	AWS rds describe-db-instances \
		| jq -r '.[] | .[] | {
			instance: .DBInstanceIdentifier,
			cluster:  .DBClusterIdentifier,
			type:     .Engine,
			host:     .Endpoint.Address,
			port:     .Endpoint.Port,
			user:     .MasterUsername,
			database: .DBName
		}'
}

RDS__GET_DATABASE_CREDENTIALS() {
	local PRINT_PASSWORD=0
	local ERRORS=0

	while [[ $# -gt 0 ]]
	do
		case $1 in
			--print-password ) PRINT_PASSWORD=1 ;;
			* )
				WARNING "unrecognized argument $1"
				ERRORS+=1
				;;
		esac
		shift 1
	done

	CHECK_ERRORS

	##########################################

	local DATABASE=$(RDS__SELECT_DATABASE)
	[ ! $DATABASE ] && ABORT

	DB_HOST="$(echo $DATABASE | jq -r '.host')"
	[ ! $DB_HOST ] && { ERROR 'unable to find host'; return 2; }

	DB_PORT="$(echo $DATABASE | jq -r '.port')"
	[ ! $DB_PORT ] && DB_PORT=5432
	[[ $DB_PORT =~ ^null$ ]] && DB_PORT=5432

	##########################################

	local AUTH_METHOD=$(\
		echo "iam\nsecretsmanager\nuser-input" \
			| FZF 'select an authentication method' \
	)
	[ ! $AUTH_METHOD ] && ABORT

	case $AUTH_METHOD in
		iam            ) _RDS_AUTH__iam ;;
		secretsmanager ) _RDS_AUTH__secretsmanager ;;
		user-input     ) _RDS_AUTH__userinput ;;
	esac

	[[ $PRINT_PASSWORD -eq 1 ]] && DEBUG "password : $DB_PASS"

	return 0
}

_RDS_AUTH__iam() {
	DB_PASS=$(\
		AWS rds generate-db-auth-token \
		--hostname $DB_HOST \
		--port $DB_PORT \
		--username $DB_USER \
	)
}

_RDS_AUTH__secretsmanager() {
	local CREDENTIALS=$(_RDS__GET_SECRETSMANAGER_CREDENTIALS)
	echo $CREDENTIALS | jq -e '.pass' >/dev/null 2>&1 \
		&& DB_PASS="$(echo $CREDENTIALS | jq -r '.pass')"
	
	echo $CREDENTIALS | jq -e '.password' >/dev/null 2>&1 \
		&& DB_PASS="$(echo $CREDENTIALS | jq -r '.password')"
	
	echo $CREDENTIALS | jq -e '.user' >/dev/null 2>&1 \
		&& DB_USER=$(echo $CREDENTIALS | jq -r '.user')
	
	echo $CREDENTIALS | jq -e '.username' >/dev/null 2>&1 \
		&& DB_USER=$(echo $CREDENTIALS | jq -r '.username')
	
	echo $CREDENTIALS | jq -e '.name' >/dev/null 2>&1 \
		&& DB_NAME=$(echo $CREDENTIALS | jq -r '.name')
	
	echo $CREDENTIALS | jq -e '.dbname' >/dev/null 2>&1 \
		&& DB_NAME=$(echo $CREDENTIALS | jq -r '.dbname')
}

_RDS__GET_SECRETSMANAGER_CREDENTIALS() {
	local ID=$(\
		AWS secretsmanager list-secrets \
			| jq -r '.[] | .[] | .Name' \
			| FZF 'select a secret' \
	)
	[ ! $ID ] && return 1

	AWS secretsmanager get-secret-value --secret-id "$ID" \
		| jq -r '.SecretString' | jq
}