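# AWS Credential Management for FiSH
#
# Usage (after filling in the TODOs below):
#   envAWS dev|stg|prod|ops    assume the role in that account via aws-mfa, then
#                              set the global $env to the detected environment
#   getAWSenv                  detect which account the current credentials
#                              belong to and set/erase the global $env
#   getSecretAWS <ssm-path>    print a decrypted SSM parameter to stdout
#
# TODO change your user
set AWS_IAM_USER ""
# TODO setup your aws-mfa credential keys in the credentials file
# TODO replace "PLACE_YOUR_ROLE_HERE" with the actual role you want to assume.

# AWS Account details
set DEV_ACCOUNT_ID ""
set STG_ACCOUNT_ID ""
set PROD_ACCOUNT_ID ""
set OPS_ACCOUNT_ID ""

# Update if different regions are used in your setup
set -gx AWS_REGION eu-west-1
set -gx AWS_DEFAULT_REGION eu-west-1

function envAWS --description 'switch to different aws account environments (-) with MFA'
    # Arguments: $argv[1] - environment name: dev, stg (or staging), prod, ops
    # Globals:   reads AWS_IAM_USER and the *_ACCOUNT_ID variables;
    #            $env is (re)set by getAWSenv on success
    # Returns:   0 when the role was assumed and the account identified,
    #            1 on bad/missing arguments, unfilled placeholders or aws-mfa failure
    if test (count $argv) -lt 1
        echo "Provide an AWS Environment: dev, staging, prod, ops"
        return 1
    end
    # An empty session name or account id only surfaces later as an opaque STS
    # error, so refuse to run while the placeholders at the top are unfilled.
    if test -z "$AWS_IAM_USER"
        echo "AWS_IAM_USER is empty; set it at the top of this file" >&2
        return 1
    end

    set -l account_id
    set -l duration
    set -l label
    switch $argv[1]
        case dev
            set account_id $DEV_ACCOUNT_ID
            set duration 43200
            set label dev
        case stg staging
            set account_id $STG_ACCOUNT_ID
            set duration 43200
            set label staging
        case prod
            # Production and ops sessions are deliberately short-lived (1h).
            set account_id $PROD_ACCOUNT_ID
            set duration 3600
            set label prod
        case ops
            set account_id $OPS_ACCOUNT_ID
            set duration 3600
            set label ops
        case '*'
            echo "Wrong / Invalid Environment provided"
            return 1
    end
    if test -z "$account_id"
        echo "Account id for '$label' is empty; fill in the *_ACCOUNT_ID variables" >&2
        return 1
    end

    echo "switching to /refreshing $label"
    # Do not call getAWSenv when aws-mfa failed: it would erase $env and print a
    # misleading "are you logged in" message instead of the real error.
    aws-mfa --assume-role arn:aws:iam::$account_id:role/PLACE_YOUR_ROLE_HERE \
        --duration $duration --role-session-name "$AWS_IAM_USER"
    or return 1
    getAWSenv
end

function getAWSenv --description 'verify and set environment'
    # Globals: sets the global $env to dev|stg|prod|ops, or erases it when the
    #          caller identity cannot be fetched or matches no known account
    # Returns: 0 when $env was set, 1 otherwise
    set -l aws_account_id (aws sts get-caller-identity | jq -r '.Account')
    # jq prints "null" for a missing field, so treat that like an empty answer.
    if test -z "$aws_account_id"; or test "$aws_account_id" = null
        echo "aws sts could not get identify. Are you logged in ?"
        set -ge env # clear env
        return 1
    end
    # Comparisons are quoted so an unfilled (empty) *_ACCOUNT_ID placeholder
    # does not turn into a "missing argument" error from test.
    if test "$aws_account_id" = "$DEV_ACCOUNT_ID"
        set -g env dev
    else if test "$aws_account_id" = "$STG_ACCOUNT_ID"
        set -g env stg
    else if test "$aws_account_id" = "$PROD_ACCOUNT_ID"
        set -g env prod
    else if test "$aws_account_id" = "$OPS_ACCOUNT_ID"
        set -g env ops
    else
        set -ge env
        return 1
    end
end

function getSecretAWS --description 'get & decrypt secrets from ssm parameter store via cli command if permissions are granted'
    # Arguments: $argv[1] - full SSM parameter path
    # Outputs:   the decrypted value on stdout (capture it with (getSecretAWS ...)
    #            rather than pasting it into a command line)
    # Returns:   0 on success, 1 on a missing argument or a failed aws call
    if test (count $argv) -lt 1
        echo "Provide a Path to the Secret"
        return 1
    end
    aws ssm get-parameter --name "$argv[1]" --with-decryption | jq .Parameter.Value -r
    # The pipeline's status is jq's, which is 0 even on empty input; check the
    # aws stage explicitly so a denied/missing parameter is reported as failure.
    set -l stages $pipestatus
    if test "$stages[1]" -ne 0
        return 1
    end
end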