#!/usr/bin/env bash

# This uses AWS IAM Roles Anywhere[1] to acquire the NonAWSInstance
# role for the whole server.  It does this by having configured the
# Teleport CA to be a "trust anchor," allowing the Teleport host
# certificate to be used for authentication; the NonAWSInstance role
# itself has a trust relationship which lists the CA as sufficient to
# authorize for the role.
#
# [1]: https://docs.aws.amazon.com/rolesanywhere/latest/userguide

set -eu

# Check if we have cached credentials; they're good for 60 minutes, so
# check within 55min.
cache="/etc/aws-credential-cache.json"
if [ -s "$cache" ] && [ "$(find "$cache" -mmin -55)" ]; then
    cat "$cache"
    exit 0
fi

# Extract the current host cert and key from the Teleport database.
# These are nominally static for the lifetime of the host, but there's
# little reason to not refresh them on every run, in case they get
# rotated.

teleport_json=$(
    sqlite3 /var/lib/teleport/proc/sqlite.db "select value from kv where key = '/ids/node/current'"
)

# $teleport_json is a secret (it has the host key) so extract it
# carefully (i.e. not using `echo $teleport_json"`")
jq -r .spec.tls_cert <<<"$teleport_json" | base64 -d >/var/lib/teleport/host.crt
jq -r .spec.key <<<"$teleport_json" | base64 -d >/var/lib/teleport/host.key

# Write the cache out
/srv/zulip-aws-tools/bin/aws_signing_helper credential-process \
    --certificate /var/lib/teleport/host.crt \
    --private-key /var/lib/teleport/host.key \
    "$@" >"$cache"

cat "$cache"
