require "resource_support/aws/aws_singular_resource_mixin"
require "resource_support/aws/aws_backend_base"
require "aws-sdk-iam"

class AwsIamRole < Inspec.resource(1)
  name "aws_iam_role"
  desc "Verifies settings for an IAM Role"
  example <<~EXAMPLE
    describe aws_iam_role('my-role') do
      it { should exist }
    end
  EXAMPLE
  supports platform: "aws"

  include AwsSingularResourceMixin
  attr_reader :description, :role_name

  def to_s
    "IAM Role #{role_name}"
  end

  private

  def validate_params(raw_params)
    validated_params = check_resource_param_names(
      raw_params: raw_params,
      allowed_params: [:role_name],
      allowed_scalar_name: :role_name,
      allowed_scalar_type: String
    )
    if validated_params.empty?
      raise ArgumentError, "You must provide a role_name to aws_iam_role."
    end

    validated_params
  end

  def fetch_from_api
    role_info = nil
    begin
      role_info = BackendFactory.create(inspec_runner).get_role(role_name: role_name)
    rescue Aws::IAM::Errors::NoSuchEntity
      @exists = false
      return
    end
    @exists = true
    @description = role_info.role.description
  end

  # Uses the SDK API to really talk to AWS
  class Backend
    class AwsClientApi < AwsBackendBase
      BackendFactory.set_default_backend(self)
      self.aws_client_class = Aws::IAM::Client
      def get_role(query)
        aws_service_client.get_role(query)
      end
    end
  end
end