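---
# Regenerate bucket access key - outputs new credentials to console
# Use with caution - invalidates existing credentials
#
# Inputs: bucket_name, storage_pool, project_name, bucket_role.
# Facts set: key_name, bucket_credentials (access-key / secret-key), bucket_data.
#
# Security notes:
#   - The new secret key is printed on purpose by the final debug task. That
#     output also reaches any log file or callback plugin configured for the
#     run, so treat those as holding a live credential.
#   - Every other task that handles the secret sets no_log, so the debug task
#     is the only place the value is shown.

- name: Validate required variables
  ansible.builtin.assert:
    that:
      # All four are templated into the incus commands below; check them up
      # front so nothing is deleted before a missing variable is noticed.
      - bucket_name is defined
      - storage_pool is defined
      - project_name is defined
      - bucket_role is defined
    fail_msg: "Required variables not defined; need bucket_name, storage_pool, project_name and bucket_role"

- name: Set key name
  ansible.builtin.set_fact:
    key_name: "{{ bucket_name }}-access"

# Best effort: the key may not exist yet, so a failing delete is tolerated.
# NOTE(review): this also hides other delete errors (for example a permission
# problem); presumably the create task below then fails on the leftover key.
- name: Delete existing bucket key
  ansible.builtin.command:
    # argv keeps each templated value as exactly one argument, so a value
    # containing whitespace cannot be split into extra arguments.
    argv:
      - incus
      - storage
      - bucket
      - key
      - delete
      - "{{ storage_pool }}"
      - "{{ bucket_name }}"
      - "{{ key_name }}"
      - "--project={{ project_name }}"
  register: key_deleted
  failed_when: false
  # Report a change only when a key was actually removed.
  changed_when: key_deleted.rc == 0

- name: Create new bucket access key
  ansible.builtin.command:
    argv:
      - incus
      - storage
      - bucket
      - key
      - create
      - "{{ storage_pool }}"
      - "{{ bucket_name }}"
      - "{{ key_name }}"
      - "--role={{ bucket_role }}"
      - "--project={{ project_name }}"
  register: key_created
  # stdout carries the secret key; keep the registered result out of verbose
  # output and logs. Remove temporarily if a create failure needs debugging.
  no_log: true

- name: Verify both credentials are present in the command output
  ansible.builtin.assert:
    that:
      - "key_created.stdout is search('Access key: .+')"
      - "key_created.stdout is search('Secret key: .+')"
    fail_msg: "Could not find 'Access key:' and 'Secret key:' in the key create output"
    # Keep the success message generic; it must not echo the output.
    quiet: true

- name: Parse new credentials from text output
  ansible.builtin.set_fact:
    bucket_credentials:
      # trim drops stray whitespace or a carriage return captured by (.+).
      access-key: "{{ key_created.stdout | regex_search('Access key: (.+)', '\\1') | first | trim }}"
      secret-key: "{{ key_created.stdout | regex_search('Secret key: (.+)', '\\1') | first | trim }}"
  # set_fact results are shown in verbose runs; hide the parsed secret.
  no_log: true

- name: Get bucket info for endpoint
  ansible.builtin.command:
    argv:
      - incus
      - storage
      - bucket
      - show
      - "{{ storage_pool }}"
      - "{{ bucket_name }}"
      - "--project={{ project_name }}"
  register: bucket_info
  # Read-only query; never counts as a change.
  changed_when: false

- name: Parse bucket info from YAML
  ansible.builtin.set_fact:
    bucket_data: "{{ bucket_info.stdout | from_yaml }}"

# Intentional disclosure: this is the one place the new secret is shown.
- name: Display new S3 bucket credentials
  ansible.builtin.debug:
    msg:
      - "============================================"
      - "S3 BUCKET KEY REGENERATED: {{ bucket_name }}"
      - "============================================"
      - "Endpoint: {{ bucket_data.s3_url }}"
      - "Bucket: {{ bucket_name }}"
      - "New Access Key: {{ bucket_credentials['access-key'] }}"
      - "New Secret Key: {{ bucket_credentials['secret-key'] }}"
      - "============================================"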