#!/bin/bash

# A script to create an AWS CloudHSM cluster using AWS CLI.

# --- Configuration ---
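# Deployment constants. `readonly` guards against accidental reassignment
# later in the script (every later step interpolates these into AWS calls).
readonly REGION="us-east-1"
readonly CLUSTER_NAME="MyCLICHSMCluster"
readonly HSM_TYPE="hsm1.medium" # Specify a valid HSM type
readonly SG_NAME="MyCLICHSMSG"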

# --- 1. Get Default VPC and Subnet ---
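echo "--- Getting Default VPC and Subnet ID ---"
# Look up the account's default VPC. Note that `--output text` prints the
# literal string "None" for a null JMESPath result (no default VPC), so an
# empty-string check alone would let "None" flow into the later calls.
VPC_ID=$(aws ec2 describe-vpcs \
  --filters "Name=is-default,Values=true" \
  --query "Vpcs[0].VpcId" \
  --region "$REGION" \
  --output text) || VPC_ID=""

if [[ -z "$VPC_ID" || "$VPC_ID" == "None" ]]; then
  echo "Error: Could not find a default VPC. Exiting." >&2
  exit 1
fi
echo "Default VPC ID: $VPC_ID"

# First default-for-AZ subnet in that VPC; same "None" caveat as above.
SUBNET_ID=$(aws ec2 describe-subnets \
  --filters "Name=vpc-id,Values=$VPC_ID" "Name=default-for-az,Values=true" \
  --query "Subnets[0].SubnetId" \
  --region "$REGION" \
  --output text) || SUBNET_ID=""

if [[ -z "$SUBNET_ID" || "$SUBNET_ID" == "None" ]]; then
  echo "Error: Could not find a default subnet. Exiting." >&2
  exit 1
fi
echo "Default Subnet ID: $SUBNET_ID"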

# --- 2. Create Security Group for CloudHSM ---
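printf '\n--- Creating Security Group: %s ---\n' "$SG_NAME"
SG_ID=$(aws ec2 create-security-group \
  --group-name "$SG_NAME" \
  --description "Security Group for CloudHSM cluster" \
  --vpc-id "$VPC_ID" \
  --region "$REGION" \
  --query 'GroupId' --output text) || SG_ID=""

# Without this check a failed create (e.g. the name already exists in the VPC)
# would leave SG_ID empty and the ingress call below would error confusingly.
if [[ -z "$SG_ID" || "$SG_ID" == "None" ]]; then
  echo "Error: Could not create security group '$SG_NAME'. Exiting." >&2
  exit 1
fi

# Authorize inbound traffic from itself (for cluster communication).
# The source is the group itself, so this rule admits no traffic from outside
# the group; nothing in this script opens the group to other CIDRs.
# NOTE(review): the create-cluster call later in this script passes no
# security group (the CLI takes subnet ids only), so this group is not
# attached to the cluster by this script — confirm it is actually needed.
if ! aws ec2 authorize-security-group-ingress \
  --group-id "$SG_ID" \
  --protocol -1 \
  --source-group "$SG_ID" \
  --region "$REGION"; then
  echo "Error: Could not authorize ingress on security group '$SG_ID'. Removing it and exiting." >&2
  # Best-effort cleanup so a half-configured group is not left behind.
  aws ec2 delete-security-group --group-id "$SG_ID" --region "$REGION"
  exit 1
fi

echo "Security Group '$SG_NAME' created with ID: $SG_ID"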

# --- 3. Create CloudHSM Cluster ---
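printf '\n--- Creating CloudHSM Cluster: %s ---\n' "$CLUSTER_NAME"
CLUSTER_ID=$(aws cloudhsmv2 create-cluster \
  --hsm-type "$HSM_TYPE" \
  --subnet-ids "$SUBNET_ID" \
  --tag-list "Key=Name,Value=$CLUSTER_NAME" \
  --region "$REGION" \
  --query 'Cluster.ClusterId' --output text) || CLUSTER_ID=""

# `--output text` prints "None" for a null result; without this guard the
# polling loop below would run forever against a cluster that was never made.
if [[ -z "$CLUSTER_ID" || "$CLUSTER_ID" == "None" ]]; then
  echo "Error: Could not create CloudHSM cluster. Exiting." >&2
  echo "Note: security group '$SG_ID' was created and is not removed on this path." >&2
  exit 1
fi

echo "CloudHSM Cluster created with ID: $CLUSTER_ID. Waiting for it to be in 'UNINITIALIZED' state..."
aws cloudhsmv2 wait cluster-exists \
  --cluster-id "$CLUSTER_ID" \
  --region "$REGION"

# CloudHSM doesn't have a 'cluster-uninitialized' waiter, so we poll.
while true; do
  STATUS=$(aws cloudhsmv2 describe-clusters \
    --filters "clusterIds=$CLUSTER_ID" \
    --region "$REGION" \
    --query 'Clusters[0].State' --output text) || STATUS=""
  case "$STATUS" in
    UNINITIALIZED)
      echo "CloudHSM Cluster is in 'UNINITIALIZED' state."
      break
      ;;
    DEGRADED|DELETE_IN_PROGRESS|DELETED)
      # The cluster will never reach UNINITIALIZED from these states;
      # bail out instead of polling indefinitely.
      echo "Error: Cluster '$CLUSTER_ID' entered state '$STATUS'. Exiting." >&2
      echo "Note: security group '$SG_ID' was created and is not removed on this path." >&2
      exit 1
      ;;
    *)
      echo "Cluster status: $STATUS, waiting..."
      sleep 30
      ;;
  esac
done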

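printf '\n--- CloudHSM Cluster Setup Complete! ---\n'
echo "Cluster ID: $CLUSTER_ID"
echo "Next steps: Initialize the cluster and create HSM users."

# Pause so the cluster can be inspected before teardown. `-r` stops read from
# treating backslashes in the (discarded) input as escapes.
read -r -p "Press Enter to delete the CloudHSM cluster and clean up resources..."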

# --- Clean Up ---
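printf '\n--- Cleaning up resources ---\n'

# Delete CloudHSM Cluster
echo "Deleting CloudHSM Cluster '$CLUSTER_ID'..."
if ! aws cloudhsmv2 delete-cluster \
  --cluster-id "$CLUSTER_ID" \
  --region "$REGION"; then
  echo "Error: delete-cluster failed for '$CLUSTER_ID'; cluster and security group '$SG_ID' were left in place." >&2
  exit 1
fi

echo "Waiting for CloudHSM cluster to be deleted..."
# CloudHSM doesn't have a 'cluster-deleted' waiter, so we poll. Once the
# cluster is gone describe-clusters may report state DELETED, return no match
# (which `--output text` prints as "None"), or fail (stderr suppressed, empty
# output) — each of these is treated as "deletion finished". The original
# empty-string test alone never matched "None" and would loop forever.
while true; do
  STATUS=$(aws cloudhsmv2 describe-clusters \
    --filters "clusterIds=$CLUSTER_ID" \
    --region "$REGION" \
    --query 'Clusters[0].State' --output text 2>/dev/null) || STATUS=""
  if [[ -z "$STATUS" || "$STATUS" == "None" || "$STATUS" == "DELETED" ]]; then
    echo "CloudHSM Cluster deleted."
    break
  fi
  echo "Cluster status: $STATUS, waiting..."
  sleep 30
done

# Delete Security Group
echo "Deleting Security Group '$SG_NAME'..."
if aws ec2 delete-security-group \
  --group-id "$SG_ID" \
  --region "$REGION"; then
  echo "Security Group deleted."
else
  echo "Error: Could not delete security group '$SG_ID'; remove it manually." >&2
  exit 1
fi

printf '\n--- CloudHSM cluster demonstration and cleanup complete ---\n'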
