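# @summary Consul client profile: agent, per-node ACL policy and token.
#
# Declares the `consul` agent class unless the node's `enc_role` fact equals
# `members_role`. On every node it then creates a per-node ACL policy and
# token through the Consul API and writes the token secret to a root-only file.
#
# Security notes for reviewers:
# - The node token secret is `fqdn_uuid("<fqdn>-<secret_id_salt>")`.
#   fqdn_uuid is deterministic, so the secret is only as unpredictable as the
#   salt. With the default empty salt it can be derived from the FQDN alone.
# - `consul_api_token` is a resource parameter of consul_policy/consul_token,
#   so it is part of each node's compiled catalog. By default it is the
#   initial management token. NOTE(review): consider a narrower ACL-write
#   token, or managing these resources from the Consul servers only.
# - NOTE(review): with `consul_protocol => 'http'` the API token and the new
#   secret_id presumably travel unencrypted; confirm and prefer 'https'.
#
# @param secret_id_salt
#   Appended to the FQDN before deriving the node token secret. Should be a
#   long random value kept in encrypted data.
# @param consul_hostname
#   Host passed to consul_policy/consul_token as `hostname`.
# @param consul_protocol
#   Protocol passed to consul_policy/consul_token as `protocol`.
# @param consul_port
#   Port passed to consul_policy/consul_token as `port`.
# @param consul_api_token
#   Token passed to consul_policy/consul_token as `acl_api_token`.
# @param members_lookup
#   When true, the retry_join list is built with query_nodes from hosts whose
#   enc_role is `members_role` in this node's region.
# @param members_role
#   enc_role of the Consul servers. Required when `members_lookup` is true.
# @param consul_servers
#   Static retry_join list, used when `members_lookup` is false.
# @param data_dir
#   Agent `data_dir`.
# @param node_rules
#   Rules for the per-node ACL policy.
# @param ports
#   Agent `ports` configuration.
class profiles::consul::client (
  String                $secret_id_salt   = '',
  Stdlib::Fqdn          $consul_hostname  = 'consul.service.consul',
  Enum['http','https']  $consul_protocol  = 'http',
  Stdlib::Port          $consul_port      = 8500,
  String                $consul_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
  Boolean               $members_lookup   = false,
  # Optional[] because a plain String parameter rejects the undef default
  # before the explicit check in the class body can report the problem.
  Optional[String]      $members_role     = undef,
  Array                 $consul_servers   = [],
  Stdlib::Absolutepath  $data_dir         = '/opt/consul',
  Array[Hash]           $node_rules       = [],
  Hash                  $ports            = {},
) {
  if $secret_id_salt == '' {
    warning("secret_id_salt is empty for ${title}: node token secrets are derivable from the FQDN")
  }

  # Computed once so the agent default token, the consul_token secret and the
  # root token file cannot drift apart.
  $node_secret_id = fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")

  if $facts['enc_role'] != $members_role {
    # set a datacentre/cluster name
    $consul_cluster = "${facts['country']}-${facts['region']}"

    # if lookup is enabled, find all the hosts in the specified role and
    # create the servers_array
    if $members_lookup {
      # check that the role is also set
      if $members_role == undef {
        fail("members_role must be provided for ${title} when members_lookup is True")
      }

      # find hosts, sorted so the list does not cause changes every run
      $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
    } else {
      # use provided array from params
      $servers_array = $consul_servers
    }

    # deploy the consul agent
    class { 'consul':
      config_hash => {
        'data_dir'             => $data_dir,
        'datacenter'           => $consul_cluster,
        'log_level'            => 'INFO',
        'node_name'            => $facts['networking']['fqdn'],
        'retry_join'           => $servers_array,
        'bind_addr'            => $facts['networking']['ip'],
        'advertise_addr'       => $facts['networking']['ip'],
        # NOTE(review): enable_script_checks also accepts script checks
        # registered over the HTTP API. Consul's documentation recommends
        # enable_local_script_checks unless API-registered script checks are
        # needed. Left unchanged so existing checks keep working.
        'enable_script_checks' => true,
        'ports'                => $ports,
        'acl'                  => {
          tokens => {
            # Not wrapped in Sensitive here, unlike the root token file below.
            default => $node_secret_id,
          },
        },
      },
    }
  }

  # Create ACL policy that allows nodes to update themselves and read others
  consul_policy { $facts['networking']['hostname']:
    description   => "${facts['networking']['fqdn']} puppet-generated-policy",
    rules         => $node_rules,
    acl_api_token => $consul_api_token,
    hostname      => $consul_hostname,
    protocol      => $consul_protocol,
    port          => $consul_port,
  }

  consul_token { $facts['networking']['hostname']:
    accessor_id      => fqdn_uuid($facts['networking']['fqdn']),
    description      => "${facts['networking']['fqdn']} puppet-generated-token",
    policies_by_name => [$facts['networking']['hostname']],
    acl_api_token    => $consul_api_token,
    secret_id        => $node_secret_id,
    hostname         => $consul_hostname,
    protocol         => $consul_protocol,
    port             => $consul_port,
  }

  # ensure the consul token is saved for the root user
  file { '/root/.config/consul_node_token':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => Sensitive($node_secret_id),
    require => File['/root/.config'],
  }

  # cleanup /usr/local/bin/consul which was created by url install method
  if $facts['os']['family'] == 'RedHat' {
    file { '/usr/local/bin/consul':
      ensure => absent,
    }
  }
}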