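# profiles::consul::client
#
# @summary Registers a per-node Consul ACL policy and token, and stores the
#   token secret in a root-only file.
#
# The policy and token are both named after the node's short hostname. The
# token's accessor ID and secret ID are not random: both are computed with
# fqdn_uuid(), so they are reproducible from their inputs. The accessor ID is
# derived from the FQDN alone; the secret ID from "<fqdn>-<secret_id_salt>".
#
# NOTE(review): with the default empty salt, the secret ID can be recomputed by
# anyone who knows the node's FQDN. Set secret_id_salt to a high-entropy value
# kept in encrypted Hiera data. Changing the salt changes every derived secret,
# so plan it as a token rotation.
#
# NOTE(review): consul_api_token defaults to a Hiera key whose name suggests it
# is the cluster's initial management token. It is passed as a plain String to
# both consul_* resources, so it presumably appears in each client node's
# catalog, and with the default 'http' protocol the API calls carrying it are
# not encrypted. Consider a token limited to ACL management and 'https'.
# TODO confirm against the consul module's providers.
#
# @param secret_id_salt
#   Secret string mixed into the derivation of the token's secret ID.
# @param consul_hostname
#   Host of the Consul API used to manage the policy and token.
# @param consul_protocol
#   Scheme used to reach the Consul API.
# @param consul_port
#   Port of the Consul API.
# @param consul_api_token
#   ACL token the consul_policy and consul_token resources authenticate with.
class profiles::consul::client (
  String               $secret_id_salt   = '',
  Stdlib::Fqdn         $consul_hostname  = 'consul.service.consul',
  Enum['http','https'] $consul_protocol  = 'http',
  Stdlib::Port         $consul_port      = 8500,
  String               $consul_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
) {
  $node_name = $facts['networking']['hostname']
  $node_fqdn = $facts['networking']['fqdn']

  # Derive the secret once so the token registered in Consul and the copy
  # written to disk cannot drift apart. It is held as Sensitive so it is
  # redacted wherever this variable is logged or interpolated.
  $node_secret = Sensitive(fqdn_uuid("${node_fqdn}-${secret_id_salt}"))

  # An empty salt is still accepted for backward compatibility, but it leaves
  # the secret derivable from public information, so make that visible in the
  # compile log. The message carries no secret material.
  if $secret_id_salt == '' {
    warning("profiles::consul::client: secret_id_salt is empty; the Consul token secret for ${node_fqdn} is derived from the FQDN alone")
  }

  # Create ACL policy that allows nodes to update themselves and read others
  consul_policy { $node_name:
    description   => "${node_fqdn} puppet-generated-policy",
    rules         => [
      {
        'resource'    => 'node',
        'segment'     => $node_name,
        'disposition' => 'write',
      },
      {
        # An empty segment is what grants read on the other nodes.
        'resource'    => 'node',
        'segment'     => '',
        'disposition' => 'read',
      },
    ],
    acl_api_token => $consul_api_token,
    hostname      => $consul_hostname,
    protocol      => $consul_protocol,
    port          => $consul_port,
  }

  # Token bound to the policy above by name.
  # NOTE(review): secret_id is unwrapped to keep the value passed to the type
  # unchanged; check whether consul_token accepts a Sensitive value here so the
  # secret is also redacted in reports.
  consul_token { $node_name:
    accessor_id      => fqdn_uuid($node_fqdn),
    description      => "${node_fqdn} puppet-generated-token",
    policies_by_name => [$node_name],
    acl_api_token    => $consul_api_token,
    secret_id        => $node_secret.unwrap,
    hostname         => $consul_hostname,
    protocol         => $consul_protocol,
    port             => $consul_port,
  }

  # ensure the consul token is saved for the root user
  # File['/root/.config'] is not declared in this class and must exist in the
  # catalog.
  file { '/root/.config/consul_node_token':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => $node_secret,
    require => File['/root/.config'],
  }
}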