#!/usr/bin/env bash

set -efo pipefail

dir="$(dirname "${BASH_SOURCE[0]}")"

container_image=
container_engine=podman

container_run_opts=(
	--read-only
)

container_mount_opts=(
	-v "$(realpath "$dir"):/cert"
)

use_kms=0

while [ $# -gt 0 ]; do
	case "$1" in
		--container-engine)
			container_engine="$2"
			if [ "$container_engine" = "docker" ]; then
				container_run_opts=()
			fi
			shift 2
			;;
		--container-run-opts)
			declare -a "container_run_opts=($2)"
			shift 2
			;;
		--kms)
			use_kms=1
			shift
			;;
		*)
			break
			;;
	esac
done

make_opts=()

if [ "$use_kms" = 1 ]; then
	make_opts+=(USE_KMS=1)
	for e in AWS_DEFAULT_REGION AWS_REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
		if [ -n "${!e-}" ]; then
			make_opts+=("$e=${!e}")
		fi
	done
fi

if [ -z "$container_image" ]; then
	image_file="$(mktemp)"
	"$container_engine" build --iidfile "$image_file" -f "$dir/Containerfile" "$dir"
	container_image="$(cat "$image_file")"
	rm "$image_file"
fi

"$container_engine" run --rm "${container_run_opts[@]}" "${container_mount_opts[@]}" "$container_image" make --no-print-directory -C /cert "${make_opts[@]}" "$@"
