#!/bin/bash

function plugin_help () {
    echo "
###############################################
### azvm-deploy.sh plugin 'secured' v2505.1 ###

This plugin makes your VM compliant by:
  1. Use TLS-compliant OS img.
  2. Disable vnet outbound default access. (You need azcli older than 2.73.0)
  3. Install Azure Monitor.

Extra Optional Args:
  secured_version (default = 2505)
"
}

# Thanks ChatGPT
function vnet_args_parse_helper() {
    local subnet_name=default
    local subnet_prefixes=(10.0.0.0/24)
    local collecting_prefixes=0
    vnet_args_parse_remaining=()

    while [[ $# -gt 0 ]]; do
        case "$1" in
            --subnet-name)
                shift
                subnet_name="$1"
                ;;
            --subnet-prefixes)
                collecting_prefixes=1
                subnet_prefixes=()
                ;;
            -*)
                collecting_prefixes=0
                vnet_args_parse_remaining+=("$1")
                ;;
            *)
                if (( collecting_prefixes )); then
                    subnet_prefixes+=("$1")
                else
                    vnet_args_parse_remaining+=("$1")
                fi
                ;;
        esac
        shift
    done

    local subnet_prefix_json="$(printf "'%s'," "${subnet_prefixes[@]}" | sed 's/,$//')"
    echo "[{name:$subnet_name,default-outbound-access:false,address-prefixes:[$subnet_prefix_json]}]"
}

function plugin_before_vnet_creat () {
    var_default_val secured_version 2505

    if [ "$secured_version" -ge 2504 ]; then
        # Block default-outbound-access.
        # We have to parse vnet args, remove subnet config, and compose a json one.
        vnet_args_parse_helper "${vnet_create_xtra_arg[@]}" > /tmp/.azvm-tmp-subnets-json || exit 1
        local subnets_json="$(cat /tmp/.azvm-tmp-subnets-json)"
        vnet_create_xtra_arg=("${vnet_args_parse_remaining[@]}")
        vnet_create_xtra_arg+=(--subnets "$subnets_json")
        explicit_vnet_create=1
    fi
}

function plugin_before_vm_creat () {
    if [ "$secured_version" -ge 2405 ]; then
        # The following image are considered TLS-compliant: ["2022-datacenter-azure-edition","2022-datacenter","2022-datacenter-core","2022-datacenter-azure-edition-core","2022-datacenter-core-g2","2022-datacenter-g2","pro-22_04","pro-22_04-gen2","24_04","24_04-gen2","22_04-lts-arm64","azure-linux-3","azure-linux-arm64","azure-linux-gen2","1-gen2","cbl-mariner-1","cbl-mariner-2","cbl-mariner-2-arm64","cbl-mariner-2-fips","cbl-mariner-2-gen2","cbl-mariner-2-gen2-fips","cbl-mariner-2-kata","79-gen2"]
        # az vm image list --publisher Canonical --output table --all | grep 0001-com-ubuntu-pro-microsoft | grep 22_04-gen2
        if [[ "$vmsize" = Standard_D*v3 ]] || [[ "$vmsize" = Standard_E*v3 ]]; then
            # Adjust this filter for other gen1-only VM sku.
            vmimg=Canonical:0001-com-ubuntu-pro-microsoft:pro-22_04:22.04.202405240
        else
            vmimg=Canonical:0001-com-ubuntu-pro-microsoft:pro-22_04-gen2:22.04.202405240
        fi
        echo_info "++ plugin secured set vmimg = $vmimg"
    fi
}

function plugin_after_each_vm_creat () {
    if [ "$secured_version" -ge 2505 ]; then
        debugexec az vm extension set -n AzureMonitorLinuxAgent  --publisher Microsoft.Azure.Monitor             --version 1.0 --vm-name "$vmname$cter" --resource-group "$resgrp" --enable-auto-upgrade true --settings '{"GCS_AUTO_CONFIG":true}'
        debugexec az vm extension set -n AzureSecurityLinuxAgent --publisher Microsoft.Azure.Security.Monitoring --version 2.0 --vm-name "$vmname$cter" --resource-group "$resgrp" --enable-auto-upgrade true --settings '{"enableGenevaUpload":true,"enableAutoConfig":true}'
    fi
}



