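// GCP container helpers for the OpenTofu Dagger module.
package main

import (
	"dagger/iac/internal/dagger"
)

// baseContainer constructs the base Container holding the IaC tooling, the
// source code and, optionally, the GCP credentials.
//
// Parameters:
//   - source: directory copied into /workspace.
//   - gcpCreds: optional secret mounted at /gcp-creds.json and advertised via
//     GOOGLE_APPLICATION_CREDENTIALS; skipped when nil.
//   - projectID: optional value exported as GCP_PROJECT; skipped when empty.
//   - baseImage: image reference to start from; defaults to "alpine:3" when
//     empty.
//
// Returns the configured container with /workspace as its working directory.
func (m *Iac) baseContainer(
	source *dagger.Directory,
	gcpCreds *dagger.Secret,
	projectID string,
	baseImage string,
) *dagger.Container {
	// 1. Start from an alpine:3 base image (or a user-customized alpine).
	// NOTE(review): "alpine:3" is a floating tag; pinning the default by digest
	// would make the tool image reproducible.
	if baseImage == "" {
		baseImage = "alpine:3"
	}
	container := dag.Container().From(baseImage)

	// 2. Add the required packages: git, curl and bash are needed for module
	// installations, ca-certificates for TLS verification, libc6-compat for
	// glibc compatibility.
	container = container.WithExec([]string{
		"apk", "add", "--no-cache",
		"git", "curl", "ca-certificates", "bash", "libc6-compat",
	})

	// Set BINSTALLER_BIN so that the install scripts place binaries in
	// /usr/local/bin.
	container = container.WithEnvVariable("BINSTALLER_BIN", "/usr/local/bin")

	// 3-5. Install OpenTofu, tflint and validator with their install scripts.
	//
	// NOTE(review): each script is fetched from a mutable URL and executed as
	// downloaded; nothing here pins a revision or verifies a checksum or
	// signature, so whoever controls that site (or the releases the scripts
	// fetch) controls what runs in this image. Prefer a URL pinned to a
	// reviewed commit plus a `sha256sum -c` check against a vetted digest
	// (<EXPECTED_SHA256>) before executing.
	//
	// Hardening that is applied here:
	//   - curl -f: an HTTP error aborts instead of feeding an error page to bash.
	//   - pipefail: a failed or interrupted download fails the step instead of
	//     being masked by the exit status of the trailing `bash`.
	//   - --proto/--proto-redir/--tlsv1.2: HTTPS only, including across redirects.
	installScripts := []string{
		"https://jswank.github.io/install/tofu-install.sh",
		"https://jswank.github.io/install/tflint-install.sh",
		"https://jswank.github.io/install/validator-install.sh",
	}
	for _, scriptURL := range installScripts {
		container = container.WithExec([]string{
			"bash", "-c",
			"set -o pipefail; curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL " + scriptURL + " | bash",
		})
	}

	// 6. Set the working directory to /workspace and copy the IaC files.
	container = container.
		WithWorkdir("/workspace").
		WithDirectory("/workspace", source)

	// Mount credentials and set the standard GOOGLE_APPLICATION_CREDENTIALS
	// environment variable. The mount is added after the install steps above,
	// so the downloaded scripts run without the credentials mounted; keep that
	// ordering when adding further steps.
	if gcpCreds != nil {
		credsPath := "/gcp-creds.json"
		container = container.
			WithMountedSecret(credsPath, gcpCreds).
			WithEnvVariable("GOOGLE_APPLICATION_CREDENTIALS", credsPath)
	}

	if projectID != "" {
		container = container.WithEnvVariable("GCP_PROJECT", projectID)
	}

	return container
}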