- name: Prepare random number
  ansible.builtin.set_fact:
    rpfx: "{{ resource_group | hash('md5') | truncate(7, True, '') }}{{ 1000 | random }}"
    tenant_id: "{{ azure_tenant }}"
  run_once: true

- name: Lookup service principal object id
  ansible.builtin.set_fact:
    object_id: "{{ lookup('azure_service_principal_attribute',
                   azure_client_id=azure_client_id,
                   azure_secret=azure_secret,
                   azure_tenant=tenant_id) }}"
  register: object_id_facts

- name: Create instance of Key Vault
  azure_rm_keyvault:
    resource_group: "{{ resource_group }}"
    vault_name: "vault{{ rpfx }}"
    enabled_for_deployment: true
    vault_tenant: "{{ tenant_id }}"
    sku:
      name: standard
      family: A
    access_policies:
      - tenant_id: "{{ tenant_id }}"
        object_id: "{{ object_id }}"
        keys:
          - get
          - list
          - update
          - create
          - import
          - delete
          - recover
          - backup
          - restore
        secrets:
          - get
          - list
          - set
          - delete
          - recover
          - backup
          - restore
  register: output

- name: Create a kevyault secret
  block:
    - name: Create a kevyault secret
      azure_rm_keyvaultsecret:
        keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
        secret_name: testsecret
        secret_value: 'mysecret'
        content_type: 'Content Type Secret'
        secret_valid_from: 2000-01-02T010203Z
        secret_expiry: 2030-03-04T040506Z
        tags:
          testing: test
          delete: on-exit
      register: output
    - name: Assert the keyvault secret created
      ansible.builtin.assert:
        that: output.changed
  rescue:
    - name: Delete the keyvault secret
      azure_rm_keyvaultsecret:
        keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
        state: absent
        secret_name: testsecret

- name: Get secret current version
  azure_rm_keyvaultsecret_info:
    vault_uri: https://vault{{ rpfx }}.vault.azure.net
    name: testsecret
  register: facts

- name: Assert secret facts
  ansible.builtin.assert:
    that:
      - facts['secrets'] | length == 1
      - facts['secrets'][0]['sid']
      - facts['secrets'][0]['secret']
      - facts['secrets'][0]['tags']
      - facts['secrets'][0]['version']
      - facts['secrets'][0]['attributes']['expires']
      - facts['secrets'][0]['attributes']['not_before']
      - facts['secrets'][0]['content_type'] == 'Content Type Secret'
      - facts['secrets'][0]['attributes']['expires'] == "2030-03-04T04:05:06+00:00"
      - facts['secrets'][0]['attributes']['not_before'] == "2000-01-02T01:02:03+00:00"

- name: Delete a kevyault secret
  azure_rm_keyvaultsecret:
    keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
    state: absent
    secret_name: testsecret
  register: output

- name: Assert the keyvault secret deleted
  ansible.builtin.assert:
    that: output.changed