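#!/bin/bash
#
# Fix App Engine deployments that fail against Artifact Registry.
#
# The problem: App Engine tries to reach us.gcr.io, which now points at
# Artifact Registry, but the permissions are not correctly configured on ALL
# of the repositories involved.
#
# What this script changes:
#   1. Enables the legacy Container Registry API.
#   2. For each candidate repository that exists in the "us" location, grants
#      artifactregistry.reader + writer to the Cloud Build service account and
#      artifactregistry.reader to the App Engine service account.
#   3. Grants roles/storage.objectAdmin to the Cloud Build service account at
#      PROJECT level.
#   4. Grants roles/cloudbuild.builds.builder to the Cloud Build service
#      account at PROJECT level.
#
# Every step widens IAM access, so run it with an identity whose use is
# audited and review the resulting policy afterwards.
set -euo pipefail

PROJECT_ID="krow-workforce-dev"
PROJECT_NUMBER="933560802882"
# NOTE(review): REGION is never read below; the repository commands use the
# "us" multi-region location instead.
# shellcheck disable=SC2034
REGION="us-central1"

# NOTE(review): this is the legacy Cloud Build service account address. If
# builds in this project run as a different service account, the bindings
# below do not apply to it. Confirm against the project's Cloud Build settings.
CLOUD_BUILD_SA="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
APP_ENGINE_SA="serviceAccount:${PROJECT_ID}@appspot.gserviceaccount.com"

#######################################
# Adds one IAM binding on an Artifact Registry repository.
# Globals:   PROJECT_ID (read)
# Arguments: $1 - repository name
#            $2 - IAM member (e.g. serviceAccount:...)
#            $3 - role to grant
# Outputs:   gcloud output; a failure line on stderr if the binding fails
# Returns:   0 if the binding was applied, 1 otherwise
#######################################
grant_repo_role() {
  local repo=$1
  local member=$2
  local role=$3

  # stderr is deliberately not discarded: a denied or malformed binding must
  # be visible to the operator instead of being reported as a success.
  if gcloud artifacts repositories add-iam-policy-binding "${repo}" \
    --location=us \
    --member="${member}" \
    --role="${role}" \
    --project="${PROJECT_ID}" --quiet; then
    return 0
  fi

  echo " ✗ Échec: ${role} pour ${member}" >&2
  return 1
}

echo "============================================"
echo "Fix App Engine + Artifact Registry Issue"
echo "============================================"
echo ""

echo "1. Activation de l'API Container Registry (legacy GCR)..."
gcloud services enable containerregistry.googleapis.com --project="${PROJECT_ID}"

echo ""
echo "2. Configuration des permissions sur TOUS les repositories Artifact Registry..."

# List of every repository that may be involved.
REPOS=("gcr.io" "app-engine-tmp" "gae-standard")

# Repository bindings stay best-effort (one failure does not abort the run),
# but failures are counted and reported instead of being silently ignored.
failed_bindings=0

for REPO in "${REPOS[@]}"; do
  echo ""
  echo " → Repository: ${REPO}"

  # Check whether the repository exists.
  # NOTE(review): any describe failure (missing repository, expired
  # credentials, missing artifactregistry.repositories.get) lands in the
  # "does not exist" branch, because the output is discarded.
  if gcloud artifacts repositories describe "${REPO}" --location=us --project="${PROJECT_ID}" &>/dev/null; then
    echo " ✓ Repository existe"
    repo_failures=0

    # Grant the Cloud Build service account read and write access.
    grant_repo_role "${REPO}" "${CLOUD_BUILD_SA}" "roles/artifactregistry.reader" \
      || repo_failures=$((repo_failures + 1))
    grant_repo_role "${REPO}" "${CLOUD_BUILD_SA}" "roles/artifactregistry.writer" \
      || repo_failures=$((repo_failures + 1))

    # Grant the App Engine service account read access.
    grant_repo_role "${REPO}" "${APP_ENGINE_SA}" "roles/artifactregistry.reader" \
      || repo_failures=$((repo_failures + 1))

    if ((repo_failures == 0)); then
      echo " ✓ Permissions configurées"
    else
      echo " ⚠ ${repo_failures} permission(s) non appliquée(s)" >&2
      failed_bindings=$((failed_bindings + repo_failures))
    fi
  else
    echo " ⚠ Repository n'existe pas (normal)"
  fi
done

echo ""
echo "3. Permissions Storage (pour les artefacts de build)..."
# Least-privilege caveat: this binding is on the PROJECT, so objectAdmin
# applies to objects in every bucket of the project, not only the build
# artifact buckets. --condition=None makes the binding unconditional.
# NOTE(review): consider a bucket-level binding on the buckets Cloud Build
# actually uses; which buckets those are is not visible from this script.
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member="${CLOUD_BUILD_SA}" \
  --role="roles/storage.objectAdmin" \
  --condition=None --quiet

echo ""
echo "4. Permissions Cloud Build spécifiques..."
# Project-level and unconditional as well (--condition=None).
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member="${CLOUD_BUILD_SA}" \
  --role="roles/cloudbuild.builds.builder" \
  --condition=None --quiet

echo ""
echo "============================================"
echo "✅ Configuration terminée!"
echo "============================================"
if ((failed_bindings > 0)); then
  # The exit status stays 0, matching the original best-effort behaviour;
  # the warning makes the partial result explicit.
  echo "⚠ ${failed_bindings} permission(s) Artifact Registry non appliquée(s) - voir les erreurs ci-dessus" >&2
fi
echo ""
echo "⏱ IMPORTANT: Attends 2-3 minutes pour la propagation des permissions IAM"
echo ""
echo "Puis lance:"
echo " cd firebase/internal-launchpad"
echo " gcloud app deploy app.yaml --project=${PROJECT_ID} --no-cache"
echo ""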