#!/usr/bin/env bash
# deploy-role.sh — Download and deploy the plainfra-ReadOnly role into a
# customer AWS account. Hosted on S3 alongside customer-role.yaml and
# invoked by the "Option A: CloudShell" path in signup.html.
#
# Usage:
#   curl -sL https://triont-plainfra-onboarding.s3.ap-southeast-2.amazonaws.com/deploy-role.sh | bash -s <ExternalId>

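set -euo pipefail

# $1 is the ExternalId passed through to the stack as a parameter.
# The script aborts with a usage message when it is missing or empty.
EXTERNAL_ID="${1:?Usage: bash deploy-role.sh <ExternalId>}"
readonly PLAINFRA_ACCOUNT="921514166437"
readonly BUCKET="https://triont-plainfra-onboarding.s3.ap-southeast-2.amazonaws.com"
readonly TEMPLATE="customer-role.yaml"
readonly STACK_NAME="plainfra-ReadOnly"

# Download into a private temporary directory instead of the caller's working
# directory: this avoids overwriting an existing customer-role.yaml and avoids
# deploying a stale or planted file of the same name if the download fails.
WORK_DIR="$(mktemp -d)"
readonly WORK_DIR
readonly TEMPLATE_PATH="${WORK_DIR}/${TEMPLATE}"

cleanup() {
  rm -rf -- "${WORK_DIR:?}"
}
trap cleanup EXIT

echo "Downloading ${TEMPLATE}..."
# --fail: without it an HTTP 403/404 from S3 exits 0 and the XML error body is
#         saved as the "template".
# --proto '=https': refuse any non-HTTPS transfer, since the template creates
#         IAM resources in the customer account.
if ! curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
  --output "${TEMPLATE_PATH}" "${BUCKET}/${TEMPLATE}"; then
  echo "Error: could not download ${TEMPLATE} from ${BUCKET}" >&2
  exit 1
fi

if [[ ! -s "${TEMPLATE_PATH}" ]]; then
  echo "Error: downloaded ${TEMPLATE} is empty" >&2
  exit 1
fi

# NOTE(review): the template is deployed with CAPABILITY_NAMED_IAM and its
# integrity rests only on TLS and on write access to the bucket. If a digest is
# published out of band, compare it here before deploying, e.g.
#   sha256sum "${TEMPLATE_PATH}"   # expect <PUBLISHED_SHA256_PLACEHOLDER>

echo "Deploying ${STACK_NAME} stack..."
aws cloudformation deploy \
  --template-file "${TEMPLATE_PATH}" \
  --stack-name "${STACK_NAME}" \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides \
      "ExternalId=${EXTERNAL_ID}" \
      "PlainfraAccountId=${PLAINFRA_ACCOUNT}"

echo "Done — plainfra-ReadOnly role deployed. Return to the plainfra signup page and click Check Connection."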
