# Pester unit tests for New-ServerlessServiceAccountIamPolicy.
# Every AWS-facing command the function is expected to call is mocked below, so
# these tests exercise parameter validation and call wiring only.
. $PSScriptRoot\..\..\Load-PesterModules.ps1

# Locate the script under test: same directory, same file name minus '.tests.'.
$here = Split-Path -Parent $MyInvocation.MyCommand.Path
$testFileName = Split-Path -Leaf $MyInvocation.MyCommand.Path
$sut = $testFileName -replace '\.tests\.', '.'

# Published through the global scope because the InModuleScope script block
# below reads it as $global:functionPath.
$global:functionPath = Join-Path -Path $here -ChildPath $sut

InModuleScope -ModuleName Alkami.DevOps.SystemEngineering -ScriptBlock {

    Write-Host "InModuleScope - Overriding SUT: $global:functionPath"
    Import-Module $global:functionPath -Force

    $inScopeModule = "Alkami.DevOps.SystemEngineering"

    Describe "New-ServerlessServiceAccountIamPolicy" {

        # Canned region list; 'us-east-1' is the only region the mock returns.
        Mock -CommandName Get-AWSRegion -ModuleName $inScopeModule -MockWith {
            return @( @{ 'Region' = 'us-east-1' } )
        }

        # No-op replacements: module import and the IAM write itself.
        Mock -CommandName Import-AWSModule -ModuleName $inScopeModule -MockWith {}
        Mock -CommandName Write-IAMRolePolicy -ModuleName $inScopeModule -MockWith {}

        # The policy generator is replaced by a fixed marker string.
        Mock -CommandName Get-ServerlessServiceAccountIamPolicyString -ModuleName $inScopeModule -MockWith {
            return 'testInlinePolicy'
        }

        # NOTE(review): each case below asserts only that the call throws. None
        # asserts that Write-IAMRolePolicy stayed uncalled for the rejected
        # input; an Assert-MockCalled with -Times 0 would pin that down, if the
        # function is meant to fail before any IAM write - confirm against it.
        # NOTE(review): no case passes a RoleArn that is non-empty but not
        # ARN-shaped; whether the function rejects one is not visible here.
        Context "Parameter Validation" {

            It "Throws if RoleArn Is Null" {
                { New-ServerlessServiceAccountIamPolicy -RoleArn $null } | Should -Throw
            }

            It "Throws if RoleArn Is Empty" {
                { New-ServerlessServiceAccountIamPolicy -RoleArn '' } | Should -Throw
            }

            It "Throws if ProfileName Is Null" {
                { New-ServerlessServiceAccountIamPolicy -RoleArn 'TestRole' -ProfileName $null } | Should -Throw
            }

            It "Throws if ProfileName Is Empty" {
                { New-ServerlessServiceAccountIamPolicy -RoleArn 'TestRole' -ProfileName '' } | Should -Throw
            }

            It "Throws if Region Is Not In Allowable List" {
                $badRegionArgs = @{
                    RoleArn     = 'TestRole'
                    ProfileName = 'TestProfile'
                    Region      = 'Test'
                }

                { New-ServerlessServiceAccountIamPolicy @badRegionArgs } | Should -Throw
            }

            It "Throws if SecretArns Is Null" {
                $nullSecretArgs = @{
                    RoleArn     = 'TestRole'
                    ProfileName = 'TestProfile'
                    Region      = 'us-east-1'
                    SecretArns  = $null
                }

                { New-ServerlessServiceAccountIamPolicy @nullSecretArgs } | Should -Throw
            }

            It "Throws if SecretArns Is Empty" {
                $emptySecretArgs = @{
                    RoleArn     = 'TestRole'
                    ProfileName = 'TestProfile'
                    Region      = 'us-east-1'
                    SecretArns  = @()
                }

                { New-ServerlessServiceAccountIamPolicy @emptySecretArgs } | Should -Throw
            }
        }

        Context "Logic" {

            It "Proxies Supplied Secret Arns to Handling Function" {
                $expectedArns = @( 'TestArn1', 'TestArn2')

                $callArgs = @{
                    RoleArn     = 'arn:aws::iam/thisisanarn/TestName'
                    ProfileName = 'TestProfile'
                    Region      = 'us-east-1'
                    SecretArns  = $expectedArns
                }
                New-ServerlessServiceAccountIamPolicy @callArgs

                # Compare-Object emits nothing when both lists hold the same
                # items, so a $null result means the ARNs arrived unchanged.
                $generatorCall = @{
                    ModuleName      = $inScopeModule
                    CommandName     = 'Get-ServerlessServiceAccountIamPolicyString'
                    Times           = 1
                    Exactly         = $true
                    Scope           = 'It'
                    ParameterFilter = { $null -eq (Compare-Object -ReferenceObject $SecretArns -DifferenceObject $expectedArns) }
                }
                Assert-MockCalled @generatorCall
            }

            It "Applies Inline Policy to the Supplied Role" {
                $callArgs = @{
                    RoleArn     = 'arn:aws::iam/thisisanarn/TestName'
                    ProfileName = 'TestProfile'
                    Region      = 'us-east-1'
                    SecretArns  = @( 'TestArn' )
                }
                New-ServerlessServiceAccountIamPolicy @callArgs

                # Case-sensitive match on the role name; 'TestName' is the last
                # '/'-separated segment of the RoleArn passed above.
                # NOTE(review): the filter checks the target role only. It does
                # not check that the document handed to Write-IAMRolePolicy is
                # the generator's output ('testInlinePolicy' here). Consider
                # also matching on -PolicyDocument, if the function passes the
                # generated string through unchanged - confirm.
                $writeCall = @{
                    ModuleName      = $inScopeModule
                    CommandName     = 'Write-IAMRolePolicy'
                    Times           = 1
                    Exactly         = $true
                    Scope           = 'It'
                    ParameterFilter = { $RoleName -ceq 'TestName' }
                }
                Assert-MockCalled @writeCall
            }
        }
    }
}