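#!/bin/bash
#
# Phase 3: Entra ID Configuration
# Note: Most steps require manual configuration in Azure Portal
#
# Checks whether the "entra-tenant-id" secret is already present in the
# Key Vault named by KEY_VAULT_NAME, tells the operator which manual steps
# remain, and records the phase state.
#
# Globals (expected to come from config.sh -- not visible here, confirm):
#   KEY_VAULT_NAME                                   (read)
#   log_info, log_step, log_warning, log_success     (called)
#   save_state                                       (called)
#

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${SCRIPT_DIR}/config.sh"

# Fail early with a clear message instead of handing an empty vault name to az.
: "${KEY_VAULT_NAME:?KEY_VAULT_NAME must be set (expected from config.sh)}"

log_info "=========================================="
log_info "Phase 3: Entra ID Configuration"
log_info "=========================================="

log_warning "This phase requires manual steps in Azure Portal"
log_info "See docs/deployment/DEPLOYMENT_GUIDE.md for detailed instructions"

# Check if secrets already exist
log_step "3.1 Checking for existing Entra ID configuration..."

# Keep az's stderr instead of discarding it: an expired login, a denied
# access policy or a wrong vault name must not be reported as "secret not
# found", because that would prompt the operator to repeat the manual steps
# and mint another client secret for no reason.
az_stderr_file="$(mktemp)"
az_failed=0
ENTRA_TENANT_ID="$(az keyvault secret show \
  --vault-name "${KEY_VAULT_NAME}" \
  --name "entra-tenant-id" \
  --query value -o tsv 2>"${az_stderr_file}")" || az_failed=1
az_stderr="$(<"${az_stderr_file}")"
rm -f -- "${az_stderr_file}"

if ((az_failed)); then
  # Never treat partial output of a failed call as a valid tenant id.
  ENTRA_TENANT_ID=""
  # Key Vault reports a missing secret with the SecretNotFound error code;
  # any other failure means the lookup itself did not work.
  if [[ "${az_stderr}" != *SecretNotFound* ]]; then
    log_warning "Could not read 'entra-tenant-id' from Key Vault '${KEY_VAULT_NAME}':"
    log_warning "${az_stderr}"
    log_warning "Verify 'az login' and Key Vault access before repeating the manual steps"
  fi
fi

if [[ -n "${ENTRA_TENANT_ID}" ]]; then
  log_success "Entra ID configuration found in Key Vault"
  log_info "Tenant ID: ${ENTRA_TENANT_ID}"
else
  log_warning "Entra ID configuration not found"
  log_info "Please complete manual steps:"
  log_info " 1. Create App Registration in Azure Portal"
  log_info " 2. Configure API permissions"
  log_info " 3. Create client secret"
  log_info " 4. Enable Verified ID service"
  log_info " 5. Create credential manifest"
  log_info ""
  log_info "Then run: scripts/deploy/store-entra-secrets.sh"
fi

# Save state
# NOTE(review): the state and the closing banner say "manual steps required"
# even when the tenant id secret was found. That secret alone does not show
# that the Verified ID steps were completed, so the value is left unchanged;
# confirm whether later phases expect a different state here.
save_state "phase3" "manual-steps-required"

log_success "=========================================="
log_success "Phase 3: Entra ID - Manual steps required"
log_success "=========================================="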