secret-diff

#!/bin/bash

if [[ "$1" == "--help" ]] ; then
    echo -n "Diff cloudgate secrets from HEAD to the specified git ref. " >&2
    echo "Skips inaccessible vaults." >&2
    echo >&2
    echo "usage: $0 [REF] [ENVS...]" >&2
    echo >&2
    echo "   REF: a git ref, defaults to HEAD^" >&2
    echo "  ENVS: the environments to diff, defaults to all" >&2
    echo >&2
    exit 1
fi

defaults="$(ls deploy/environments | grep 'secrets.yml' | sed -e 's/_secrets.*//')"
environments="${@:2}"
environments="${environments:-$defaults}"
ref="${1:-HEAD^}"

error=$(mktemp)
other=$(mktemp -d)
trap "{ rm -rf $other $error; }" EXIT

view_vault() {
    cg vault -e $1 view 2>/dev/null
}

short_ref() {
    git log --pretty=format:'%h' -n 1
}

(
    set -e
    git clone . $other 2>/dev/null
    pushd $other
    git checkout $ref
    popd
) 1>/dev/null 2>$error

if [[ $? -eq 0 ]] ; then
    (
        changed="$(short_ref)"
        base="$(cd $other ; short_ref)"
        for _ENV in $environments ; do
            diff -u \
                --label "$_ENV @ $base" \
                --label "$_ENV @ $changed" \
                <(cd $other ; view_vault $_ENV) \
                <(view_vault $_ENV)
        done
    ) | less
else
    cat $error
fi