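#!/usr/bin/env bash
## Written by: Vitaliy Vasilenko - source@vitalvas.com
#
# Keeps a Terraform state file in a Vault KV entry as gzip + base64 text,
# alongside an MD5 "hashsum" field and an upload timestamp.
#
# Usage: <script> download|validate|upload [state-file]
#   state-file defaults to terraform.tfstate
#
# Environment read by this script:
#   VAULT_ROLE_ID, VAULT_SECRET_ID - AppRole credentials used to log in
#   VAULT_KV_PATH                  - KV path holding state/hashsum/time
#
# Security notes:
#   * The AppRole secret_id and the encoded state are handed to the vault CLI
#     on stdin (key=-) instead of argv, so they do not show up in process
#     listings and the state is not limited by the argument-size ceiling.
#   * The stored hashsum is MD5 and lives next to the state it describes. It
#     only tells whether the local file differs from the stored copy; it is
#     not protection against tampering.

# Without pipefail a failing vault/base64/gzip stage would be hidden by the
# exit status of the last stage in the pipeline.
set -o pipefail

TF_STATE=${2:-terraform.tfstate}

# Print a message on stderr and stop with a failure status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Log in through AppRole and export VAULT_TOKEN for the later vault calls.
# Globals:   VAULT_ROLE_ID, VAULT_SECRET_ID, VAULT_KV_PATH (read)
#            VAULT_TOKEN (written, exported)
# Returns:   exits non-zero when configuration is missing or login fails
#######################################
login() {
  [[ -n "${VAULT_ROLE_ID:-}" ]] || die "VAULT_ROLE_ID is not set"
  [[ -n "${VAULT_SECRET_ID:-}" ]] || die "VAULT_SECRET_ID is not set"
  [[ -n "${VAULT_KV_PATH:-}" ]] || die "VAULT_KV_PATH is not set"

  local token
  # Assignment is kept separate from export so a failed login is not masked.
  # jq -e turns a missing (null) client_token into a non-zero status rather
  # than the literal string "null" ending up as the token.
  token=$(
    printf '%s' "${VAULT_SECRET_ID}" \
      | vault write -format=json auth/approle/login \
          role_id="${VAULT_ROLE_ID}" secret_id=- \
      | jq -er '.auth.client_token'
  ) || die "Vault AppRole login failed"
  [[ -n "${token}" ]] || die "Vault AppRole login returned an empty token"

  export VAULT_TOKEN="${token}"
}

#######################################
# Print the MD5 digest of a file.
# Arguments: $1 - path of the file to hash
# Outputs:   hex digest on stdout
#######################################
hashsum() {
  local file=$1
  # Feeding the file on stdin keeps the file name out of the tool's output,
  # so the first field is the digest on both platforms.
  if [[ "$(uname -s)" == "Darwin" ]]; then
    md5 < "${file}" | awk '{print $1}'
  else
    md5sum < "${file}" | awk '{print $1}'
  fi
}

#######################################
# Fetch the stored state and write it to TF_STATE.
# Does nothing when the state cannot be read from Vault.
#######################################
do_download() {
  local tf_state_b64 tmp_state
  # 2>/dev/null sits inside the substitution so it applies to the vault
  # command itself.
  if tf_state_b64=$(vault kv get -field=state "${VAULT_KV_PATH}" 2>/dev/null); then
    # Decode into a temporary file next to the target and rename it only on
    # success, so a corrupt or truncated value cannot clobber an existing
    # state file. mktemp creates the file readable by its owner only, which
    # suits a state file that typically contains secrets.
    tmp_state=$(mktemp "${TF_STATE}.XXXXXX") \
      || die "Cannot create a temporary file next to ${TF_STATE}"
    if printf '%s' "${tf_state_b64}" | base64 -d | gzip -d > "${tmp_state}"; then
      if ! mv -f -- "${tmp_state}" "${TF_STATE}"; then
        rm -f -- "${tmp_state}"
        die "Cannot replace ${TF_STATE}"
      fi
    else
      rm -f -- "${tmp_state}"
      die "Stored state could not be decoded; ${TF_STATE} was left untouched"
    fi
  fi
}

#######################################
# Report whether the local state file matches the hashsum stored in Vault.
#######################################
do_validate() {
  local tf_state_hashsum vault_state_hashsum
  if [[ -f "${TF_STATE}" ]]; then
    tf_state_hashsum=$(hashsum "${TF_STATE}")
    if vault_state_hashsum=$(vault kv get -field=hashsum "${VAULT_KV_PATH}" 2>/dev/null); then
      if [[ "${vault_state_hashsum}" == "${tf_state_hashsum}" ]]; then
        echo "State was not changed"
      else
        echo "The state has changed"
      fi
    else
      echo "No state in vault"
    fi
  else
    echo "No state file"
  fi
}

#######################################
# Upload the local state file unless the stored hashsum already matches.
#######################################
do_upload() {
  local tf_state_b64 tf_state_hashsum vault_state_hashsum
  if [[ -f "${TF_STATE}" ]]; then
    # Encode fully before contacting Vault so a failed gzip/base64 never
    # results in a partial value being stored.
    tf_state_b64=$(gzip -9 < "${TF_STATE}" | base64 | tr -d '\n') \
      || die "Cannot encode ${TF_STATE}"
    tf_state_hashsum=$(hashsum "${TF_STATE}") \
      || die "Cannot hash ${TF_STATE}"
    [[ -n "${tf_state_hashsum}" ]] || die "Cannot hash ${TF_STATE}"

    # NOTE(review): any failure to read the stored hashsum (not only a
    # missing entry) falls through to the upload below.
    if vault_state_hashsum=$(vault kv get -field=hashsum "${VAULT_KV_PATH}" 2>/dev/null); then
      if [[ "${vault_state_hashsum}" == "${tf_state_hashsum}" ]]; then
        echo "State was not changed"
        exit 0
      fi
    fi

    # printf is a shell builtin, so the state never appears in an argv.
    printf '%s' "${tf_state_b64}" \
      | vault kv put "${VAULT_KV_PATH}" \
          state=- hashsum="${tf_state_hashsum}" time="$(date +%s)"
  else
    echo "No state file to upload"
  fi
}

# The action is checked before logging in, so a mistyped action does not
# mint a Vault token.
case "${1:-}" in
  download)
    login
    do_download
    ;;
  validate)
    login
    do_validate
    ;;
  upload)
    login
    do_upload
    ;;
  *)
    echo "Unknown action"
    exit 1
    ;;
esac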