Decrypted git diff for encrypted ansible vault files
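#!/usr/bin/env bash
# Strict mode: abort on the first failing command (-e), on any unset variable
# (-u), and treat a failure anywhere in a pipeline as a pipeline failure
# (-o pipefail). This script rewrites a tracked secrets file in place, so a
# half-finished run must stop early rather than carry on with plaintext around.
set -euo pipefail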
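#######################################
# Print the command-line help.
# Globals:   $0 (read: program name shown in the synopsis)
# Arguments: none
# Outputs:   help text on stdout
# Returns:   0
#######################################
usage() {
  # ${0##*/} is the quoted, fork-free equivalent of basename; the old
  # unquoted $(basename $0) word-split on paths containing spaces.
  cat << EOF
usage: ${0##*/} [ -c COMMIT -v VAULT_PASSWORD_FILE ] -f FILE
To view the actual changes in ansible vault/secret files for a git commit.
OPTIONS:
-h show this help message
-c git commit ref [Default: HEAD]
-f relative path to the vault/secrets file tracked in git
-v path to the vault-password-file [Default: ~/.vault]
EOF
}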
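# Defaults; -c, -f and -v override them. The tilde is expanded at assignment.
COMMIT=HEAD
FILE=
VAULT_PASSWORD_FILE=~/.vault

while getopts "c:f:v:h" OPTION; do
  case "$OPTION" in
    c) COMMIT=$OPTARG ;;
    f) FILE=$OPTARG ;;
    v) VAULT_PASSWORD_FILE=$OPTARG ;;
    h) usage; exit 0 ;;
    ?) usage; exit 1 ;;
  esac
done

if [ -z "$FILE" ]; then
  echo "Error: Please specify path to the secrets file in the repo" >&2
  exit 1
fi

# Abort if FILE has staged or unstaged changes: it is overwritten in the index
# and working tree below, so local edits would be lost. Compare the exact path
# instead of grepping diff-files output, which also matched any other path
# containing FILE as a substring and ignored staged-only changes.
if ! git diff-index --quiet HEAD -- "$FILE"; then
  echo "Cannot proceed with changes in $FILE" >&2
  exit 1
fi

# Resolve the ref to a full hash so it is safe to embed in a file name (refs
# such as origin/main contain '/') and so a bad ref fails here, before any
# file has been touched.
COMMIT=$(git rev-parse --verify "$COMMIT^{commit}")
# %P is the space-separated list of parent hashes. The previous
# 'git show --summary' form also printed file-mode summary lines, which
# inflated the parent count and wrongly rejected ordinary commits.
read -r -a PARENTS <<<"$(git log -1 --format='%P' "$COMMIT")"
case "${#PARENTS[@]}" in
  1)
    COMMIT_1=${PARENTS[0]}
    COMMIT_2=$COMMIT
    ;;
  2)
    # For a merge the two parents are diffed against each other
    # (not parent vs merge result), as before.
    COMMIT_1=${PARENTS[0]}
    COMMIT_2=${PARENTS[1]}
    ;;
  *)
    echo "Only non-merge commits and 2-way merges supported" >&2
    exit 1
    ;;
esac

# Plaintext is written only into a private (mode 0700) mktemp directory, not
# to a predictable, world-readable path under /tmp, and is removed on every
# exit path rather than only after a successful diff.
TMPDIR_DECRYPTED=$(mktemp -d) || exit 1
cleanup() {
  # ansible-vault decrypt rewrites FILE in place, so put the committed
  # (encrypted) version back in the index and working tree before deleting
  # the plaintext copies. Each step is best-effort so the rest still runs.
  git reset -q HEAD -- "$FILE" || true
  git checkout -q -- "$FILE" || true
  rm -rf -- "${TMPDIR_DECRYPTED:?}"
}
trap cleanup EXIT

DECRYPTED_FILE_1=$TMPDIR_DECRYPTED/$COMMIT_1-${FILE##*/}
DECRYPTED_FILE_2=$TMPDIR_DECRYPTED/$COMMIT_2-${FILE##*/}

# Check out each version of FILE, decrypt it in place with the password file
# from -v (it was parsed but ignored before; ~/.vault was always used), and
# keep a plaintext copy in the private temp dir.
git checkout -q "$COMMIT_1" -- "$FILE"
ansible-vault decrypt --vault-password-file "$VAULT_PASSWORD_FILE" "$FILE"
cp -- "$FILE" "$DECRYPTED_FILE_1"
git checkout -q "$COMMIT_2" -- "$FILE"
ansible-vault decrypt --vault-password-file "$VAULT_PASSWORD_FILE" "$FILE"
cp -- "$FILE" "$DECRYPTED_FILE_2"

# Restore the encrypted file before showing the diff (cleanup does this too;
# doing it here keeps the working tree clean while the diff is displayed).
git reset -q HEAD -- "$FILE"
git checkout -q -- "$FILE"

# --no-index implies --exit-code: status 1 means "files differ", the normal
# outcome here, and must not trip set -e (previously it aborted the script
# before the temp files were removed). Anything else is a real git error.
rv=0
git diff --no-index -- "$DECRYPTED_FILE_1" "$DECRYPTED_FILE_2" || rv=$?
[ "$rv" -le 1 ] || exit "$rv"
# No branch switch is needed: only FILE was checked out, HEAD never moved. The
# old unconditional 'git checkout master' moved the user off their branch.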