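#!/usr/bin/env bash
#
# tf-encrypt - Encrypt Terraform state and tfvars files with SOPS
#
# Usage: ./scripts/tf-encrypt
#
# Runs from the Terraform directory (the parent of this script's directory)
# so that sops picks up that directory's .sops.yaml creation rules.
#
# Each encrypted file is first written to a temporary file beside its target
# and moved into place only after sops exits successfully and produced a
# non-empty file. A failed sops run therefore never truncates or overwrites
# a previously good *.enc file (the plain `sops -e f > f.enc` redirect would
# truncate f.enc before sops even starts). Plaintext state is deleted only
# after the encrypted copy has been verified to exist and be non-empty.
#
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TF_DIR="$(dirname "$SCRIPT_DIR")"
cd "$TF_DIR"

# Colors for output (expanded via printf '%b', so no `echo -e` is needed)
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color

# Temporary output file currently being written by encrypt_file; removed by
# the EXIT trap if the script aborts mid-encryption so no partial ciphertext
# is left behind next to the real *.enc files.
TMP_OUT=""
cleanup() {
  if [[ -n "$TMP_OUT" ]]; then
    rm -f -- "$TMP_OUT"
  fi
}
trap cleanup EXIT

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: $* - message text
#######################################
error() {
  printf '%bERROR: %s%b\n' "$RED" "$*" "$NC" >&2
  exit 1
}

#######################################
# Print a success message to stdout.
# Arguments: $* - message text
#######################################
success() {
  printf '%b✓ %s%b\n' "$GREEN" "$*" "$NC"
}

#######################################
# Print a warning message to stdout.
# Arguments: $* - message text
#######################################
warn() {
  printf '%b⚠ %s%b\n' "$YELLOW" "$*" "$NC"
}

#######################################
# Encrypt one file with sops, writing "$1.enc" atomically.
# Arguments: $1 - plaintext file (caller has already checked it exists)
# Globals:   TMP_OUT (written; cleared again once the move succeeds)
# Outputs:   "$1.enc" in the same directory. The file keeps mktemp's 0600
#            mode; git does not track that distinction, so the commit
#            workflow is unaffected.
# Returns:   0 on success; exits via error() if sops fails or produces an
#            empty file, leaving any existing "$1.enc" untouched.
#######################################
encrypt_file() {
  local src=$1
  local dst="${src}.enc"

  echo "Encrypting ${src}..."
  # Temp file in the same directory so the final mv is a rename, not a copy.
  TMP_OUT="$(mktemp -- "${dst}.XXXXXX")" || error "mktemp failed for ${dst}"
  if ! sops -e "$src" > "$TMP_OUT"; then
    error "sops failed to encrypt ${src}; existing ${dst} left unchanged"
  fi
  [[ -s "$TMP_OUT" ]] || error "sops produced an empty output for ${src}; existing ${dst} left unchanged"
  mv -f -- "$TMP_OUT" "$dst"
  TMP_OUT=""
  success "${src} → ${dst}"
}

#######################################
# Delete a plaintext file once its encrypted copy is in place.
# Arguments: $1 - plaintext file
# Returns:   0 on success; exits via error() if "$1.enc" is missing or empty,
#            so plaintext is never removed without a usable ciphertext.
# Note:      shred overwrites the file in place, which is best-effort only on
#            journaled, copy-on-write or SSD-backed filesystems; plain rm is
#            the fallback where shred is unavailable (e.g. macOS), matching
#            the previous behaviour.
#######################################
delete_plaintext() {
  local src=$1

  [[ -s "${src}.enc" ]] || error "refusing to delete ${src}: ${src}.enc is missing or empty"
  shred -u -- "$src" 2>/dev/null || rm -f -- "$src"
  success "Deleted unencrypted ${src}"
}

# Check if SOPS is installed
if ! command -v sops >/dev/null 2>&1; then
  error "sops is not installed. Install it from: https://github.com/getsops/sops/releases"
fi

# Check if .sops.yaml exists
if [[ ! -f .sops.yaml ]]; then
  error ".sops.yaml not found. Copy .sops.yaml.example and configure your age key."
fi

# Check if age key placeholder is still present (fixed-string match)
if grep -qF -- "YOUR_AGE_PUBLIC_KEY_HERE" .sops.yaml; then
  error ".sops.yaml contains placeholder. Replace YOUR_AGE_PUBLIC_KEY_HERE with your actual age public key."
fi

echo "🔐 Encrypting Terraform files..."
echo

# Encrypt terraform.tfstate if it exists
if [[ -f terraform.tfstate ]]; then
  encrypt_file terraform.tfstate
  # Securely delete unencrypted state (only after the .enc was verified)
  delete_plaintext terraform.tfstate
else
  warn "terraform.tfstate not found (this is normal if you haven't run 'tofu apply' yet)"
fi

# Encrypt terraform.tfvars if it exists
if [[ -f terraform.tfvars ]]; then
  encrypt_file terraform.tfvars
  # Keep original tfvars (don't delete, just warn)
  warn "Remember to not commit unencrypted terraform.tfvars to Git"
else
  warn "terraform.tfvars not found"
fi

# Encrypt backup state files if they exist. An unmatched glob is left as the
# literal pattern, which the -f test skips.
for backup in terraform.tfstate.backup terraform.tfstate.*.backup; do
  [[ -f "$backup" ]] || continue
  encrypt_file "$backup"
  delete_plaintext "$backup"
done

echo
success "All Terraform files encrypted successfully!"
echo
echo "Next steps:"
echo "  1. git add *.enc"
echo "  2. git commit -m 'Update encrypted Terraform state'"
echo "  3. git push"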