mgmt/scripts/utilities/tofu-secrets-uploader-simple.sh

#!/bin/bash

# 简化版 OpenTofu 密钥上传脚本
set -euo pipefail

# 配置
CONSUL_ADDR="${CONSUL_ADDR:-http://master:8500}"
ENVIRONMENT="${ENVIRONMENT:-dev}"
TFVARS_FILE="tofu/environments/${ENVIRONMENT}/terraform.tfvars"

# 颜色输出
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
NC='\033[0m'

log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }

# 检查 Consul 连接
check_consul() {
    log_info "检查 Consul 连接..."
    if ! curl -s "${CONSUL_ADDR}/v1/status/leader" > /dev/null; then
        log_error "无法连接到 Consul: ${CONSUL_ADDR}"
        exit 1
    fi
    log_success "Consul 连接正常"
}

# 上传配置
upload_configs() {
    local uploaded_count=0
    
    log_info "开始解析并上传配置..."
    
    # 直接解析 tfvars 文件
    while IFS= read -r line; do
        # 跳过注释和空行
        if [[ "$line" =~ ^[[:space:]]*# ]] || [[ -z "${line// }" ]]; then
            continue
        fi
        
        # 匹配变量赋值
        if [[ "$line" =~ ^[[:space:]]*([a-zA-Z_][a-zA-Z0-9_]*)[[:space:]]*=[[:space:]]*\"([^\"]*)\"|^[[:space:]]*([a-zA-Z_][a-zA-Z0-9_]*)[[:space:]]*=[[:space:]]*([^[:space:]#]+) ]]; then
            local var_name="${BASH_REMATCH[1]:-${BASH_REMATCH[3]}}"
            local var_value="${BASH_REMATCH[2]:-${BASH_REMATCH[4]}}"
            
            # 跳过空值
            if [[ -z "$var_value" || "$var_value" == "null" ]]; then
                continue
            fi
            
            # 确定配置分类和路径
            local consul_path=""
            if [[ "$var_name" =~ ^oci_ ]]; then
                consul_path="config/${ENVIRONMENT}/oracle/${var_name#oci_}"
            elif [[ "$var_name" =~ ^huawei_ ]]; then
                consul_path="config/${ENVIRONMENT}/huawei/${var_name#huawei_}"
            elif [[ "$var_name" =~ ^aws_ ]]; then
                consul_path="config/${ENVIRONMENT}/aws/${var_name#aws_}"
            elif [[ "$var_name" =~ ^do_ ]]; then
                consul_path="config/${ENVIRONMENT}/digitalocean/${var_name#do_}"
            elif [[ "$var_name" =~ ^gcp_ ]]; then
                consul_path="config/${ENVIRONMENT}/gcp/${var_name#gcp_}"
            else
                consul_path="config/${ENVIRONMENT}/general/${var_name}"
            fi
            
            # 上传到 Consul
            if curl -s -X PUT "${CONSUL_ADDR}/v1/kv/${consul_path}" -d "$var_value" > /dev/null; then
                log_info "上传: ${consul_path}"
                ((uploaded_count++))
            else
                log_error "上传失败: ${consul_path}"
            fi
        fi
    done < "$TFVARS_FILE"
    
    log_success "总共上传了 $uploaded_count 个配置项到 Consul"
}

# 列出配置
list_configs() {
    log_info "列出 Consul 中的配置..."
    
    local keys=$(curl -s "${CONSUL_ADDR}/v1/kv/config/${ENVIRONMENT}/?keys" | jq -r '.[]' 2>/dev/null || echo "")
    
    if [[ -z "$keys" ]]; then
        log_error "没有找到配置"
        return
    fi
    
    echo "=== 环境 ${ENVIRONMENT} 的配置 ==="
    echo "$keys" | while read -r key; do
        local value=$(curl -s "${CONSUL_ADDR}/v1/kv/${key}?raw" 2>/dev/null || echo "无法读取")
        # 隐藏敏感信息
        if [[ "$key" =~ (secret|key|token|password|ocid) ]]; then
            echo "$key: [已隐藏]"
        else
            echo "$key: $value"
        fi
    done
}

# 主函数
main() {
    if [[ ! -f "$TFVARS_FILE" ]]; then
        log_error "找不到配置文件: $TFVARS_FILE"
        exit 1
    fi
    
    check_consul
    
    case "${1:-upload}" in
        "upload")
            upload_configs
            ;;
        "list")
            list_configs
            ;;
        *)
            echo "用法: $0 [upload|list]"
            ;;
    esac
}

main "$@"