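#!/usr/bin/env bash
# Compare a KV secret between two Vault clusters (works for KV v1 and v2).
#
# Usage: ./vault-secret-diff.sh secret/path
#
# Required environment:
#   VAULT_TOKEN_1, VAULT_TOKEN_2 - tokens for cluster 1 and cluster 2
# Optional environment:
#   VAULT_ADDR_1, VAULT_ADDR_2   - cluster addresses (defaults below)
#
# Exit status: 0 after a comparison was made (match or differ, see stdout),
# 1 on usage error; a failing `vault`/`jq` aborts the script via `set -e`.
set -euo pipefail

# --- Vault cluster configuration ---
# Tokens are read from the environment so they never live in the script file
# (and thus never land in version control or `ps`/shell history); the
# addresses keep overridable defaults.
VAULT_ADDR_1="${VAULT_ADDR_1:-https://vault-cluster1.example.com}"
VAULT_ADDR_2="${VAULT_ADDR_2:-https://vault-cluster2.example.com}"
: "${VAULT_TOKEN_1:?VAULT_TOKEN_1 must be set (token for cluster 1)}"
: "${VAULT_TOKEN_2:?VAULT_TOKEN_2 must be set (token for cluster 2)}"

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
  printf 'Usage: %s secret/path\n' "${0##*/}" >&2
  exit 1
}

[[ $# -eq 1 ]] || usage
SECRET_PATH="$1"

# --- Scratch space ---
# Secret material is written to disk, so use an unpredictable, owner-only
# directory (mktemp + umask 077) instead of fixed, world-readable names in
# /tmp, and remove it on every exit path, including `vault`/`jq` failures.
umask 077
WORKDIR="$(mktemp -d)" || { printf 'mktemp failed\n' >&2; exit 1; }
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT

#######################################
# Fetch one secret and write only its payload as key-sorted JSON.
# The raw `vault kv get -format=json` output carries per-request fields
# (request_id, lease info) and, for KV v2, version/created_time metadata,
# all of which differ between clusters on every call; diffing the raw
# output therefore never reports a match. Only the secret payload is kept.
# Globals:   SECRET_PATH (read)
# Arguments: $1 - Vault address, $2 - Vault token, $3 - output file
# Returns:   non-zero if vault or jq fails (pipefail propagates it)
#######################################
fetch_payload() {
  local addr=$1 token=$2 out=$3
  # KV v2 nests the payload as .data.data next to .data.metadata; KV v1 has
  # the payload directly under .data. `-S` sorts keys so key order never
  # shows up as a difference. A v1 secret that itself has both a "data" and
  # a "metadata" key would be misdetected as v2 — TODO confirm this cannot
  # happen for the paths this script is used with.
  VAULT_ADDR="$addr" VAULT_TOKEN="$token" \
    vault kv get -format=json "$SECRET_PATH" \
    | jq -S 'if (.data | type) == "object" and (.data | has("data") and has("metadata"))
             then .data.data else .data end' > "$out"
}

# --- Get secret from both clusters ---
fetch_payload "$VAULT_ADDR_1" "$VAULT_TOKEN_1" "$WORKDIR/vault1.json"
fetch_payload "$VAULT_ADDR_2" "$VAULT_TOKEN_2" "$WORKDIR/vault2.json"

# --- Compare ---
# The unified diff prints the secret values themselves to stdout; make sure
# stdout is not captured into shared logs or CI output that others can read.
if diff -u -- "$WORKDIR/vault1.json" "$WORKDIR/vault2.json"; then
  printf 'Secrets match\n'
else
  printf 'Secrets differ\n'
fi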