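#!/usr/bin/env bash
# scripts/tg — wrapper: decrypt secrets then run terragrunt
#
# Usage: scripts/tg apply --non-interactive
#        scripts/tg run --all -- plan
#
# Security notes:
#   * secrets.auto.tfvars.json is the PLAINTEXT form of secrets.sops.json and
#     stays on disk after this script exits. It is created by mktemp, so it is
#     readable by the owner only.
#     NOTE(review): confirm the file is covered by .gitignore and is not
#     collected into CI artifacts or backups.
#   * "apply" combined with "--non-interactive" adds -auto-approve, which makes
#     Terraform apply without showing a plan for confirmation. Reserve that
#     combination for pipelines where the plan was reviewed beforehand.
set -euo pipefail

REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
SOPS_FILE="$REPO_ROOT/secrets.sops.json"
OUT_FILE="$REPO_ROOT/secrets.auto.tfvars.json"

# Path of the in-progress decrypted file; empty when there is nothing to remove.
TEMP=""

# Remove a partially written plaintext file on any exit path. The path is read
# from the variable when the trap fires instead of being pasted into the trap
# string, so a repository path containing a single quote cannot break the
# cleanup command.
cleanup() {
  if [ -n "$TEMP" ]; then
    rm -f -- "$TEMP"
  fi
}
trap cleanup EXIT

# Decrypt if needed (skips if already decrypted and up-to-date)
if [ -f "$SOPS_FILE" ]; then
  if [ ! -f "$OUT_FILE" ] || [ "$SOPS_FILE" -nt "$OUT_FILE" ]; then
    # The temp file lives next to the target so the final mv is a rename on
    # the same filesystem; a failed decrypt never leaves a truncated OUT_FILE.
    TEMP=$(mktemp "$OUT_FILE.XXXXXX")
    sops -d "$SOPS_FILE" > "$TEMP"
    mv -- "$TEMP" "$OUT_FILE"
    TEMP=""
    echo "Decrypted secrets.sops.json → secrets.auto.tfvars.json"
  fi
fi

# If running apply with --non-interactive, add -auto-approve for Terraform.
# Iterate over "$@" directly: expanding an empty array copy under `set -u`
# aborts with "unbound variable" on bash older than 4.4 when the wrapper is
# called without arguments.
has_apply=false
has_non_interactive=false
for arg in "$@"; do
  case "$arg" in
    apply) has_apply=true ;;
    --non-interactive) has_non_interactive=true ;;
  esac
done

if [ "$has_apply" = true ] && [ "$has_non_interactive" = true ]; then
  # Rebuild args: insert -auto-approve after apply
  new_args=()
  for arg in "$@"; do
    new_args+=("$arg")
    if [ "$arg" = "apply" ]; then
      new_args+=("-auto-approve")
    fi
  done
  exec terragrunt "${new_args[@]}"
else
  exec terragrunt "$@"
fi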