Merge pull request #386 from secrethub/feature/config-migration

Create config migration commands for run and inject

Author: florisvdg

.circleci/config.yml

@@ -2,7 +2,7 @@ version: 2.1
 jobs:
   lint:
     docker:
-      - image: golangci/golangci-lint:v1.23.8-alpine
+      - image: golangci/golangci-lint:v1.41.1-alpine
     steps:
       - checkout
       - restore_cache:
@@ -67,6 +67,6 @@ workflows:
               arch: ["amd64", "386"]
             exclude:
               - os: darwin
-                arch: 386
+                arch: "386"
       - test
       - verify-goreleaser

go.sum

@@ -33,9 +33,7 @@ github.com/ChrisTrenkamp/goxpath v0.0.0-20170922090931-c385f95c6022 h1:y8Gs8CzNf
 github.com/ChrisTrenkamp/goxpath v0.0.0-20170922090931-c385f95c6022/go.mod h1:nuWgzSkT5PnyOd+272uUmV0dnAnAn42Mk7PiQC5VzN4=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/alecthomas/kingpin v1.3.8-0.20200323085623-b6657d9477a6/go.mod h1:b6br6/pDFSfMkBgC96TbpOji05q5pa+v5rIlS0Y6XtI=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5VpdgMhJosfJnn5/FoN2SRZ4p7fJNX58YPaU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf h1:eg0MeVzsP1G42dRafH3vf+al2vQIJU0YHX+1Tw87oco=
@@ -61,7 +59,6 @@ github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfc
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/danieljoos/wincred v1.0.2 h1:zf4bhty2iLuwgjgpraD2E9UbvO+fe54XXGJbOwe23fU=
 github.com/danieljoos/wincred v1.0.2/go.mod h1:SnuYRW9lp1oJrZX/dXJqr0cPK5gYXqx3EJbmjhLdK9U=
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -178,7 +175,6 @@ github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vq
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
@@ -204,9 +200,7 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
-github.com/secrethub/demo-app v0.5.1-0.20201221075813-cc159373e2d5 h1:8Uw+Rrui2SnITOhoWfWfJ8Hj2Vq/qPXW0Z3V5WckyXw=
 github.com/secrethub/demo-app v0.5.1-0.20201221075813-cc159373e2d5/go.mod h1:XR0VknPwSudqu/qphA4I4f7B7i2CPGydD59G02y8mBM=
-github.com/secrethub/demo-app v0.5.1-0.20201221173924-a1c686b2340e h1:cK/03EQgKYKxl/Yg7zPXOEh2nO1bysOGW+1RBznfMJc=
 github.com/secrethub/demo-app v0.5.1-0.20201221173924-a1c686b2340e/go.mod h1:WYS7Q0nigGv+iFdRsnWWXZYl3FpSrU5qtz9h7qBxbq0=
 github.com/secrethub/demo-app v0.5.1-0.20210105185858-ad55afc2cb87 h1:s7gYqlql2EV2LI7NwrSUomSXMFHs/v/rBUq6qTuFQwY=
 github.com/secrethub/demo-app v0.5.1-0.20210105185858-ad55afc2cb87/go.mod h1:3H4px7f30uHbwMLo19ooijzi4JZlZbGxvnL8VlIcAps=
@@ -228,14 +222,11 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
-github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -298,7 +289,6 @@ golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd h1:HuTn7WObtcDo9uEEU7rEqL0jYthdXAmZ6PP+meazmaU=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -333,9 +323,7 @@ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv3hCI0z56oJR5vAMgBU=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223 h1:DH4skfRX4EBpamg7iV4ZlCpblAHI6s6TDM39bFZumv8=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -354,14 +342,12 @@ golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200501052902-10377860bb8e h1:hq86ru83GdWTlfQFZGO4nZJTU4Bs2wfHl8oFHRaXsfc=
 golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf h1:MZ2shdL+ZM/XzY3ZGOnh4Nlpnxz5GSOhOmtHo3iPU6M=
 golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
@@ -471,7 +457,6 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=

internals/secrethub/migrate.go

@@ -36,6 +36,68 @@ type plan struct {
 	vaults         map[string]*vault
 }
 
+type referenceMapping map[string]string
+
+func newReferenceMapping(p *plan) referenceMapping {
+	index := make(map[string]string)
+	for _, vault := range p.vaults {
+		for _, item := range vault.Items {
+			for _, field := range item.Fields {
+				opPath := fmt.Sprintf("op://%s/%s/%s", vault.Name, item.Name, field.Name)
+				index[field.Reference] = opPath
+			}
+		}
+	}
+	return referenceMapping(index)
+}
+
+// addVarPossibilities adds variations to the index for all values in the passed in vars map
+func (m referenceMapping) addVarPossibilities(vars map[string][]string) error {
+	exists := make(map[string]string)
+	for varname, possibleValues := range vars {
+		varname = strings.ToUpper(varname)
+		for _, value := range possibleValues {
+			if otherVarname := exists[value]; otherVarname != "" && otherVarname != varname {
+				return fmt.Errorf("you've ran into a limitation of the migration tool. You can't have multiple variables with the same value: '%s' now occurs in both '%s' and '%s'", value, varname, otherVarname)
+			}
+			exists[value] = varname
+		}
+	}
+
+	for varname, possibleValues := range vars {
+		uppercaseVarname := strings.ToUpper(varname)
+
+		for _, value := range possibleValues {
+			for secrethubRef, opRef := range m {
+				if strings.Contains(secrethubRef, value) && strings.Contains(opRef, value) {
+					// Add syntax variations to the index
+					variations := map[string]string{
+						"$" + varname:                 "$" + uppercaseVarname,
+						"$" + uppercaseVarname:        "$" + uppercaseVarname,
+						"${" + varname + "}":          "${" + uppercaseVarname + "}",
+						"${" + uppercaseVarname + "}": "${" + uppercaseVarname + "}",
+					}
+					for secretHubVariation, opVariation := range variations {
+						m[strings.ReplaceAll(secrethubRef, value, secretHubVariation)] = strings.ReplaceAll(opRef, value, opVariation)
+					}
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+// stripSecretHubURIScheme removes the secrethub:// prefix from the index keys so it can be
+// used for secrethub.env files and config file templates.
+func (m referenceMapping) stripSecretHubURIScheme() {
+	for secrethubRef, opRef := range m {
+		stripped := strings.TrimPrefix(secrethubRef, secretReferencePrefix)
+		delete(m, secrethubRef)
+		m[stripped] = opRef
+	}
+}
+
 type vault struct {
 	Name  string `yaml:"vault-name"`
 	Items []item

internals/secrethub/migrate_config.go

@@ -16,6 +16,9 @@ func NewMigrateConfigCommand(io ui.IO) *MigrateConfigCommand {
 }
 
 func (cmd *MigrateConfigCommand) Register(r cli.Registerer) {
-	clause := r.Command("config", "Helper functions to migrate your configuration to use 1Password Secrets Automation syntax.")
+	clause := r.Command("config", "Helper functions to migrate your configuration code to make it work with 1Password.\n\nNote: These commands should be considered best effort and the output should be carefully tested and reviewed before using in production.")
 	NewMigrateConfigK8sCommand(cmd.io).Register(clause)
+	NewMigrateConfigReferencesCommand(cmd.io).Register(clause)
+	NewMigrateConfigTemplatesCommand(cmd.io).Register(clause)
+	NewMigrateConfigEnvfileCommand(cmd.io).Register(clause)
 }

internals/secrethub/migrate_config_envfile.go

@@ -0,0 +1,89 @@
+package secrethub
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"regexp"
+
+	"github.com/secrethub/secrethub-cli/internals/cli"
+	"github.com/secrethub/secrethub-cli/internals/cli/ui"
+)
+
+func (cmd *MigrateConfigEnvfileCommand) Run() error {
+	plan, err := getPlan(cmd.planFile)
+	if err != nil {
+		return err
+	}
+
+	vars := parseVarPossibilities(cmd.vars)
+	refMapping := newReferenceMapping(plan)
+	err = refMapping.addVarPossibilities(vars)
+	if err != nil {
+		return err
+	}
+	refMapping.stripSecretHubURIScheme()
+
+	filepath := cmd.inFile.Value
+	if filepath == "" {
+		filepath = "secrethub.env"
+	}
+
+	inFileContents, err := ioutil.ReadFile(filepath)
+	if err != nil {
+		return ErrReadFile(filepath, err)
+	}
+
+	err = checkForCompositeSecrets(inFileContents)
+	if err != nil {
+		return err
+	}
+
+	outFile, err := os.Create(".env")
+	if err != nil {
+		return fmt.Errorf("cannot create output .env file: %s", err)
+	}
+	defer outFile.Close()
+
+	replaceCount, err := migrateTemplateTags(bytes.NewBuffer(inFileContents), outFile, refMapping, "%s")
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintf(cmd.io.Output(), "Created new .env file with %d op:// references\n", len(replaceCount))
+
+	return nil
+}
+
+var regexpCompositeSecrets = regexp.MustCompile(`{{.+?}}[^\s]+`)
+
+func checkForCompositeSecrets(inFileContents []byte) error {
+	if match := regexpCompositeSecrets.Find(inFileContents); match != nil {
+		return fmt.Errorf("composite environment variables are not supported anymore with Dotenv: %s\nMake sure one environment variable corresponds to just a single secret", match)
+	}
+	return nil
+}
+
+type MigrateConfigEnvfileCommand struct {
+	io ui.IO
+
+	inFile   cli.StringValue
+	planFile string
+	vars     map[string]string
+}
+
+func NewMigrateConfigEnvfileCommand(io ui.IO) *MigrateConfigEnvfileCommand {
+	return &MigrateConfigEnvfileCommand{
+		io: io,
+	}
+}
+
+func (cmd *MigrateConfigEnvfileCommand) Register(r cli.Registerer) {
+	clause := r.Command("envfile", "Migrate secrethub.env file by turning SecretHub paths into 1Password op:// references, resulting in a new Dotenv (.env) file.")
+	clause.Flags().StringVar(&cmd.planFile, "plan-file", defaultPlanPath, "Path to the file used to migrate your secrets.")
+	clause.Flags().StringToStringVarP(&cmd.vars, "var", "v", nil, "Define the possible values for a template variable, e.g. --var env=dev,staging,prod --var region=us-east-1,eu-west-1")
+	clause.BindArguments([]cli.Argument{{Value: &cmd.inFile, Name: "in-file", Required: false, Placeholder: "<path to secrethub.env>", Description: "The path to the secrethub.env file you'd like to migrate."}})
+
+	clause.BindAction(cmd.Run)
+}

internals/secrethub/migrate_config_references.go

@@ -0,0 +1,90 @@
+package secrethub
+
+import (
+	"fmt"
+	"io/ioutil"
+	"regexp"
+	"strings"
+
+	"github.com/secrethub/secrethub-cli/internals/cli"
+	"github.com/secrethub/secrethub-cli/internals/cli/ui"
+)
+
+var regexpSecretsRef = regexp.MustCompile(`([^A-Za-z0-9_\.-]|^)(secrethub:\/\/[A-Za-z0-9_\.\-]{2,}\/[A-Za-z0-9_\.\-]{2,}\/[A-Za-z0-9_\.\-\/]{2,})([^A-Za-z0-9_\.-]|$)`)
+
+func (cmd *MigrateConfigReferencesCommand) Run() error {
+	plan, err := getPlan(cmd.planFile)
+	if err != nil {
+		return err
+	}
+
+	refMapping := newReferenceMapping(plan)
+	for _, filepath := range cmd.inFiles {
+		replaceCount, err := migrateReferences(filepath, filepath, refMapping)
+		if err != nil {
+			return err
+		}
+
+		fmt.Fprintf(cmd.io.Output(), "Updated %s with %d op:// references\n", filepath, len(replaceCount))
+	}
+
+	return nil
+}
+
+func migrateReferences(inFile string, outFile string, mapping referenceMapping) ([]string, error) {
+	raw, err := ioutil.ReadFile(inFile)
+	if err != nil {
+		return nil, ErrReadFile(inFile, err)
+	}
+
+	var hits, misses []string
+	output := regexpSecretsRef.ReplaceAllStringFunc(string(raw), func(match string) string {
+		submatches := regexpSecretsRef.FindStringSubmatch(match)[1:]
+
+		matchIndexRef := 1
+		secretHubRef := submatches[matchIndexRef]
+
+		opRef, ok := mapping[secretHubRef]
+		if !ok {
+			misses = append(misses, secretHubRef)
+			return secretHubRef
+		}
+
+		hits = append(hits, opRef)
+
+		submatches[matchIndexRef] = opRef
+		return strings.Join(submatches, "")
+	})
+
+	if len(misses) != 0 {
+		return nil, fmt.Errorf("no 1Password equivalent present in your migration plan for the following secrets:\n- %s", strings.Join(misses, "\n- "))
+	}
+
+	err = ioutil.WriteFile(outFile, []byte(output), 0666)
+	if err != nil {
+		return nil, err
+	}
+
+	return hits, nil
+}
+
+type MigrateConfigReferencesCommand struct {
+	io ui.IO
+
+	inFiles  cli.StringListValue
+	planFile string
+}
+
+func NewMigrateConfigReferencesCommand(io ui.IO) *MigrateConfigReferencesCommand {
+	return &MigrateConfigReferencesCommand{
+		io: io,
+	}
+}
+
+func (cmd *MigrateConfigReferencesCommand) Register(r cli.Registerer) {
+	clause := r.Command("references", "Migrate secrethub:// references in configuration code to 1Password op:// references.")
+	clause.Flags().StringVar(&cmd.planFile, "plan-file", defaultPlanPath, "Path to the file used to migrate your secrets.")
+	clause.BindArgumentsArr(cli.Argument{Value: &cmd.inFiles, Name: "in-file", Required: true, Placeholder: "<filepath>...", Description: "The paths to one or more files you'd like to migrate."})
+
+	clause.BindAction(cmd.Run)
+}