f-marschall
diff --git a/‎test/tf/apim.tf‎ ‎.github/tf/apim.tf‎test/tf/apim.tf renamed to .github/tf/apim.tf b/‎test/tf/apim.tf‎ ‎.github/tf/apim.tf‎test/tf/apim.tf renamed to .github/tf/apim.tf
diff --git a/‎test/tf/backend.tf‎ ‎.github/tf/backend.tf‎test/tf/backend.tf renamed to .github/tf/backend.tf b/‎test/tf/backend.tf‎ ‎.github/tf/backend.tf‎test/tf/backend.tf renamed to .github/tf/backend.tf
diff --git a/‎.github/workflows/deploy-infra.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/deploy-infra.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/orchestrator.yml‎
Lines changed: 0 additions & 1 deletion b/‎.github/workflows/orchestrator.yml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎.github/workflows/test-go-app.yml‎
Lines changed: 19 additions & 95 deletions b/‎.github/workflows/test-go-app.yml‎
Lines changed: 19 additions & 95 deletions
diff --git a/‎README.md‎
Lines changed: 39 additions & 0 deletions b/‎README.md‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎cmd/backup.go‎
Lines changed: 30 additions & 11 deletions b/‎cmd/backup.go‎
Lines changed: 30 additions & 11 deletions
@@ -21,7 +21,7 @@ jobs:
 
     defaults:
       run:
-        working-directory: ./test/tf
+        working-directory: ./.github/tf
 
     steps:
       - name: Checkout code
 
@@ -45,7 +45,6 @@ jobs:
     uses: ./.github/workflows/test-go-app.yml
     with:
       environment: ${{ github.ref_name }}
-      terraform_version: "1.14.4"
     secrets: inherit
 
   release:
 
@@ -6,9 +6,6 @@ on:
       environment:
         required: true
         type: string
-      terraform_version:
-        required: true
-        type: string
 
 permissions:
   id-token: write
@@ -30,65 +27,23 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: ${{ inputs.terraform_version }}
-          terraform_wrapper: false
-
       - name: Azure Login (OIDC)
         uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-      - name: Configure Terraform for Azure
-        run: |
-          echo "ARM_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}" >> $GITHUB_ENV
-          echo "ARM_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}" >> $GITHUB_ENV
-          echo "ARM_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}" >> $GITHUB_ENV
-          echo "ARM_USE_OIDC=true" >> $GITHUB_ENV
-
       - name: Build Go application
         run: go build -o kura .
 
-      - name: Terraform Init
-        working-directory: ./test/tf
-        run: |
-          terraform init \
-            -backend-config="resource_group_name=apim-kura" \
-            -backend-config="storage_account_name=apimkura" \
-            -backend-config="container_name=devops" \
-            -backend-config="key=${{ inputs.environment }}.tfstate"
-
       - name: Fetch subscription keys (before)
         run: |
-          set -euo pipefail
-          AZURE_SUB=${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          API_VERSION="2022-08-01"
-          RG="${{ env.RESOURCE_GROUP }}"
-          APIM="${{ env.APIM_NAME }}"
-          BASE_URL="https://management.azure.com/subscriptions/${AZURE_SUB}/resourceGroups/${RG}/providers/Microsoft.ApiManagement/service/${APIM}"
-
-          SUBS=$(az rest --method get --url "${BASE_URL}/subscriptions?api-version=${API_VERSION}")
-
-          RESULT="[]"
-          for SID in $(echo "$SUBS" | jq -r '.value[] | select(.properties.displayName | startswith("Built-in") | not) | .name'); do
-            SECRETS=$(az rest --method post --url "${BASE_URL}/subscriptions/${SID}/listSecrets?api-version=${API_VERSION}")
-            DISPLAY_NAME=$(echo "$SUBS" | jq -r --arg sid "$SID" '.value[] | select(.name == $sid) | .properties.displayName')
-            PRIMARY=$(echo "$SECRETS" | jq -r '.primaryKey')
-            SECONDARY=$(echo "$SECRETS" | jq -r '.secondaryKey')
-
-            RESULT=$(echo "$RESULT" | jq \
-              --arg dn "$DISPLAY_NAME" \
-              --arg pk "$PRIMARY" \
-              --arg sk "$SECONDARY" \
-              '. + [{"displayName": $dn, "primaryKey": $pk, "secondaryKey": $sk}]')
-          done
-
-          echo "$RESULT" | jq 'sort_by(.displayName)' > before.json
-          echo "Saved $(echo "$RESULT" | jq length) subscription keys to before.json"
+          ./kura backup \
+            --resource-group "${{ env.RESOURCE_GROUP }}" \
+            --apim-name "${{ env.APIM_NAME }}" \
+            --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}" \
+            --output before.json
 
       - name: Run kura backup
         run: |
@@ -98,14 +53,11 @@ jobs:
             --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
 
       - name: Delete all subscription resources
-        working-directory: ./test/tf
         run: |
-          terraform destroy \
-            -target='azurerm_api_management_subscription.global_subscription' \
-            -target='azurerm_api_management_subscription.product_subscription' \
-            -target='azurerm_api_management_subscription.api_subscription' \
-            -var="environment=${{ inputs.environment }}" \
-            -auto-approve
+          ./kura delete \
+            --resource-group "${{ env.RESOURCE_GROUP }}" \
+            --apim-name "${{ env.APIM_NAME }}" \
+            --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
 
       - name: Run kura restore
         run: |
@@ -117,46 +69,18 @@ jobs:
 
       - name: Fetch subscription keys (after)
         run: |
-          set -euo pipefail
-          AZURE_SUB=$(az account show --query id -o tsv)
-          API_VERSION="2022-08-01"
-          RG="${{ env.RESOURCE_GROUP }}"
-          APIM="${{ env.APIM_NAME }}"
-          BASE_URL="https://management.azure.com/subscriptions/${AZURE_SUB}/resourceGroups/${RG}/providers/Microsoft.ApiManagement/service/${APIM}"
-
-          SUBS=$(az rest --method get --url "${BASE_URL}/subscriptions?api-version=${API_VERSION}")
-
-          RESULT="[]"
-          for SID in $(echo "$SUBS" | jq -r '.value[] | select(.properties.displayName | startswith("Built-in") | not) | .name'); do
-            SECRETS=$(az rest --method post --url "${BASE_URL}/subscriptions/${SID}/listSecrets?api-version=${API_VERSION}")
-            DISPLAY_NAME=$(echo "$SUBS" | jq -r --arg sid "$SID" '.value[] | select(.name == $sid) | .properties.displayName')
-            PRIMARY=$(echo "$SECRETS" | jq -r '.primaryKey')
-            SECONDARY=$(echo "$SECRETS" | jq -r '.secondaryKey')
-
-            RESULT=$(echo "$RESULT" | jq \
-              --arg dn "$DISPLAY_NAME" \
-              --arg pk "$PRIMARY" \
-              --arg sk "$SECONDARY" \
-              '. + [{"displayName": $dn, "primaryKey": $pk, "secondaryKey": $sk}]')
-          done
-
-          echo "$RESULT" | jq 'sort_by(.displayName)' > after.json
-          echo "Saved $(echo "$RESULT" | jq length) subscription keys to after.json"
+          ./kura backup \
+            --resource-group "${{ env.RESOURCE_GROUP }}" \
+            --apim-name "${{ env.APIM_NAME }}" \
+            --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}" \
+            --output after.json
 
       - name: Compare subscription keys
         run: |
-          echo "=== Before (subscription count): $(jq length before.json) ==="
-          echo "=== After  (subscription count): $(jq length after.json) ==="
-
-          if diff <(jq -S . before.json) <(jq -S . after.json); then
-            echo "✓ All subscription keys match! Backup and restore successful."
-          else
-            echo ""
-            echo "✗ Subscription keys do not match after restore!"
-            echo ""
-            echo "--- Before ---"
-            jq . before.json
-            echo "--- After ---"
-            jq . after.json
+          # test if before.json and after.json are not empty
+          if [ ! -s before.json ] || [ ! -s after.json ]; then
+            echo "One of the backup files is empty!"
             exit 1
           fi
+
+          ./kura compare before.json after.json
@@ -13,6 +13,8 @@ Azure API Management subscription keys are critical credentials that grant acces
   - [backup](#backup)
   - [restore](#restore)
   - [list](#list)
+  - [compare](#compare)
+  - [delete](#delete)
   - [clean](#clean)
 - [Backup Storage Layout](#backup-storage-layout)
 - [Typical Workflow](#typical-workflow)
@@ -25,6 +27,20 @@ Azure API Management subscription keys are critical credentials that grant acces
 
 ## Installation
 
+### Pre-built binaries
+
+Download the latest release from the [GitHub Releases](https://github.com/f-marschall/apim-kura/releases) page. Binaries are available for Linux, macOS, and Windows across multiple architectures.
+
+For example, on Linux (amd64):
+
+```bash
+curl -Lo kura https://github.com/f-marschall/apim-kura/releases/latest/download/kura-linux-amd64
+chmod +x kura
+sudo mv kura /usr/local/bin/
+```
+
+### Build from source
+
 ```bash
 git clone https://github.com/f-marschall/apim-kura.git
 cd apim-kura
@@ -100,6 +116,29 @@ When `--product-id` is provided, the output is filtered to subscriptions scoped
 | `--product-id` | `-p` | No | Filter output to a single product |
 | `--subscription` | `-s` | No | Azure subscription ID (defaults to current CLI context) |
 
+### compare
+
+```
+kura compare <file1> <file2>
+```
+
+The compare command reads two backup JSON files and displays the differences between them. Use this to audit changes, verify backup consistency, or compare subscription keys across different snapshots.
+
+### delete
+
+```
+kura delete --resource-group <rg> --apim-name <apim> --subscription-id <id> [--subscription <sub-id>]
+```
+
+The delete command removes a subscription from an APIM instance. Specify the subscription ID (GUID) to delete.
+
+| Flag | Short | Required | Description |
+|------|-------|----------|----------|
+| `--resource-group` | `-g` | Yes | Azure resource group containing the APIM instance |
+| `--apim-name` | `-a` | Yes | Name of the APIM instance |
+| `--subscription-id` | `-i` | Yes | The subscription ID (GUID) to delete |
+| `--subscription` | `-s` | No | Azure subscription ID (defaults to current CLI context) |
+
 ### clean
 
 ```
 
@@ -16,13 +16,15 @@ var backupCmd = &cobra.Command{
 	Use:   "backup",
 	Short: "Backup subscription keys from Azure API Management",
 	Long: `Backup retrieves subscription keys from an Azure API Management instance
-and saves them to a local backup directory.
+and saves them to a local backup directory or file.
 
-The backup is stored under: backup/<resource-group>/<apim-name>[/<product-id>]
+By default, backups are stored under: backup/<resource-group>/<apim-name>[/<product-id>]
+Use --output to save to a custom file path instead.
 
 Example:
   kura backup --resource-group mygroup --apim-name myapim
-  kura backup --resource-group mygroup --apim-name myapim --product-id myproduct`,
+  kura backup --resource-group mygroup --apim-name myapim --product-id myproduct
+  kura backup -g mygroup -a myapim --output ./my-backup.json`,
 	RunE: runBackup,
 }
 
@@ -31,6 +33,7 @@ var (
 	backupAPIMName      string
 	backupSubscription  string
 	backupProductID     string
+	backupOutput        string
 )
 
 func init() {
@@ -41,6 +44,7 @@ func init() {
 	backupCmd.Flags().StringVarP(&backupAPIMName, "apim-name", "a", "", "Azure API Management instance name (required)")
 	backupCmd.Flags().StringVarP(&backupSubscription, "subscription", "s", "", "Azure subscription ID")
 	backupCmd.Flags().StringVarP(&backupProductID, "product-id", "p", "", "Azure APIM product ID (optional, scopes backup to a product)")
+	backupCmd.Flags().StringVarP(&backupOutput, "output", "o", "", "Output file path (if not specified, defaults to backup folder structure)")
 
 	// Mark required flags
 	backupCmd.MarkFlagRequired("resource-group")
@@ -58,12 +62,20 @@ func runBackup(cmd *cobra.Command, args []string) error {
 		fmt.Printf("Product ID: %s\n", backupProductID)
 	}
 
-	// Create backup directory structure
-	backupDir, err := backup.EnsureBackupDir(backupResourceGroup, backupAPIMName, backupProductID)
-	if err != nil {
-		return fmt.Errorf("failed to create backup directory: %w", err)
+	// Determine output file path
+	var filePath string
+	if backupOutput != "" {
+		filePath = backupOutput
+		fmt.Printf("Output file: %s\n", filePath)
+	} else {
+		// Create backup directory structure
+		backupDir, err := backup.EnsureBackupDir(backupResourceGroup, backupAPIMName, backupProductID)
+		if err != nil {
+			return fmt.Errorf("failed to create backup directory: %w", err)
+		}
+		filePath = filepath.Join(backupDir, "subscriptions.json")
+		fmt.Printf("Backup directory: %s\n", backupDir)
 	}
-	fmt.Printf("Backup directory: %s\n", backupDir)
 
 	// Authenticate with Azure CLI
 	ctx := context.Background()
@@ -73,8 +85,6 @@ func runBackup(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return fmt.Errorf("authentication failed: %w", err)
 	}
-	fmt.Println("Successfully authenticated with Azure CLI")
-
 	fmt.Println("\nFetching subscriptions...")
 	subs, err := client.ListSubscriptions(ctx, backupProductID)
 
@@ -85,7 +95,16 @@ func runBackup(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to marshal subscriptions to JSON: %w", err)
 	}
 
-	filePath := filepath.Join(backupDir, "subscriptions.json")
+	// Ensure parent directories exist if using custom output path
+	if backupOutput != "" {
+		dir := filepath.Dir(filePath)
+		if dir != "." && dir != "" {
+			if err := os.MkdirAll(dir, 0755); err != nil {
+				return fmt.Errorf("failed to create output directory: %w", err)
+			}
+		}
+	}
+
 	if err := os.WriteFile(filePath, prettyJSON, 0644); err != nil {
 		return fmt.Errorf("failed to write backup file: %w", err)
 	}