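#!/bin/bash
#
# generate-concourse-environment.sh
#
# Builds concourse-environment.yml in the current directory: for every
# environment, download its encrypted secrets file from S3, fetch the matching
# passphrase out of the `secret-rotation` pipeline on the given Concourse
# target, decrypt it with cg-pipeline-tasks' decrypt.sh, prefix each key with
# "<environment>_", and merge everything (plus any extra YAML files given as
# positional arguments) with spruce.
#
# Required environment variables:
#   CG_PIPELINE     path to a clone of https://github.com/18F/cg-pipeline-tasks
#                   (its decrypt.sh is executed)
#   SECRETS_BUCKET  S3 bucket holding secrets-<environment>.yml
#   CI_ENV          fly target that hosts the secret-rotation pipeline
# Optional:
#   ENVIRONMENTS    space-separated environment names
#                   (default: common master tooling development staging production)
#
# Usage:
#   CG_PIPELINE=~/dev/cg-pipeline-tasks SECRETS_BUCKET=my-bucket CI_ENV=my-target \
#     ./generate-concourse-environment.sh [extra-vars.yml ...]
#
# Exit status: 98 for a missing/invalid configuration variable, otherwise the
# status of the first failing command (set -e / pipefail).
#
# SECURITY: the output file and every intermediate file hold plaintext
# secrets. Intermediates live in a private mktemp directory that is removed on
# any exit; files are created 0600 via umask.
set -euo pipefail

# Every file written here contains decrypted secrets — never group/world readable.
umask 077

readonly RED='\033[0;31m'
readonly CYAN='\033[0;36m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[0;33m'
readonly PURPLE='\033[0;35m'
readonly NC='\033[0m'

#######################################
# Abort with a usage hint when a required variable is unset or empty.
# Arguments:
#   $1 - variable name (looked up indirectly)
#   $2 - description of what the variable must hold (may contain colour codes)
#   $3 - example invocation
# Outputs: error text on stderr
# Returns: exits 98 when the variable is empty; otherwise 0
#######################################
require_var() {
  local name="$1" description="$2" example="$3"
  # ${!name:-} stays safe under `set -u` when the variable is entirely unset.
  if [[ -z "${!name:-}" ]]; then
    echo -e "${RED}ERROR${NC} Please set a ${YELLOW}\$${name}${NC} ${description}" >&2
    echo -e "eg, ${PURPLE}${example}${NC}" >&2
    exit 98
  fi
}

require_var CG_PIPELINE \
  "variable pointing to a clone of ${YELLOW}https://github.com/18F/cg-pipeline-tasks${NC}" \
  "CG_PIPELINE=~/dev/cg-pipeline-tasks ./generate-concourse-environment.sh"
require_var SECRETS_BUCKET \
  "with the name of the ${YELLOW}s3 bucket where secrets are stored${NC}" \
  "SECRETS_BUCKET=my-aws-bucket ./generate-concourse-environment.sh"
require_var CI_ENV \
  "with the name of the ${YELLOW}concourse target where the secret-rotation pipeline is stored${NC}" \
  "CI_ENV=my-concourse-target ./generate-concourse-environment.sh"

# Fail before touching S3 or Concourse if the decrypt helper cannot be run.
if [[ ! -x "${CG_PIPELINE}/decrypt.sh" ]]; then
  echo -e "${RED}ERROR${NC} ${YELLOW}${CG_PIPELINE}/decrypt.sh${NC} not found or not executable" >&2
  exit 98
fi

# Private scratch directory for encrypted/decrypted/tagged per-environment
# files; removed on every exit path so a mid-run failure (set -e) cannot leave
# plaintext secrets behind, and so fixed names in the cwd are never clobbered.
workdir=$(mktemp -d)
readonly workdir
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

# The secret-rotation pipeline holds one passphrase per environment; fetch it
# once rather than once per loop iteration. Kept in memory only.
pipeline_json=$(
  fly --target "${CI_ENV}" get-pipeline --pipeline secret-rotation \
    | spruce json
)

# Seed the combined file with a placeholder key so the first spruce merge has
# a valid map to merge into; --prune drops it again on every merge.
combined="${workdir}/secrets-combined.yml"
echo "bogus_key: bogus" > "${combined}"

# shellcheck disable=SC2086 -- ENVIRONMENTS is deliberately a space-separated list
for environment in ${ENVIRONMENTS:-common master tooling development staging production}; do
  encrypted="${workdir}/secrets-${environment}.yml"
  decrypted="${workdir}/secrets-${environment}-decrypted.yml"
  tagged="${workdir}/secrets-${environment}-updated.yml"

  # download the encrypted secrets file from s3
  aws s3 cp "s3://${SECRETS_BUCKET}/secrets-${environment}.yml" "${encrypted}"

  # fish this environment's passphrase out of the secret-rotation pipeline
  passphrase=$(
    printf '%s' "${pipeline_json}" \
      | jq --arg SECRETS "secrets-in-${environment}" -r '
          .resources[]
          | select(.name == $SECRETS)
          | .source.secrets_passphrase
        '
  )
  # jq emits nothing when the resource is absent and "null" when the field is;
  # either would otherwise hand decrypt.sh an empty/bogus key.
  if [[ -z "${passphrase}" || "${passphrase}" == "null" ]]; then
    echo -e "${RED}ERROR${NC} no secrets_passphrase for resource ${YELLOW}secrets-in-${environment}${NC} in the secret-rotation pipeline on ${CI_ENV}" >&2
    exit 1
  fi

  # decrypt secrets file (passphrase passed via env, not argv, so it does not show in ps)
  INPUT_FILE="${encrypted}" \
  OUTPUT_FILE="${decrypted}" \
  PASSPHRASE="${passphrase}" \
    "${CG_PIPELINE}/decrypt.sh"

  # tag secrets per environment: prefix every key under .secrets with "<env>_"
  spruce json "${decrypted}" \
    | jq --arg SOURCE "${environment}_" '.secrets | with_entries(.key |= $SOURCE + .)' \
    | spruce merge \
    > "${tagged}"

  # merge into combined secrets (later file wins, as in the original ordering)
  spruce merge --prune bogus_key "${tagged}" "${combined}" > "${combined}.tmp"
  mv "${combined}.tmp" "${combined}"

  # drop this environment's plaintext as early as possible
  rm -f -- "${encrypted}" "${decrypted}" "${tagged}"
done

# merge environment secrets files & any other concourse vars given as arguments
if (( $# > 0 )); then
  spruce merge "${combined}" "$@" > concourse-environment.yml
  echo "added vars from $*"
else
  mv -- "${combined}" concourse-environment.yml
fi
echo "output concourse-environment.yml"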