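#!/usr/bin/env bash
# Seed the CI/CD Vault with per-environment secrets read from AWS SSM, then push
# the DigitalOcean token from Vault back into SSM.
#
# Required environment variables:
#   ENVIRONMENT            target environment; also used as the kv-v2 mount
#                          path and as an SSM path segment. "production" and
#                          "staging" are refused.
#   AWS_REGION             region holding the SSM parameters
#   MYSQL_RADIUS_PASSWORD  written verbatim to <ENVIRONMENT>/radius-api/
#   KMS_KEY_ID             KMS key used for the SecureString written to SSM
#
# The Vault root token is fetched from SSM and exported as VAULT_TOKEN for the
# whole run, so every vault call below is a root-token call; never trace this
# script with `set -x`.
set -euo pipefail

readonly VAULT_CICD_ADDR=https://vault-cicd.safersoftware.net:8200
readonly SSM_ROOT_TOKEN_PARAM=/cicd-primary-vault-root-token
readonly QA_COMMON=/qa-devops/common

#######################################
# Print a message to stderr and exit non-zero.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Read one decrypted SSM parameter.
# Globals:   AWS_REGION (read)
# Arguments: $1 - parameter name (full path)
# Outputs:   the parameter value on stdout
# Returns:   exits via die if the parameter cannot be read, so a failed lookup
#            can never be written to Vault as an empty secret
#######################################
ssm_get() {
  local name=$1
  aws ssm get-parameter --with-decryption --region "$AWS_REGION" \
    --query "Parameter.Value" --output text --name "$name" \
    || die "failed to read SSM parameter '$name'"
}

#######################################
# Insert a database name in front of the "?ssl" query marker of a connection
# string (the shared URIs end in "/?ssl..." with the database left blank).
# Arguments: $1 - connection string
#            $2 - database name to insert
# Outputs:   rewritten connection string on stdout; unchanged if "?ssl" is absent
#######################################
with_db_name() {
  local url=$1 name=$2
  # Parameter expansion instead of sed: the name is data here, not part of a
  # sed replacement, so '@', '&' or '\' in it cannot corrupt the result.
  printf '%s\n' "${url/\?ssl/${name}?ssl}"
}

#######################################
# ssm_get followed by with_db_name, as two steps so that a failed lookup
# still aborts the script (a failure inside a nested "$(...)" argument would
# otherwise be masked by the outer command's exit status).
# Arguments: $1 - parameter name, $2 - database name
#######################################
ssm_get_db() {
  local value
  value=$(ssm_get "$1") || return
  with_db_name "$value" "$2"
}

main() {
  : "${ENVIRONMENT:?must be set}"
  : "${AWS_REGION:?must be set}"
  : "${KMS_KEY_ID:?must be set}"
  # Required so an unset variable cannot be persisted as an empty password.
  : "${MYSQL_RADIUS_PASSWORD:?must be set}"

  case "$ENVIRONMENT" in
    production|staging) die "Environment: $ENVIRONMENT is not allowed..." ;;
  esac
  # ENVIRONMENT becomes a Vault mount path and an SSM path segment; refuse
  # anything that is not a plain identifier.
  [[ "$ENVIRONMENT" =~ ^[A-Za-z0-9_.-]+$ ]] \
    || die "Environment: '$ENVIRONMENT' is not a valid environment name"

  printf '%s\n' "Creating Vault Secrets for environment '$ENVIRONMENT'..."
  export VAULT_ADDR=$VAULT_CICD_ADDR
  # Split declaration and assignment so a failed lookup is not masked by export.
  VAULT_TOKEN=$(ssm_get "$SSM_ROOT_TOKEN_PARAM")
  export VAULT_TOKEN

  printf '%s\n' "Creating Secrets Engines..."
  # An already-enabled mount is expected on re-runs; a bad token surfaces on
  # the first kv put below instead.
  vault secrets enable -path "$ENVIRONMENT" kv-v2 2>/dev/null || true

  printf '%s\n' "Getting all Parameters from SSM"
  local databaseurl mongodburl mongodbsaferxurl mongopasswordsaferxbe mongojarvis
  local mongosdpc vaulttoken mysqldsn messagebrokerhost consulencryptionkey
  databaseurl=$(ssm_get_db "$QA_COMMON/DATABASE_URI" "p81-$ENVIRONMENT")
  mongodburl=$(ssm_get_db "$QA_COMMON/MONGO_DB_URL" "activitylog-$ENVIRONMENT")
  mongodbsaferxurl=$(ssm_get_db "$QA_COMMON/MONGO_DB_SAFERX_BE" "saferx-backend")
  mongopasswordsaferxbe=$(ssm_get "$QA_COMMON/MONGO_PASSWORD_SAFERX_BE")
  # Not yet sourced from SSM (would be $QA_COMMON/MONGO_JARVIS rewritten with
  # "jarvis-$ENVIRONMENT"); a placeholder is written for now.
  mongojarvis="EMPTY_FOR_NOW"
  mongosdpc=$(ssm_get_db "$QA_COMMON/MONGO_SDPC" "sdpc-$ENVIRONMENT")
  vaulttoken=$(ssm_get "/$ENVIRONMENT/common/VAULT_TOKEN")
  mysqldsn=$(ssm_get "/$ENVIRONMENT/common/MYSQL_DSN")
  messagebrokerhost=$(ssm_get "/$ENVIRONMENT/common/MESSAGE_BROKER_HOST")
  consulencryptionkey=$(ssm_get "/$ENVIRONMENT/common/CONSUL_ENCRYPTION_KEY")
  # TODO: TCP_CA_CERT / TCP_SERVER_CERT / TCP_SERVER_KEY (under
  # /$ENVIRONMENT/common/) and VAULT_P81ZERO_NAMESPACE_TOKEN (a token created
  # in the platform-leia namespace with the platform-padme policy) are not
  # written yet.
  printf '%s\n' "Done getting all params..."

  # Every value is quoted: connection strings contain '?' and may contain
  # spaces, which unquoted would be globbed or word-split.
  vault kv put "$ENVIRONMENT/common/" \
    DATABASE_URI="$databaseurl" \
    MONGO_DB_URL="$mongodburl" \
    MONGO_DB_SAFERX_BE="$mongodbsaferxurl" \
    MONGO_PASSWORD_SAFERX_BE="$mongopasswordsaferxbe" \
    MONGO_JARVIS="$mongojarvis" \
    MONGO_SDPC="$mongosdpc" \
    VAULT_TOKEN="$vaulttoken" \
    MYSQL_DSN="$mysqldsn" \
    MESSAGE_BROKER_HOST="$messagebrokerhost"

  vault kv put "$ENVIRONMENT/saferx-backend/" \
    SX_VAULT_TOKEN="$vaulttoken" \
    SX_CONSUL_P0_ENCRYPTION_KEY="$consulencryptionkey" \
    SX_LOKI_PUSH_URL="" \
    SX_PSK=""

  # Both radius keys are filled from the same parameter; fetch it once.
  local mongodbsaferxbe
  mongodbsaferxbe=$(ssm_get "/$ENVIRONMENT/common/MONGO_DB_SAFERX_BE")
  vault kv put "$ENVIRONMENT/radius-api/" \
    MONGO_DB_LEGACY="$mongodbsaferxbe" \
    MONGO_DB_SVPN="$mongodbsaferxbe" \
    MYSQL_RADIUS_PASSWORD="$MYSQL_RADIUS_PASSWORD"

  printf '%s\n' "Inserting Lambda secrets to Vault"
  local snowflake_prv_key active_session_db_uri
  # The flag is -field; the earlier "-fiedl" made vault reject the command,
  # so an empty key was written here and an empty token pushed to SSM below.
  snowflake_prv_key=$(vault kv get -field="$ENVIRONMENT" "global/core_env_tokens")
  active_session_db_uri=$(ssm_get "/$ENVIRONMENT/common/DATABASE_URI")
  vault kv put "$ENVIRONMENT/lambdas/" \
    active_session_db_uri="$active_session_db_uri" \
    snowflake_prv_key="$snowflake_prv_key"

  printf '%s\n' "Inserting DO token to SSM"
  local do_token
  # NOTE(review): this reads the same path and field as snowflake_prv_key
  # above — confirm the DigitalOcean token really lives under that key.
  do_token=$(vault kv get -field="$ENVIRONMENT" "global/core_env_tokens")
  # --region added so the write lands in the same region the reads used
  # rather than whatever the CLI's default region happens to be.
  aws ssm put-parameter --region "$AWS_REGION" \
    --name "/$ENVIRONMENT/common/DIGITAL_OCEAN_API_TOKEN" \
    --value "$do_token" --key-id "$KMS_KEY_ID" \
    --type "SecureString" --tier "Advanced" --overwrite
}

main "$@"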