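#!/bin/bash
# Provision Admin Vault for Sankofa Admin Portal
#
# Creates the admin vault entry. Secret migration is NOT performed here; it is
# a separate follow-up step (see "Next steps" printed at the end).
#
# Environment:
#   VAULT_ADDR        Vault base URL (default: http://192.168.11.200:8200)
#   VAULT_TOKEN       Token used for provisioning; falls back to VAULT_ROOT_TOKEN
#   ADMIN_ORG_NAME    Organization display name (default: "Sankofa Admin")
#   ADMIN_VAULT_NAME  Vault name (default: sankofa-admin)
#   ADMIN_LEVEL       Admin level handed to the TypeScript provisioner
#                     (default: super_admin)

set -euo pipefail

# Configuration
VAULT_ADDR="${VAULT_ADDR:-http://192.168.11.200:8200}"
# NOTE(review): the VAULT_ROOT_TOKEN fallback means this can run with a root
# token. A short-lived token scoped to the admin path is the safer choice
# where policy allows it.
VAULT_TOKEN="${VAULT_TOKEN:-${VAULT_ROOT_TOKEN:-}}"
ADMIN_ORG_NAME="${ADMIN_ORG_NAME:-Sankofa Admin}"
ADMIN_VAULT_NAME="${ADMIN_VAULT_NAME:-sankofa-admin}"
ADMIN_LEVEL="${ADMIN_LEVEL:-super_admin}"

# Colors (ANSI-C quoting yields the real escape byte, so no `echo -e` is needed)
GREEN=$'\033[0;32m'
BLUE=$'\033[0;34m'
YELLOW=$'\033[1;33m'
NC=$'\033[0m'

# Log helpers. The message goes through %s so backslash sequences inside
# environment-supplied values are printed literally instead of interpreted.
log_info() {
  printf '%s[INFO]%s %s\n' "$BLUE" "$NC" "$1"
}

log_success() {
  printf '%s[SUCCESS]%s %s\n' "$GREEN" "$NC" "$1"
}

log_warn() {
  printf '%s[WARN]%s %s\n' "$YELLOW" "$NC" "$1"
}

# Check prerequisites
if [[ -z "$VAULT_TOKEN" ]]; then
  log_warn "VAULT_TOKEN not set. Please set it before running."
  exit 1
fi

# The default VAULT_ADDR is plain HTTP; over such a link the token and any
# secret payload travel unencrypted. Warn rather than fail so existing lab
# setups keep working.
if [[ "$VAULT_ADDR" != https://* ]]; then
  log_warn "VAULT_ADDR is not HTTPS; the Vault token will be sent unencrypted."
fi

log_info "=== Provisioning Admin Vault ==="
log_info "Organization: $ADMIN_ORG_NAME"
log_info "Vault Name: $ADMIN_VAULT_NAME"
log_info "Admin Level: $ADMIN_LEVEL"
echo ""

# Check if we can use Node.js/TypeScript script
if command -v node &>/dev/null && [[ -f "dbis_core/scripts/provision-admin-vault.ts" ]]; then
  log_info "Using TypeScript provisioning script..."
  export VAULT_TOKEN VAULT_ADDR
  # Subshell keeps the caller's working directory intact even if npx fails.
  (
    cd dbis_core
    npx tsx scripts/provision-admin-vault.ts \
      --org "$ADMIN_ORG_NAME" \
      --name "$ADMIN_VAULT_NAME" \
      --level "$ADMIN_LEVEL"
  )
else
  log_warn "TypeScript script not available. Using direct Vault API calls..."

  # Direct Vault API provisioning.
  # Org name -> lowercase slug of [a-z0-9-], runs of '-' collapsed, max 32 chars.
  ORG_ID=$(printf '%s\n' "$ADMIN_ORG_NAME" \
    | tr '[:upper:]' '[:lower:]' \
    | sed 's/[^a-z0-9]/-/g' \
    | sed 's/--*/-/g' \
    | cut -c1-32)
  # NOTE(review): ADMIN_VAULT_NAME is placed in the path as-is (unlike the org
  # name). Keep it to [a-z0-9-] so it cannot change which path is written.
  VAULT_PATH="secret/data/admin/${ORG_ID}/${ADMIN_VAULT_NAME}"

  log_info "Creating admin vault at: $VAULT_PATH"

  created_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  payload="{\"data\":{\"initialized\":true,\"adminVault\":true,\"createdAt\":\"${created_at}\"}}"

  # Create initial structure.
  #  -f   : make HTTP 4xx/5xx a failure; without it a 403 from Vault would still
  #         be reported as "created".
  #  -sS  : stay quiet but print the error when one occurs.
  #  -H @-: read the token header from stdin so the token does not appear in
  #         the process argument list (needs curl >= 7.55.0).
  if ! curl -fsS -X POST \
    -H @- \
    -H "Content-Type: application/json" \
    -d "$payload" \
    "$VAULT_ADDR/v1/$VAULT_PATH" >/dev/null <<<"X-Vault-Token: $VAULT_TOKEN"; then
    log_warn "Vault write to $VAULT_PATH failed (see curl error above)."
    exit 1
  fi

  log_success "Admin vault created at: $VAULT_PATH"
fi

echo ""
log_info "Next steps:"
log_info "1. Run migration script: ./scripts/migrate-secrets-to-admin-vault.sh"
log_info "2. Store credentials securely"
log_info "3. Update applications to use admin vault"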