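#!/bin/bash
#
# Phase 8: Secrets Configuration
#
# Stores the deployment's runtime secrets in Azure Key Vault.
#
# Requires (from config.sh): KEY_VAULT_NAME, AKS_RESOURCE_GROUP, ENVIRONMENT,
# plus the log_*/error_exit/save_state helpers.
# Optional (environment):   DATABASE_URL - stored as "database-url-${ENVIRONMENT}"
#                           when set; it is a connection string and is treated
#                           as a secret end to end (never put on an argv line).
#
# Note: Some secrets may need to be set manually (see DEPLOYMENT_GUIDE.md, Phase 8).
#

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=./config.sh
source "${SCRIPT_DIR}/config.sh"

# Fail with a clear message instead of a bare "unbound variable" from set -u.
: "${KEY_VAULT_NAME:?KEY_VAULT_NAME must be set in config.sh}"
: "${AKS_RESOURCE_GROUP:?AKS_RESOURCE_GROUP must be set in config.sh}"

# Scratch file used to hand secret values to az without exposing them on the
# command line. Tracked globally so an abort mid-way still removes it.
SECRET_TMP=""
cleanup_secret_tmp() {
  if [[ -n "${SECRET_TMP}" ]]; then
    rm -f -- "${SECRET_TMP}"
  fi
}
trap cleanup_secret_tmp EXIT

#######################################
# True if a secret named $1 exists in ${KEY_VAULT_NAME}.
# NOTE(review): `az keyvault secret show` performs a GET, which requires the
# secrets/get permission and returns the value over the wire even though only
# existence is needed here; `az keyvault secret list` (secrets/list) would
# avoid fetching the value - confirm the identity has list rights before
# switching. The value is discarded (/dev/null) in either case.
# Arguments: $1 - secret name
# Returns:   0 if present/readable, non-zero otherwise
#######################################
kv_secret_exists() {
  local name=$1
  az keyvault secret show \
    --vault-name "${KEY_VAULT_NAME}" \
    --name "${name}" \
    --query id -o tsv > /dev/null 2>&1
}

#######################################
# Store secret $2 under name $1 in ${KEY_VAULT_NAME}.
# The value is written to a 0600 temp file (mktemp) and passed with --file
# rather than --value: argv is readable by any local user via ps and is
# echoed verbatim under `set -x`. az's response (which echoes the stored
# value back as JSON) is discarded so it never lands in CI/terminal logs.
# Arguments: $1 - secret name; $2 - secret value
# Returns:   0 on success, non-zero if the temp file or az call fails
#######################################
kv_set_secret() {
  local name=$1 value=$2 rc=0
  SECRET_TMP=$(mktemp) || return 1
  printf '%s' "${value}" > "${SECRET_TMP}" || rc=$?
  if [[ ${rc} -eq 0 ]]; then
    az keyvault secret set \
      --vault-name "${KEY_VAULT_NAME}" \
      --name "${name}" \
      --file "${SECRET_TMP}" \
      --encoding utf-8 \
      > /dev/null || rc=$?
  fi
  rm -f -- "${SECRET_TMP}"
  SECRET_TMP=""
  return "${rc}"
}

log_info "=========================================="
log_info "Phase 8: Secrets Configuration"
log_info "=========================================="

# Verify Key Vault exists
log_step "8.1 Verifying Azure Key Vault..."

# `az keyvault show` also fails when the caller is not logged in or lacks
# read access on the vault resource, so the message covers both causes.
if ! az keyvault show \
  --name "${KEY_VAULT_NAME}" \
  --resource-group "${AKS_RESOURCE_GROUP}" \
  --query name -o tsv > /dev/null 2>&1; then
  error_exit "Key Vault ${KEY_VAULT_NAME} not found. Create it first with Terraform (if it exists, check 'az login' and vault permissions)."
fi

log_success "Key Vault found: ${KEY_VAULT_NAME}"

# Store database URL if provided (best-effort: a failure is a warning, not an
# abort, matching the header's "may need to be set manually" policy).
if [[ -n "${DATABASE_URL:-}" ]]; then
  : "${ENVIRONMENT:?ENVIRONMENT must be set in config.sh}"
  log_step "8.2 Storing database URL..."
  if kv_set_secret "database-url-${ENVIRONMENT}" "${DATABASE_URL}"; then
    log_success "Database URL stored"
  else
    log_warning "Failed to store database URL"
  fi
fi

# Check for Entra secrets. These names are not suffixed with ${ENVIRONMENT}
# (unlike database-url-*); if one vault serves several environments they are
# shared - presumably intentional, as store-entra-secrets.sh owns these names.
log_step "8.3 Checking Entra ID secrets..."

ENTRA_SECRETS=("entra-tenant-id" "entra-client-id" "entra-client-secret" "entra-credential-manifest-id")
MISSING_SECRETS=()

for secret in "${ENTRA_SECRETS[@]}"; do
  if ! kv_secret_exists "${secret}"; then
    MISSING_SECRETS+=("${secret}")
  fi
done

if [[ ${#MISSING_SECRETS[@]} -gt 0 ]]; then
  log_warning "Missing Entra ID secrets: ${MISSING_SECRETS[*]}"
  log_info "Run: ./scripts/deploy/store-entra-secrets.sh"
else
  log_success "All Entra ID secrets found"
fi

# Store JWT secret if not exists. An existing secret is never rotated here:
# regenerating it would invalidate every token signed with the old value.
log_step "8.4 Storing JWT secret..."

if kv_secret_exists "jwt-secret"; then
  log_success "JWT secret already exists"
else
  # 32 random bytes (256 bits) from the CSPRNG, base64-encoded for storage.
  JWT_SECRET=$(openssl rand -base64 32) || error_exit "openssl rand failed; JWT secret not generated"
  [[ -n "${JWT_SECRET}" ]] || error_exit "openssl rand produced an empty JWT secret"
  kv_set_secret "jwt-secret" "${JWT_SECRET}" || error_exit "Failed to store JWT secret"
  unset JWT_SECRET  # drop the value from the shell once it is in the vault
  log_success "JWT secret generated and stored"
fi

log_info "Secrets configuration complete"
log_info "Note: Additional secrets may need to be set manually"
log_info "See docs/deployment/DEPLOYMENT_GUIDE.md Phase 8 for complete list"

# Save state. The phase is recorded complete even when Entra secrets are
# missing (the warning above is the only signal); a later phase that needs
# them will fail at runtime rather than here.
save_state "phase8" "complete"

log_success "=========================================="
log_success "Phase 8: Secrets Configuration - COMPLETE"
log_success "=========================================="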