foundation/preflight/checks/env.sh

53 lines
2.2 KiB
Bash
Raw Permalink Normal View History

#!/usr/bin/env bash
# -----------------------------------------------------------------------------
# checks/env.sh — required environment for a `pulumi up` (CONTRACT_001 §1, §1.3).
# * PULUMI_CONFIG_PASSPHRASE : set & non-empty (the single external secret, D2).
# NEVER printed — only its presence is reported.
# * SSH_PRIVATE_KEY_PATH : path to the VM key (default ~/.ssh/id_rsa) exists.
# Exits non-zero if a required var is missing/empty or the key file is absent.
# -----------------------------------------------------------------------------
set -euo pipefail
PF_DIR=$(cd "$(dirname "$0")/.." && pwd)
# shellcheck source=../lib/common.sh
. "$PF_DIR/lib/common.sh"
echo "[env] required environment variables and secrets (CONTRACT_001 §1.3)"
# --- PULUMI_CONFIG_PASSPHRASE: presence only, value is sacred (D2) ---
if [ -n "${PULUMI_CONFIG_PASSPHRASE:-}" ]; then
pf_pass "PULUMI_CONFIG_PASSPHRASE is set (value not shown — D2)"
elif [ -n "${PULUMI_CONFIG_PASSPHRASE_FILE:-}" ]; then
if [ -f "${PULUMI_CONFIG_PASSPHRASE_FILE}" ]; then
pf_pass "PULUMI_CONFIG_PASSPHRASE_FILE set and file exists (value not shown)"
else
pf_fail "PULUMI_CONFIG_PASSPHRASE_FILE='${PULUMI_CONFIG_PASSPHRASE_FILE}' does not exist"
fi
else
pf_fail "PULUMI_CONFIG_PASSPHRASE is unset/empty (and no PULUMI_CONFIG_PASSPHRASE_FILE)"
fi
# --- SSH_PRIVATE_KEY_PATH: file must exist (CONTRACT_001 default ~/.ssh/id_rsa) ---
ssh_key="${SSH_PRIVATE_KEY_PATH:-$HOME/.ssh/id_rsa}"
# Expand a leading ~ if the operator exported it literally.
case "$ssh_key" in
"~/"*) ssh_key="$HOME/${ssh_key#~/}" ;;
"~") ssh_key="$HOME" ;;
esac
if [ -f "$ssh_key" ]; then
if [ -z "${SSH_PRIVATE_KEY_PATH:-}" ]; then
pf_pass "SSH private key found at default path: $ssh_key"
else
pf_pass "SSH private key found: $ssh_key"
fi
# Permission hygiene: warn (do not fail) on world/group-readable key.
perms=$(ls -l "$ssh_key" 2>/dev/null | cut -c1-10)
case "$perms" in
*------) : ;; # owner-only-ish; fine
*) pf_warn "SSH key $ssh_key permissions look loose ($perms); 'chmod 600' recommended" ;;
esac
else
pf_fail "SSH private key not found at '$ssh_key' (set SSH_PRIVATE_KEY_PATH or create ~/.ssh/id_rsa)"
fi
pf_summary "env"