foundation/bootstrap/run.sh

32 lines
1.6 KiB
Bash
Raw Normal View History

#!/usr/bin/env bash
# Reproducible foundation deploy. Master passphrase = the single external secret.
set -euo pipefail
DIR="$(cd "$(dirname "$0")" && pwd)"
# Pin the backend PER-PROCESS via env — NEVER `pulumi login` (that mutates the
# GLOBAL backend pointer in ~/.pulumi and would misdirect other projects' run.sh).
export PULUMI_BACKEND_URL="file://${DIR}/state"
export PULUMI_CONFIG_PASSPHRASE="$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE)"
export SSH_PRIVATE_KEY_PATH="${SSH_PRIVATE_KEY_PATH:-${HOME}/.ssh/foundation-test_ed25519}"
cd "$DIR"
pulumi stack select foundation 2>/dev/null || pulumi stack init foundation
pulumi "$@"
# After a successful `up`, capture Vault's unseal keys + root token (emitted by the
# foundation-vault-init command as secret stack outputs) back into the
# passphrase-encrypted config (vaultCredentials:*). This is the proven
# olsitec-core/run.sh pattern and the ONE bootstrap secret that cannot live in
# Vault (CONTRACT_002 §2.4). Idempotent: only writes when the value actually
# changes, so Pulumi.foundation.yaml is not churned on every deploy.
if [ "${1:-}" = "up" ]; then
uk=$(pulumi stack output vaultUnsealKeys --show-secrets 2>/dev/null || true)
rt=$(pulumi stack output vaultRootToken --show-secrets 2>/dev/null || true)
if [ -n "$uk" ] && [ -n "$rt" ]; then
cur=$(pulumi config get vaultCredentials:unsealKeys 2>/dev/null || true)
if [ "$cur" != "$uk" ]; then
pulumi config set vaultCredentials:unsealKeys --secret "$uk"
pulumi config set vaultCredentials:rootToken --secret "$rt"
echo "run.sh: captured Vault unseal keys + root token into encrypted config"
fi
fi
fi