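#!/usr/bin/env bash
# -----------------------------------------------------------------------------
# checks/env.sh — required environment for a `pulumi up` (CONTRACT_001 §1, §1.3).
# * PULUMI_CONFIG_PASSPHRASE : set & non-empty (the single external secret, D2).
#   NEVER printed — only its presence is reported. PULUMI_CONFIG_PASSPHRASE_FILE
#   (an existing, readable, non-empty file) is accepted as the alternative.
# * SSH_PRIVATE_KEY_PATH : path to the VM key (default ~/.ssh/id_rsa) exists
#   and is readable. Loose permissions on either secret file are warned about,
#   not fatal.
# Exits non-zero if a required var is missing/empty or the key file is absent
# or unreadable.
# pf_pass / pf_fail / pf_warn / pf_summary are expected from lib/common.sh.
# -----------------------------------------------------------------------------
set -euo pipefail

PF_DIR=$(cd "$(dirname "$0")/.." && pwd)
# shellcheck source=../lib/common.sh
. "$PF_DIR/lib/common.sh"

# Print the octal permission bits of a file ("600", "644", ...).
# Tries GNU stat first, then BSD/macOS stat; prints nothing and returns
# non-zero if neither form works. Replaces parsing `ls -l` output.
file_mode() {
  stat -c '%a' -- "$1" 2>/dev/null || stat -f '%Lp' -- "$1" 2>/dev/null
}

# Warn (do not fail) when a secret-bearing file is readable by group/other.
# $1 = label used in the message, $2 = path.
warn_if_loose() {
  local mode
  mode=$(file_mode "$2") || mode=""
  case "$mode" in
    "")    pf_warn "$1 $2: could not determine permissions; ensure it is 'chmod 600'" ;;
    *00|0) : ;;  # group and other have no bits set: owner-only, fine
    *)     pf_warn "$1 $2 permissions look loose (0$mode); 'chmod 600' recommended" ;;
  esac
}

echo "[env] required environment variables and secrets (CONTRACT_001 §1.3)"

# --- PULUMI_CONFIG_PASSPHRASE: presence only, value is sacred (D2) ---
# ${VAR:+x} expands to the literal "x" when VAR is set and non-empty, so even
# `bash -x` tracing of this test shows "x" and never the passphrase itself.
if [ -n "${PULUMI_CONFIG_PASSPHRASE:+x}" ]; then
  pf_pass "PULUMI_CONFIG_PASSPHRASE is set (value not shown — D2)"
elif [ -n "${PULUMI_CONFIG_PASSPHRASE_FILE:-}" ]; then
  pass_file="$PULUMI_CONFIG_PASSPHRASE_FILE"
  if [ ! -f "$pass_file" ]; then
    pf_fail "PULUMI_CONFIG_PASSPHRASE_FILE='$pass_file' does not exist"
  elif [ ! -r "$pass_file" ]; then
    pf_fail "PULUMI_CONFIG_PASSPHRASE_FILE='$pass_file' is not readable by $(id -un)"
  elif [ ! -s "$pass_file" ]; then
    # An empty file cannot satisfy "set & non-empty", so treat it like unset.
    pf_fail "PULUMI_CONFIG_PASSPHRASE_FILE='$pass_file' is empty"
  else
    pf_pass "PULUMI_CONFIG_PASSPHRASE_FILE set and file exists (value not shown)"
    warn_if_loose "passphrase file" "$pass_file"
  fi
else
  pf_fail "PULUMI_CONFIG_PASSPHRASE is unset/empty (and no PULUMI_CONFIG_PASSPHRASE_FILE)"
fi

# --- SSH_PRIVATE_KEY_PATH: file must exist (CONTRACT_001 default ~/.ssh/id_rsa) ---
ssh_key="${SSH_PRIVATE_KEY_PATH:-$HOME/.ssh/id_rsa}"
# Expand a leading ~ if the operator exported it literally (no tilde expansion
# happens inside a quoted assignment). The "~/" prefix is two characters.
case "$ssh_key" in
  "~")   ssh_key="$HOME" ;;
  "~/"*) ssh_key="$HOME/${ssh_key:2}" ;;
esac

if [ ! -f "$ssh_key" ]; then
  pf_fail "SSH private key not found at '$ssh_key' (set SSH_PRIVATE_KEY_PATH or create ~/.ssh/id_rsa)"
elif [ ! -r "$ssh_key" ]; then
  # Present but unreadable is as unusable as absent, so this is fatal too.
  pf_fail "SSH private key '$ssh_key' exists but is not readable by $(id -un)"
else
  if [ -n "${SSH_PRIVATE_KEY_PATH:-}" ]; then
    pf_pass "SSH private key found: $ssh_key"
  else
    pf_pass "SSH private key found at default path: $ssh_key"
  fi
  # Permission hygiene: warn (do not fail) on world/group-readable key.
  warn_if_loose "SSH key" "$ssh_key"
fi

pf_summary "env"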