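#!/usr/bin/env bash
# Reproducible foundation deploy. Master passphrase = the single external secret.
#
# Usage:   run.sh <pulumi args...>      e.g. `run.sh preview`, `run.sh up`
# Needs:   a `pass` entry olsitec-foundation/PULUMI_CONFIG_PASSPHRASE
# Env:     SSH_PRIVATE_KEY_PATH (optional; defaults to ~/.ssh/foundation-test_ed25519)
set -euo pipefail

#######################################
# Print a diagnostic to stderr and abort.
# Arguments: message words
#######################################
die() {
  printf 'run.sh: %s\n' "$*" >&2
  exit 1
}

DIR="$(cd "$(dirname "$0")" && pwd)"
readonly DIR

# Pin the backend PER-PROCESS via env — NEVER `pulumi login` (that mutates the
# GLOBAL backend pointer in ~/.pulumi and would misdirect other projects' run.sh).
export PULUMI_BACKEND_URL="file://${DIR}/state"

# Fetch the passphrase in a separate assignment: inside `export VAR="$(cmd)"` the
# exit status of `cmd` is masked by `export`, so a failing `pass` (locked
# gpg-agent, missing entry) would silently hand Pulumi an empty passphrase.
passphrase=$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE) \
  || die "could not read PULUMI_CONFIG_PASSPHRASE from pass"
[ -n "$passphrase" ] || die "PULUMI_CONFIG_PASSPHRASE from pass is empty"
export PULUMI_CONFIG_PASSPHRASE="$passphrase"
unset passphrase

export SSH_PRIVATE_KEY_PATH="${SSH_PRIVATE_KEY_PATH:-${HOME}/.ssh/foundation-test_ed25519}"

cd "$DIR" || die "cannot cd to $DIR"
pulumi stack select foundation 2>/dev/null || pulumi stack init foundation
pulumi "$@"

#######################################
# Store a secret config value without exposing it on the command line.
# The value is piped to `pulumi config set` on stdin (Pulumi reads the value
# from stdin when it is omitted from argv), so it never shows up in `ps`
# output or in a `set -x` trace the way a positional argument would.
# Arguments: $1 - config key, $2 - secret value
#######################################
set_secret() {
  local key=$1
  local value=$2
  printf '%s' "$value" | pulumi config set --secret "$key"
}

# After a successful `up`, capture Vault's unseal keys + root token (emitted by the
# foundation-vault-init command as secret stack outputs) back into the
# passphrase-encrypted config (vaultCredentials:*). This is the proven
# olsitec-core/run.sh pattern and the ONE bootstrap secret that cannot live in
# Vault (CONTRACT_002 §2.4). Idempotent: only writes when a value actually
# changes, so Pulumi.foundation.yaml is not churned on every deploy.
if [ "${1:-}" = "up" ]; then
  # Best-effort reads: the outputs do not exist until vault-init has run once,
  # in which case there is nothing to capture yet.
  uk=$(pulumi stack output vaultUnsealKeys --show-secrets 2>/dev/null || true)
  rt=$(pulumi stack output vaultRootToken --show-secrets 2>/dev/null || true)
  if [ -n "$uk" ] && [ -n "$rt" ]; then
    # Compare both values, not just the unseal keys, so a re-issued root
    # token with unchanged unseal keys is still persisted.
    cur_uk=$(pulumi config get vaultCredentials:unsealKeys 2>/dev/null || true)
    cur_rt=$(pulumi config get vaultCredentials:rootToken 2>/dev/null || true)
    if [ "$cur_uk" != "$uk" ] || [ "$cur_rt" != "$rt" ]; then
      set_secret vaultCredentials:unsealKeys "$uk"
      set_secret vaultCredentials:rootToken "$rt"
      echo "run.sh: captured Vault unseal keys + root token into encrypted config"
    fi
  fi
  # Drop the secrets from the shell environment as soon as they are persisted.
  unset uk rt cur_uk cur_rt
fi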