@chadfennell
Last active November 3, 2025 20:06
fly-secrets-hydrate.sh
#!/usr/bin/env bash
set -euo pipefail

# Sync secrets from 1Password to Fly.io
# Usage: ./fly-secrets-hydrate.sh <prod|stage>
# Pre-requisites:
#   flyctl https://fly.io/docs/flyctl/install/
#   1Password op https://developer.1password.com/docs/cli/get-started/

# Validate environment first: APP and ENV_FILE below are built from $ENV,
# and `set -u` aborts the script if it is referenced before being set.
ENV="${1:?Usage: $0 <prod|stage>}"
[[ "$ENV" =~ ^(prod|stage)$ ]] || { echo "Error: Invalid environment '$ENV'" >&2; exit 1; }

# REPLACE YOUR-APP-NAME-HERE with your app name
APP="YOUR-APP-NAME-HERE-$ENV"

# **EXPECTS these to exist in the same directory as the script**
# app-prod.env
# app-stage.env
#
# app-prod.env example:
# DATABASE_URL=op://your-app-prod/databases/ENV/DATABASE_URL
ENV_FILE="$(dirname "$0")/app-$ENV.env"

# Check dependencies
for cmd in op fly; do
  command -v "$cmd" &>/dev/null || { echo "Error: $cmd CLI not found" >&2; exit 1; }
done

[[ -f "$ENV_FILE" ]] || { echo "Error: $ENV_FILE not found" >&2; exit 1; }

echo "Syncing secrets to $APP from $ENV_FILE..."
failed=false

# Each line is KEY=op://reference; the trailing test handles a last line
# that has no newline.
while IFS='=' read -r key op_ref || [[ -n "$key" ]]; do
  # Skip comments and empty lines
  [[ -z "$key" || "$key" =~ ^[[:space:]]*# ]] && continue

  printf "%-30s" "$key..."

  # Output of both CLIs is discarded so the secret value never reaches the terminal.
  if value=$(op read "$op_ref" 2>/dev/null); then
    # The value is passed as a command-line argument, so it is visible in the
    # local process list while fly runs. `fly secrets import` reads NAME=VALUE
    # pairs from stdin if that matters on a shared host.
    if fly secrets set "$key=$value" --app "$APP" &>/dev/null; then
      echo "✓"
    else
      echo "✗ (fly set failed)"
      failed=true
    fi
  else
    echo "✗ (1Password read failed)"
    failed=true
  fi
done < "$ENV_FILE"

echo
$failed && { echo "✗ Some secrets failed"; exit 1; }
echo "✓ All secrets synced successfully"
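
The script assumes every line of `app-<env>.env` holds an `op://` reference rather than a literal secret. The following pre-flight check is an added example, not part of the gist; `check_env_file` is a hypothetical helper name. It reports offending lines by key and line number only, so a pasted secret is never echoed.

```shell
# check_env_file FILE
# Exit 0 only if every non-comment, non-empty line is KEY=op://...
# Runs in a subshell so its variables do not leak into the caller.
check_env_file() (
  file=$1
  lineno=0
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    # Same skip rule as the sync script: empty lines and # comments.
    trimmed=${line#"${line%%[![:space:]]*}"}
    case $trimmed in '#'*) continue ;; esac
    [ -z "$line" ] && continue
    case $line in
      *=*) key=${line%%=*}; ref=${line#*=} ;;
      *) echo "$file:$lineno: missing '='" >&2; bad=1; continue ;;
    esac
    # Keys must be plain environment variable names.
    case $key in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
        echo "$file:$lineno: invalid key name" >&2; bad=1; continue ;;
    esac
    # Anything that is not a 1Password reference may be a literal secret:
    # report where it is, never what it is.
    case $ref in
      op://?*) ;;
      *) echo "$file:$lineno: $key is not an op:// reference" >&2; bad=1 ;;
    esac
  done < "$file"
  [ "$bad" -eq 0 ]
)
```

Running it against both env files in CI or a pre-commit hook catches a plaintext credential before the file is committed.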