noqcks · January 6, 2019 19:59
diff --git a/decrypt.sh b/decrypt.sh
 #!/bin/sh

 # This is a secret decryption script that will decrypt ejson-kms secrets and
 # export them to the shell environment.
 #
 # It expects two sane defaults:
 # 1. That $ENV has been set already, so that we know which environment we're in
 #    and what secrets to export.
 # 2. That the location of your secrets are either relative at
 #    _infra/secrets/$ENV.json or absolutely located at /opt/_infra/secrets/$ENV.json.

 set -eo pipefail

 echo "Decrypting secrets..."

 # install ejson-kms
 export EJSON_KMS_VERSION="3.0.0"
 curl -s -Lo ejson-kms https://github.com/adrienkohlbecker/ejson-kms/releases/download/$EJSON_KMS_VERSION/ejson-kms-$EJSON_KMS_VERSION-linux-amd64
 chmod +x ejson-kms
 mv ejson-kms /usr/local/bin/ejson-kms

 # set AWS_REGION. For now, we always store our secrets in AWS KMS region us-east-1 because
 # we don't want developers to worry about something like setting AWS_REGION for their secrets.
 # The higher latency of calling a single AWS Region should be marginally long in this scenario. 
 export AWS_REGION=us-east-1

 # exit if $ENV doesn't exist. We're not sure what environment to decrypt!
 if [[ -z "${ENV}" ]]; then
  echo -e "WARN: >>> SKIPPING SECRET DECRYPTION <<<"
  echo -e "WARN: secrets not decrypted. You haven't specified "\$ENV", so we don't know what environment to decrypt."
  exit 0
 fi


 # exit if there are no secrets at the 2 locations we know about
 if [[ ! -f _infra/secrets/$ENV.json && ! -f /opt/_infra/secrets/$ENV.json ]]; then
  echo -e "WARN: >>> SKIPPING SECRET DECRYPTION <<<"
  echo -e "WARN: secrets not decrypted. Secrets do not exist at _infra/secrets/$ENV.json or /opt/_infra/secrets/$ENV.json"
  exit 0
 fi

 # set the path to the secrets we've found
 if [ -e _infra/secrets/$ENV.json ]; then
  path=_infra/secrets/$ENV.json
 fi
 if [ -e /opt/_infra/secrets/$ENV.json ]; then
  path=/opt/_infra/secrets/$ENV.json
 fi

 # bring secrets into environment variables
 set -a
 eval "$(ejson-kms export --path=$path)"
 set +x
	#!/bin/sh

	# This is a secret decryption script that will decrypt ejson-kms secrets and
	# export them to the shell environment.
	#
	# It expects two sane defaults:
	# 1. That $ENV has been set already, so that we know which environment we're in
	# and what secrets to export.
	# 2. That the location of your secrets are either relative at
	# _infra/secrets/$ENV.json or absolutely located at /opt/_infra/secrets/$ENV.json.

	set -eo pipefail

	echo "Decrypting secrets..."

	# install ejson-kms
	export EJSON_KMS_VERSION="3.0.0"
	curl -s -Lo ejson-kms https://github.com/adrienkohlbecker/ejson-kms/releases/download/$EJSON_KMS_VERSION/ejson-kms-$EJSON_KMS_VERSION-linux-amd64
	chmod +x ejson-kms
	mv ejson-kms /usr/local/bin/ejson-kms

	# set AWS_REGION. For now, we always store our secrets in AWS KMS region us-east-1 because
	# we don't want developers to worry about something like setting AWS_REGION for their secrets.
	# The higher latency of calling a single AWS Region should be marginally long in this scenario.
	export AWS_REGION=us-east-1

	# exit if $ENV doesn't exist. We're not sure what environment to decrypt!
	if [[ -z "${ENV}" ]]; then
	echo -e "WARN: >>> SKIPPING SECRET DECRYPTION <<<"
	echo -e "WARN: secrets not decrypted. You haven't specified "\$ENV", so we don't know what environment to decrypt."
	exit 0
	fi


	# exit if there are no secrets at the 2 locations we know about
	if [[ ! -f _infra/secrets/$ENV.json && ! -f /opt/_infra/secrets/$ENV.json ]]; then
	echo -e "WARN: >>> SKIPPING SECRET DECRYPTION <<<"
	echo -e "WARN: secrets not decrypted. Secrets do not exist at _infra/secrets/$ENV.json or /opt/_infra/secrets/$ENV.json"
	exit 0
	fi

	# set the path to the secrets we've found
	if [ -e _infra/secrets/$ENV.json ]; then
	path=_infra/secrets/$ENV.json
	fi
	if [ -e /opt/_infra/secrets/$ENV.json ]; then
	path=/opt/_infra/secrets/$ENV.json
	fi

	# bring secrets into environment variables
	set -a
	eval "$(ejson-kms export --path=$path)"
	set +x