@themoxman
Last active April 18, 2021 14:33
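FROM codeship/ruby
MAINTAINER Dave Mox <[email protected]>

RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    git \
    vim

# Copy the Makefile and Gemfile* before the rest of the source so the
# `make install` layer is only rebuilt when they change.
COPY Makefile /src/
COPY Gemfile* /src/
WORKDIR /src
RUN make install

COPY . /src

# Start bin/burgundy through the bin/in_s3_env wrapper.
CMD ["bin/in_s3_env", "bin/burgundy"]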
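
#!/usr/bin/env ruby
require 'aws-sdk'

# Basic S3 client.
# Note: the client will use the instance profile credentials
# when this script is called from the EC2 instance.
s3_client = Aws::S3::Client.new(region: 'us-east-1')

# KMS client.
# Note: the client will use the instance profile credentials
# when this script is called from the EC2 instance.
kms_client = Aws::KMS::Client.new(region: 'us-east-1')

# Retrieve the CMK key id behind the alias. Only the first page of
# list_aliases results is examined; stop with an error if the alias is absent.
aliases = kms_client.list_aliases.aliases
key = aliases.find { |alias_struct| alias_struct.alias_name == "alias/chime-secrets" }
abort "KMS alias alias/chime-secrets not found" if key.nil?
key_id = key.target_key_id

# Encryption client.
s3_encryption_client = Aws::S3::Encryption::Client.new(
  client: s3_client,
  kms_key_id: key_id,
  kms_client: kms_client,
)

# Retrieve and decrypt .env from S3.
response = s3_encryption_client.get_object(bucket: 'chime-secrets', key: '.env')

# Build the string of env vars to be exported. Each line is emitted verbatim
# into shell code that the caller evals, so the .env content is trusted as
# shell input. Blank lines and "#" comment lines are skipped: everything is
# joined on one line, so a comment would hide all exports that follow it.
exports = ""
response.body.read.each_line do |line|
  line = line.strip
  next if line.empty? || line.start_with?("#")
  exports << "export #{line};"
end
puts exports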
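
#!/usr/bin/env bash
set -e
# Capture the exports first: a failure inside "$(...)" passed directly to eval
# does not trip `set -e`, and the command would start without its environment.
exports="$(bin/get_s3_env)"
eval "$exports"
exec "$@"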