noqcks/decrypt.sh

## decrypt.sh
#!/bin/sh

# This is a secret decryption script that will decrypt ejson-kms secrets and
# export them to the shell environment.
#
# It expects two sane defaults:
# 1. That $ENV has been set already, so that we know which environment we're in
#    and what secrets to export.
# 2. That the location of your secrets are either relative at
#    _infra/secrets/$ENV.json or absolutely located at /opt/_infra/secrets/$ENV.json.

set -eo pipefail

echo "Decrypting secrets..."

# install ejson-kms
export EJSON_KMS_VERSION="3.0.0"
curl -s -Lo ejson-kms https://github.com/adrienkohlbecker/ejson-kms/releases/download/$EJSON_KMS_VERSION/ejson-kms-$EJSON_KMS_VERSION-linux-amd64
chmod +x ejson-kms
mv ejson-kms /usr/local/bin/ejson-kms

# set AWS_REGION. For now, we always store our secrets in AWS KMS region us-east-1 because
# we don't want developers to worry about something like setting AWS_REGION for their secrets.
# The higher latency of calling a single AWS Region should be marginally long in this scenario.
export AWS_REGION=us-east-1

# exit if $ENV doesn't exist. We're not sure what environment to decrypt!
if [[ -z "${ENV}" ]]; then
  echo -e "WARN: >>> SKIPPING SECRET DECRYPTION <<<"
  echo -e "WARN: secrets not decrypted. You haven't specified "\$ENV", so we don't know what environment to decrypt."
  exit 0
fi


# exit if there are no secrets at the 2 locations we know about
if [[ ! -f _infra/secrets/$ENV.json && ! -f /opt/_infra/secrets/$ENV.json ]]; then
  echo -e "WARN: >>> SKIPPING SECRET DECRYPTION <<<"
  echo -e "WARN: secrets not decrypted. Secrets do not exist at _infra/secrets/$ENV.json or /opt/_infra/secrets/$ENV.json"
  exit 0
fi

# set the path to the secrets we've found
if [ -e _infra/secrets/$ENV.json ]; then
  path=_infra/secrets/$ENV.json
fi
if [ -e /opt/_infra/secrets/$ENV.json ]; then
  path=/opt/_infra/secrets/$ENV.json
fi

# bring secrets into environment variables
set -a
eval "$(ejson-kms export --path=$path)"
set +x
	#!/bin/sh

	# This is a secret decryption script that will decrypt ejson-kms secrets and
	# export them to the shell environment.
	#
	# It expects two sane defaults:
	# 1. That $ENV has been set already, so that we know which environment we're in
	# and what secrets to export.
	# 2. That the location of your secrets are either relative at
	# _infra/secrets/$ENV.json or absolutely located at /opt/_infra/secrets/$ENV.json.

	set -eo pipefail

	echo "Decrypting secrets..."

	# install ejson-kms
	export EJSON_KMS_VERSION="3.0.0"
	curl -s -Lo ejson-kms https://github.com/adrienkohlbecker/ejson-kms/releases/download/$EJSON_KMS_VERSION/ejson-kms-$EJSON_KMS_VERSION-linux-amd64
	chmod +x ejson-kms
	mv ejson-kms /usr/local/bin/ejson-kms

	# set AWS_REGION. For now, we always store our secrets in AWS KMS region us-east-1 because
	# we don't want developers to worry about something like setting AWS_REGION for their secrets.
	# The higher latency of calling a single AWS Region should be marginally long in this scenario.
	export AWS_REGION=us-east-1

	# exit if $ENV doesn't exist. We're not sure what environment to decrypt!
	if [[ -z "${ENV}" ]]; then
	echo -e "WARN: >>> SKIPPING SECRET DECRYPTION <<<"
	echo -e "WARN: secrets not decrypted. You haven't specified "\$ENV", so we don't know what environment to decrypt."
	exit 0
	fi


	# exit if there are no secrets at the 2 locations we know about
	if [[ ! -f _infra/secrets/$ENV.json && ! -f /opt/_infra/secrets/$ENV.json ]]; then
	echo -e "WARN: >>> SKIPPING SECRET DECRYPTION <<<"
	echo -e "WARN: secrets not decrypted. Secrets do not exist at _infra/secrets/$ENV.json or /opt/_infra/secrets/$ENV.json"
	exit 0
	fi

	# set the path to the secrets we've found
	if [ -e _infra/secrets/$ENV.json ]; then
	path=_infra/secrets/$ENV.json
	fi
	if [ -e /opt/_infra/secrets/$ENV.json ]; then
	path=/opt/_infra/secrets/$ENV.json
	fi

	# bring secrets into environment variables
	set -a
	eval "$(ejson-kms export --path=$path)"
	set +x