
@vicly
Created September 23, 2018 23:40
[AWS encrypt and decrypt] #AWS #Bash
#!/bin/bash
# Decrypts a base64-encoded AWS KMS ciphertext and prints the plaintext.
# Strict mode: stop on a failing command, on an unset variable and on a failing
# pipeline stage; pathname expansion (globbing) is switched off.
set -o errexit -o nounset -o noglob -o pipefail
# Print the expected command line on stderr and terminate with status 1.
usage() {
  printf '%s\n' "Usage: $0 -e [dev|test|preprod|prod] -t [encrypted text in base64]" >&2
  exit 1
}
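# No arguments at all: show the usage text and stop.
if [ "$#" -eq 0 ]; then
  usage
fi

# Pre-set both options so that a missing flag ends in usage() rather than in
# an "unbound variable" abort from `set -u`.
APP_ENV=""
ENCRYPTED_BASE64_TEXT=""

while getopts e:t: option; do
  case "${option}" in
    e) APP_ENV=${OPTARG} ;;
    t) ENCRYPTED_BASE64_TEXT=${OPTARG} ;;
    *) usage ;;
  esac
done

# APP_ENV selects the AWS profile and the stack name below, so only the four
# known environments are accepted.
case "$APP_ENV" in
  dev | test | preprod | prod) ;;
  *) usage ;;
esac

[ -n "$ENCRYPTED_BASE64_TEXT" ] || usage

# A failure inside the process substitution used below is not seen by
# `set -e`, so reject malformed base64 before calling KMS.
if ! printf '%s\n' "$ENCRYPTED_BASE64_TEXT" | base64 --decode >/dev/null 2>&1; then
  echo "Error: -t value is not valid base64" >&2
  exit 1
fi

REGION=ap-southeast-2
STACK=$APP_ENV-support-infrastructure

# Placeholders: replace with the real AWS CLI profile names. They are quoted
# because a bare <NAME> is parsed by the shell as redirections.
if [[ "$APP_ENV" == "prod" ]]; then
  export AWS_PROFILE='<PROD_PROFILE>'
else
  export AWS_PROFILE='<NON_PROD_PROFILE>'
fi

echo "Decrypting... ($REGION, $STACK)"
echo ""

# Capture the result instead of `echo $(...)`: echo always exits 0, which hid
# a failed decrypt behind an empty line, and the unquoted substitution
# collapsed whitespace in the secret. --region makes the call use the region
# announced above instead of whatever the profile defaults to.
PLAINTEXT=$(
  aws kms decrypt \
    --region "$REGION" \
    --ciphertext-blob fileb://<(printf '%s\n' "$ENCRYPTED_BASE64_TEXT" | base64 --decode) \
    --output text \
    --query Plaintext \
    | base64 --decode
)

# The decrypted secret goes to stdout: it ends up in terminal scrollback and in
# any log that captures this script's output, and in the trace if run with -x.
printf '%s\n' "$PLAINTEXT"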
#!/bin/bash
# Encrypts a piece of text with the KMS key exported by the environment's
# CloudFormation stack and prints the ciphertext.
# Strict mode: stop on a failing command, on an unset variable and on a failing
# pipeline stage; pathname expansion (globbing) is switched off.
set -o errexit -o nounset -o noglob -o pipefail
# Write the command-line synopsis to stderr, then exit with status 1.
usage() {
  printf '%s\n' "Usage: $0 -e [dev|test|preprod|prod] -t [text]" >&2
  exit 1
}
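# No arguments at all: show the usage text and stop.
if [ "$#" -eq 0 ]; then
  usage
fi

# Pre-set both options so that a missing flag ends in usage() rather than in
# an "unbound variable" abort from `set -u`.
# The secret arrives via -t, so it is visible in the caller's process list and
# shell history. NOTE(review): consider reading it from stdin or a file.
APP_ENV=""
PLAIN_TEXT=""

while getopts e:t: option; do
  case "${option}" in
    e) APP_ENV=${OPTARG} ;;
    t) PLAIN_TEXT=${OPTARG} ;;
    *) usage ;;
  esac
done

# APP_ENV selects the AWS profile and the stack name below, so only the four
# known environments are accepted.
case "$APP_ENV" in
  dev | test | preprod | prod) ;;
  *) usage ;;
esac

[ -n "$PLAIN_TEXT" ] || usage

REGION=ap-southeast-2
STACK=$APP_ENV-support-infrastructure

# Placeholders: replace with the real AWS CLI profile names. They are quoted
# because a bare <NAME> is parsed by the shell as redirections.
# The listing had these two placeholders in the opposite branches, which would
# have pointed every non-prod run at the prod profile.
if [[ "$APP_ENV" == "prod" ]]; then
  export AWS_PROFILE='<PROD_PROFILE_NAME>'
else
  export AWS_PROFILE='<PROFILE_NAME>'
fi

# Look up the key id from the stack's CustomerMasterKeyId output.
KMS_KEY_ID=$(
  aws cloudformation describe-stacks \
    --region "$REGION" \
    --stack-name "$STACK" \
    --query "Stacks[0].Outputs[?OutputKey=='CustomerMasterKeyId'].OutputValue" \
    --output text
)

# The CLI can succeed and still return nothing (or the text "None") when the
# output is missing; stop here instead of calling KMS with a bogus key id.
if [ -z "$KMS_KEY_ID" ] || [ "$KMS_KEY_ID" = "None" ]; then
  echo "Error: stack $STACK has no CustomerMasterKeyId output" >&2
  exit 1
fi

echo "Encrypting... ($REGION, $STACK)"
echo ""

# The plaintext is handed over as raw bytes through fileb:// rather than as an
# unquoted inline argument: the value is no longer word-split, a value that
# begins with file:// or a URL scheme is not expanded by the CLI, it does not
# depend on how the installed CLI version interprets inline blob arguments, and
# it stays off the aws process's command line.
# --region keeps the call in the region the key id was looked up in.
aws kms encrypt \
  --region "$REGION" \
  --key-id "$KMS_KEY_ID" \
  --plaintext fileb://<(printf '%s' "$PLAIN_TEXT") \
  --output text \
  --query CiphertextBlob
echo ""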