Update gen_secrets.sh

Author: tinyfish-github-terraform[bot]

gen_secrets.sh

@@ -0,0 +1,238 @@
+#!/usr/bin/env bash
+# This file is managed by Terraform in github-control repository
+# Do not edit this file, all changes will be overwritten
+# If you need to change this file, create a pull request in
+# https://github.com/tinyfish-io/github-control
+#
+# gen_secrets.sh
+#
+# Generates a .env file by resolving secret references in a env.config file.
+#
+# env.config format:
+#   aws_profile=<profile>       # consumed by this script, not written to dest
+#   KEY=@aws_secret_name        # fetched via ih-secrets at run time
+#   KEY=@aws_secret_name:key    # fetched and extracted from JSON response
+#   KEY=~hex:32                 # locally generated via openssl rand -hex <n>
+#   KEY=~base64:32              # locally generated via openssl rand -base64 <n>
+#   KEY=value                   # written verbatim
+#   # comment / blank lines     # written verbatim
+#
+# Default behavior (fill mode): if the dest file already exists, keys that
+# already have a non-empty value are kept as-is. Only absent or empty keys
+# are fetched/generated. Keys present only in the dest file are also preserved.
+# Use --regen to overwrite everything.
+#
+# Usage:
+#   ./gen_secrets.sh [--config env.config] [--dest .env.local] [--regen] [--force]
+
+set -euo pipefail
+
+CONFIG="env.config"
+DEST=".env.local"
+FORCE=0
+REGEN=0
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --config)
+      [[ $# -gt 1 ]] || { echo "ERROR: --config requires an argument" >&2; exit 1; }
+      CONFIG="$2"; shift 2 ;;
+    --dest)
+      [[ $# -gt 1 ]] || { echo "ERROR: --dest requires an argument" >&2; exit 1; }
+      DEST="$2"; shift 2 ;;
+    --force)  FORCE=1;     shift ;;
+    --regen)  REGEN=1;     shift ;;
+    -h|--help)
+      sed -n '/^#/p' "$0" | sed 's/^# \{0,1\}//'
+      exit 0
+      ;;
+    *) echo "Unknown option: $1" >&2; exit 1 ;;
+  esac
+done
+
+if [[ ! -f "$CONFIG" ]]; then
+  echo "ERROR: Config file '$CONFIG' not found." >&2
+  exit 1
+fi
+
+# First pass: extract aws_profile
+AWS_PROFILE=""
+while IFS= read -r line || [[ -n "$line" ]]; do
+  if [[ "$line" =~ ^aws_profile=(.+)$ ]]; then
+    AWS_PROFILE="${BASH_REMATCH[1]}"
+    break
+  fi
+done < "$CONFIG"
+
+if [[ -z "$AWS_PROFILE" ]]; then
+  echo "ERROR: 'aws_profile' not set in $CONFIG" >&2
+  exit 1
+fi
+
+# In fill mode, check if dest exists to decide whether we're filling or generating fresh
+FILL=0
+if [[ -f "$DEST" && "$REGEN" -eq 0 ]]; then
+  FILL=1
+fi
+
+# In regen mode, prompt before overwriting an existing dest
+if [[ -f "$DEST" && "$REGEN" -eq 1 && "$FORCE" -eq 0 ]]; then
+  printf "'%s' already exists. Overwrite? [y/N] " "$DEST"
+  reply=""
+  read -r reply || true
+  [[ "$reply" =~ ^[Yy]$ ]] || { echo "Aborted."; exit 0; }
+fi
+
+# Return the raw KEY=value line from the existing dest file, or empty if absent.
+# Uses awk for exact key matching (avoids treating k as a regex).
+lookup_raw_line() {
+  local k="$1"
+  awk -v k="$k" -F= '$1==k {print; exit}' "$DEST" 2>/dev/null || true
+}
+
+# Return true if the key has a non-empty value in the existing dest file.
+has_existing_value() {
+  local raw
+  raw=$(lookup_raw_line "$1")
+  [[ -n "$raw" ]] && [[ "${raw#*=}" != "" ]]
+}
+
+# Return true if the key is in the PROCESSED_KEYS array.
+_key_processed() {
+  local k="$1" pk
+  for pk in "${PROCESSED_KEYS[@]+"${PROCESSED_KEYS[@]}"}"; do
+    [[ "$pk" == "$k" ]] && return 0
+  done
+  return 1
+}
+
+TMPFILE=$(mktemp)
+trap 'rm -f "$TMPFILE"' EXIT
+
+FETCHED=0
+FAILED=0
+PASSED=0
+KEPT=0
+FAILED_KEYS=()
+PROCESSED_KEYS=()
+
+if [[ "$FILL" -eq 1 ]]; then
+  echo "Filling $DEST from $CONFIG (profile: $AWS_PROFILE) ..."
+else
+  echo "Generating $DEST from $CONFIG (profile: $AWS_PROFILE) ..."
+fi
+echo ""
+
+while IFS= read -r line || [[ -n "$line" ]]; do
+  # Skip the aws_profile directive — it's for this script only
+  if [[ "$line" =~ ^aws_profile= ]]; then
+    continue
+  fi
+
+  # Blank lines and comments pass through verbatim
+  if [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]]; then
+    echo "$line" >> "$TMPFILE"
+    continue
+  fi
+
+  # Determine the key for any KEY=... line
+  current_key="${line%%=*}"
+  PROCESSED_KEYS+=("$current_key")
+
+  # In fill mode, preserve the raw existing line if the key already has a value
+  if [[ "$FILL" -eq 1 ]] && has_existing_value "$current_key"; then
+    raw_line=$(lookup_raw_line "$current_key")
+    printf "  [KEEP]    %s\n" "$current_key"
+    echo "$raw_line" >> "$TMPFILE"
+    KEPT=$((KEPT + 1))
+    continue
+  fi
+
+  # Secret reference: KEY=@aws_secret_name or KEY=@aws_secret_name:json_key
+  if [[ "$line" =~ ^([A-Za-z_][A-Za-z0-9_]*)=@([^[:space:]:]+)(:([^[:space:]]+))?$ ]]; then
+    key="${BASH_REMATCH[1]}"
+    secret="${BASH_REMATCH[2]}"
+    json_key="${BASH_REMATCH[4]}"
+    printf "  [FETCH]   %-45s ... " "$key"
+    if raw=$(ih-secrets --aws-profile "$AWS_PROFILE" get "$secret" 2>&1); then
+      if [[ -n "$json_key" ]]; then
+        if ! value=$(python3 -c "import json,sys; print(json.loads(sys.argv[1])[sys.argv[2]])" "$raw" "$json_key" 2>&1); then
+          printf '%s=\n' "$key" >> "$TMPFILE"
+          echo "FAILED (key '$json_key' not found in JSON)"
+          FAILED=$((FAILED + 1))
+          FAILED_KEYS+=("$key ($secret:$json_key)")
+          continue
+        fi
+      else
+        value="$raw"
+      fi
+      printf '%s=%s\n' "$key" "$value" >> "$TMPFILE"
+      echo "OK"
+      FETCHED=$((FETCHED + 1))
+    else
+      printf '%s=\n' "$key" >> "$TMPFILE"
+      echo "FAILED"
+      FAILED=$((FAILED + 1))
+      FAILED_KEYS+=("$key ($secret)")
+    fi
+    continue
+  fi
+
+  # Generated value: KEY=~hex:32 or KEY=~base64:32
+  if [[ "$line" =~ ^([A-Za-z_][A-Za-z0-9_]*)=~(hex|base64):([0-9]+)$ ]]; then
+    key="${BASH_REMATCH[1]}"
+    encoding="${BASH_REMATCH[2]}"
+    length="${BASH_REMATCH[3]}"
+    printf "  [GEN]     %-45s ... " "$key"
+    if value=$(openssl rand -"$encoding" "$length" 2>&1); then
+      printf '%s=%s\n' "$key" "$value" >> "$TMPFILE"
+      echo "OK"
+      PASSED=$((PASSED + 1))
+    else
+      printf '%s=\n' "$key" >> "$TMPFILE"
+      echo "FAILED"
+      FAILED=$((FAILED + 1))
+      FAILED_KEYS+=("$key (generate)")
+    fi
+    continue
+  fi
+
+  # Static value — pass through verbatim
+  key="${line%%=*}"
+  printf "  [PASS]    %s\n" "$key"
+  echo "$line" >> "$TMPFILE"
+  PASSED=$((PASSED + 1))
+done < "$CONFIG"
+
+# In fill mode, preserve any keys from DEST that weren't present in CONFIG
+if [[ "$FILL" -eq 1 ]]; then
+  while IFS= read -r dest_line || [[ -n "$dest_line" ]]; do
+    if [[ "$dest_line" =~ ^([A-Za-z_][A-Za-z0-9_]*)= ]]; then
+      dest_key="${BASH_REMATCH[1]}"
+      if ! _key_processed "$dest_key"; then
+        echo "$dest_line" >> "$TMPFILE"
+      fi
+    fi
+  done < "$DEST"
+fi
+
+mv "$TMPFILE" "$DEST"
+trap - EXIT
+
+echo ""
+if [[ "$FILL" -eq 1 ]]; then
+  echo "Done: $FETCHED fetched, $FAILED failed, $PASSED passed through, $KEPT kept from existing."
+else
+  echo "Done: $FETCHED fetched, $FAILED failed, $PASSED passed through."
+fi
+echo "Written to $DEST"
+
+if [[ "$FAILED" -gt 0 ]]; then
+  echo ""
+  echo "WARNING: $FAILED secret(s) could not be fetched (written as empty):"
+  for k in "${FAILED_KEYS[@]}"; do
+    echo "  - $k"
+  done
+  echo "Check your access to AWS profile '$AWS_PROFILE'."
+  exit 1
+fi