#!/bin/sh
# PRE-REQs
# 1. jq installed
# 2. vault CLI installed
# 3. VAULT_ADDR set. VAULT_SKIP_VERIFY=true turns off TLS certificate
#    verification of the Vault server, which means every secret fetched below
#    travels over a channel whose peer was never authenticated; prefer
#    VAULT_CACERT / VAULT_CAPATH and leave VAULT_SKIP_VERIFY unset outside of
#    throw-away dev setups.
# 4. logged into Vault with sufficient access to secrets engines used in this script
# HOW TO USE:
# 1. Run "source ./auth.sh" -- the file must be sourced, not executed, so the
#    exported TF_VAR_* values land in your current shell. They are then
#    plaintext credentials in the shell environment, inherited by every child
#    process started from it (and readable by the same user, e.g. via
#    /proc/<pid>/environ on Linux); unset them or close the shell when done.
# TODO: Interpolate paths to secrets based on DC (don't hard-code DC)
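# ---------------------------------------------------------------------------
# Runtime notes
# - This file is sourced, so it must never `exit` or `set -e`: either would
#   terminate the caller's interactive shell. Failures use `return 1`, which
#   only stops the sourcing, and every TF_VAR_* set here is unset again so the
#   caller cannot run terraform against a half-populated credential set.
# - Each Vault fetch is checked. The former `export X=$(...)` form always
#   succeeded, so a failed `vault read` silently exported an empty value.
# - `jq -r` replaces `jq | tr -d '"'`: `tr` deleted *every* double quote, so a
#   password containing one was exported mangled; `-r` prints the raw string.
# - Prompt answers are spliced into Vault paths and into a hostname, so they
#   are restricted to [A-Za-z0-9_-].
# - Everything exported here is a plaintext credential in this shell's
#   environment and in that of every child process it starts.
# - Helper functions and scratch variables are removed at the end; only the
#   TF_VAR_* exports and the three prompt answers (env, cluster, datacenter)
#   remain, as before.
# ---------------------------------------------------------------------------

# _auth_check LABEL VALUE
# Fail unless VALUE is non-empty and made only of [A-Za-z0-9_-].
_auth_check() {
  case "$2" in
    '' | *[!A-Za-z0-9_-]*)
      printf 'auth.sh: invalid %s "%s" (allowed: A-Z a-z 0-9 _ -)\n' "$1" "$2" >&2
      return 1
      ;;
  esac
}

# _vault_json read|write PATH
# Print the JSON for `vault read PATH` / `vault write -f PATH`; non-zero when
# the CLI fails (not logged in, missing policy, server unreachable, ...).
_vault_json() {
  case "$1" in
    read)  vault read -format=json "$2" ;;
    write) vault write -f -format=json "$2" ;;
    *)
      printf 'auth.sh: unknown vault verb "%s"\n' "$1" >&2
      return 1
      ;;
  esac
}

# _json_field JSON FILTER
# Print the raw string selected by jq FILTER from JSON. `-e` makes jq return
# non-zero when the field is null or absent, and an empty string is rejected
# too, so a missing key never becomes the literal word "null" or an empty
# credential.
_json_field() {
  _jf_val=$(printf '%s\n' "$1" | jq -er "$2") || {
    printf 'auth.sh: field %s missing from Vault response\n' "$2" >&2
    return 1
  }
  if [ -z "$_jf_val" ]; then
    printf 'auth.sh: field %s is empty in Vault response\n' "$2" >&2
    return 1
  fi
  printf '%s\n' "$_jf_val"
}

# _vault_field read|write PATH FILTER
# Fetch PATH and select FILTER from the response.
_vault_field() {
  _vf_json=$(_vault_json "$1" "$2") || return 1
  _json_field "$_vf_json" "$3"
}

# _auth_main
# Prompt, fetch every credential and export it. Returns non-zero at the first
# failure; the caller below performs cleanup. Variables assigned here are
# globals of the sourcing shell (no subshell, no `local`), exactly as before.
_auth_main() {
  printf "Environment (nonprod or prod): "
  read -r env || return 1
  _auth_check "environment" "$env" || return 1
  printf "Cluster type (web, streaming, etc.): "
  read -r cluster || return 1
  _auth_check "cluster type" "$cluster" || return 1
  printf "Data center (dal-w01-dc01, tmi-w01-dc01, etc.): "
  read -r datacenter || return 1
  _auth_check "data center" "$datacenter" || return 1

  # ops/data/vsphere is fetched once and its fields are picked from the cached
  # response (the same secret used to be read seven times, one Vault call and
  # audit entry each). The vsphere_tmi_dc01_* keys still ignore the data
  # center answered above -- see the TODO in the header.
  _vsphere_json=$(_vault_json read ops/data/vsphere) || return 1

  #vSphere provider credentials
  TF_VAR_vsphere_server=$(_json_field "$_vsphere_json" '.data.data.vsphere_tmi_dc01_address') || return 1
  TF_VAR_vsphere_user=$(_json_field "$_vsphere_json" '.data.data.vsphere_tmi_dc01_terraform_username') || return 1
  TF_VAR_vsphere_pass=$(_json_field "$_vsphere_json" '.data.data.vsphere_tmi_dc01_terraform_password') || return 1
  export TF_VAR_vsphere_server TF_VAR_vsphere_user TF_VAR_vsphere_pass
  echo "vSphere credentials set"
  #Consul cloud auto-join credentials
  TF_VAR_consul_user=$(_json_field "$_vsphere_json" '.data.data.vsphere_tmi_dc01_consul_username') || return 1
  TF_VAR_consul_pass=$(_json_field "$_vsphere_json" '.data.data.vsphere_tmi_dc01_consul_password') || return 1
  export TF_VAR_consul_user TF_VAR_consul_pass
  echo "Consul cloud auto-join credentials set"
  #Terraform provisioners' username (both provisioners read the same key)
  TF_VAR_local_exec_user=$(_json_field "$_vsphere_json" '.data.data.username') || return 1
  TF_VAR_remote_exec_user=$TF_VAR_local_exec_user
  export TF_VAR_local_exec_user TF_VAR_remote_exec_user
  echo "Terraform provisioner credentials set"
  #This is used to authenticate to Consul via the Consul provider to retrieve the secret ID of a token based on accessor ID
  TF_VAR_consul_provider_token=$(_vault_field read consul/creds/operator '.data.token') || return 1
  export TF_VAR_consul_provider_token
  echo "Consul provider credentials set"
  #This is used for the Consul agent to initially authenticate to the cluster
  TF_VAR_consul_acl_token=$(_vault_field read "consul/creds/${env}-${cluster}-node" '.data.token') || return 1
  export TF_VAR_consul_acl_token
  echo "Consul agent credentials set"
  #This is used for encrypted gossip communication (Serf) in the Consul cluster
  TF_VAR_consul_raw_key=$(_vault_field read ops/data/consul '.data.data.gossip_key') || return 1
  export TF_VAR_consul_raw_key
  echo "Consul gossip key set"
  #These vars are used for Vault Agent to authenticate to Vault.
  # `vault write -f .../secret-id` mints a *new* secret ID on every run; the
  # earlier ones stay valid until their TTL / use limit (set by the role, not
  # visible here), so source this script only when fresh values are needed.
  TF_VAR_vault_agent_role_id=$(_vault_field read "auth/approle/role/${env}-agent-role/role-id" '.data.role_id') || return 1
  TF_VAR_vault_agent_secret_id=$(_vault_field write "auth/approle/role/${env}-agent-role/secret-id" '.data.secret_id') || return 1
  export TF_VAR_vault_agent_role_id TF_VAR_vault_agent_secret_id
  echo "Vault Agent auto-auth credentials set"
  #These are used by the Vault provider to authenticate to Vault
  TF_VAR_vault_server_url="https://vault.service.${datacenter}.consul:8200"
  TF_VAR_vault_approle_id=$(_vault_field read auth/approle/role/terraform/role-id '.data.role_id') || return 1
  TF_VAR_vault_approle_secret_id=$(_vault_field write auth/approle/role/terraform/secret-id '.data.secret_id') || return 1
  export TF_VAR_vault_server_url TF_VAR_vault_approle_id TF_VAR_vault_approle_secret_id
  echo "Vault provider credentials set"
}

# _auth_cleanup
# Remove helpers and scratch state (including the cached Vault response,
# which holds the plaintext vSphere password) from the sourcing shell.
_auth_cleanup() {
  unset -v _vsphere_json _jf_val _vf_json
  unset -f _auth_check _vault_json _json_field _vault_field _auth_main
}

_auth_main
_auth_rc=$?
_auth_cleanup
unset -f _auth_cleanup
if [ "$_auth_rc" -ne 0 ]; then
  # Do not leave a partial credential set behind.
  unset -v TF_VAR_vsphere_server TF_VAR_vsphere_user TF_VAR_vsphere_pass \
    TF_VAR_consul_user TF_VAR_consul_pass \
    TF_VAR_local_exec_user TF_VAR_remote_exec_user \
    TF_VAR_consul_provider_token TF_VAR_consul_acl_token TF_VAR_consul_raw_key \
    TF_VAR_vault_agent_role_id TF_VAR_vault_agent_secret_id \
    TF_VAR_vault_server_url TF_VAR_vault_approle_id TF_VAR_vault_approle_secret_id
  unset -v _auth_rc
  printf 'auth.sh: aborted, no TF_VAR_* credentials were exported\n' >&2
  # Top-level `return` is valid because this file is sourced (see HOW TO USE).
  return 1
fi
unset -v _auth_rc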