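#!/usr/bin/env bash
#
# Rotate the DEV secrets stored in Google Secret Manager, redeploy, and check
# that the running containers received them.
#
# Every secret is stored under the name "<NAME>_${ENV}" in project ${PROJECT}.
# The script calls gcloud, openssl and docker compose, and runs
# ./deploy_all.sh relative to the current working directory.

# Stop at the first failing command, unset variable or failing pipeline stage,
# so a failed upload is not followed by a redeploy.
set -euo pipefail

# GCP project that owns the secrets; fixed for the whole run.
readonly PROJECT=aptivaai-dev

# Suffix appended to every secret name. Deliberately not readonly: the deploy
# step passes it to the child script as a command-prefix assignment
# (ENV=... ./deploy_all.sh), which bash rejects for readonly variables.
ENV=dev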
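#######################################
# Store the bytes read from stdin as a new version of the secret
# "<name>_${ENV}" in Secret Manager.
# Globals:   ENV (read), PROJECT (read)
# Arguments: $1 - secret base name, without the _${ENV} suffix
# Inputs:    stdin - the secret value, handed to gcloud via --data-file=-,
#            so the value is never placed on a command line
# Outputs:   one confirmation line on stdout; the value itself is not printed
# Returns:   0 on success, non-zero when stdin is a terminal or gcloud fails
#######################################
add_ver() {
  local name="${1:?add_ver: secret name required}"

  # With a terminal on stdin gcloud would wait for typed input, and the
  # secret would be echoed on screen while it is typed.
  if [[ -t 0 ]]; then
    echo "❌ add_ver ${name}: pipe the secret value on stdin" >&2
    return 1
  fi

  # Check the result explicitly instead of relying on `set -e`, which is
  # switched off when a function runs inside a condition or an &&/|| list;
  # the success line must never be printed for a failed upload.
  if ! gcloud secrets versions add "${name}_${ENV}" --data-file=- --project="$PROJECT" >/dev/null; then
    echo "❌ ${name}_${ENV} NOT rotated (gcloud failed)" >&2
    return 1
  fi

  echo "✅ ${name}_${ENV} rotated"
}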
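# ── Preflight: fail before any secret is touched. Otherwise a missing tool or
#    a wrong working directory is only discovered after the new versions are
#    already stored, leaving the deployment out of step with Secret Manager.
for tool in gcloud openssl docker; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "❌ required tool not found: ${tool}" >&2
    exit 1
  fi
done
if [[ ! -x ./deploy_all.sh ]]; then
  echo "❌ ./deploy_all.sh not found or not executable in $(pwd)" >&2
  exit 1
fi

#######################################
# Prompt for one value and, unless the operator just presses Enter, store it
# as a new version of "<name>_${ENV}" via add_ver.
# Globals:   ENV (read)
# Arguments: $1 - secret base name, without the _${ENV} suffix
#            $2 - "hidden" to turn terminal echo off while typing, any other
#                 value to leave it on (identifiers that are not credentials)
#            $3 - optional text appended to the prompt label
# Outputs:   prompt and status lines on the terminal
# Returns:   0 when skipped or rotated, add_ver's status when the upload fails
#######################################
prompt_and_rotate() {
  local name="$1" mode="$2" label_suffix="${3:-}"
  # Local, so the pasted value is gone from the shell once the function returns.
  local value=""
  # -r: keep backslashes literal. Without it `read` treats "\" as an escape
  # and would silently store a different value than the one pasted.
  local -a read_opts=(-r)

  if [[ "$mode" == "hidden" ]]; then
    read_opts+=(-s)
  fi

  # A failed read (EOF) is treated like an empty answer, i.e. "skip".
  read "${read_opts[@]}" -p "${name}_${ENV}${label_suffix}: " value || true
  if [[ "$mode" == "hidden" ]]; then
    echo   # -s suppresses the newline the operator typed
  fi

  if [[ -z "$value" ]]; then
    echo "⏭  ${name}_${ENV} skipped"
    return 0
  fi

  # printf '%s' adds no trailing newline; the stored bytes are exactly the input.
  printf '%s' "$value" | add_ver "$name"
}

echo "🔐 Rotating DEV secrets in ${PROJECT}"

# ── Generate fresh randoms
# `openssl rand -hex` ends its output with a newline, and --data-file=- stores
# stdin as given, so piping it straight through would make the newline part of
# the secret. Command substitution strips it, and a failing openssl now aborts
# the script before anything is written.
jwt_secret=$(openssl rand -hex 32)
printf '%s' "$jwt_secret" | add_ver JWT_SECRET
unset jwt_secret

# ── Paste new third-party keys (press Enter to skip any you don't want to rotate)
prompt_and_rotate OPENAI_API_KEY hidden
prompt_and_rotate ONET_USERNAME visible
prompt_and_rotate ONET_PASSWORD hidden
prompt_and_rotate STRIPE_SECRET_KEY hidden
prompt_and_rotate STRIPE_PUBLISHABLE_KEY visible
prompt_and_rotate STRIPE_WH_SECRET hidden
prompt_and_rotate SUPPORT_SENDGRID_API_KEY hidden
prompt_and_rotate EMAIL_INDEX_SECRET hidden
prompt_and_rotate TWILIO_ACCOUNT_SID visible
prompt_and_rotate TWILIO_AUTH_TOKEN hidden
prompt_and_rotate TWILIO_MESSAGING_SERVICE_SID visible

# Optional: rotate Maps if it was in the leaked image
prompt_and_rotate GOOGLE_MAPS_API_KEY hidden " (optional)"

echo "🔁 Rebuilding DEV with fresh secrets…"
ENV="$ENV" ./deploy_all.sh

echo "🧪 Verifying runtime env inside containers:"
# Report which variables are present without printing the freshly rotated
# values: cleartext output here would land in terminal scrollback, session
# recordings and any captured log. Credentials are shown as name + length.
# The settings in plain_re are printed as-is; judging by their names they are
# configuration, not credentials (confirm before adding more names to it).
# Matching is done on the variable name only; the exit status is non-zero when
# nothing matched, so an empty result still stops the script before "Done".
docker compose exec -T server1 sh -lc 'printenv' \
  | awk -v secret_re='JWT_SECRET|OPENAI|ONET|STRIPE_(SECRET|PUBLISH|WH)|SENDGRID|EMAIL_INDEX|TWILIO' \
        -v plain_re='TOKEN_MAX_AGE_MS|ACCESS_COOKIE_NAME|COOKIE_(SECURE|SAMESITE)' '
      {
        eq = index($0, "=")
        if (eq == 0) next                 # continuation line of a multi-line value
        name = substr($0, 1, eq - 1)
        if (name ~ plain_re) {
          print
          found = 1
        } else if (name ~ secret_re) {
          printf "%s=<set, %d chars>\n", name, length($0) - eq
          found = 1
        }
      }
      END { exit(found ? 0 : 1) }
    '

echo "✅ Done."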