feat: use doppler for secrets

aps831 · Dec 24, 2023 · 007c66b · 007c66b
1 parent 257f15d
commit 007c66b
Show file tree

Hide file tree

Showing 14 changed files with 213 additions and 169 deletions.
diff --git a/.chezmoi.toml.tmpl b/.chezmoi.toml.tmpl
@@ -8,11 +8,6 @@ sourceDir = {{ .chezmoi.sourceDir | quote }}
     codespaces = {{ $codespaces }}
     devcontainers = {{ $devcontainers }}
 
-encryption = "age"
-[age]
-    identity = "~/.age/chezmoi.age.txt"
-    recipient = "age1y5r0l5qffkrug0nka649pq8a5k5ucpez2gtrm3m0f5pdrdsc3gtsszphrv"
-
 [diff]
     exclude = ["scripts"]
 
diff --git a/dot_aws/encrypted_private_config.age b/dot_aws/encrypted_private_config.age
diff --git a/dot_aws/private_config.tmpl b/dot_aws/private_config.tmpl
@@ -0,0 +1,138 @@
+[default]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+region=eu-west-2
+output=json
+
+[profile andrew-p-spratley-admin]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_ANDREW_P_SPRATLEY" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=AdministratorAccess
+region=eu-west-2
+output=json
+
+[profile andrew-p-spratley-power]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_ANDREW_P_SPRATLEY" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=PowerUserAccess
+region=eu-west-2
+output=json
+
+[profile andrew-p-spratley-account-analysis]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_ANDREW_P_SPRATLEY" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=AccountAnalysisAccess
+region=eu-west-2
+output=json
+
+[profile andrew-p-spratley-driftctl]
+source_profile=andrew-p-spratley-account-analysis
+role_arn=arn:aws:iam::{{ doppler "AWS_ACCOUNT_ID_ANDREW_P_SPRATLEY" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}:role/DriftctlRole
+
+[profile spratleyap-admin]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_SPRATLEY_AP" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=AdministratorAccess
+region=eu-west-2
+output=json
+
+[profile spratleyap-power]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_SPRATLEY_AP" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=PowerUserAccess
+region=eu-west-2
+output=json
+
+[profile spratleyap-account-analysis]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_SPRATLEY_AP" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=AccountAnalysisAccess
+region=eu-west-2
+output=json
+
+[profile spratleyap-driftctl]
+source_profile=spratleyap-account-analysis
+role_arn=arn:aws:iam::{{ doppler "AWS_ACCOUNT_ID_SPRATLEY_AP" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}:role/DriftctlRole
+
+[profile aps831-admin]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_APS831" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=AdministratorAccess
+region=eu-west-2
+output=json
+
+[profile aps831-power]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_APS831" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=PowerUserAccess
+region=eu-west-2
+output=json
+
+[profile aps831-account-analysis]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_APS831" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=AccountAnalysisAccess
+region=eu-west-2
+output=json
+
+[profile aps831-driftctl]
+source_profile=aps831-account-analysis
+role_arn=arn:aws:iam::{{ doppler "AWS_ACCOUNT_ID_APS831" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}:role/DriftctlRole
+
+[profile operations-reports-831-admin]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_OPERATIONS_REPORTS_831" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=AdministratorAccess
+region=eu-west-2
+output=json
+
+[profile operations-reports-831-power]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_OPERATIONS_REPORTS_831" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=PowerUserAccess
+region=eu-west-2
+output=json
+
+[profile operations-reports-831-deployment]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_OPERATIONS_REPORTS_831" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=OperationsReportsDeployment
+region=eu-west-2
+output=json
+
+[profile operations-reports-831-backend-deployment]
+source_profile=operations-reports-831-deployment
+role_arn=arn:aws:iam::{{ doppler "AWS_ACCOUNT_ID_OPERATIONS_REPORTS_831" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}:role/OperationsReportsBackendDeploymentRole
+
+[profile operations-reports-831-frontend-deployment]
+source_profile=operations-reports-831-deployment
+role_arn=arn:aws:iam::{{ doppler "AWS_ACCOUNT_ID_OPERATIONS_REPORTS_831" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}:role/OperationsReportsFrontendDeploymentRole
+
+[profile operations-reports-831-account-analysis]
+sso_start_url=https://spratters.awsapps.com/start/
+sso_region=eu-west-2
+sso_account_id={{ doppler "AWS_ACCOUNT_ID_OPERATIONS_REPORTS_831" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+sso_role_name=AccountAnalysisAccess
+region=eu-west-2
+output=json
+
+[profile operations-reports-831-driftctl]
+source_profile=operations-reports-831-account-analysis
+role_arn=arn:aws:iam::{{ doppler "AWS_ACCOUNT_ID_OPERATIONS_REPORTS_831" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}:role/DriftctlRole
+
+[profile localstack]
+region=eu-west-2
+output=json
+
diff --git a/dot_bash_aliases → dot_bash_aliases.tmpl b/dot_bash_aliases → dot_bash_aliases.tmpl
diff --git a/dot_m2/encrypted_private_settings-security.xml.age b/dot_m2/encrypted_private_settings-security.xml.age
diff --git a/dot_m2/encrypted_private_settings.xml.tmpl.age b/dot_m2/encrypted_private_settings.xml.tmpl.age
diff --git a/dot_m2/private_settings-security.xml.tmpl b/dot_m2/private_settings-security.xml.tmpl
@@ -0,0 +1,3 @@
+<settingsSecurity>
+  <master>{{ doppler "MAVEN_MASTER_PASSWORD" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}</master>
+</settingsSecurity>
diff --git a/dot_m2/private_settings.xml.tmpl b/dot_m2/private_settings.xml.tmpl
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
+    <activeProfiles>
+        <activeProfile>github</activeProfile>
+    </activeProfiles>
+    <profiles>
+        <profile>
+            <id>github</id>
+            <repositories>
+                <repository>
+                    <id>central</id>
+                    <url>https://repo1.maven.org/maven2</url>
+                </repository>
+                <repository>
+                    <id>github-aps831</id>
+                    <url>https://maven.pkg.github.com/aps831/*</url>
+                    <snapshots>
+                        <enabled>true</enabled>
+                    </snapshots>
+                </repository>
+            </repositories>
+        </profile>
+    </profiles>
+    <servers>
+        <server>
+            <id>github-aps831</id>
+            <username>aps831</username>
+            <password>{{ doppler "MAVEN_GITHUB_APS831_PASSWORD" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}</password>
+        </server>
+    </servers>
+</settings>
diff --git a/install.sh b/install.sh
@@ -17,5 +17,23 @@ else
   chezmoi=chezmoi
 fi
 
+export DOPPLER_PROJECT=development
+echo "Set DOPPLER_PROJECT=$DOPPLER_PROJECT"
+
+if [ -z "$CODESPACES" ]; then
+  export DOPPLER_CONFIG=codespaces
+else
+  export DOPPLER_CONFIG=$(hostname)
+fi
+echo "Set DOPPLER_CONFIG=$DOPPLER_CONFIG"
+
+if [ -z "$DOPPLER_DOTFILES_TOKEN" ]; then
+  echo "Set DOPPLER_TOKEN from CLI authentication"    
+  export DOPPLER_TOKEN=$(doppler configure --json | yq '.. | select(has("token"))' | yq '.token')
+else
+  echo "Set DOPPLER_TOKEN from environment"  
+  export DOPPLER_TOKEN=$DOPPLER_DOTFILES_TOKEN
+fi
+
 script_dir="$(cd -P -- "$(dirname -- "$(command -v -- "$0")")" && pwd -P)"
 exec "$chezmoi" init --apply "--source=$script_dir"
diff --git a/private_dot_docker/config.json.tmpl b/private_dot_docker/config.json.tmpl
@@ -0,0 +1,19 @@
+{
+	"auths": {
+		"{{ doppler "AWS_ACCOUNT_ID_OPERATIONS_REPORTS_831" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}.dkr.ecr.eu-west-2.amazonaws.com": {},
+		"ghcr.io": {},
+		"https://index.docker.io/v1/": {},
+		"titan.local:5000": {}
+	},
+	"credsStore": "pass",
+	"credHelpers": {
+		"asia.gcr.io": "gcloud",
+		"docker.io": "pass",
+		"eu.gcr.io": "gcloud",
+		"gcr.io": "gcloud",
+		"marketplace.gcr.io": "gcloud",
+		"staging-k8s.gcr.io": "gcloud",
+		"titan.local:5000": "pass",
+		"us.gcr.io": "gcloud"
+	}
+}
diff --git a/private_dot_docker/encrypted_private_config.json.age b/private_dot_docker/encrypted_private_config.json.age
diff --git a/private_dot_ngrok2/encrypted_private_ngrok.yml.age b/private_dot_ngrok2/encrypted_private_ngrok.yml.age
diff --git a/private_dot_ngrok2/ngrok.yml.tmpl b/private_dot_ngrok2/ngrok.yml.tmpl
@@ -0,0 +1,2 @@
+authtoken: {{ doppler "NGROK_AUTH_TOKEN" (expandenv "$DOPPLER_PROJECT") (expandenv "$DOPPLER_CONFIG") }}
+region: eu