feat(corp/ops): configure state bucket for terraform r/6109

This was a bit trickier than I anticipated, because there's no good ways to avoid passing the credentials around manually. What's basically happening now is that the credentials for the state bucket are checked in (encrypted), and sourcing `creds.fish` uses the cloud HSM to decrypt and load them into the environment. Change-Id: I3f5ce1c9bd9d5efbf1013414f94771a09ea3a488 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8494 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
author: Vincent Ambo <mail@tazj.in> 2023-04-21T16·13+0300
committer: tazjin <tazjin@tvl.su> 2023-04-24T10·56+0000
commit: 111e1d38e5ac177bcf4defe70aee1e853206bc6d (patch)
tree: 0670c6f3067a319859cd3d48b07d012e3ee11402 /corp/ops/creds.fish
parent: 0637ab3add4f57359842a451ca9ffd70194524e2 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/corp/ops/creds.fish b/corp/ops/creds.fish
new file mode 100644
index 000000000000..2985b2880864
--- /dev/null
+++ b/corp/ops/creds.fish
@@ -0,0 +1,5 @@
+export YC_TOKEN=(yc iam create-token)
+export YC_CLOUD_ID=(yc config get cloud-id)
+export YC_FOLDER_ID=(yc config get folder-id)
+export AWS_ACCESS_KEY_ID="YCAJE6eRLY8Az-9kveNRtz4sh"
+export AWS_SECRET_ACCESS_KEY=(yc kms symmetric-crypto decrypt --name tvl-credentials --cloud-id b1ggu5m1btue982app12 --folder-name default --ciphertext-file encrypted-state-secret.key --plaintext-file /dev/stdout | head -n1)
author	Vincent Ambo <mail@tazj.in>	2023-04-21T16·13+0300
committer	tazjin <tazjin@tvl.su>	2023-04-24T10·56+0000
commit	111e1d38e5ac177bcf4defe70aee1e853206bc6d (patch)
tree	0670c6f3067a319859cd3d48b07d012e3ee11402 /corp/ops/creds.fish
parent	0637ab3add4f57359842a451ca9ffd70194524e2 (diff)