From 111e1d38e5ac177bcf4defe70aee1e853206bc6d Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Fri, 21 Apr 2023 19:13:48 +0300
Subject: feat(corp/ops): configure state bucket for terraform

This was a bit trickier than I anticipated, because there's no good ways to avoid passing the credentials around manually. What's basically happening now is that the credentials for the state bucket are checked in (encrypted), and sourcing `creds.fish` uses the cloud HSM to decrypt and load them into the environment.

Change-Id: I3f5ce1c9bd9d5efbf1013414f94771a09ea3a488
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8494
Tested-by: BuildkiteCI
Reviewed-by: tazjin
---
 corp/ops/creds.fish | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 corp/ops/creds.fish

(limited to 'corp/ops/creds.fish')

diff --git a/corp/ops/creds.fish b/corp/ops/creds.fish
new file mode 100644
index 0000000000..2985b28808
--- /dev/null
+++ b/corp/ops/creds.fish
@@ -0,0 +1,5 @@
+export YC_TOKEN=(yc iam create-token)
+export YC_CLOUD_ID=(yc config get cloud-id)
+export YC_FOLDER_ID=(yc config get folder-id)
+export AWS_ACCESS_KEY_ID="YCAJE6eRLY8Az-9kveNRtz4sh"
+export AWS_SECRET_ACCESS_KEY=(yc kms symmetric-crypto decrypt --name tvl-credentials --cloud-id b1ggu5m1btue982app12 --folder-name default --ciphertext-file encrypted-state-secret.key --plaintext-file /dev/stdout | head -n1)
--
cgit 1.4.1
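Review bot: `--ciphertext-file encrypted-state-secret.key` on the last `+export` line is resolved against the caller's working directory, so `source creds.fish` from anywhere other than `corp/ops` makes the decrypt fail and, because nothing checks the status of `yc kms`, silently exports an empty `AWS_SECRET_ACCESS_KEY` that only surfaces later as a confusing terraform auth error. Anchor the path to the script with `set -l creds_dir (dirname (status filename))`, decrypt into a local first, and refuse to export when the result is empty so the failure is loud at source time; note that `| head -n1` also masks the decrypt's exit status unless pipefail is enabled, which is why the emptiness check matters. The access key ID on the line above is committed in plaintext — presumably intended, since it is the non-secret half of the pair, but a one-line comment such as `# key id is not secret; the secret half is KMS-encrypted in encrypted-state-secret.key` would stop the next reader from treating it as a leak. The hardcoded `--cloud-id b1ggu5m1btue982app12` next to a freshly computed `$YC_CLOUD_ID` looks like it may be intentional (KMS key living in a different cloud), so a short comment saying which is also worth adding.
```fish
# … unchanged: YC_TOKEN / YC_CLOUD_ID / YC_FOLDER_ID / AWS_ACCESS_KEY_ID exports …
# Resolve the ciphertext relative to this file, not to the caller's cwd.
set -l creds_dir (dirname (status filename))
set -l state_secret (yc kms symmetric-crypto decrypt --name tvl-credentials --cloud-id b1ggu5m1btue982app12 --folder-name default --ciphertext-file $creds_dir/encrypted-state-secret.key --plaintext-file /dev/stdout | head -n1)
if test $status -ne 0 -o -z "$state_secret"
    echo "creds.fish: failed to decrypt encrypted-state-secret.key; AWS_SECRET_ACCESS_KEY not set" >&2
else
    export AWS_SECRET_ACCESS_KEY=$state_secret
end
```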