49 lines
1.7 KiB
JavaScript
49 lines
1.7 KiB
JavaScript
/**
|
|
* Load secrets from Infisical using Machine Identity (Universal Auth)
|
|
* Writes secrets to .env.infisical file for sourcing
|
|
*/
|
|
import { InfisicalSDK } from "@infisical/sdk";
|
|
import { writeFileSync } from "fs";
|
|
|
|
const INFISICAL_API_URL = process.env.INFISICAL_API_URL;
|
|
const INFISICAL_CLIENT_ID = process.env.INFISICAL_CLIENT_ID;
|
|
const INFISICAL_CLIENT_SECRET = process.env.INFISICAL_CLIENT_SECRET;
|
|
const INFISICAL_PROJECT_ID = process.env.INFISICAL_PROJECT_ID;
|
|
const INFISICAL_ENV = process.env.INFISICAL_ENV || "prod";
|
|
|
|
if (!INFISICAL_API_URL || !INFISICAL_CLIENT_ID || !INFISICAL_CLIENT_SECRET || !INFISICAL_PROJECT_ID) {
|
|
process.stderr.write("Missing required Infisical environment variables\n");
|
|
process.exit(1);
|
|
}
|
|
|
|
const client = new InfisicalSDK({ siteUrl: INFISICAL_API_URL });
|
|
|
|
await client.auth().universalAuth.login({
|
|
clientId: INFISICAL_CLIENT_ID,
|
|
clientSecret: INFISICAL_CLIENT_SECRET,
|
|
});
|
|
|
|
process.stderr.write(`Loading secrets from Infisical (env: ${INFISICAL_ENV})...\n`);
|
|
|
|
const envLines = [];
|
|
|
|
for (const secretPath of ["/webapp", "/shared"]) {
|
|
const response = await client.secrets().listSecrets({
|
|
projectId: INFISICAL_PROJECT_ID,
|
|
environment: INFISICAL_ENV,
|
|
secretPath: secretPath,
|
|
expandSecretReferences: true,
|
|
});
|
|
|
|
for (const secret of response.secrets) {
|
|
// Escape special characters for shell
|
|
const escapedValue = secret.secretValue.replace(/'/g, "'\\''");
|
|
envLines.push(`export ${secret.secretKey}='${escapedValue}'`);
|
|
}
|
|
|
|
process.stderr.write(` ${secretPath}: ${response.secrets.length} secrets loaded\n`);
|
|
}
|
|
|
|
writeFileSync(".env.infisical", envLines.join("\n"));
|
|
process.stderr.write("Secrets written to .env.infisical\n");
|