Merge pull request #35 from Financial-Times/vault-env-patch

Update Vault .env task to use shared keys
Financial-Times · Jun 28, 2017 · a32cf4b · a32cf4b
2 parents d218939 + 6cf1132
commit a32cf4b
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 13 deletions.
diff --git a/index.mk b/index.mk
@@ -180,20 +180,11 @@ endif
 	@if [ ! -z $(CIRCLECI) ]; then (echo $(ENV_MSG_CIRCLECI) && exit 1); fi
 	@$(call CONFIG_VARS,development,env) > .env && perl -pi -e 's/="(.*)"/=\1/' .env && $(DONE) || (echo $(ENV_MSG_CANT_GET) && rm .env && exit 1);
 
-.env-vault: vault-cli
+.env-vault: vault-token
 	@if [[ $(shell grep --count *.env* .gitignore) -eq 0 ]]; then (echo $(ENV_MSG_IGNORE_ENV) && exit 1); fi
 	@if [ ! -e package.json ]; then (echo $(ENV_MSG_PACKAGE_JSON) && exit 1); fi
 	@if [ ! -z $(CIRCLECI) ]; then (echo $(ENV_MSG_CIRCLECI) && exit 1); fi
-	@vault read secret/teams/next/$$(echo $(APP_NAME) | sed 's/^ft-//')/development \
-		| tail -n +4 \
-		| sed -e '$$ d' \
-		| perl -pe 's/^([^ \t]+)\s+(.+)$$/\1=\2/' \
-		> .env
-	@vault read secret/teams/next/shared/development \
-		| tail -n +4 \
-		| sed -e '$$ d' \
-		| perl -pe 's/^([^ \t]+)\s+(.+)$$/\1=\2/' \
-		>> .env
+	node scripts/env-vault.js $(call APP_NAME)
 	@$(DONE)
 
 MSG_HEROKU_CLI = "Please make sure the Heroku CLI toolbelt is installed - see https://toolbelt.heroku.com/. And make sure you are authenticated by running ‘heroku login’. If this is not an app, delete Procfile."
@@ -203,8 +194,8 @@ heroku-cli:
 heroku-login-check:
 	@if [[ `heroku whoami 2>/dev/null` != *'@ft.com' ]]; then (HEROKU_ORGANIZATION=financial-times heroku login --sso); fi
 
-MSG_VAULT_CLI = "Please make sure the Vault CLI is installed - see https://github.com/Financial-Times/vault/wiki/Getting-Started. And make sure you are authenticated."
-vault-cli:
+MSG_VAULT_CLI = "Please make sure the Vault CLI is installed - see https://github.com/Financial-Times/vault/wiki/Getting-Started. And make sure you are authenticated, a valid token should exist at ~/vault-token."
+vault-token:
 	@if [ -e Procfile ] && [[ $$(vault token-lookup 2>&1 | grep -c error) -gt 0 ]]; then (echo $(MSG_VAULT_CLI) && exit 1); fi
 
 # VERIFY SUB-TASKS

diff --git a/package.json b/package.json
@@ -19,6 +19,7 @@
   "homepage": "https://github.com/Financial-Times/n-gage#readme",
   "dependencies": {
     "@financial-times/secret-squirrel": "^2.0.4",
+    "node-fetch": "^1.7.1",
     "pre-git": "^3.14.0"
   },
   "devDependencies": {

diff --git a/scripts/env-vault.js b/scripts/env-vault.js
@@ -0,0 +1,32 @@
+const fetch = require('node-fetch');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const app = process.argv[2].replace(/^ft-/, '');
+const token = fs.readFileSync(path.join(os.homedir(), '.vault-token'), { encoding: 'utf8' });
+
+const vault = path => fetch('https://vault.in.ft.com/v1/' + path, { headers: { 'X-Vault-Token': token } })
+    .then(res => res.json())
+    .then(json => json.data || {});
+
+Promise.all([
+    vault(`secret/teams/next/${app}/development`),
+    vault(`secret/teams/next/${app}/shared`),
+    vault('secret/teams/next/shared/development'),
+])
+    .then(([app, appShared, envShared]) => {        
+        const shared = appShared.env.reduce((keys, key) => {
+            if (key in envShared) {
+                keys[key] = envShared[key];
+            }
+
+            return keys;
+        }, {});
+
+        const keys = Object.assign({}, shared, app);
+
+        const variables = Object.keys(keys).sort().reduce((file, key) => file + `${key}='${keys[key]}'\n`, '');
+
+        fs.writeFileSync(path.join(process.cwd(), '.env'), variables);
+    })