From 9abaf71302578a6dbc5483835351a42f48e9900b Mon Sep 17 00:00:00 2001 From: Nik Date: Tue, 14 Jul 2026 22:58:13 -0600 Subject: [PATCH] security: move Infisical & Spaces secrets off command-line argv (M2, fleet-wide) Closes the AGENTS.md S2 finding that Machine-Identity + DO Spaces credentials were exposed on process argv (visible via ps / /proc//cmdline on the droplet). Infisical login: env-var auth instead of --client-secret on argv -- export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" infisical login --method=universal-auth [--plain --silent] (the CLI reads the INFISICAL_UNIVERSAL_AUTH_* env vars natively; matches the pattern openclaw's entrypoint already used). Tofu/OpenTofu: export AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY (the S3 backend reads them from env) and drop the -backend-config access_key/secret_key lines; sse_customer_key stays on -backend-config (no env equivalent). Scope: every *-docker template + rendered site (anythingllm, keycloak, owncloud, wordpress, searxng, signoz, sandbox, openclaw, devbox), otel-agent/, the scripts/*otel* helpers, and the doc examples that showed the old form. Handled all shapes: wrapped INFISICAL_TOKEN capture, bare login, swapped --silent --plain, in-heredoc / inline-ssh single-line, the if-retry loop, and the OTEL var names. Verification: bash -n + shellcheck -S error clean on all changed scripts; rendered ansible YAML parses; 0 remaining --client-secret= / backend-config secret_key in tracked code. Live deploy test (copier render -> ansible/tofu) is the human pre-merge gate. --- CHANGELOG.md | 4 +++ anythingllm-docker/DEPLOYMENT_GUIDE.md | 4 +-- .../sites/ai.weown.agency/ansible/deploy.yml | 21 +++++------ .../sites/ai.weown.agency/scripts/backup.sh | 7 ++-- .../sites/ai.weown.agency/scripts/restore.sh | 7 ++-- .../sites/ai.weown.agency/terraform/init.sh | 4 +-- .../dev-weown-anythingllm/ansible/deploy.yml | 21 +++++------ .../dev-weown-anythingllm/scripts/backup.sh | 7 ++-- .../scripts/entrypoint-infisical.sh | 7 ++-- .../dev-weown-anythingllm/scripts/restore.sh | 7 ++-- .../dev-weown-anythingllm/terraform/itofu.sh | 4 +-- .../sites/s004.ccc.bot/ansible/deploy.yml | 28 +++++++-------- .../sites/s004.ccc.bot/scripts/backup.sh | 7 ++-- .../sites/s004.ccc.bot/scripts/restore.sh | 7 ++-- .../sites/s004.ccc.bot/terraform/init.sh | 4 +-- .../sites/s004.ccc.bot/terraform/itofu.sh | 4 +-- .../template/ansible/deploy.yml.jinja | 35 ++++++++----------- .../template/scripts/backup.sh.jinja | 7 ++-- .../scripts/entrypoint-infisical.sh.jinja | 7 ++-- .../template/scripts/restore.sh.jinja | 7 ++-- .../template/terraform/itofu.sh.jinja | 4 +-- .../sites/dev-weown-devbox/terraform/init.sh | 4 +-- .../sites/dev-weown-devbox/terraform/itofu.sh | 4 +-- .../template/terraform/init.sh.jinja | 4 +-- docs/INFISICAL_OUTAGE_RUNBOOK.md | 7 ++-- .../sites/sso.weown.dev/ansible/deploy.yml | 14 ++++---- .../scripts/entrypoint-infisical.sh | 7 ++-- .../sites/sso.weown.dev/terraform/init.sh | 4 +-- .../template/ansible/deploy.yml.jinja | 14 ++++---- .../template/scripts/backup.sh.jinja | 7 ++-- .../scripts/entrypoint-infisical.sh.jinja | 7 ++-- .../template/scripts/restore.sh.jinja | 2 +- .../template/terraform/init.sh.jinja | 4 +-- .../sites/claw-weown-dev/ansible/deploy.yml | 21 +++++------ .../sites/claw-weown-dev/scripts/backup.sh | 7 ++-- .../sites/claw-weown-dev/scripts/restore.sh | 7 ++-- .../sites/claw-weown-dev/terraform/init.sh | 4 +-- .../sites/claw-weown-dev/terraform/itofu.sh | 4 +-- .../sites/claw-weown-tools/ansible/deploy.yml | 28 +++++++-------- .../sites/claw-weown-tools/scripts/backup.sh | 7 ++-- .../sites/claw-weown-tools/scripts/restore.sh | 7 ++-- .../sites/claw-weown-tools/terraform/init.sh | 4 +-- .../template/ansible/deploy.yml.jinja | 21 +++++------ .../template/scripts/backup.sh.jinja | 7 ++-- .../template/scripts/restore.sh.jinja | 7 ++-- .../template/terraform/init.sh.jinja | 4 +-- .../template/terraform/itofu.sh.jinja | 4 +-- otel-agent/README.md | 6 ++-- otel-agent/deploy.yml | 14 ++++---- owncloud-docker/template/README.md.jinja | 3 +- .../template/ansible/deploy.yml.jinja | 14 ++++---- .../template/scripts/backup.sh.jinja | 7 ++-- .../scripts/entrypoint-infisical.sh.jinja | 7 ++-- .../template/scripts/restore.sh.jinja | 4 ++- .../template/terraform/init.sh.jinja | 4 +-- .../template/ansible/deploy.yml.jinja | 14 ++++---- .../template/scripts/backup.sh.jinja | 7 ++-- .../scripts/entrypoint-infisical.sh.jinja | 7 ++-- .../template/scripts/restore.sh.jinja | 7 ++-- .../template/terraform/init.sh.jinja | 4 +-- scripts/bootstrap-otel-agent.sh | 7 ++-- scripts/deploy-otel-fleet.sh | 7 ++-- .../template/ansible/deploy.yml.jinja | 14 ++++---- .../template/scripts/backup.sh.jinja | 7 ++-- .../scripts/entrypoint-infisical.sh.jinja | 7 ++-- .../template/scripts/restore.sh.jinja | 2 +- .../template/terraform/init.sh.jinja | 4 +-- .../template/ansible/deploy.yml.jinja | 14 ++++---- .../template/scripts/backup.sh.jinja | 7 ++-- .../scripts/entrypoint-infisical.sh.jinja | 7 ++-- .../template/terraform/init.sh.jinja | 4 +-- .../docs/INFISICAL_INTEGRATION.md | 6 ++-- .../template/ansible/deploy.yml.jinja | 21 +++++------ .../template/scripts/backup.sh.jinja | 7 ++-- .../scripts/entrypoint-infisical.sh.jinja | 7 ++-- .../template/terraform/init.sh.jinja | 4 +-- 76 files changed, 278 insertions(+), 358 deletions(-) mode change 100755 => 100644 anythingllm-docker/sites/ai.weown.agency/terraform/init.sh mode change 100755 => 100644 anythingllm-docker/sites/s004.ccc.bot/scripts/backup.sh mode change 100755 => 100644 anythingllm-docker/sites/s004.ccc.bot/scripts/restore.sh mode change 100755 => 100644 anythingllm-docker/sites/s004.ccc.bot/terraform/init.sh mode change 100755 => 100644 anythingllm-docker/sites/s004.ccc.bot/terraform/itofu.sh mode change 100755 => 100644 anythingllm-docker/template/scripts/backup.sh.jinja mode change 100755 => 100644 anythingllm-docker/template/scripts/restore.sh.jinja mode change 100755 => 100644 anythingllm-docker/template/terraform/itofu.sh.jinja mode change 100755 => 100644 keycloak-docker/sites/sso.weown.dev/scripts/entrypoint-infisical.sh mode change 100755 => 100644 keycloak-docker/sites/sso.weown.dev/terraform/init.sh mode change 100755 => 100644 openclaw-docker/sites/claw-weown-dev/terraform/itofu.sh mode change 100755 => 100644 openclaw-docker/template/terraform/itofu.sh.jinja mode change 100755 => 100644 scripts/bootstrap-otel-agent.sh mode change 100755 => 100644 scripts/deploy-otel-fleet.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index f6b2a193..c55226a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,10 @@ Application-specific changes live in per-directory CHANGELOGs. See the index bel Changes in this section will be promoted to a dated release entry on merge to `main`. +### Security + +- **M2 fleet-wide — Infisical Machine-Identity secrets & DO Spaces creds moved off command-line argv (2026-07-14)** — closes the AGENTS.md S2 finding that `infisical login --client-secret="$INFISICAL_CLIENT_SECRET"` and `tofu init -backend-config="secret_key=…"` exposed secrets on process argv (readable via `ps` / `/proc//cmdline` on the droplet). **Infisical login** now uses env-var auth — `export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID/_SECRET` before a flagless `infisical login --method=universal-auth` (the CLI reads them natively), matching the pattern openclaw's entrypoint already used. **Tofu/OpenTofu** now exports `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` (the S3 backend reads them from env) and drops the two `-backend-config` access/secret lines; `sse_customer_key` stays on `-backend-config` (no env equivalent). Applied across every `*-docker` template and rendered site (anythingllm, keycloak, owncloud, wordpress, searxng, signoz, sandbox, openclaw, devbox) plus `otel-agent/` and the `scripts/*otel*` helpers, and the doc examples that showed the old form. Only `--plain`/`--silent` and non-secret flags remain on argv. **Compliance**: NIST CSF 2.0 PR.DS-1/PR.AC-4; CIS v8 3.11. **Verification**: `bash -n` + `shellcheck -S error` clean on all changed scripts; rendered ansible YAML parses; 0 remaining `--client-secret=`/`-backend-config="secret_key="` in tracked code. **Note**: needs a live deploy test (copier render → ansible/tofu path) before promotion — the human pre-merge gate. + ### Added - **Open-branch consolidation — 10 branches integrated to `main`, 19 retired (2026-07-14)** — a single signed integration of every mergeable open branch, each individually code-reviewed (secrets/public-repo, correctness, template-standard), rebased onto current `main` so the latest template versions (incl. #78 Minimus fail-loud registry login) are preserved. **New:** `supabase-docker/` copier template (v0.1 — Postgres 15 + pgvector); `anythingllm-docker/sites/dev-weown-anythingllm/` (INT-P07/P08 do.weown.tools); `devbox-docker/sites/dev-weown-devbox/` (shared Zed remote-dev droplet, SSH-only, key-only sshd); `keycloak-docker/sites/sso.weown.dev/` migrated to Path-C serving `sso.weown.id`; `openclaw-docker/sites/claw-weown-dev/` + template hardening. **Changed/Fixed:** anythingllm template defaults per Jason (DeepSeek V4 Flash, SearXNG agent-search); searxng bound loopback-only; wordpress core-plugin-bundle fetch task; owncloud oCIS template hardening (backup-name injection guard, `ignore_changes=[user_data,tags]`, corrected security-model claims); smoke-test framework across all 7 templates (fails on unhealthy containers, correct auth-file path). **Security/public-repo scrubs:** real ProtonVPN egress IP → RFC5737; real Infisical project UUIDs → placeholders; offboarded-dev emails → `alerts@example.com`; openclaw ADR-006 auth file `0644`→`0600`/UID-1000; keycloak image pinned `:24.0` + cloud-init `{% raw %}` rotation-breaker fixed. **Retired (skipped + branches deleted):** branches already folded into `e8496d1`, the retired `sites/s004`, obsolete pre-copier flat layouts, and (owner-decided) the `zeroToHundred` webapp and the superseded `security-hardening-ssh` inventory. **Deferred:** M2 Infisical `--client-secret` argv pattern (pre-existing fleet-wide) tracked as a separate hardening pass. diff --git a/anythingllm-docker/DEPLOYMENT_GUIDE.md b/anythingllm-docker/DEPLOYMENT_GUIDE.md index ea9fd598..e551645d 100644 --- a/anythingllm-docker/DEPLOYMENT_GUIDE.md +++ b/anythingllm-docker/DEPLOYMENT_GUIDE.md @@ -98,8 +98,8 @@ this split is the key to the whole flow. (mints v2, swaps the file, revokes v1) so the secret that briefly lived in Terraform state / droplet metadata is invalidated. - At every `docker compose up`, the deploy does - `export INFISICAL_TOKEN="$(infisical login --method=universal-auth - --client-id=… --client-secret=… --plain --silent)"` then + `export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID=… INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET=…; + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)"` then `infisical run --projectId= --env=prod -- docker compose up -d`. Secrets are fetched fresh into the **container environment only** — never written to disk. Restart the container and rotated secrets flow in. diff --git a/anythingllm-docker/sites/ai.weown.agency/ansible/deploy.yml b/anythingllm-docker/sites/ai.weown.agency/ansible/deploy.yml index 1a395485..a204c048 100644 --- a/anythingllm-docker/sites/ai.weown.agency/ansible/deploy.yml +++ b/anythingllm-docker/sites/ai.weown.agency/ansible/deploy.yml @@ -111,10 +111,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" infisical run \ --projectId={{ infisical_project_id }} \ --env={{ infisical_env }} \ @@ -171,10 +170,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" cd {{ app_dir }} infisical run \ --projectId={{ infisical_project_id }} \ @@ -233,10 +231,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" cd {{ app_dir }} infisical run \ --projectId={{ infisical_project_id }} \ diff --git a/anythingllm-docker/sites/ai.weown.agency/scripts/backup.sh b/anythingllm-docker/sites/ai.weown.agency/scripts/backup.sh index a27437d3..e5f3004b 100644 --- a/anythingllm-docker/sites/ai.weown.agency/scripts/backup.sh +++ b/anythingllm-docker/sites/ai.weown.agency/scripts/backup.sh @@ -159,10 +159,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/anythingllm-docker/sites/ai.weown.agency/scripts/restore.sh b/anythingllm-docker/sites/ai.weown.agency/scripts/restore.sh index 4679f0e2..2269b89e 100644 --- a/anythingllm-docker/sites/ai.weown.agency/scripts/restore.sh +++ b/anythingllm-docker/sites/ai.weown.agency/scripts/restore.sh @@ -192,10 +192,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='int_p01_anythingllm' BACKUP_NAME='$BACKUP_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/restore.sh" "$BACKUP_NAME" EOF diff --git a/anythingllm-docker/sites/ai.weown.agency/terraform/init.sh b/anythingllm-docker/sites/ai.weown.agency/terraform/init.sh old mode 100755 new mode 100644 index c9962d01..1b18ea9d --- a/anythingllm-docker/sites/ai.weown.agency/terraform/init.sh +++ b/anythingllm-docker/sites/ai.weown.agency/terraform/init.sh @@ -46,9 +46,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/anythingllm-docker/sites/dev-weown-anythingllm/ansible/deploy.yml b/anythingllm-docker/sites/dev-weown-anythingllm/ansible/deploy.yml index cf812160..9b2f7a78 100644 --- a/anythingllm-docker/sites/dev-weown-anythingllm/ansible/deploy.yml +++ b/anythingllm-docker/sites/dev-weown-anythingllm/ansible/deploy.yml @@ -185,10 +185,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" infisical run \ --projectId={{ infisical_project_id }} \ --env={{ infisical_env }} \ @@ -241,10 +240,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" install -d -m 0700 -o root -g root /root/.ssh infisical run --projectId={{ infisical_project_id }} --env={{ infisical_env }} -- bash -c ' keys="${OPS_AUTHORIZED_KEYS:-}" @@ -282,10 +280,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" infisical run \ --projectId={{ infisical_project_id }} \ --env={{ infisical_env }} \ diff --git a/anythingllm-docker/sites/dev-weown-anythingllm/scripts/backup.sh b/anythingllm-docker/sites/dev-weown-anythingllm/scripts/backup.sh index 67998d26..10f63eb3 100644 --- a/anythingllm-docker/sites/dev-weown-anythingllm/scripts/backup.sh +++ b/anythingllm-docker/sites/dev-weown-anythingllm/scripts/backup.sh @@ -166,10 +166,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/anythingllm-docker/sites/dev-weown-anythingllm/scripts/entrypoint-infisical.sh b/anythingllm-docker/sites/dev-weown-anythingllm/scripts/entrypoint-infisical.sh index 39ec711f..d5bd74d9 100644 --- a/anythingllm-docker/sites/dev-weown-anythingllm/scripts/entrypoint-infisical.sh +++ b/anythingllm-docker/sites/dev-weown-anythingllm/scripts/entrypoint-infisical.sh @@ -36,10 +36,9 @@ fi # Step 2: Login to Infisical export INFISICAL_TOKEN -INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" if [ -z "$INFISICAL_TOKEN" ]; then echo "ERROR: Failed to authenticate with Infisical" >&2 diff --git a/anythingllm-docker/sites/dev-weown-anythingllm/scripts/restore.sh b/anythingllm-docker/sites/dev-weown-anythingllm/scripts/restore.sh index 9da86636..3a7c49d8 100644 --- a/anythingllm-docker/sites/dev-weown-anythingllm/scripts/restore.sh +++ b/anythingllm-docker/sites/dev-weown-anythingllm/scripts/restore.sh @@ -192,10 +192,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='dev_weown_anythingllm_anythingllm' BACKUP_NAME='$BACKUP_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/restore.sh" "$BACKUP_NAME" EOF diff --git a/anythingllm-docker/sites/dev-weown-anythingllm/terraform/itofu.sh b/anythingllm-docker/sites/dev-weown-anythingllm/terraform/itofu.sh index 82f2eb64..9358edf5 100644 --- a/anythingllm-docker/sites/dev-weown-anythingllm/terraform/itofu.sh +++ b/anythingllm-docker/sites/dev-weown-anythingllm/terraform/itofu.sh @@ -53,9 +53,7 @@ case "$1" in # from the Infisical-injected env to -backend-config. Single quotes are # intentional - these expand inside `infisical run`, not here. # shellcheck disable=SC2016 - irun bash -c 'exec tofu init -reconfigure \ - -backend-config="access_key=$TF_VAR_spaces_access_key" \ - -backend-config="secret_key=$TF_VAR_spaces_secret_key" \ + irun bash -c 'export AWS_ACCESS_KEY_ID="$TF_VAR_spaces_access_key"; export AWS_SECRET_ACCESS_KEY="$TF_VAR_spaces_secret_key"; exec tofu init -reconfigure \ -backend-config="sse_customer_key=$TF_VAR_spaces_encryption_key" "$@"' itofu "$@" ;; plan) diff --git a/anythingllm-docker/sites/s004.ccc.bot/ansible/deploy.yml b/anythingllm-docker/sites/s004.ccc.bot/ansible/deploy.yml index e501c915..887589f0 100644 --- a/anythingllm-docker/sites/s004.ccc.bot/ansible/deploy.yml +++ b/anythingllm-docker/sites/s004.ccc.bot/ansible/deploy.yml @@ -121,10 +121,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" infisical run \ --projectId={{ infisical_project_id }} \ --env={{ infisical_env }} \ @@ -177,10 +176,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" install -d -m 0700 -o root -g root /root/.ssh infisical run --projectId={{ infisical_project_id }} --env={{ infisical_env }} -- bash -c ' keys="${OPS_AUTHORIZED_KEYS:-}" @@ -237,10 +235,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" cd {{ app_dir }} infisical run \ --projectId={{ infisical_project_id }} \ @@ -299,10 +296,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" cd {{ app_dir }} infisical run \ --projectId={{ infisical_project_id }} \ diff --git a/anythingllm-docker/sites/s004.ccc.bot/scripts/backup.sh b/anythingllm-docker/sites/s004.ccc.bot/scripts/backup.sh old mode 100755 new mode 100644 index 8800deed..beb6efc4 --- a/anythingllm-docker/sites/s004.ccc.bot/scripts/backup.sh +++ b/anythingllm-docker/sites/s004.ccc.bot/scripts/backup.sh @@ -166,10 +166,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/anythingllm-docker/sites/s004.ccc.bot/scripts/restore.sh b/anythingllm-docker/sites/s004.ccc.bot/scripts/restore.sh old mode 100755 new mode 100644 index f39e41d3..2a0196c0 --- a/anythingllm-docker/sites/s004.ccc.bot/scripts/restore.sh +++ b/anythingllm-docker/sites/s004.ccc.bot/scripts/restore.sh @@ -192,10 +192,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='int_s004_anythingllm' BACKUP_NAME='$BACKUP_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/restore.sh" "$BACKUP_NAME" EOF diff --git a/anythingllm-docker/sites/s004.ccc.bot/terraform/init.sh b/anythingllm-docker/sites/s004.ccc.bot/terraform/init.sh old mode 100755 new mode 100644 index 6ddd06c2..2e7504c0 --- a/anythingllm-docker/sites/s004.ccc.bot/terraform/init.sh +++ b/anythingllm-docker/sites/s004.ccc.bot/terraform/init.sh @@ -47,9 +47,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/anythingllm-docker/sites/s004.ccc.bot/terraform/itofu.sh b/anythingllm-docker/sites/s004.ccc.bot/terraform/itofu.sh old mode 100755 new mode 100644 index 2102b647..2692c2d0 --- a/anythingllm-docker/sites/s004.ccc.bot/terraform/itofu.sh +++ b/anythingllm-docker/sites/s004.ccc.bot/terraform/itofu.sh @@ -49,9 +49,7 @@ case "$1" in # from the Infisical-injected env to -backend-config. Single quotes are # intentional - these expand inside `infisical run`, not here. # shellcheck disable=SC2016 - irun bash -c 'exec tofu init -reconfigure \ - -backend-config="access_key=$TF_VAR_spaces_access_key" \ - -backend-config="secret_key=$TF_VAR_spaces_secret_key" \ + irun bash -c 'export AWS_ACCESS_KEY_ID="$TF_VAR_spaces_access_key"; export AWS_SECRET_ACCESS_KEY="$TF_VAR_spaces_secret_key"; exec tofu init -reconfigure \ -backend-config="sse_customer_key=$TF_VAR_spaces_encryption_key" "$@"' itofu "$@" ;; plan) diff --git a/anythingllm-docker/template/ansible/deploy.yml.jinja b/anythingllm-docker/template/ansible/deploy.yml.jinja index 880333b9..cfdf43eb 100644 --- a/anythingllm-docker/template/ansible/deploy.yml.jinja +++ b/anythingllm-docker/template/ansible/deploy.yml.jinja @@ -154,10 +154,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" infisical run \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ @@ -210,10 +209,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" install -d -m 0700 -o root -g root /root/.ssh infisical run --projectId={{ '{{' }} infisical_project_id {{ '}}' }} --env={{ '{{' }} infisical_env {{ '}}' }} -- bash -c ' keys="${OPS_AUTHORIZED_KEYS:-}" @@ -251,10 +249,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" infisical run \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ @@ -326,10 +323,9 @@ ansible.builtin.shell: | set -euo pipefail source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent export ANYTHINGLLM_IMAGE=$(infisical secrets get ANYTHINGLLM_IMAGE \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ @@ -399,10 +395,9 @@ ansible.builtin.shell: | set -euo pipefail source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent export ANYTHINGLLM_IMAGE=$(infisical secrets get ANYTHINGLLM_IMAGE \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ diff --git a/anythingllm-docker/template/scripts/backup.sh.jinja b/anythingllm-docker/template/scripts/backup.sh.jinja old mode 100755 new mode 100644 index cc73b6fa..5b4b1174 --- a/anythingllm-docker/template/scripts/backup.sh.jinja +++ b/anythingllm-docker/template/scripts/backup.sh.jinja @@ -166,10 +166,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/anythingllm-docker/template/scripts/entrypoint-infisical.sh.jinja b/anythingllm-docker/template/scripts/entrypoint-infisical.sh.jinja index 7706dcca..dd123031 100644 --- a/anythingllm-docker/template/scripts/entrypoint-infisical.sh.jinja +++ b/anythingllm-docker/template/scripts/entrypoint-infisical.sh.jinja @@ -36,10 +36,9 @@ fi # Step 2: Login to Infisical export INFISICAL_TOKEN -INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" if [ -z "$INFISICAL_TOKEN" ]; then echo "ERROR: Failed to authenticate with Infisical" >&2 diff --git a/anythingllm-docker/template/scripts/restore.sh.jinja b/anythingllm-docker/template/scripts/restore.sh.jinja old mode 100755 new mode 100644 index fa3eca80..eff6c1da --- a/anythingllm-docker/template/scripts/restore.sh.jinja +++ b/anythingllm-docker/template/scripts/restore.sh.jinja @@ -192,10 +192,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='{{ project_name | replace('-', '_') }}' BACKUP_NAME='$BACKUP_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/restore.sh" "$BACKUP_NAME" EOF diff --git a/anythingllm-docker/template/terraform/itofu.sh.jinja b/anythingllm-docker/template/terraform/itofu.sh.jinja old mode 100755 new mode 100644 index 82f2eb64..9358edf5 --- a/anythingllm-docker/template/terraform/itofu.sh.jinja +++ b/anythingllm-docker/template/terraform/itofu.sh.jinja @@ -53,9 +53,7 @@ case "$1" in # from the Infisical-injected env to -backend-config. Single quotes are # intentional - these expand inside `infisical run`, not here. # shellcheck disable=SC2016 - irun bash -c 'exec tofu init -reconfigure \ - -backend-config="access_key=$TF_VAR_spaces_access_key" \ - -backend-config="secret_key=$TF_VAR_spaces_secret_key" \ + irun bash -c 'export AWS_ACCESS_KEY_ID="$TF_VAR_spaces_access_key"; export AWS_SECRET_ACCESS_KEY="$TF_VAR_spaces_secret_key"; exec tofu init -reconfigure \ -backend-config="sse_customer_key=$TF_VAR_spaces_encryption_key" "$@"' itofu "$@" ;; plan) diff --git a/devbox-docker/sites/dev-weown-devbox/terraform/init.sh b/devbox-docker/sites/dev-weown-devbox/terraform/init.sh index 0e6d2ea8..26ea26d7 100644 --- a/devbox-docker/sites/dev-weown-devbox/terraform/init.sh +++ b/devbox-docker/sites/dev-weown-devbox/terraform/init.sh @@ -47,9 +47,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/devbox-docker/sites/dev-weown-devbox/terraform/itofu.sh b/devbox-docker/sites/dev-weown-devbox/terraform/itofu.sh index 69f20300..47ea3574 100644 --- a/devbox-docker/sites/dev-weown-devbox/terraform/itofu.sh +++ b/devbox-docker/sites/dev-weown-devbox/terraform/itofu.sh @@ -53,9 +53,7 @@ case "$1" in # from the Infisical-injected env to -backend-config. Single quotes are # intentional - these expand inside `infisical run`, not here. # shellcheck disable=SC2016 - irun bash -c 'exec tofu init -reconfigure \ - -backend-config="access_key=$TF_VAR_spaces_access_key" \ - -backend-config="secret_key=$TF_VAR_spaces_secret_key" \ + irun bash -c 'export AWS_ACCESS_KEY_ID="$TF_VAR_spaces_access_key"; export AWS_SECRET_ACCESS_KEY="$TF_VAR_spaces_secret_key"; exec tofu init -reconfigure \ -backend-config="sse_customer_key=$TF_VAR_spaces_encryption_key" "$@"' itofu "$@" ;; plan) diff --git a/devbox-docker/template/terraform/init.sh.jinja b/devbox-docker/template/terraform/init.sh.jinja index eba1b330..a18705b4 100644 --- a/devbox-docker/template/terraform/init.sh.jinja +++ b/devbox-docker/template/terraform/init.sh.jinja @@ -47,9 +47,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/docs/INFISICAL_OUTAGE_RUNBOOK.md b/docs/INFISICAL_OUTAGE_RUNBOOK.md index 77b21adc..fd0196d9 100644 --- a/docs/INFISICAL_OUTAGE_RUNBOOK.md +++ b/docs/INFISICAL_OUTAGE_RUNBOOK.md @@ -325,10 +325,9 @@ cd /opt//backups # Upload to Spaces (requires Infisical) source /opt//.infisical-auth.env -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" infisical run --projectId= --env=prod -- \ aws s3 cp .tar.gz \ diff --git a/keycloak-docker/sites/sso.weown.dev/ansible/deploy.yml b/keycloak-docker/sites/sso.weown.dev/ansible/deploy.yml index 87450dcc..46c06c45 100644 --- a/keycloak-docker/sites/sso.weown.dev/ansible/deploy.yml +++ b/keycloak-docker/sites/sso.weown.dev/ansible/deploy.yml @@ -121,10 +121,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent infisical run \ --projectId={{ infisical_project_id }} \ --env={{ infisical_env }} \ @@ -157,10 +156,9 @@ ansible.builtin.shell: | set -euo pipefail source {{ app_dir }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent MINIMUS_TOKEN=$(infisical secrets get MINIMUS_TOKEN \ --projectId={{ infisical_project_id }} \ --env={{ infisical_env }} \ diff --git a/keycloak-docker/sites/sso.weown.dev/scripts/entrypoint-infisical.sh b/keycloak-docker/sites/sso.weown.dev/scripts/entrypoint-infisical.sh old mode 100755 new mode 100644 index 1f02d86c..4a490b52 --- a/keycloak-docker/sites/sso.weown.dev/scripts/entrypoint-infisical.sh +++ b/keycloak-docker/sites/sso.weown.dev/scripts/entrypoint-infisical.sh @@ -36,10 +36,9 @@ fi # Step 2: Login to Infisical export INFISICAL_TOKEN -INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" if [ -z "$INFISICAL_TOKEN" ]; then echo "ERROR: Failed to authenticate with Infisical" >&2 diff --git a/keycloak-docker/sites/sso.weown.dev/terraform/init.sh b/keycloak-docker/sites/sso.weown.dev/terraform/init.sh old mode 100755 new mode 100644 index 6925bca8..c487c098 --- a/keycloak-docker/sites/sso.weown.dev/terraform/init.sh +++ b/keycloak-docker/sites/sso.weown.dev/terraform/init.sh @@ -46,9 +46,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/keycloak-docker/template/ansible/deploy.yml.jinja b/keycloak-docker/template/ansible/deploy.yml.jinja index e3266a4e..557fa6f7 100644 --- a/keycloak-docker/template/ansible/deploy.yml.jinja +++ b/keycloak-docker/template/ansible/deploy.yml.jinja @@ -121,10 +121,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent infisical run \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ @@ -157,10 +156,9 @@ ansible.builtin.shell: | set -euo pipefail source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent MINIMUS_TOKEN=$(infisical secrets get MINIMUS_TOKEN \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ diff --git a/keycloak-docker/template/scripts/backup.sh.jinja b/keycloak-docker/template/scripts/backup.sh.jinja index ebc75a1e..ea609b1e 100644 --- a/keycloak-docker/template/scripts/backup.sh.jinja +++ b/keycloak-docker/template/scripts/backup.sh.jinja @@ -175,10 +175,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +infisical login --method=universal-auth --silent exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/keycloak-docker/template/scripts/entrypoint-infisical.sh.jinja b/keycloak-docker/template/scripts/entrypoint-infisical.sh.jinja index 7706dcca..dd123031 100644 --- a/keycloak-docker/template/scripts/entrypoint-infisical.sh.jinja +++ b/keycloak-docker/template/scripts/entrypoint-infisical.sh.jinja @@ -36,10 +36,9 @@ fi # Step 2: Login to Infisical export INFISICAL_TOKEN -INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" if [ -z "$INFISICAL_TOKEN" ]; then echo "ERROR: Failed to authenticate with Infisical" >&2 diff --git a/keycloak-docker/template/scripts/restore.sh.jinja b/keycloak-docker/template/scripts/restore.sh.jinja index bc753e25..cf4cd557 100644 --- a/keycloak-docker/template/scripts/restore.sh.jinja +++ b/keycloak-docker/template/scripts/restore.sh.jinja @@ -168,7 +168,7 @@ SCRIPT echo "==> Running restore on remote: ${host}" # For remote execution, we SSH and then run infisical run on the host # because the backup script must have DB_PASSWORD available - ssh "$host" "source /opt/$PROJECT_NAME/.infisical-auth.env && export INFISICAL_TOKEN=\"\$(infisical login --method=universal-auth --client-id=\"\$INFISICAL_CLIENT_ID\" --client-secret=\"\$INFISICAL_CLIENT_SECRET\" --plain --silent)\" && infisical run --projectId=\$INFISICAL_PROJECT_ID --env=\$INFISICAL_ENV -- bash -c '$RESTORE_CMDS'" + ssh "$host" "source /opt/$PROJECT_NAME/.infisical-auth.env && export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID=\"\$INFISICAL_CLIENT_ID\" && export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET=\"\$INFISICAL_CLIENT_SECRET\" && export INFISICAL_TOKEN=\"\$(infisical login --method=universal-auth --plain --silent)\" && infisical run --projectId=\$INFISICAL_PROJECT_ID --env=\$INFISICAL_ENV -- bash -c '$RESTORE_CMDS'" else echo "==> Running restore locally" eval "$RESTORE_CMDS" diff --git a/keycloak-docker/template/terraform/init.sh.jinja b/keycloak-docker/template/terraform/init.sh.jinja index 0a457487..c66a5b99 100644 --- a/keycloak-docker/template/terraform/init.sh.jinja +++ b/keycloak-docker/template/terraform/init.sh.jinja @@ -46,9 +46,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/openclaw-docker/sites/claw-weown-dev/ansible/deploy.yml b/openclaw-docker/sites/claw-weown-dev/ansible/deploy.yml index 505192c5..2dff4ed8 100644 --- a/openclaw-docker/sites/claw-weown-dev/ansible/deploy.yml +++ b/openclaw-docker/sites/claw-weown-dev/ansible/deploy.yml @@ -160,10 +160,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" infisical run \ --projectId={{ infisical_project_id }} \ --env={{ infisical_env }} \ @@ -200,10 +199,9 @@ source {{ app_dir }}/.infisical-auth.env # --plain captures the token without storing a CLI session (a headless # `infisical login` without --plain prompts for a vault backend → hangs). - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" # MINIMUS_TOKEN is org-wide → lives in the /Shared folder, not the root. MINIMUS_TOKEN=$(infisical secrets get MINIMUS_TOKEN \ --projectId={{ infisical_project_id }} \ @@ -247,10 +245,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" install -d -m 0700 -o root -g root /root/.ssh infisical run --projectId={{ infisical_project_id }} --env={{ infisical_env }} --path=/Shared --path=/claw-weown-dev -- bash -c ' keys="${OPS_AUTHORIZED_KEYS:-}" diff --git a/openclaw-docker/sites/claw-weown-dev/scripts/backup.sh b/openclaw-docker/sites/claw-weown-dev/scripts/backup.sh index 5cdffc0e..5b6ab19f 100644 --- a/openclaw-docker/sites/claw-weown-dev/scripts/backup.sh +++ b/openclaw-docker/sites/claw-weown-dev/scripts/backup.sh @@ -201,10 +201,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/openclaw-docker/sites/claw-weown-dev/scripts/restore.sh b/openclaw-docker/sites/claw-weown-dev/scripts/restore.sh index 1e70d4b7..4e88d31d 100644 --- a/openclaw-docker/sites/claw-weown-dev/scripts/restore.sh +++ b/openclaw-docker/sites/claw-weown-dev/scripts/restore.sh @@ -224,10 +224,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='claw_weown_dev' BACKUP_NAME='$BACKUP_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/restore.sh" "$BACKUP_NAME" EOF diff --git a/openclaw-docker/sites/claw-weown-dev/terraform/init.sh b/openclaw-docker/sites/claw-weown-dev/terraform/init.sh index 98cfe35c..390b0a14 100644 --- a/openclaw-docker/sites/claw-weown-dev/terraform/init.sh +++ b/openclaw-docker/sites/claw-weown-dev/terraform/init.sh @@ -45,9 +45,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/openclaw-docker/sites/claw-weown-dev/terraform/itofu.sh b/openclaw-docker/sites/claw-weown-dev/terraform/itofu.sh old mode 100755 new mode 100644 index 220ca62a..40cc0f26 --- a/openclaw-docker/sites/claw-weown-dev/terraform/itofu.sh +++ b/openclaw-docker/sites/claw-weown-dev/terraform/itofu.sh @@ -52,9 +52,7 @@ case "$1" in # from the Infisical-injected env to -backend-config. Single quotes are # intentional - these expand inside `infisical run`, not here. # shellcheck disable=SC2016 - irun bash -c 'exec tofu init -reconfigure \ - -backend-config="access_key=$TF_VAR_spaces_access_key" \ - -backend-config="secret_key=$TF_VAR_spaces_secret_key" \ + irun bash -c 'export AWS_ACCESS_KEY_ID="$TF_VAR_spaces_access_key"; export AWS_SECRET_ACCESS_KEY="$TF_VAR_spaces_secret_key"; exec tofu init -reconfigure \ -backend-config="sse_customer_key=$TF_VAR_spaces_encryption_key" "$@"' itofu "$@" ;; plan) diff --git a/openclaw-docker/sites/claw-weown-tools/ansible/deploy.yml b/openclaw-docker/sites/claw-weown-tools/ansible/deploy.yml index 56767c8f..71a287d2 100644 --- a/openclaw-docker/sites/claw-weown-tools/ansible/deploy.yml +++ b/openclaw-docker/sites/claw-weown-tools/ansible/deploy.yml @@ -112,10 +112,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" infisical run \ --projectId={{ infisical_project_id }} \ --env={{ infisical_env }} \ @@ -168,10 +167,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" install -d -m 0700 -o root -g root /root/.ssh infisical run --projectId={{ infisical_project_id }} --env={{ infisical_env }} -- bash -c ' keys="${OPS_AUTHORIZED_KEYS:-}" @@ -230,10 +228,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" cd {{ app_dir }} infisical run \ --projectId={{ infisical_project_id }} \ @@ -293,10 +290,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ app_dir }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" cd {{ app_dir }} infisical run \ --projectId={{ infisical_project_id }} \ diff --git a/openclaw-docker/sites/claw-weown-tools/scripts/backup.sh b/openclaw-docker/sites/claw-weown-tools/scripts/backup.sh index 2d24fee1..5c557932 100644 --- a/openclaw-docker/sites/claw-weown-tools/scripts/backup.sh +++ b/openclaw-docker/sites/claw-weown-tools/scripts/backup.sh @@ -156,10 +156,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/openclaw-docker/sites/claw-weown-tools/scripts/restore.sh b/openclaw-docker/sites/claw-weown-tools/scripts/restore.sh index 0f4cd8aa..f790f74d 100644 --- a/openclaw-docker/sites/claw-weown-tools/scripts/restore.sh +++ b/openclaw-docker/sites/claw-weown-tools/scripts/restore.sh @@ -185,10 +185,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='claw_weown_tools' BACKUP_NAME='$BACKUP_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/restore.sh" "$BACKUP_NAME" EOF diff --git a/openclaw-docker/sites/claw-weown-tools/terraform/init.sh b/openclaw-docker/sites/claw-weown-tools/terraform/init.sh index 6dad83d8..bec976d4 100644 --- a/openclaw-docker/sites/claw-weown-tools/terraform/init.sh +++ b/openclaw-docker/sites/claw-weown-tools/terraform/init.sh @@ -46,9 +46,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/openclaw-docker/template/ansible/deploy.yml.jinja b/openclaw-docker/template/ansible/deploy.yml.jinja index cee5049e..f4e97e19 100644 --- a/openclaw-docker/template/ansible/deploy.yml.jinja +++ b/openclaw-docker/template/ansible/deploy.yml.jinja @@ -160,10 +160,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" infisical run \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ @@ -200,10 +199,9 @@ source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env # --plain captures the token without storing a CLI session (a headless # `infisical login` without --plain prompts for a vault backend → hangs). - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" # MINIMUS_TOKEN is org-wide → lives in the /Shared folder, not the root. MINIMUS_TOKEN=$(infisical secrets get MINIMUS_TOKEN \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ @@ -247,10 +245,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" install -d -m 0700 -o root -g root /root/.ssh infisical run --projectId={{ '{{' }} infisical_project_id {{ '}}' }} --env={{ '{{' }} infisical_env {{ '}}' }} --path=/Shared --path=/{{ project_name }} -- bash -c ' keys="${OPS_AUTHORIZED_KEYS:-}" diff --git a/openclaw-docker/template/scripts/backup.sh.jinja b/openclaw-docker/template/scripts/backup.sh.jinja index 3e80d622..5ec83782 100644 --- a/openclaw-docker/template/scripts/backup.sh.jinja +++ b/openclaw-docker/template/scripts/backup.sh.jinja @@ -201,10 +201,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/openclaw-docker/template/scripts/restore.sh.jinja b/openclaw-docker/template/scripts/restore.sh.jinja index 069eb25a..18202a42 100644 --- a/openclaw-docker/template/scripts/restore.sh.jinja +++ b/openclaw-docker/template/scripts/restore.sh.jinja @@ -224,10 +224,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='{{ project_name | replace('-', '_') }}' BACKUP_NAME='$BACKUP_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/restore.sh" "$BACKUP_NAME" EOF diff --git a/openclaw-docker/template/terraform/init.sh.jinja b/openclaw-docker/template/terraform/init.sh.jinja index 49eb1b75..a622f1ef 100644 --- a/openclaw-docker/template/terraform/init.sh.jinja +++ b/openclaw-docker/template/terraform/init.sh.jinja @@ -45,9 +45,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/openclaw-docker/template/terraform/itofu.sh.jinja b/openclaw-docker/template/terraform/itofu.sh.jinja old mode 100755 new mode 100644 index 8cbe01e5..aef0df1e --- a/openclaw-docker/template/terraform/itofu.sh.jinja +++ b/openclaw-docker/template/terraform/itofu.sh.jinja @@ -52,9 +52,7 @@ case "$1" in # from the Infisical-injected env to -backend-config. Single quotes are # intentional - these expand inside `infisical run`, not here. # shellcheck disable=SC2016 - irun bash -c 'exec tofu init -reconfigure \ - -backend-config="access_key=$TF_VAR_spaces_access_key" \ - -backend-config="secret_key=$TF_VAR_spaces_secret_key" \ + irun bash -c 'export AWS_ACCESS_KEY_ID="$TF_VAR_spaces_access_key"; export AWS_SECRET_ACCESS_KEY="$TF_VAR_spaces_secret_key"; exec tofu init -reconfigure \ -backend-config="sse_customer_key=$TF_VAR_spaces_encryption_key" "$@"' itofu "$@" ;; plan) diff --git a/otel-agent/README.md b/otel-agent/README.md index e655ac2e..13e10f7e 100644 --- a/otel-agent/README.md +++ b/otel-agent/README.md @@ -268,9 +268,9 @@ curl -sf http://127.0.0.1:13133/health && echo OK ```bash cd set -a; source .infisical-auth.env; set +a - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" --silent --plain + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent --plain HOSTNAME=$(hostname) infisical run \ --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV_SLUG" \ -- docker compose up -d --force-recreate diff --git a/otel-agent/deploy.yml b/otel-agent/deploy.yml index b486e88e..bc2a2474 100644 --- a/otel-agent/deploy.yml +++ b/otel-agent/deploy.yml @@ -157,10 +157,9 @@ set +a export INFISICAL_TOKEN - INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent --plain)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + INFISICAL_TOKEN="$(infisical login --method=universal-auth --silent --plain)" cd "{{ otel_agent_dir }}" HOSTNAME=$(hostname) \ @@ -209,10 +208,9 @@ set +a export INFISICAL_TOKEN - INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent --plain)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + INFISICAL_TOKEN="$(infisical login --method=universal-auth --silent --plain)" cd "{{ otel_agent_dir }}" HOSTNAME=$(hostname) \ diff --git a/owncloud-docker/template/README.md.jinja b/owncloud-docker/template/README.md.jinja index bdea33af..58a16dc1 100644 --- a/owncloud-docker/template/README.md.jinja +++ b/owncloud-docker/template/README.md.jinja @@ -186,7 +186,8 @@ fi 1. **Verify Infisical connectivity:** ```bash - infisical login --method=universal-auth --client-id= --client-secret= + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID= INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET= + infisical login --method=universal-auth ``` 2. **Rotate bootstrap secret (if outage was prolonged):** diff --git a/owncloud-docker/template/ansible/deploy.yml.jinja b/owncloud-docker/template/ansible/deploy.yml.jinja index 39b156f4..a923d461 100644 --- a/owncloud-docker/template/ansible/deploy.yml.jinja +++ b/owncloud-docker/template/ansible/deploy.yml.jinja @@ -120,10 +120,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent infisical run \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ @@ -156,10 +155,9 @@ ansible.builtin.shell: | set -euo pipefail source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent MINIMUS_TOKEN=$(infisical secrets get MINIMUS_TOKEN \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ diff --git a/owncloud-docker/template/scripts/backup.sh.jinja b/owncloud-docker/template/scripts/backup.sh.jinja index d30e8be6..d7469d5f 100644 --- a/owncloud-docker/template/scripts/backup.sh.jinja +++ b/owncloud-docker/template/scripts/backup.sh.jinja @@ -180,10 +180,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +infisical login --method=universal-auth --silent exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/owncloud-docker/template/scripts/entrypoint-infisical.sh.jinja b/owncloud-docker/template/scripts/entrypoint-infisical.sh.jinja index 399866ac..4f9cc9d0 100644 --- a/owncloud-docker/template/scripts/entrypoint-infisical.sh.jinja +++ b/owncloud-docker/template/scripts/entrypoint-infisical.sh.jinja @@ -41,10 +41,9 @@ max_attempts=3 delay=5 while [ "$attempt" -le "$max_attempts" ]; do - if INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)"; then + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + if INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)"; then break fi diff --git a/owncloud-docker/template/scripts/restore.sh.jinja b/owncloud-docker/template/scripts/restore.sh.jinja index f65e02c3..4f6b2c79 100644 --- a/owncloud-docker/template/scripts/restore.sh.jinja +++ b/owncloud-docker/template/scripts/restore.sh.jinja @@ -180,7 +180,9 @@ SCRIPT # Use heredoc to pass RESTORE_CMDS to avoid quoting issues with single quotes ssh "$host" bash -s < Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/sandbox-docker/template/ansible/deploy.yml.jinja b/sandbox-docker/template/ansible/deploy.yml.jinja index f61eab86..39134b72 100644 --- a/sandbox-docker/template/ansible/deploy.yml.jinja +++ b/sandbox-docker/template/ansible/deploy.yml.jinja @@ -134,10 +134,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" infisical run \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ @@ -170,10 +169,9 @@ ansible.builtin.shell: | set -euo pipefail source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent MINIMUS_TOKEN=$(infisical secrets get MINIMUS_TOKEN \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ diff --git a/sandbox-docker/template/scripts/backup.sh.jinja b/sandbox-docker/template/scripts/backup.sh.jinja index 56a823ff..d89126b8 100644 --- a/sandbox-docker/template/scripts/backup.sh.jinja +++ b/sandbox-docker/template/scripts/backup.sh.jinja @@ -159,10 +159,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/sandbox-docker/template/scripts/entrypoint-infisical.sh.jinja b/sandbox-docker/template/scripts/entrypoint-infisical.sh.jinja index 7706dcca..dd123031 100644 --- a/sandbox-docker/template/scripts/entrypoint-infisical.sh.jinja +++ b/sandbox-docker/template/scripts/entrypoint-infisical.sh.jinja @@ -36,10 +36,9 @@ fi # Step 2: Login to Infisical export INFISICAL_TOKEN -INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" if [ -z "$INFISICAL_TOKEN" ]; then echo "ERROR: Failed to authenticate with Infisical" >&2 diff --git a/sandbox-docker/template/scripts/restore.sh.jinja b/sandbox-docker/template/scripts/restore.sh.jinja index f801d462..0faaf71c 100644 --- a/sandbox-docker/template/scripts/restore.sh.jinja +++ b/sandbox-docker/template/scripts/restore.sh.jinja @@ -196,10 +196,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='{{ project_name | replace('-', '_') }}' BACKUP_NAME='$BACKUP_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -export INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +export INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/restore.sh" "$BACKUP_NAME" EOF diff --git a/sandbox-docker/template/terraform/init.sh.jinja b/sandbox-docker/template/terraform/init.sh.jinja index 0a457487..c66a5b99 100644 --- a/sandbox-docker/template/terraform/init.sh.jinja +++ b/sandbox-docker/template/terraform/init.sh.jinja @@ -46,9 +46,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/scripts/bootstrap-otel-agent.sh b/scripts/bootstrap-otel-agent.sh old mode 100755 new mode 100644 index 8810995c..9debf23b --- a/scripts/bootstrap-otel-agent.sh +++ b/scripts/bootstrap-otel-agent.sh @@ -245,10 +245,9 @@ trap - EXIT # Sanity check — login AND verify we can read OTEL_URL/OTEL_KEY from this project/env. # login alone is not enough: `infisical run` needs INFISICAL_TOKEN (see Infisical docs). export INFISICAL_TOKEN -INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="${INFISICAL_OTEL_CLIENT_ID}" \ - --client-secret="${INFISICAL_OTEL_CLIENT_SECRET}" \ - --silent --plain)" || { +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="${INFISICAL_OTEL_CLIENT_ID}" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="${INFISICAL_OTEL_CLIENT_SECRET}" +INFISICAL_TOKEN="$(infisical login --method=universal-auth --silent --plain)" || { echo " ERROR: Infisical login failed with provided Machine Identity credentials" exit 1 } diff --git a/scripts/deploy-otel-fleet.sh b/scripts/deploy-otel-fleet.sh old mode 100755 new mode 100644 index 9c154cb8..65b05337 --- a/scripts/deploy-otel-fleet.sh +++ b/scripts/deploy-otel-fleet.sh @@ -192,10 +192,9 @@ EFFECTIVE_ENV="${ENV_SLUG_OVERRIDE:-${INFISICAL_ENV_SLUG:-dev}}" # `infisical run`. Discarding login stdout (>/dev/null) leaves no session for # run to use — see https://infisical.com/docs/cli/commands/run#infisical_token export INFISICAL_TOKEN -INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent --plain)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +INFISICAL_TOKEN="$(infisical login --method=universal-auth --silent --plain)" cd "$OTEL_AGENT_DIR" diff --git a/searxng-docker/template/ansible/deploy.yml.jinja b/searxng-docker/template/ansible/deploy.yml.jinja index 6e5cab96..d8b4e174 100644 --- a/searxng-docker/template/ansible/deploy.yml.jinja +++ b/searxng-docker/template/ansible/deploy.yml.jinja @@ -134,10 +134,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent infisical run \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ @@ -170,10 +169,9 @@ ansible.builtin.shell: | set -euo pipefail source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent MINIMUS_TOKEN=$(infisical secrets get MINIMUS_TOKEN \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ diff --git a/searxng-docker/template/scripts/backup.sh.jinja b/searxng-docker/template/scripts/backup.sh.jinja index f03d9a9a..579b1f53 100644 --- a/searxng-docker/template/scripts/backup.sh.jinja +++ b/searxng-docker/template/scripts/backup.sh.jinja @@ -174,10 +174,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +infisical login --method=universal-auth --silent exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/searxng-docker/template/scripts/entrypoint-infisical.sh.jinja b/searxng-docker/template/scripts/entrypoint-infisical.sh.jinja index 7706dcca..dd123031 100644 --- a/searxng-docker/template/scripts/entrypoint-infisical.sh.jinja +++ b/searxng-docker/template/scripts/entrypoint-infisical.sh.jinja @@ -36,10 +36,9 @@ fi # Step 2: Login to Infisical export INFISICAL_TOKEN -INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" if [ -z "$INFISICAL_TOKEN" ]; then echo "ERROR: Failed to authenticate with Infisical" >&2 diff --git a/searxng-docker/template/scripts/restore.sh.jinja b/searxng-docker/template/scripts/restore.sh.jinja index cee38e94..ecfd166d 100644 --- a/searxng-docker/template/scripts/restore.sh.jinja +++ b/searxng-docker/template/scripts/restore.sh.jinja @@ -156,7 +156,7 @@ SCRIPT if [[ -n "$host" ]]; then echo "==> Running restore on remote: ${host}" - ssh "$host" "source /opt/$PROJECT_NAME/.infisical-auth.env && export INFISICAL_TOKEN=\"\$(infisical login --method=universal-auth --client-id=\"\$INFISICAL_CLIENT_ID\" --client-secret=\"\$INFISICAL_CLIENT_SECRET\" --plain --silent)\" && infisical run --projectId=\$INFISICAL_PROJECT_ID --env=\$INFISICAL_ENV -- bash -c '$RESTORE_CMDS'" + ssh "$host" "source /opt/$PROJECT_NAME/.infisical-auth.env && export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID=\"\$INFISICAL_CLIENT_ID\" && export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET=\"\$INFISICAL_CLIENT_SECRET\" && export INFISICAL_TOKEN=\"\$(infisical login --method=universal-auth --plain --silent)\" && infisical run --projectId=\$INFISICAL_PROJECT_ID --env=\$INFISICAL_ENV -- bash -c '$RESTORE_CMDS'" else echo "==> Running restore locally" eval "$RESTORE_CMDS" diff --git a/searxng-docker/template/terraform/init.sh.jinja b/searxng-docker/template/terraform/init.sh.jinja index 10d97a20..45525043 100644 --- a/searxng-docker/template/terraform/init.sh.jinja +++ b/searxng-docker/template/terraform/init.sh.jinja @@ -43,9 +43,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/signoz-docker/template/ansible/deploy.yml.jinja b/signoz-docker/template/ansible/deploy.yml.jinja index 968ba31a..a79cef4f 100644 --- a/signoz-docker/template/ansible/deploy.yml.jinja +++ b/signoz-docker/template/ansible/deploy.yml.jinja @@ -132,10 +132,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent infisical run \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ @@ -168,10 +167,9 @@ ansible.builtin.shell: | set -euo pipefail source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent MINIMUS_TOKEN=$(infisical secrets get MINIMUS_TOKEN \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ diff --git a/signoz-docker/template/scripts/backup.sh.jinja b/signoz-docker/template/scripts/backup.sh.jinja index 94d7fa5d..226f211f 100644 --- a/signoz-docker/template/scripts/backup.sh.jinja +++ b/signoz-docker/template/scripts/backup.sh.jinja @@ -167,10 +167,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +infisical login --method=universal-auth --silent exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/signoz-docker/template/scripts/entrypoint-infisical.sh.jinja b/signoz-docker/template/scripts/entrypoint-infisical.sh.jinja index 7706dcca..dd123031 100644 --- a/signoz-docker/template/scripts/entrypoint-infisical.sh.jinja +++ b/signoz-docker/template/scripts/entrypoint-infisical.sh.jinja @@ -36,10 +36,9 @@ fi # Step 2: Login to Infisical export INFISICAL_TOKEN -INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" if [ -z "$INFISICAL_TOKEN" ]; then echo "ERROR: Failed to authenticate with Infisical" >&2 diff --git a/signoz-docker/template/terraform/init.sh.jinja b/signoz-docker/template/terraform/init.sh.jinja index 10d97a20..45525043 100644 --- a/signoz-docker/template/terraform/init.sh.jinja +++ b/signoz-docker/template/terraform/init.sh.jinja @@ -43,9 +43,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo "" diff --git a/wordpress-docker/docs/INFISICAL_INTEGRATION.md b/wordpress-docker/docs/INFISICAL_INTEGRATION.md index 19c2422f..9434d299 100644 --- a/wordpress-docker/docs/INFISICAL_INTEGRATION.md +++ b/wordpress-docker/docs/INFISICAL_INTEGRATION.md @@ -59,9 +59,9 @@ Infisical provides centralized secrets management, allowing you to: 5. Generate a token using the CLI: ```bash -infisical login --method=universal-auth \ - --client-id= \ - --client-secret= +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID= +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET= +infisical login --method=universal-auth ``` ### 3. Configure Terraform diff --git a/wordpress-docker/template/ansible/deploy.yml.jinja b/wordpress-docker/template/ansible/deploy.yml.jinja index d0719e0e..802a705c 100644 --- a/wordpress-docker/template/ansible/deploy.yml.jinja +++ b/wordpress-docker/template/ansible/deploy.yml.jinja @@ -146,10 +146,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent infisical run \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ --env={{ '{{' }} infisical_env {{ '}}' }} \ @@ -185,10 +184,9 @@ set -euo pipefail # shellcheck disable=SC1091 source {{ '{{' }} app_dir {{ '}}' }}/.infisical-auth.env - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent # Fetch MINIMUS_TOKEN if it exists (optional) MINIMUS_TOKEN=$(infisical secrets get MINIMUS_TOKEN \ --projectId={{ '{{' }} infisical_project_id {{ '}}' }} \ @@ -232,10 +230,9 @@ echo "Core plugin bundle already present, skipping download" exit 0 fi - infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" + infisical login --method=universal-auth --silent BUNDLE_PROJECT_ID="{{ core_plugin_bundle_infisical_project_id }}" SPACES_KEY=$(infisical secrets get BACKUP_SPACES_KEY --projectId="$BUNDLE_PROJECT_ID" --env=prod --plain) SPACES_SECRET=$(infisical secrets get BACKUP_SPACES_SECRET --projectId="$BUNDLE_PROJECT_ID" --env=prod --plain) diff --git a/wordpress-docker/template/scripts/backup.sh.jinja b/wordpress-docker/template/scripts/backup.sh.jinja index 79649a70..d4186818 100644 --- a/wordpress-docker/template/scripts/backup.sh.jinja +++ b/wordpress-docker/template/scripts/backup.sh.jinja @@ -198,10 +198,9 @@ SCRIPT "INFISICAL_PROJECT_ID='$INFISICAL_PROJECT_ID' INFISICAL_ENV='$INFISICAL_ENV' PROJECT_NAME='$PROJECT_NAME' bash -s" <<'EOF' set -euo pipefail source "/opt/$PROJECT_NAME/.infisical-auth.env" -infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --silent +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +infisical login --method=universal-auth --silent exec infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$INFISICAL_ENV" \ -- "/opt/$PROJECT_NAME/backup.sh" EOF diff --git a/wordpress-docker/template/scripts/entrypoint-infisical.sh.jinja b/wordpress-docker/template/scripts/entrypoint-infisical.sh.jinja index 7706dcca..dd123031 100644 --- a/wordpress-docker/template/scripts/entrypoint-infisical.sh.jinja +++ b/wordpress-docker/template/scripts/entrypoint-infisical.sh.jinja @@ -36,10 +36,9 @@ fi # Step 2: Login to Infisical export INFISICAL_TOKEN -INFISICAL_TOKEN="$(infisical login --method=universal-auth \ - --client-id="$INFISICAL_CLIENT_ID" \ - --client-secret="$INFISICAL_CLIENT_SECRET" \ - --plain --silent)" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="$INFISICAL_CLIENT_ID" +export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="$INFISICAL_CLIENT_SECRET" +INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)" if [ -z "$INFISICAL_TOKEN" ]; then echo "ERROR: Failed to authenticate with Infisical" >&2 diff --git a/wordpress-docker/template/terraform/init.sh.jinja b/wordpress-docker/template/terraform/init.sh.jinja index 0a457487..c66a5b99 100644 --- a/wordpress-docker/template/terraform/init.sh.jinja +++ b/wordpress-docker/template/terraform/init.sh.jinja @@ -46,9 +46,9 @@ if [[ -z "$SPACES_ACCESS_KEY" ]] || [[ -z "$SPACES_SECRET_KEY" ]] || [[ -z "$SPA fi echo "==> Initializing OpenTofu with DO Spaces backend..." +export AWS_ACCESS_KEY_ID="${SPACES_ACCESS_KEY}" +export AWS_SECRET_ACCESS_KEY="${SPACES_SECRET_KEY}" tofu init \ - -backend-config="access_key=${SPACES_ACCESS_KEY}" \ - -backend-config="secret_key=${SPACES_SECRET_KEY}" \ -backend-config="sse_customer_key=${SPACES_ENCRYPTION_KEY}" echo ""