diff --git a/bin/start_console_production b/bin/start_console_production
index 7ba895a6..82f3876d 100755
--- a/bin/start_console_production
+++ b/bin/start_console_production
@@ -28,7 +28,7 @@ fetch_db_credentials() { echo "ERROR: DB_SECRETS_NAME environment variable is not set" exit 1 fi - + # Fetch the secret echo "Retrieving secret: $DB_SECRETS_NAME" SECRET_JSON=$(aws secretsmanager get-secret-value \
@@ -36,12 +36,12 @@ fetch_db_credentials() { --secret-id "$DB_SECRETS_NAME" \ --query SecretString \ --output text) - + if [ $? -ne 0 ]; then echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" exit 1 fi - + # Parse JSON and export environment variables export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username') export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password')
@@ -52,10 +52,10 @@ fetch_db_credentials() { echo "Expected JSON format: {\"username\": \"...\", \"password\": \"...\"}" exit 1 fi - + # Write credentials to .env.production file echo "Writing database credentials to .env.production..." - + # Remove existing DB_USERNAME and DB_PASSWORD lines if they exist if [ -f "./.env.production" ]; then echo "Removing existing DB_USERNAME and DB_PASSWORD from .env.production"
@@ -63,7 +63,7 @@ fetch_db_credentials() { grep -v "^DB_PASSWORD=" ./.env.production.tmp > ./.env.production || true rm -f ./.env.production.tmp fi - + # Append the new credentials echo "DB_USERNAME=$DB_USERNAME" >> ./.env.production echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.production
@@ -146,7 +146,7 @@ fetch_env_variables() { echo "ERROR: CP_VARIABLES_NAME environment variable is not set" exit 1 fi - + # Fetch the secret echo "Retrieving secret: $CP_VARIABLES_NAME" SECRET_JSON=$(aws secretsmanager get-secret-value \
@@ -154,7 +154,7 @@ fetch_env_variables() { --secret-id "$CP_VARIABLES_NAME" \ --query SecretString \ --output text) - + if [ $? -ne 0 ]; then echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" exit 1
@@ -168,6 +168,7 @@ fetch_env_variables() { export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key') export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name') export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode') + export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty') # Validate that we got the values
@@ -176,7 +177,13 @@ fetch_env_variables() { echo "Expected JSON format: {\"key\": \"...\", ...}" exit 1 fi - + + # Warn if encryption secret is missing (important for ActiveRecord encryption) + if [ -z "$ENCRYPTION_SECRET" ]; then + echo "WARNING: ENCRYPTION_SECRET not found in secrets" + echo "WARNING: ActiveRecord encryption may not work correctly" + fi + # Write variables to .env.production file echo "Writing environment variables to .env.production..."
@@ -191,9 +198,10 @@ fetch_env_variables() { grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.production.tmp > ./.env.production || true grep -v "^NEWRELIC_APP_NAME=" ./.env.production.tmp > ./.env.production || true grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.production.tmp > ./.env.production || true + grep -v "^ENCRYPTION_SECRET=" ./.env.production.tmp > ./.env.production || true rm -f ./.env.production.tmp fi - + # Append the new credentials echo "DB_HOST=$DB_HOST" >> ./.env.production echo "REDIS_URL=$REDIS_URL" >> ./.env.production
@@ -204,6 +212,12 @@ fetch_env_variables() { echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.production echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.production + # Add encryption secret if it exists + if [ -n "$ENCRYPTION_SECRET" ]; then + echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.production + echo "✓ ENCRYPTION_SECRET written to .env.production" + fi + echo "✓ Environment variables successfully retrieved and written to .env.production" }
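Review bot: The new `export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty')` line looks up an upper-case key while every other field of this secret is read in lower snake_case (`newrelic_license_key`, `newrelic_monitor_mode`), and jq is case-sensitive, so a value stored as `encryption_secret` silently yields an empty string and only the later warning fires. If the upper-case name is intentional, record it next to the line, e.g. `# NOTE: this key is stored upper-case in the secret, unlike the others`; otherwise accept either spelling with `jq -r '.ENCRYPTION_SECRET // .encryption_secret // empty'`. The `export VAR=$(...)` form also hides jq's exit status (the existing lines do the same), so a JSON parse failure is indistinguishable from an absent key. The same line is added in bin/start_console_staging, bin/start_production and bin/start_staging below; fetch_env_variables starts outside the hunk.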
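Review bot: The added warning block only prints to stdout and carries on when `ENCRYPTION_SECRET` is empty, whereas the validation block immediately above this hunk exits 1 when the other required keys are missing. If the application genuinely needs this value in production, treat it the same way (`echo "ERROR: ENCRYPTION_SECRET not found in secrets" >&2; exit 1`) so the container fails at startup rather than booting with encryption misconfigured; if it is optional, at least route the warning to stderr with `>&2` so it is not lost among the progress messages. I cannot tell from the script which of the two applies, so a one-line comment stating why the value is allowed to be missing would help the next reader. The same block is added in bin/start_console_staging, bin/start_production and bin/start_staging below.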
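Review bot: The added `grep -v "^ENCRYPTION_SECRET=" ./.env.production.tmp > ./.env.production || true` reads the unfiltered `.tmp` copy and overwrites `.env.production`, exactly as the three preceding `grep -v` lines do, so only the last filter in the chain takes effect: after this commit the earlier keys (including `NEWRELIC_MONITOR_MODE`, which was the last one before) are no longer stripped and get appended again on every start. Replace the chain with a single filter over all keys, `grep -v -E "^(DB_HOST|REDIS_URL|…|NEWRELIC_MONITOR_MODE|ENCRYPTION_SECRET)=" ./.env.production.tmp > ./.env.production || true`, listing every key the function writes (the start of the chain is outside the hunk). The same chain is extended in bin/start_console_staging, bin/start_production and bin/start_staging below.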
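Review bot: `echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.production` appends a secret to a file whose mode is whatever the process umask leaves, so a freshly created `.env.production` may be group- or world-readable; add `chmod 600 ./.env.production` (or `umask 077` before the writes) at the point the file is first written. The value is also written unquoted, so a secret containing `#`, `$`, quotes or whitespace may be truncated or altered by whatever dotenv loader reads this file — that loader is not visible here, so this needs confirming. Prefer `printf 'ENCRYPTION_SECRET=%s\n' "$ENCRYPTION_SECRET" >> ./.env.production` over `echo` so a value beginning with `-` is not taken as an option. The same lines are added in bin/start_console_staging, bin/start_production and bin/start_staging below.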
@@ -236,13 +250,13 @@ main() { set_environment check_aws_setup - + echo "Starting CP Docuseal in production mode..." echo "Rails Environment: ${RAILS_ENV:-production}" # Fetch database credentials from Secrets Manager fetch_db_credentials - + # Fetch encryption key and write to config/master.key fetch_encryption_key
@@ -254,7 +268,7 @@ main() { # Load updated environment variables set_environment - + # Setup and migrate database setup_database
@@ -275,4 +289,4 @@ main() { } # Execute main function with all arguments -main "$@" +main "$@"
diff --git a/bin/start_console_staging b/bin/start_console_staging
index 0991d160..d7bdca8e 100755
--- a/bin/start_console_staging
+++ b/bin/start_console_staging
@@ -28,7 +28,7 @@ fetch_db_credentials() { echo "ERROR: DB_SECRETS_NAME environment variable is not set" exit 1 fi - + # Fetch the secret echo "Retrieving secret: $DB_SECRETS_NAME" SECRET_JSON=$(aws secretsmanager get-secret-value \
@@ -36,12 +36,12 @@ fetch_db_credentials() { --secret-id "$DB_SECRETS_NAME" \ --query SecretString \ --output text) - + if [ $? -ne 0 ]; then echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" exit 1 fi - + # Parse JSON and export environment variables export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username') export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password')
@@ -52,10 +52,10 @@ fetch_db_credentials() { echo "Expected JSON format: {\"username\": \"...\", \"password\": \"...\"}" exit 1 fi - + # Write credentials to .env.staging file echo "Writing database credentials to .env.staging..." - + # Remove existing DB_USERNAME and DB_PASSWORD lines if they exist if [ -f "./.env.staging" ]; then echo "Removing existing DB_USERNAME and DB_PASSWORD from .env.staging"
@@ -63,7 +63,7 @@ fetch_db_credentials() { grep -v "^DB_PASSWORD=" ./.env.staging.tmp > ./.env.staging || true rm -f ./.env.staging.tmp fi - + # Append the new credentials echo "DB_USERNAME=$DB_USERNAME" >> ./.env.staging echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.staging
@@ -146,7 +146,7 @@ fetch_env_variables() { echo "ERROR: CP_VARIABLES_NAME environment variable is not set" exit 1 fi - + # Fetch the secret echo "Retrieving secret: $CP_VARIABLES_NAME" SECRET_JSON=$(aws secretsmanager get-secret-value \
@@ -154,7 +154,7 @@ fetch_env_variables() { --secret-id "$CP_VARIABLES_NAME" \ --query SecretString \ --output text) - + if [ $? -ne 0 ]; then echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" exit 1
@@ -168,7 +168,7 @@ fetch_env_variables() { export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key') export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name') export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode') - + export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty') # Validate that we got the values if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then
@@ -176,7 +176,13 @@ fetch_env_variables() { echo "Expected JSON format: {\"key\": \"...\", ...}" exit 1 fi - + + # Warn if encryption secret is missing (important for ActiveRecord encryption) + if [ -z "$ENCRYPTION_SECRET" ]; then + echo "WARNING: ENCRYPTION_SECRET not found in secrets" + echo "WARNING: ActiveRecord encryption may not work correctly" + fi + # Write variables to .env.staging file echo "Writing environment variables to .env.staging..."
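Review bot: In the `@@ -168,7 +168,7 @@` hunk of bin/start_console_staging the blank line that separated the `export` block from the `# Validate that we got the values` comment is replaced by the new `export ENCRYPTION_SECRET=...` line rather than kept, while the otherwise identical hunk in bin/start_console_production above (and the ones in bin/start_production and bin/start_staging below) add the line and keep the blank. Restoring the blank keeps the four scripts in step and makes future diffs between them cleaner. fetch_env_variables continues outside the hunk.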
@@ -191,9 +197,10 @@ fetch_env_variables() { grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.staging.tmp > ./.env.staging || true grep -v "^NEWRELIC_APP_NAME=" ./.env.staging.tmp > ./.env.staging || true grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.staging.tmp > ./.env.staging || true + grep -v "^ENCRYPTION_SECRET=" ./.env.staging.tmp > ./.env.staging || true rm -f ./.env.staging.tmp fi - + # Append the new credentials echo "DB_HOST=$DB_HOST" >> ./.env.staging echo "REDIS_URL=$REDIS_URL" >> ./.env.staging
@@ -204,6 +211,12 @@ fetch_env_variables() { echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.staging echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.staging + # Add encryption secret if it exists + if [ -n "$ENCRYPTION_SECRET" ]; then + echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.staging + echo "✓ ENCRYPTION_SECRET written to .env.staging" + fi + echo "✓ Environment variables successfully retrieved and written to .env.staging" }
@@ -236,13 +249,13 @@ main() { set_environment check_aws_setup - + echo "Starting CP Docuseal in staging mode..." echo "Rails Environment: ${RAILS_ENV:-staging}" # Fetch database credentials from Secrets Manager fetch_db_credentials - + # Fetch encryption key and write to config/master.key fetch_encryption_key
@@ -254,7 +267,7 @@ main() { # Load updated environment variables set_environment - + # Setup and migrate database setup_database
@@ -275,4 +288,4 @@ main() { } # Execute main function with all arguments -main "$@" +main "$@"
diff --git a/bin/start_production b/bin/start_production
index 23b92547..bad48974 100755
--- a/bin/start_production
+++ b/bin/start_production
@@ -28,7 +28,7 @@ fetch_db_credentials() { echo "ERROR: DB_SECRETS_NAME environment variable is not set" exit 1 fi - + # Fetch the secret echo "Retrieving secret: $DB_SECRETS_NAME" SECRET_JSON=$(aws secretsmanager get-secret-value \
@@ -36,12 +36,12 @@ fetch_db_credentials() { --secret-id "$DB_SECRETS_NAME" \ --query SecretString \ --output text) - + if [ $? -ne 0 ]; then echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" exit 1 fi - + # Parse JSON and export environment variables export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username') export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password')
@@ -63,7 +63,7 @@ fetch_db_credentials() { grep -v "^DB_PASSWORD=" ./.env.production.tmp > ./.env.production || true rm -f ./.env.production.tmp fi - + # Append the new credentials echo "DB_USERNAME=$DB_USERNAME" >> ./.env.production echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.production
@@ -142,7 +142,7 @@ fetch_env_variables() { echo "ERROR: CP_VARIABLES_NAME environment variable is not set" exit 1 fi - + # Fetch the secret echo "Retrieving secret: $CP_VARIABLES_NAME" SECRET_JSON=$(aws secretsmanager get-secret-value \
@@ -150,7 +150,7 @@ fetch_env_variables() { --secret-id "$CP_VARIABLES_NAME" \ --query SecretString \ --output text) - + if [ $? -ne 0 ]; then echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" exit 1
@@ -169,6 +169,7 @@ fetch_env_variables() { export CF_KEY_SECRET=$(echo "$SECRET_JSON" | jq -r '.cf_key_secret') export SECURED_STORAGE_BUCKET=$(echo "$SECRET_JSON" | jq -r '.secured_storage_bucket') export SECURED_STORAGE_REGION=$(echo "$SECRET_JSON" | jq -r '.secured_storage_region') + export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty') # Validate that we got the values if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then
@@ -183,6 +184,12 @@ fetch_env_variables() { exit 1 fi + # Warn if encryption secret is missing (important for ActiveRecord encryption) + if [ -z "$ENCRYPTION_SECRET" ]; then + echo "WARNING: ENCRYPTION_SECRET not found in secrets" + echo "WARNING: ActiveRecord encryption may not work correctly" + fi + # Write variables to .env.production file echo "Writing environment variables to .env.production..."
@@ -202,9 +209,10 @@ fetch_env_variables() { grep -v "^CF_KEY_SECRET=" ./.env.production.tmp > ./.env.production || true grep -v "^SECURED_STORAGE_BUCKET=" ./.env.production.tmp > ./.env.production || true grep -v "^SECURED_STORAGE_REGION=" ./.env.production.tmp > ./.env.production || true + grep -v "^ENCRYPTION_SECRET=" ./.env.production.tmp > ./.env.production || true rm -f ./.env.production.tmp fi - + # Append the new credentials echo "DB_HOST=$DB_HOST" >> ./.env.production echo "REDIS_URL=$REDIS_URL" >> ./.env.production
@@ -220,6 +228,12 @@ fetch_env_variables() { echo "SECURED_STORAGE_BUCKET=$SECURED_STORAGE_BUCKET" >> ./.env.production echo "SECURED_STORAGE_REGION=$SECURED_STORAGE_REGION" >> ./.env.production + # Add encryption secret if it exists + if [ -n "$ENCRYPTION_SECRET" ]; then + echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.production + echo "✓ ENCRYPTION_SECRET written to .env.production" + fi + echo "✓ Environment variables successfully retrieved and written to .env.production" }
@@ -255,10 +269,10 @@ main() { echo "Starting CP Docuseal in production mode..." echo "Rails Environment: ${RAILS_ENV:-production}" - + # Fetch database credentials from Secrets Manager fetch_db_credentials - + # Fetch encryption key and write to config/master.key fetch_encryption_key
@@ -270,10 +284,10 @@ main() { # Load updated environment variables set_environment - + # Setup and migrate database setup_database - + echo "=== Startup Complete - Starting Rails Server ===" echo "Database Host: ${DB_HOST:-not set}" echo "Database Port: ${DB_PORT:-not set}"
@@ -283,4 +297,4 @@ main() { } # Execute main function -main "$@" +main "$@"
diff --git a/bin/start_staging b/bin/start_staging
index 9eef14f8..1c8512b4 100755
--- a/bin/start_staging
+++ b/bin/start_staging
@@ -28,7 +28,7 @@ fetch_db_credentials() { echo "ERROR: DB_SECRETS_NAME environment variable is not set" exit 1 fi - + # Fetch the secret echo "Retrieving secret: $DB_SECRETS_NAME" SECRET_JSON=$(aws secretsmanager get-secret-value \
@@ -36,12 +36,12 @@ fetch_db_credentials() { --secret-id "$DB_SECRETS_NAME" \ --query SecretString \ --output text) - + if [ $? -ne 0 ]; then echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" exit 1 fi - + # Parse JSON and export environment variables export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username') export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password')
@@ -52,10 +52,10 @@ fetch_db_credentials() { echo "Expected JSON format: {\"username\": \"...\", \"password\": \"...\"}" exit 1 fi - + # Write credentials to .env.staging file echo "Writing database credentials to .env.staging..." - + # Remove existing DB_USERNAME and DB_PASSWORD lines if they exist if [ -f "./.env.staging" ]; then echo "Removing existing DB_USERNAME and DB_PASSWORD from .env.staging"
@@ -63,7 +63,7 @@ fetch_db_credentials() { grep -v "^DB_PASSWORD=" ./.env.staging.tmp > ./.env.staging || true rm -f ./.env.staging.tmp fi - + # Append the new credentials echo "DB_USERNAME=$DB_USERNAME" >> ./.env.staging echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.staging
@@ -146,7 +146,7 @@ fetch_env_variables() { echo "ERROR: CP_VARIABLES_NAME environment variable is not set" exit 1 fi - + # Fetch the secret echo "Retrieving secret: $CP_VARIABLES_NAME" SECRET_JSON=$(aws secretsmanager get-secret-value \
@@ -154,7 +154,7 @@ fetch_env_variables() { --secret-id "$CP_VARIABLES_NAME" \ --query SecretString \ --output text) - + if [ $? -ne 0 ]; then echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" exit 1
@@ -173,6 +173,7 @@ fetch_env_variables() { export CF_KEY_SECRET=$(echo "$SECRET_JSON" | jq -r '.cf_key_secret') export SECURED_STORAGE_BUCKET=$(echo "$SECRET_JSON" | jq -r '.secured_storage_bucket') export SECURED_STORAGE_REGION=$(echo "$SECRET_JSON" | jq -r '.secured_storage_region') + export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty') # Validate that we got the values
@@ -187,7 +188,13 @@ fetch_env_variables() { echo "ERROR: One or more monitor/logging license keys are missing" exit 1 fi - + + # Warn if encryption secret is missing (important for ActiveRecord encryption) + if [ -z "$ENCRYPTION_SECRET" ]; then + echo "WARNING: ENCRYPTION_SECRET not found in secrets" + echo "WARNING: ActiveRecord encryption may not work correctly" + fi + # Write variables to .env.staging file echo "Writing environment variables to .env.staging..."
@@ -207,9 +214,10 @@ fetch_env_variables() { grep -v "^CF_KEY_SECRET=" ./.env.staging.tmp > ./.env.staging || true grep -v "^SECURED_STORAGE_BUCKET=" ./.env.staging.tmp > ./.env.staging || true grep -v "^SECURED_STORAGE_REGION=" ./.env.staging.tmp > ./.env.staging || true + grep -v "^ENCRYPTION_SECRET=" ./.env.staging.tmp > ./.env.staging || true rm -f ./.env.staging.tmp fi - + # Append the new credentials echo "DB_HOST=$DB_HOST" >> ./.env.staging echo "REDIS_URL=$REDIS_URL" >> ./.env.staging
@@ -225,6 +233,12 @@ fetch_env_variables() { echo "SECURED_STORAGE_BUCKET=$SECURED_STORAGE_BUCKET" >> ./.env.staging echo "SECURED_STORAGE_REGION=$SECURED_STORAGE_REGION" >> ./.env.staging + # Add encryption secret if it exists + if [ -n "$ENCRYPTION_SECRET" ]; then + echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.staging + echo "✓ ENCRYPTION_SECRET written to .env.staging" + fi + echo "✓ Environment variables successfully retrieved and written to .env.staging" }
@@ -257,13 +271,13 @@ main() { set_environment check_aws_setup - + echo "Starting CP Docuseal in staging mode..." echo "Rails Environment: ${RAILS_ENV:-staging}" # Fetch database credentials from Secrets Manager fetch_db_credentials - + # Fetch encryption key and write to config/master.key fetch_encryption_key
@@ -275,7 +289,7 @@ main() { # Load updated environment variables set_environment - + # Setup and migrate database setup_database
@@ -288,4 +302,4 @@ main() { } # Execute main function with all arguments -main "$@" +main "$@"