add ENCRYPTION_SECRET (#34)

Currently, existing AccessTokens break on every new deploy because no fixed encryption key is configured, so a new one is generated for each deploy.
pull/544/head
Ryan Arakawa 1 month ago committed by GitHub
parent 587438b7f9
commit 30cd83ea89
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -28,7 +28,7 @@ fetch_db_credentials() {
echo "ERROR: DB_SECRETS_NAME environment variable is not set" echo "ERROR: DB_SECRETS_NAME environment variable is not set"
exit 1 exit 1
fi fi
# Fetch the secret # Fetch the secret
echo "Retrieving secret: $DB_SECRETS_NAME" echo "Retrieving secret: $DB_SECRETS_NAME"
SECRET_JSON=$(aws secretsmanager get-secret-value \ SECRET_JSON=$(aws secretsmanager get-secret-value \
@ -36,12 +36,12 @@ fetch_db_credentials() {
--secret-id "$DB_SECRETS_NAME" \ --secret-id "$DB_SECRETS_NAME" \
--query SecretString \ --query SecretString \
--output text) --output text)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager"
exit 1 exit 1
fi fi
# Parse JSON and export environment variables # Parse JSON and export environment variables
export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username') export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username')
export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password') export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password')
@ -52,10 +52,10 @@ fetch_db_credentials() {
echo "Expected JSON format: {\"username\": \"...\", \"password\": \"...\"}" echo "Expected JSON format: {\"username\": \"...\", \"password\": \"...\"}"
exit 1 exit 1
fi fi
# Write credentials to .env.production file # Write credentials to .env.production file
echo "Writing database credentials to .env.production..." echo "Writing database credentials to .env.production..."
# Remove existing DB_USERNAME and DB_PASSWORD lines if they exist # Remove existing DB_USERNAME and DB_PASSWORD lines if they exist
if [ -f "./.env.production" ]; then if [ -f "./.env.production" ]; then
echo "Removing existing DB_USERNAME and DB_PASSWORD from .env.production" echo "Removing existing DB_USERNAME and DB_PASSWORD from .env.production"
@ -63,7 +63,7 @@ fetch_db_credentials() {
grep -v "^DB_PASSWORD=" ./.env.production.tmp > ./.env.production || true grep -v "^DB_PASSWORD=" ./.env.production.tmp > ./.env.production || true
rm -f ./.env.production.tmp rm -f ./.env.production.tmp
fi fi
# Append the new credentials # Append the new credentials
echo "DB_USERNAME=$DB_USERNAME" >> ./.env.production echo "DB_USERNAME=$DB_USERNAME" >> ./.env.production
echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.production echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.production
@ -146,7 +146,7 @@ fetch_env_variables() {
echo "ERROR: CP_VARIABLES_NAME environment variable is not set" echo "ERROR: CP_VARIABLES_NAME environment variable is not set"
exit 1 exit 1
fi fi
# Fetch the secret # Fetch the secret
echo "Retrieving secret: $CP_VARIABLES_NAME" echo "Retrieving secret: $CP_VARIABLES_NAME"
SECRET_JSON=$(aws secretsmanager get-secret-value \ SECRET_JSON=$(aws secretsmanager get-secret-value \
@ -154,7 +154,7 @@ fetch_env_variables() {
--secret-id "$CP_VARIABLES_NAME" \ --secret-id "$CP_VARIABLES_NAME" \
--query SecretString \ --query SecretString \
--output text) --output text)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager"
exit 1 exit 1
@ -168,6 +168,7 @@ fetch_env_variables() {
export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key') export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key')
export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name') export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name')
export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode') export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode')
export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty')
# Validate that we got the values # Validate that we got the values
@ -176,7 +177,13 @@ fetch_env_variables() {
echo "Expected JSON format: {\"key\": \"...\", ...}" echo "Expected JSON format: {\"key\": \"...\", ...}"
exit 1 exit 1
fi fi
# Warn if encryption secret is missing (important for ActiveRecord encryption)
if [ -z "$ENCRYPTION_SECRET" ]; then
echo "WARNING: ENCRYPTION_SECRET not found in secrets"
echo "WARNING: ActiveRecord encryption may not work correctly"
fi
# Write variables to .env.production file # Write variables to .env.production file
echo "Writing environment variables to .env.production..." echo "Writing environment variables to .env.production..."
@ -191,9 +198,10 @@ fetch_env_variables() {
grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.production.tmp > ./.env.production || true grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.production.tmp > ./.env.production || true
grep -v "^NEWRELIC_APP_NAME=" ./.env.production.tmp > ./.env.production || true grep -v "^NEWRELIC_APP_NAME=" ./.env.production.tmp > ./.env.production || true
grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.production.tmp > ./.env.production || true grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.production.tmp > ./.env.production || true
grep -v "^ENCRYPTION_SECRET=" ./.env.production.tmp > ./.env.production || true
rm -f ./.env.production.tmp rm -f ./.env.production.tmp
fi fi
# Append the new credentials # Append the new credentials
echo "DB_HOST=$DB_HOST" >> ./.env.production echo "DB_HOST=$DB_HOST" >> ./.env.production
echo "REDIS_URL=$REDIS_URL" >> ./.env.production echo "REDIS_URL=$REDIS_URL" >> ./.env.production
@ -204,6 +212,12 @@ fetch_env_variables() {
echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.production echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.production
echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.production echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.production
# Add encryption secret if it exists
if [ -n "$ENCRYPTION_SECRET" ]; then
echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.production
echo "✓ ENCRYPTION_SECRET written to .env.production"
fi
echo "✓ Environment variables successfully retrieved and written to .env.production" echo "✓ Environment variables successfully retrieved and written to .env.production"
} }
@ -236,13 +250,13 @@ main() {
set_environment set_environment
check_aws_setup check_aws_setup
echo "Starting CP Docuseal in production mode..." echo "Starting CP Docuseal in production mode..."
echo "Rails Environment: ${RAILS_ENV:-production}" echo "Rails Environment: ${RAILS_ENV:-production}"
# Fetch database credentials from Secrets Manager # Fetch database credentials from Secrets Manager
fetch_db_credentials fetch_db_credentials
# Fetch encryption key and write to config/master.key # Fetch encryption key and write to config/master.key
fetch_encryption_key fetch_encryption_key
@ -254,7 +268,7 @@ main() {
# Load updated environment variables # Load updated environment variables
set_environment set_environment
# Setup and migrate database # Setup and migrate database
setup_database setup_database
@ -275,4 +289,4 @@ main() {
} }
# Execute main function with all arguments # Execute main function with all arguments
main "$@" main "$@"
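Review bot: The new `grep -v "^ENCRYPTION_SECRET=" ./.env.production.tmp > ./.env.production || true` line in the `@ -191,9 +198,10` hunk joins a chain in which every filter reads `.env.production.tmp` and rewrites `.env.production`, so each command throws away the previous command's output; unless a re-copy happens between them (the hunk start is outside view), only the last filter — now ENCRYPTION_SECRET — removes anything, and the NEWRELIC_* filters above it become no-ops, leaving stale lines to accumulate on every restart with loader-dependent precedence. Folding the filters into one invocation, `grep -v -e '^NEWRELIC_LICENSE_KEY=' -e '^NEWRELIC_APP_NAME=' -e '^NEWRELIC_MONITOR_MODE=' -e '^ENCRYPTION_SECRET=' ./.env.production.tmp > ./.env.production || true` (plus whatever earlier patterns the hunk cuts off), would make the cleanup actually apply. The enclosing `fetch_env_variables` function starts outside the hunk, and the same construction appears in the three sibling scripts in this commit.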

@ -28,7 +28,7 @@ fetch_db_credentials() {
echo "ERROR: DB_SECRETS_NAME environment variable is not set" echo "ERROR: DB_SECRETS_NAME environment variable is not set"
exit 1 exit 1
fi fi
# Fetch the secret # Fetch the secret
echo "Retrieving secret: $DB_SECRETS_NAME" echo "Retrieving secret: $DB_SECRETS_NAME"
SECRET_JSON=$(aws secretsmanager get-secret-value \ SECRET_JSON=$(aws secretsmanager get-secret-value \
@ -36,12 +36,12 @@ fetch_db_credentials() {
--secret-id "$DB_SECRETS_NAME" \ --secret-id "$DB_SECRETS_NAME" \
--query SecretString \ --query SecretString \
--output text) --output text)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager"
exit 1 exit 1
fi fi
# Parse JSON and export environment variables # Parse JSON and export environment variables
export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username') export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username')
export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password') export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password')
@ -52,10 +52,10 @@ fetch_db_credentials() {
echo "Expected JSON format: {\"username\": \"...\", \"password\": \"...\"}" echo "Expected JSON format: {\"username\": \"...\", \"password\": \"...\"}"
exit 1 exit 1
fi fi
# Write credentials to .env.staging file # Write credentials to .env.staging file
echo "Writing database credentials to .env.staging..." echo "Writing database credentials to .env.staging..."
# Remove existing DB_USERNAME and DB_PASSWORD lines if they exist # Remove existing DB_USERNAME and DB_PASSWORD lines if they exist
if [ -f "./.env.staging" ]; then if [ -f "./.env.staging" ]; then
echo "Removing existing DB_USERNAME and DB_PASSWORD from .env.staging" echo "Removing existing DB_USERNAME and DB_PASSWORD from .env.staging"
@ -63,7 +63,7 @@ fetch_db_credentials() {
grep -v "^DB_PASSWORD=" ./.env.staging.tmp > ./.env.staging || true grep -v "^DB_PASSWORD=" ./.env.staging.tmp > ./.env.staging || true
rm -f ./.env.staging.tmp rm -f ./.env.staging.tmp
fi fi
# Append the new credentials # Append the new credentials
echo "DB_USERNAME=$DB_USERNAME" >> ./.env.staging echo "DB_USERNAME=$DB_USERNAME" >> ./.env.staging
echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.staging echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.staging
@ -146,7 +146,7 @@ fetch_env_variables() {
echo "ERROR: CP_VARIABLES_NAME environment variable is not set" echo "ERROR: CP_VARIABLES_NAME environment variable is not set"
exit 1 exit 1
fi fi
# Fetch the secret # Fetch the secret
echo "Retrieving secret: $CP_VARIABLES_NAME" echo "Retrieving secret: $CP_VARIABLES_NAME"
SECRET_JSON=$(aws secretsmanager get-secret-value \ SECRET_JSON=$(aws secretsmanager get-secret-value \
@ -154,7 +154,7 @@ fetch_env_variables() {
--secret-id "$CP_VARIABLES_NAME" \ --secret-id "$CP_VARIABLES_NAME" \
--query SecretString \ --query SecretString \
--output text) --output text)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager"
exit 1 exit 1
@ -168,7 +168,7 @@ fetch_env_variables() {
export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key') export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key')
export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name') export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name')
export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode') export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode')
export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty')
# Validate that we got the values # Validate that we got the values
if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then
@ -176,7 +176,13 @@ fetch_env_variables() {
echo "Expected JSON format: {\"key\": \"...\", ...}" echo "Expected JSON format: {\"key\": \"...\", ...}"
exit 1 exit 1
fi fi
# Warn if encryption secret is missing (important for ActiveRecord encryption)
if [ -z "$ENCRYPTION_SECRET" ]; then
echo "WARNING: ENCRYPTION_SECRET not found in secrets"
echo "WARNING: ActiveRecord encryption may not work correctly"
fi
# Write variables to .env.staging file # Write variables to .env.staging file
echo "Writing environment variables to .env.staging..." echo "Writing environment variables to .env.staging..."
@ -191,9 +197,10 @@ fetch_env_variables() {
grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.staging.tmp > ./.env.staging || true grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^NEWRELIC_APP_NAME=" ./.env.staging.tmp > ./.env.staging || true grep -v "^NEWRELIC_APP_NAME=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.staging.tmp > ./.env.staging || true grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^ENCRYPTION_SECRET=" ./.env.staging.tmp > ./.env.staging || true
rm -f ./.env.staging.tmp rm -f ./.env.staging.tmp
fi fi
# Append the new credentials # Append the new credentials
echo "DB_HOST=$DB_HOST" >> ./.env.staging echo "DB_HOST=$DB_HOST" >> ./.env.staging
echo "REDIS_URL=$REDIS_URL" >> ./.env.staging echo "REDIS_URL=$REDIS_URL" >> ./.env.staging
@ -204,6 +211,12 @@ fetch_env_variables() {
echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.staging echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.staging
echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.staging echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.staging
# Add encryption secret if it exists
if [ -n "$ENCRYPTION_SECRET" ]; then
echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.staging
echo "✓ ENCRYPTION_SECRET written to .env.staging"
fi
echo "✓ Environment variables successfully retrieved and written to .env.staging" echo "✓ Environment variables successfully retrieved and written to .env.staging"
} }
@ -236,13 +249,13 @@ main() {
set_environment set_environment
check_aws_setup check_aws_setup
echo "Starting CP Docuseal in staging mode..." echo "Starting CP Docuseal in staging mode..."
echo "Rails Environment: ${RAILS_ENV:-staging}" echo "Rails Environment: ${RAILS_ENV:-staging}"
# Fetch database credentials from Secrets Manager # Fetch database credentials from Secrets Manager
fetch_db_credentials fetch_db_credentials
# Fetch encryption key and write to config/master.key # Fetch encryption key and write to config/master.key
fetch_encryption_key fetch_encryption_key
@ -254,7 +267,7 @@ main() {
# Load updated environment variables # Load updated environment variables
set_environment set_environment
# Setup and migrate database # Setup and migrate database
setup_database setup_database
@ -275,4 +288,4 @@ main() {
} }
# Execute main function with all arguments # Execute main function with all arguments
main "$@" main "$@"
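Review bot: The lookup `jq -r '.ENCRYPTION_SECRET // empty'` in the `@ -168,7 +168,7 @@` hunk uses an upper-case key while every other key read from the same secret (`.newrelic_license_key`, `.newrelic_app_name`, `.username`) is lower snake_case, and jq keys are case-sensitive. If the operator stores the secret as `encryption_secret` to match the existing convention, the lookup yields empty, the script only warns, and the deploy silently falls back to the per-deploy key generation this commit is meant to eliminate. Either accept both spellings, `jq -r '.ENCRYPTION_SECRET // .encryption_secret // empty'`, or make the warning name the exact key expected, `echo "WARNING: key 'ENCRYPTION_SECRET' (case-sensitive) not found in $CP_VARIABLES_NAME"`. The same applies to the corresponding hunks in the other three scripts.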

@ -28,7 +28,7 @@ fetch_db_credentials() {
echo "ERROR: DB_SECRETS_NAME environment variable is not set" echo "ERROR: DB_SECRETS_NAME environment variable is not set"
exit 1 exit 1
fi fi
# Fetch the secret # Fetch the secret
echo "Retrieving secret: $DB_SECRETS_NAME" echo "Retrieving secret: $DB_SECRETS_NAME"
SECRET_JSON=$(aws secretsmanager get-secret-value \ SECRET_JSON=$(aws secretsmanager get-secret-value \
@ -36,12 +36,12 @@ fetch_db_credentials() {
--secret-id "$DB_SECRETS_NAME" \ --secret-id "$DB_SECRETS_NAME" \
--query SecretString \ --query SecretString \
--output text) --output text)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager"
exit 1 exit 1
fi fi
# Parse JSON and export environment variables # Parse JSON and export environment variables
export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username') export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username')
export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password') export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password')
@ -63,7 +63,7 @@ fetch_db_credentials() {
grep -v "^DB_PASSWORD=" ./.env.production.tmp > ./.env.production || true grep -v "^DB_PASSWORD=" ./.env.production.tmp > ./.env.production || true
rm -f ./.env.production.tmp rm -f ./.env.production.tmp
fi fi
# Append the new credentials # Append the new credentials
echo "DB_USERNAME=$DB_USERNAME" >> ./.env.production echo "DB_USERNAME=$DB_USERNAME" >> ./.env.production
echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.production echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.production
@ -142,7 +142,7 @@ fetch_env_variables() {
echo "ERROR: CP_VARIABLES_NAME environment variable is not set" echo "ERROR: CP_VARIABLES_NAME environment variable is not set"
exit 1 exit 1
fi fi
# Fetch the secret # Fetch the secret
echo "Retrieving secret: $CP_VARIABLES_NAME" echo "Retrieving secret: $CP_VARIABLES_NAME"
SECRET_JSON=$(aws secretsmanager get-secret-value \ SECRET_JSON=$(aws secretsmanager get-secret-value \
@ -150,7 +150,7 @@ fetch_env_variables() {
--secret-id "$CP_VARIABLES_NAME" \ --secret-id "$CP_VARIABLES_NAME" \
--query SecretString \ --query SecretString \
--output text) --output text)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager"
exit 1 exit 1
@ -169,6 +169,7 @@ fetch_env_variables() {
export CF_KEY_SECRET=$(echo "$SECRET_JSON" | jq -r '.cf_key_secret') export CF_KEY_SECRET=$(echo "$SECRET_JSON" | jq -r '.cf_key_secret')
export SECURED_STORAGE_BUCKET=$(echo "$SECRET_JSON" | jq -r '.secured_storage_bucket') export SECURED_STORAGE_BUCKET=$(echo "$SECRET_JSON" | jq -r '.secured_storage_bucket')
export SECURED_STORAGE_REGION=$(echo "$SECRET_JSON" | jq -r '.secured_storage_region') export SECURED_STORAGE_REGION=$(echo "$SECRET_JSON" | jq -r '.secured_storage_region')
export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty')
# Validate that we got the values # Validate that we got the values
if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then
@ -183,6 +184,12 @@ fetch_env_variables() {
exit 1 exit 1
fi fi
# Warn if encryption secret is missing (important for ActiveRecord encryption)
if [ -z "$ENCRYPTION_SECRET" ]; then
echo "WARNING: ENCRYPTION_SECRET not found in secrets"
echo "WARNING: ActiveRecord encryption may not work correctly"
fi
# Write variables to .env.production file # Write variables to .env.production file
echo "Writing environment variables to .env.production..." echo "Writing environment variables to .env.production..."
@ -202,9 +209,10 @@ fetch_env_variables() {
grep -v "^CF_KEY_SECRET=" ./.env.production.tmp > ./.env.production || true grep -v "^CF_KEY_SECRET=" ./.env.production.tmp > ./.env.production || true
grep -v "^SECURED_STORAGE_BUCKET=" ./.env.production.tmp > ./.env.production || true grep -v "^SECURED_STORAGE_BUCKET=" ./.env.production.tmp > ./.env.production || true
grep -v "^SECURED_STORAGE_REGION=" ./.env.production.tmp > ./.env.production || true grep -v "^SECURED_STORAGE_REGION=" ./.env.production.tmp > ./.env.production || true
grep -v "^ENCRYPTION_SECRET=" ./.env.production.tmp > ./.env.production || true
rm -f ./.env.production.tmp rm -f ./.env.production.tmp
fi fi
# Append the new credentials # Append the new credentials
echo "DB_HOST=$DB_HOST" >> ./.env.production echo "DB_HOST=$DB_HOST" >> ./.env.production
echo "REDIS_URL=$REDIS_URL" >> ./.env.production echo "REDIS_URL=$REDIS_URL" >> ./.env.production
@ -220,6 +228,12 @@ fetch_env_variables() {
echo "SECURED_STORAGE_BUCKET=$SECURED_STORAGE_BUCKET" >> ./.env.production echo "SECURED_STORAGE_BUCKET=$SECURED_STORAGE_BUCKET" >> ./.env.production
echo "SECURED_STORAGE_REGION=$SECURED_STORAGE_REGION" >> ./.env.production echo "SECURED_STORAGE_REGION=$SECURED_STORAGE_REGION" >> ./.env.production
# Add encryption secret if it exists
if [ -n "$ENCRYPTION_SECRET" ]; then
echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.production
echo "✓ ENCRYPTION_SECRET written to .env.production"
fi
echo "✓ Environment variables successfully retrieved and written to .env.production" echo "✓ Environment variables successfully retrieved and written to .env.production"
} }
@ -255,10 +269,10 @@ main() {
echo "Starting CP Docuseal in production mode..." echo "Starting CP Docuseal in production mode..."
echo "Rails Environment: ${RAILS_ENV:-production}" echo "Rails Environment: ${RAILS_ENV:-production}"
# Fetch database credentials from Secrets Manager # Fetch database credentials from Secrets Manager
fetch_db_credentials fetch_db_credentials
# Fetch encryption key and write to config/master.key # Fetch encryption key and write to config/master.key
fetch_encryption_key fetch_encryption_key
@ -270,10 +284,10 @@ main() {
# Load updated environment variables # Load updated environment variables
set_environment set_environment
# Setup and migrate database # Setup and migrate database
setup_database setup_database
echo "=== Startup Complete - Starting Rails Server ===" echo "=== Startup Complete - Starting Rails Server ==="
echo "Database Host: ${DB_HOST:-not set}" echo "Database Host: ${DB_HOST:-not set}"
echo "Database Port: ${DB_PORT:-not set}" echo "Database Port: ${DB_PORT:-not set}"
@ -283,4 +297,4 @@ main() {
} }
# Execute main function # Execute main function
main "$@" main "$@"
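Review bot: The new block in the `@ -183,6 +184,12 @@` hunk only warns when ENCRYPTION_SECRET is empty, while the validation just above it exits 1 for the other required values; given the commit description (a missing key means a fresh one per deploy and broken existing tokens), a warning in container logs makes the very failure this change fixes recur silently in production. Unless a soft rollout is intended, failing hard is the consistent choice: `echo "ERROR: ENCRYPTION_SECRET not found in $CP_VARIABLES_NAME" >&2` followed by `exit 1` in place of the two WARNING echoes. If the soft behavior is deliberate, a short comment saying why this value is optional where the others are not would help the next reader. The enclosing `fetch_env_variables` function starts outside the hunk.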

@ -28,7 +28,7 @@ fetch_db_credentials() {
echo "ERROR: DB_SECRETS_NAME environment variable is not set" echo "ERROR: DB_SECRETS_NAME environment variable is not set"
exit 1 exit 1
fi fi
# Fetch the secret # Fetch the secret
echo "Retrieving secret: $DB_SECRETS_NAME" echo "Retrieving secret: $DB_SECRETS_NAME"
SECRET_JSON=$(aws secretsmanager get-secret-value \ SECRET_JSON=$(aws secretsmanager get-secret-value \
@ -36,12 +36,12 @@ fetch_db_credentials() {
--secret-id "$DB_SECRETS_NAME" \ --secret-id "$DB_SECRETS_NAME" \
--query SecretString \ --query SecretString \
--output text) --output text)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager"
exit 1 exit 1
fi fi
# Parse JSON and export environment variables # Parse JSON and export environment variables
export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username') export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username')
export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password') export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password')
@ -52,10 +52,10 @@ fetch_db_credentials() {
echo "Expected JSON format: {\"username\": \"...\", \"password\": \"...\"}" echo "Expected JSON format: {\"username\": \"...\", \"password\": \"...\"}"
exit 1 exit 1
fi fi
# Write credentials to .env.staging file # Write credentials to .env.staging file
echo "Writing database credentials to .env.staging..." echo "Writing database credentials to .env.staging..."
# Remove existing DB_USERNAME and DB_PASSWORD lines if they exist # Remove existing DB_USERNAME and DB_PASSWORD lines if they exist
if [ -f "./.env.staging" ]; then if [ -f "./.env.staging" ]; then
echo "Removing existing DB_USERNAME and DB_PASSWORD from .env.staging" echo "Removing existing DB_USERNAME and DB_PASSWORD from .env.staging"
@ -63,7 +63,7 @@ fetch_db_credentials() {
grep -v "^DB_PASSWORD=" ./.env.staging.tmp > ./.env.staging || true grep -v "^DB_PASSWORD=" ./.env.staging.tmp > ./.env.staging || true
rm -f ./.env.staging.tmp rm -f ./.env.staging.tmp
fi fi
# Append the new credentials # Append the new credentials
echo "DB_USERNAME=$DB_USERNAME" >> ./.env.staging echo "DB_USERNAME=$DB_USERNAME" >> ./.env.staging
echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.staging echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.staging
@ -146,7 +146,7 @@ fetch_env_variables() {
echo "ERROR: CP_VARIABLES_NAME environment variable is not set" echo "ERROR: CP_VARIABLES_NAME environment variable is not set"
exit 1 exit 1
fi fi
# Fetch the secret # Fetch the secret
echo "Retrieving secret: $CP_VARIABLES_NAME" echo "Retrieving secret: $CP_VARIABLES_NAME"
SECRET_JSON=$(aws secretsmanager get-secret-value \ SECRET_JSON=$(aws secretsmanager get-secret-value \
@ -154,7 +154,7 @@ fetch_env_variables() {
--secret-id "$CP_VARIABLES_NAME" \ --secret-id "$CP_VARIABLES_NAME" \
--query SecretString \ --query SecretString \
--output text) --output text)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager" echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager"
exit 1 exit 1
@ -173,6 +173,7 @@ fetch_env_variables() {
export CF_KEY_SECRET=$(echo "$SECRET_JSON" | jq -r '.cf_key_secret') export CF_KEY_SECRET=$(echo "$SECRET_JSON" | jq -r '.cf_key_secret')
export SECURED_STORAGE_BUCKET=$(echo "$SECRET_JSON" | jq -r '.secured_storage_bucket') export SECURED_STORAGE_BUCKET=$(echo "$SECRET_JSON" | jq -r '.secured_storage_bucket')
export SECURED_STORAGE_REGION=$(echo "$SECRET_JSON" | jq -r '.secured_storage_region') export SECURED_STORAGE_REGION=$(echo "$SECRET_JSON" | jq -r '.secured_storage_region')
export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty')
# Validate that we got the values # Validate that we got the values
@ -187,7 +188,13 @@ fetch_env_variables() {
echo "ERROR: One or more monitor/logging license keys are missing" echo "ERROR: One or more monitor/logging license keys are missing"
exit 1 exit 1
fi fi
# Warn if encryption secret is missing (important for ActiveRecord encryption)
if [ -z "$ENCRYPTION_SECRET" ]; then
echo "WARNING: ENCRYPTION_SECRET not found in secrets"
echo "WARNING: ActiveRecord encryption may not work correctly"
fi
# Write variables to .env.staging file # Write variables to .env.staging file
echo "Writing environment variables to .env.staging..." echo "Writing environment variables to .env.staging..."
@ -207,9 +214,10 @@ fetch_env_variables() {
grep -v "^CF_KEY_SECRET=" ./.env.staging.tmp > ./.env.staging || true grep -v "^CF_KEY_SECRET=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^SECURED_STORAGE_BUCKET=" ./.env.staging.tmp > ./.env.staging || true grep -v "^SECURED_STORAGE_BUCKET=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^SECURED_STORAGE_REGION=" ./.env.staging.tmp > ./.env.staging || true grep -v "^SECURED_STORAGE_REGION=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^ENCRYPTION_SECRET=" ./.env.staging.tmp > ./.env.staging || true
rm -f ./.env.staging.tmp rm -f ./.env.staging.tmp
fi fi
# Append the new credentials # Append the new credentials
echo "DB_HOST=$DB_HOST" >> ./.env.staging echo "DB_HOST=$DB_HOST" >> ./.env.staging
echo "REDIS_URL=$REDIS_URL" >> ./.env.staging echo "REDIS_URL=$REDIS_URL" >> ./.env.staging
@ -225,6 +233,12 @@ fetch_env_variables() {
echo "SECURED_STORAGE_BUCKET=$SECURED_STORAGE_BUCKET" >> ./.env.staging echo "SECURED_STORAGE_BUCKET=$SECURED_STORAGE_BUCKET" >> ./.env.staging
echo "SECURED_STORAGE_REGION=$SECURED_STORAGE_REGION" >> ./.env.staging echo "SECURED_STORAGE_REGION=$SECURED_STORAGE_REGION" >> ./.env.staging
# Add encryption secret if it exists
if [ -n "$ENCRYPTION_SECRET" ]; then
echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.staging
echo "✓ ENCRYPTION_SECRET written to .env.staging"
fi
echo "✓ Environment variables successfully retrieved and written to .env.staging" echo "✓ Environment variables successfully retrieved and written to .env.staging"
} }
@ -257,13 +271,13 @@ main() {
set_environment set_environment
check_aws_setup check_aws_setup
echo "Starting CP Docuseal in staging mode..." echo "Starting CP Docuseal in staging mode..."
echo "Rails Environment: ${RAILS_ENV:-staging}" echo "Rails Environment: ${RAILS_ENV:-staging}"
# Fetch database credentials from Secrets Manager # Fetch database credentials from Secrets Manager
fetch_db_credentials fetch_db_credentials
# Fetch encryption key and write to config/master.key # Fetch encryption key and write to config/master.key
fetch_encryption_key fetch_encryption_key
@ -275,7 +289,7 @@ main() {
# Load updated environment variables # Load updated environment variables
set_environment set_environment
# Setup and migrate database # Setup and migrate database
setup_database setup_database
@ -288,4 +302,4 @@ main() {
} }
# Execute main function with all arguments # Execute main function with all arguments
main "$@" main "$@"
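Review bot: `export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty')` in the `@ -173,6 +173,7 @@` hunk masks jq's exit status (the `export` succeeds regardless), and combined with `// empty` a jq parse failure becomes indistinguishable from "key absent" — both take the warning path. Splitting declaration from assignment keeps the error visible: `ENCRYPTION_SECRET=$(printf '%s' "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty') || { echo "ERROR: could not parse $CP_VARIABLES_NAME" >&2; exit 1; }` then `export ENCRYPTION_SECRET`. Separately, the value is written unquoted by `echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.staging` in the `@ -225,6 +233,12 @@` hunk; if the secret can contain `#`, whitespace or `$`, a dotenv-style loader may truncate or expand it, so confirm the loader's quoting rules or write `ENCRYPTION_SECRET='...'` with single quotes. The same pattern is repeated in the other three scripts in this commit.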
