infra/scripts/tg

#!/usr/bin/env bash
# scripts/tg — wrapper: decrypt secrets then run terragrunt
# Usage: scripts/tg apply --non-interactive
#        scripts/tg run --all -- plan
set -euo pipefail

REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
SOPS_FILE="$REPO_ROOT/secrets.sops.json"
OUT_FILE="$REPO_ROOT/secrets.auto.tfvars.json"

# Decrypt if needed (skips if already decrypted and up-to-date)
if [ -f "$SOPS_FILE" ]; then
  if [ ! -f "$OUT_FILE" ] || [ "$SOPS_FILE" -nt "$OUT_FILE" ]; then
    TEMP=$(mktemp "$OUT_FILE.XXXXXX")
    trap "rm -f '$TEMP'" EXIT
    sops -d "$SOPS_FILE" > "$TEMP"
    mv "$TEMP" "$OUT_FILE"
    echo "Decrypted secrets.sops.json → secrets.auto.tfvars.json"
  fi
fi

exec terragrunt "$@"
[ci skip] phase 1: SOPS tooling setup (.sops.yaml, scripts/tg, .gitignore) Part of SOPS multi-user secrets migration. - .sops.yaml: defines age recipients (Viktor + CI) - scripts/tg: wrapper that decrypts secrets before running terragrunt - .gitignore: excludes decrypted secrets.auto.tfvars.json No functional change — terraform.tfvars still works as before. 2026-03-07 13:57:42 +00:00			`#!/usr/bin/env bash`
			`# scripts/tg — wrapper: decrypt secrets then run terragrunt`
			`# Usage: scripts/tg apply --non-interactive`
			`# scripts/tg run --all -- plan`
			`set -euo pipefail`

			`REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"`
			`SOPS_FILE="$REPO_ROOT/secrets.sops.json"`
			`OUT_FILE="$REPO_ROOT/secrets.auto.tfvars.json"`

			`# Decrypt if needed (skips if already decrypted and up-to-date)`
			`if [ -f "$SOPS_FILE" ]; then`
			`if [ ! -f "$OUT_FILE" ] \|\| [ "$SOPS_FILE" -nt "$OUT_FILE" ]; then`
			`TEMP=$(mktemp "$OUT_FILE.XXXXXX")`
			`trap "rm -f '$TEMP'" EXIT`
			`sops -d "$SOPS_FILE" > "$TEMP"`
			`mv "$TEMP" "$OUT_FILE"`
			`echo "Decrypted secrets.sops.json → secrets.auto.tfvars.json"`
			`fi`
			`fi`

			`exec terragrunt "$@"`