39333033a6
Part of SOPS multi-user secrets migration. - .sops.yaml: defines age recipients (Viktor + CI) - scripts/tg: wrapper that decrypts secrets before running terragrunt - .gitignore: excludes decrypted secrets.auto.tfvars.json No functional change — terraform.tfvars still works as before.
22 lines
707 B
Bash
Executable file
22 lines
707 B
Bash
Executable file
#!/usr/bin/env bash
|
|
# scripts/tg — wrapper: decrypt secrets then run terragrunt
|
|
# Usage: scripts/tg apply --non-interactive
|
|
# scripts/tg run --all -- plan
|
|
set -euo pipefail
|
|
|
|
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
|
SOPS_FILE="$REPO_ROOT/secrets.sops.json"
|
|
OUT_FILE="$REPO_ROOT/secrets.auto.tfvars.json"
|
|
|
|
# Decrypt if needed (skips if already decrypted and up-to-date)
|
|
if [ -f "$SOPS_FILE" ]; then
|
|
if [ ! -f "$OUT_FILE" ] || [ "$SOPS_FILE" -nt "$OUT_FILE" ]; then
|
|
TEMP=$(mktemp "$OUT_FILE.XXXXXX")
|
|
trap "rm -f '$TEMP'" EXIT
|
|
sops -d "$SOPS_FILE" > "$TEMP"
|
|
mv "$TEMP" "$OUT_FILE"
|
|
echo "Decrypted secrets.sops.json → secrets.auto.tfvars.json"
|
|
fi
|
|
fi
|
|
|
|
exec terragrunt "$@"
|