From d68a36e52ff0cafe0b64efa5f078ffc30ea98dd7 Mon Sep 17 00:00:00 2001
From: J Cole Morrison
Date: Sat, 11 Apr 2020 13:29:58 -0700
Subject: [PATCH] initial user data script for vault initialization

---
 files/userdata.sh | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/files/userdata.sh b/files/userdata.sh
index a4eff44..75673af 100644
--- a/files/userdata.sh
+++ b/files/userdata.sh
@@ -167,6 +167,32 @@ Content-Type: text/x-shellscript; charset="us-ascii"
 # - Create credentials file
 # - Encrypt the file via KMS
 # - Send the file to S3
+# - Delete the local file
 # - Erase bash history
+VAULT_INITIALIZED=$(vault operator init -status)
+
+function initialize_vault {
+  # initialize and pipe to file
+  vault operator init > vault_credentials.txt
+
+  # encrypt it with the KMS key
+  aws kms encrypt --key-id ${KMS_KEY_ID} --plaintext fileb://vault_credentials.txt --output text --query CiphertextBlob | base64 --decode > vault_creds_encrypted
+
+  # send the encrypted file to the s3 bucket
+  aws s3 cp vault_creds_encrypted s3://${S3_BUCKET_NAME}
+
+  # cleanup
+  rm vault_credentials.txt
+  history -c
+  history -w
+}
+
+if [ "$VAULT_INITIALIZED" = "Vault is initialized" ]; then
+  echo "Vault is already initialized."
+else
+  echo "Initializing vault..."
+  initialize_vault
+fi
+
 --==BOUNDARY==--
\ No newline at end of file
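Review bot: `initialize_vault` runs `rm vault_credentials.txt` unconditionally after the `aws kms encrypt` and `aws s3 cp` calls, so if either one fails (missing KMS grant, bucket policy, no network yet) the only copy of the unseal keys and root token is deleted while Vault stays initialized, leaving an unrecoverable cluster; on a KMS failure the `>` redirect also leaves an empty `vault_creds_encrypted` that is then uploaded as if it were the backup. The plaintext is additionally written with the default umask into whatever directory the user-data part happens to run in, and `${KMS_KEY_ID}`/`${S3_BUCKET_NAME}` are unquoted. Each step should abort the function on failure, the plaintext should be created under `umask 077` via `mktemp` and removed by a trap on every exit path, and the caller should fail loudly instead of continuing: `initialize_vault || { echo "vault init failed; credentials may be unrecoverable" >&2; exit 1; }`. The `history -c`/`history -w` calls are presumably no-ops in a non-interactive cloud-init shell but are harmless; the enclosing script (shebang, any `set -e`/`pipefail`) starts outside this hunk, so none of the above can rely on it.
```shell
function initialize_vault {
  local plain enc blob
  umask 077                                  # unseal keys/root token must not be group/world-readable
  plain=$(mktemp) || return 1
  enc=$(mktemp) || return 1
  trap 'rm -f -- "$plain" "$enc"' RETURN     # remove the plaintext on every exit path, including failure

  # initialize and pipe to file; stop here if init itself failed
  vault operator init > "$plain" || return 1

  # encrypt it with the KMS key; the ciphertext blob is not secret, so a variable is fine
  blob=$(aws kms encrypt --key-id "${KMS_KEY_ID}" --plaintext "fileb://${plain}" \
           --output text --query CiphertextBlob) || return 1
  printf '%s' "$blob" | base64 --decode > "$enc" || return 1

  # keep the original object name; the trap only discards the local copies after a successful upload
  aws s3 cp "$enc" "s3://${S3_BUCKET_NAME}/vault_creds_encrypted" || return 1

  # … unchanged: history -c / history -w …
}
```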