initial user data script for vault initialization

2020-04-11 13:29:58 -07:00 · 2020-04-11 13:29:58 -07:00 · d68a36e52f
parent e2383bda9f
commit d68a36e52f
1 changed files with 26 additions and 0 deletions
--- a/files/userdata.sh
+++ b/files/userdata.sh
@ -167,6 +167,32 @@ Content-Type: text/x-shellscript; charset="us-ascii"
 # - Create credentials file
 # - Encrypt the file via KMS
 # - Send the file to S3
+# - Delete the local file
 # - Erase bash history

+VAULT_INITIALIZED=$(vault operator init -status)
+
+function initialize_vault {
+  # initialize and pipe to file
+  vault operator init > vault_credentials.txt
+
+  # encrypt it with the KMS key
+  aws kms encrypt --key-id ${KMS_KEY_ID} --plaintext fileb://vault_credentials.txt --output text --query CiphertextBlob | base64 --decode > vault_creds_encrypted
+
+  # send the encrypted file to the s3 bucket
+  aws s3 cp vault_creds_encrypted s3://${S3_BUCKET_NAME}
+
+  # cleanup
+  rm vault_credentials.txt
+  history -c
+  history -w
+}
+
+if [ "$VAULT_INITIALIZED" = "Vault is initialized" ]; then
+  echo "Vault is already initialized."
+else
+  echo "Initializing vault..."
+  initialize_vault
+fi
+
 --==BOUNDARY==--