#!/bin/bash
# Setup all required secrets for BSOD Analyzer in Google Secret Manager
set -e
# Configuration
# Target project; override by exporting PROJECT_ID before running the script.
PROJECT_ID="${PROJECT_ID:-project-bigfoot}"
printf '%s\n' "🔐 Setting up all required secrets for BSOD Analyzer"
printf 'Project: %s\n' "${PROJECT_ID}"
printf '\n'
# Function to create or update a secret
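#######################################
# Create a secret in Secret Manager, or (after an interactive y/N
# confirmation) add a new version to one that already exists.
# Globals:   PROJECT_ID (read)
# Arguments: $1 - secret name
#            $2 - secret value (handed to gcloud on stdin, never on argv)
#            $3 - human-readable description used in the status lines
# Outputs:   status lines to stdout; reads the y/N answer from stdin
# Returns:   0; a failing gcloud call aborts the script under set -e
#######################################
setup_secret() {
  local -r secret_name=$1
  local -r secret_value=$2
  local -r secret_desc=$3
  local response
  echo "📌 Setting up ${secret_desc}..."
  # Check if secret already exists
  if gcloud secrets describe "${secret_name}" --project="${PROJECT_ID}" >/dev/null 2>&1; then
    echo " ⚠️ Secret '${secret_name}' already exists"
    printf '%s' " Do you want to update it? (y/N): "
    # EOF on stdin (non-interactive run) counts as "no" instead of tripping set -e
    read -r response || true
    if [[ "$response" =~ ^([yY][eE][sS]|[yY])$ ]]; then
      # Add a new version of the secret. printf '%s' rather than echo -n:
      # echo treats a value such as "-e" as an option (storing the wrong
      # bytes) and may expand backslash escapes in the value.
      printf '%s' "${secret_value}" | gcloud secrets versions add "${secret_name}" \
        --data-file=- \
        --project="${PROJECT_ID}"
      echo " ✅ Secret updated"
    else
      echo " ℹ️ Keeping existing secret"
    fi
  else
    # Create the secret (same printf-over-echo reasoning as above)
    printf '%s' "${secret_value}" | gcloud secrets create "${secret_name}" \
      --replication-policy="automatic" \
      --data-file=- \
      --project="${PROJECT_ID}"
    echo " ✅ Secret created"
  fi
}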
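#######################################
# Prompt on stdin for a value and store it in the named variable.
# Arguments: $1 - name of the variable to assign
#            $2 - prompt text
#            $3 - "secret" to hide the typed value (read -s); otherwise echoed
# Outputs:   the prompt to stdout, then a newline
# Returns:   0 always; an empty line or EOF leaves the variable empty (= skip)
#######################################
prompt_value() {
  local -r var_name=$1
  local -r prompt=$2
  local -r mode=${3:-}
  printf '%s' "${prompt}"
  # read returns non-zero at EOF; without `|| true` that would silently
  # abort the whole script under set -e whenever stdin is not a terminal.
  if [[ "${mode}" == "secret" ]]; then
    read -r -s "${var_name}" || true
  else
    read -r "${var_name}" || true
  fi
  echo ""
}

#######################################
# Store a value via setup_secret, or report the step as skipped when empty.
# Arguments: $1 - secret name, $2 - value, $3 - human-readable description
#######################################
store_or_skip() {
  if [[ -n "$2" ]]; then
    setup_secret "$1" "$2" "$3"
  else
    echo " ⏭️ Skipped"
  fi
}

# 1. Gemini API Key
echo "1️⃣ Gemini API Key"
prompt_value GEMINI_KEY "Enter your Gemini API Key (or press Enter to skip): " secret
store_or_skip "gemini-api-key" "$GEMINI_KEY" "Gemini API Key"
echo ""
# 2. Turnstile Secret Key (may also be supplied via the TURNSTILE_SECRET_KEY env var)
echo "2️⃣ Cloudflare Turnstile Secret Key"
if [[ -z "${TURNSTILE_SECRET_KEY:-}" ]]; then
  prompt_value TURNSTILE_KEY "Enter your Cloudflare Turnstile Secret Key (or press Enter to skip): " secret
else
  TURNSTILE_KEY="$TURNSTILE_SECRET_KEY"
  echo " Using provided Turnstile secret from environment"
fi
store_or_skip "turnstile-secret-key" "$TURNSTILE_KEY" "Turnstile Secret Key"
echo ""
# 3. Session Secret (optional - generate random if not exists)
echo "3️⃣ Session Secret Key"
if ! gcloud secrets describe session-secret --project="${PROJECT_ID}" >/dev/null 2>&1; then
  # 32 bytes from the OpenSSL CSPRNG, hex-encoded; never typed in by the operator
  SESSION_SECRET=$(openssl rand -hex 32)
  setup_secret "session-secret" "$SESSION_SECRET" "Session Secret"
else
  echo " ℹ️ Session secret already exists"
fi
echo ""
# 4. Upstash Redis URL
echo "4️⃣ Upstash Redis REST URL"
prompt_value UPSTASH_URL "Enter your Upstash Redis REST URL (or press Enter to skip): "
store_or_skip "upstash-redis-url" "$UPSTASH_URL" "Upstash Redis REST URL"
echo ""
# 5. Upstash Redis Token
echo "5️⃣ Upstash Redis REST Token"
prompt_value UPSTASH_TOKEN "Enter your Upstash Redis REST Token (or press Enter to skip): " secret
store_or_skip "upstash-redis-token" "$UPSTASH_TOKEN" "Upstash Redis REST Token"
echo ""
# 6. Cloudflare Purge Token
echo "6️⃣ Cloudflare Purge Token"
prompt_value CF_PURGE_TOKEN "Enter your Cloudflare Purge Token (or press Enter to skip): " secret
store_or_skip "cloudflare-purge-token" "$CF_PURGE_TOKEN" "Cloudflare Purge Token"
echo ""
# 7. Cloudflare Zone ID
echo "7️⃣ Cloudflare Zone ID"
prompt_value CF_ZONE_ID "Enter your Cloudflare Zone ID (or press Enter to skip): "
store_or_skip "cloudflare-zone-id" "$CF_ZONE_ID" "Cloudflare Zone ID"
echo ""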
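# Grant Cloud Run service account access to all secrets
echo "🔓 Granting Cloud Run access to all secrets..."
# NOTE(review): this binds the Compute Engine default SA, which any workload in
# the project without its own identity also runs as; a dedicated runtime SA
# for the Cloud Run service would keep these grants scoped to that one
# service — confirm against deploy-with-secret.sh.
SERVICE_ACCOUNT=$(gcloud iam service-accounts list \
  --filter="displayName:Compute Engine default service account" \
  --format="value(email)" \
  --project="${PROJECT_ID}")
if [[ -z "$SERVICE_ACCOUNT" ]]; then
  # Fall back to the well-known name, which needs the numeric project id
  PROJECT_NUMBER=$(gcloud projects describe "${PROJECT_ID}" --format="value(projectNumber)" 2>/dev/null || true)
  if [[ -z "$PROJECT_NUMBER" ]]; then
    echo " ❌ Could not determine the project number for ${PROJECT_ID}" >&2
    exit 1
  fi
  SERVICE_ACCOUNT="${PROJECT_NUMBER}-compute@developer.gserviceaccount.com"
fi
echo "Using service account: ${SERVICE_ACCOUNT}"
# Grant access to each secret that exists (steps skipped above leave gaps)
ALL_SECRETS=(
  gemini-api-key
  turnstile-secret-key
  session-secret
  upstash-redis-url
  upstash-redis-token
  cloudflare-purge-token
  cloudflare-zone-id
)
for SECRET in "${ALL_SECRETS[@]}"; do
  if gcloud secrets describe "${SECRET}" --project="${PROJECT_ID}" >/dev/null 2>&1; then
    # gcloud's own output is discarded, so report a failure explicitly instead
    # of letting set -e abort the script with no message at all.
    if ! gcloud secrets add-iam-policy-binding "${SECRET}" \
      --member="serviceAccount:${SERVICE_ACCOUNT}" \
      --role="roles/secretmanager.secretAccessor" \
      --project="${PROJECT_ID}" >/dev/null 2>&1; then
      echo " ❌ Failed to grant access for ${SECRET} to ${SERVICE_ACCOUNT}" >&2
      exit 1
    fi
    echo " ✅ Access granted for ${SECRET}"
  fi
done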
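# Grant Cloud Build service account access to Cloudflare secrets
# (needed for cloudbuild.yaml secretEnv in the cache purge step)
echo "🔓 Granting Cloud Build access to Cloudflare secrets..."
PROJECT_NUMBER=$(gcloud projects describe "${PROJECT_ID}" --format="value(projectNumber)" 2>/dev/null || echo "")
if [[ -n "$PROJECT_NUMBER" ]]; then
  # NOTE(review): this is the legacy Cloud Build service account; projects whose
  # builds run as the Compute Engine default SA or a user-specified build SA
  # need that identity bound instead — confirm against cloudbuild.yaml.
  CLOUDBUILD_SA="${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
  CLOUDFLARE_SECRETS=(cloudflare-purge-token cloudflare-zone-id)
  for SECRET in "${CLOUDFLARE_SECRETS[@]}"; do
    if gcloud secrets describe "${SECRET}" --project="${PROJECT_ID}" >/dev/null 2>&1; then
      # gcloud's own output is discarded, so surface a failure explicitly
      # rather than relying on set -e to abort with no message.
      if ! gcloud secrets add-iam-policy-binding "${SECRET}" \
        --member="serviceAccount:${CLOUDBUILD_SA}" \
        --role="roles/secretmanager.secretAccessor" \
        --project="${PROJECT_ID}" >/dev/null 2>&1; then
        echo " ❌ Failed to grant access for ${SECRET} to Cloud Build" >&2
        exit 1
      fi
      echo " ✅ Access granted for ${SECRET} to Cloud Build"
    fi
  done
else
  echo " ⚠️ Could not determine project number, skipping Cloud Build SA grants"
fi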
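echo ""
echo "✅ All secrets configured successfully!"
echo ""
echo "📝 Next Steps:"
echo "1. Update deploy-with-secret.sh if adding new secrets"
echo "2. Deploy your service with: ./deploy-with-secret.sh"
echo ""
echo "🔍 To list all secrets:"
echo " gcloud secrets list --project=${PROJECT_ID}"
echo ""
echo "🔍 To view a specific secret:"
echo " gcloud secrets versions access latest --secret=SECRET_NAME --project=${PROJECT_ID}"
# Make scripts executable. The sibling scripts live next to this one, so resolve
# them relative to the script's own directory rather than the caller's cwd: a
# bare `chmod +x setup-all-secrets.sh` fails under set -e when the script is
# invoked from anywhere else, after success has already been reported.
script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
for helper in setup-all-secrets.sh setup-turnstile-secret.sh deploy-with-secret.sh; do
  if [[ -f "${script_dir}/${helper}" ]]; then
    chmod +x -- "${script_dir}/${helper}"
  else
    echo " ⚠️ ${helper} not found in ${script_dir}; skipping chmod +x" >&2
  fi
done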