Add script to install secrets with aws ssm

For launch template

corgi

@@ -287,6 +287,18 @@ start-bare-metal() {
     source "$here/.env"
     cd "$app_path"
     PYTHONPATH="$app_path:$PYTHONPATH" \
+    STACK_NAME="${STACK_NAME:-}" \
+    TAG="${TAG:-}" \
+    REVISION="${REVISION:-}" \
+    DEPLOYED_AT="${DEPLOYED_AT:-}" \
+    SESSION_SECRET="${SESSION_SECRET:-}" \
+    GITHUB_API_TOKEN="${GITHUB_API_TOKEN:-}" \
+    GITHUB_OAUTH_ID="${GITHUB_OAUTH_ID:-}" \
+    GITHUB_OAUTH_SECRET="${GITHUB_OAUTH_SECRET:-}" \
+    POSTGRES_SERVER="${POSTGRES_SERVER:-}" \
+    POSTGRES_DB="${POSTGRES_DB:-}" \
+    POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-}" \
+    POSTGRES_USER="${POSTGRES_USER:-}" \
     PORT="${PORT:-8080}" \
     MODULE_NAME="${MODULE_NAME:-app.main}" \
     CALLABLE_NAME="${CALLABLE_NAME:-server}" \

scripts/install_secrets.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+: "${SECRETS_NAMESPACE:?}"
+
+here="$(cd "$(dirname "$0")" && pwd)"
+repo_root="$(cd "$here/.." && pwd)"
+env_file="$repo_root/.env"
+# These could probably be arguments instead
+secret_names=(
+    github_api_token
+    github_oauth_id
+    github_oauth_secret
+    postgres_server
+    postgres_db
+    postgres_password
+    postgres_user
+)
+readonly here repo_root env_file secret_names
+
+ends-with() { [[ ${#2} -le ${#1} && "${1:$((${#1}-${#2}))}" == "$2" ]]; }
+starts-with() { [[ ${#2} -le ${#1} && "${1:0:${#2}}" == "$2" ]]; }
+
+get-secrets() {
+    aws ssm get-parameters \
+        --with-decryption \
+        --names "$@" \
+        --output text \
+        --query 'Parameters[*].[Name, Value]'
+}
+
+if ends-with "$SECRETS_NAMESPACE" "/"; then
+    SECRETS_NAMESPACE="${SECRETS_NAMESPACE:0:$((${#SECRETS_NAMESPACE}-1))}"
+fi
+
+names=()
+for secret_name in "${secret_names[@]}"; do
+    # Assume fully qualified secret name if it starts with /
+    if starts-with "$secret_name" "/"; then
+        names+=("$secret_name")
+    else
+        names+=("$SECRETS_NAMESPACE/$secret_name")
+    fi
+done
+
+while IFS=$'\t' read -r secret_name secret_value; do
+    echo -n "$secret_name" | \
+        awk -F/ '{ $0=toupper($NF); gsub(/-/, "_"); printf $0 }'
+    echo -n =
+    echo "$secret_value"
+done < <(get-secrets "${names[@]}") >> "$env_file"