diff --git a/.env.example b/.env.example
index 8f4ffff1..ac8aaca5 100644
--- a/.env.example
+++ b/.env.example
@@ -1,6 +1,10 @@
 # ── Common Platform Environment Variables ──────────────────────
 # Copy to .env and fill in real values.
+# ── Azure Key Vault (optional — secrets fall back to env vars) ─
+# Set this to resolve secrets from AKV instead of .env:
+AZURE_KEYVAULT_URL=https://kv-mywisprai.vault.azure.net
+
 # ── Azure Cosmos DB ────────────────────────────────────────────
 COSMOS_ENDPOINT=https://cosmos-mywisprai.documents.azure.com:443/
 COSMOS_KEY=your-cosmos-key
diff --git a/scripts/seed-keyvault.sh b/scripts/seed-keyvault.sh
new file mode 100755
index 00000000..b4db170b
--- /dev/null
+++ b/scripts/seed-keyvault.sh
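Review bot: The added `AZURE_KEYVAULT_URL` line ships with a concrete vault URL rather than a placeholder, so a developer who follows "Copy to .env and fill in real values" ends up with Key Vault resolution switched on by default, which contradicts the "optional" wording two lines above (assuming the loader treats any non-empty value as enabled). Leaving the line commented out, `# AZURE_KEYVAULT_URL=https://<your-vault>.vault.azure.net`, keeps the feature opt-in and matches how the other placeholder values in this file are presented.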
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# seed-keyvault.sh — Populate Azure Key Vault with all LysnrAI secrets.
+#
+# Prerequisites:
+# 1. az login
+# 2. A .env file with all secret values (or set them as env vars)
+#
+# Usage:
+# ./scripts/seed-keyvault.sh # uses default vault
+# AZURE_KEYVAULT_URL=https://kv-mywisprai.vault.azure.net ./scripts/seed-keyvault.sh
+#
+set -euo pipefail
+
+VAULT_NAME="${AZURE_KEYVAULT_NAME:-kv-mywisprai}"
+
+# Load .env if present
+if [ -f .env ]; then
+ set -a; source .env; set +a
+fi
+
+echo "🔐 Seeding Azure Key Vault: $VAULT_NAME"
+echo ""
+
+# Map: KV secret name → env var name
+declare -A SECRETS=(
+ ["lysnr-cosmos-endpoint"]="COSMOS_ENDPOINT"
+ ["lysnr-cosmos-key"]="COSMOS_KEY"
+ ["lysnr-jwt-secret"]="JWT_SECRET"
+ ["lysnr-stripe-secret-key"]="STRIPE_SECRET_KEY"
+ ["lysnr-stripe-webhook-secret"]="STRIPE_WEBHOOK_SECRET"
+ ["lysnr-billing-internal-key"]="BILLING_INTERNAL_KEY"
+ ["lysnr-blob-connection-string"]="AZURE_BLOB_CONNECTION_STRING"
+ ["lysnr-blob-account-key"]="AZURE_BLOB_ACCOUNT_KEY"
+ ["lysnr-gemini-api-key"]="GEMINI_API_KEY"
+ ["lysnr-seed-secret"]="SEED_SECRET"
+ ["lysnr-azure-speech-key"]="AZURE_SPEECH_KEY"
+ ["lysnr-azure-openai-key"]="AZURE_OPENAI_KEY"
+ ["lysnr-azure-openai-endpoint"]="AZURE_OPENAI_ENDPOINT"
+)
+
+ok=0
+skip=0
+fail=0
+
+for kv_name in "${!SECRETS[@]}"; do
+ env_var="${SECRETS[$kv_name]}"
+ value="${!env_var:-}"
+
+ if [ -z "$value" ]; then
+ echo " ⚠️ SKIP $kv_name ($env_var not set)"
+ ((skip++))
+ continue
+ fi
+
+ if az keyvault secret set \
+ --vault-name "$VAULT_NAME" \
+ --name "$kv_name" \
+ --value "$value" \
+ --output none 2>/dev/null; then
+ echo " ✅ SET $kv_name"
+ ((ok++))
+ else
+ echo " ❌ FAIL $kv_name"
+ ((fail++))
+ fi
+done
+
+echo ""
+echo "Done: $ok set, $skip skipped, $fail failed"
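Review bot: The counters `((skip++))`, `((ok++))` and `((fail++))` abort the script under `set -euo pipefail` on their first use: when the variable is 0 the post-increment expression evaluates to 0, `(( ))` returns status 1, and the loop ends after the first secret it touches. Replace them with `skip=$((skip + 1))`, `ok=$((ok + 1))` and `fail=$((fail + 1))` (or append `|| true`). The usage comment documents `AZURE_KEYVAULT_URL=… ./scripts/seed-keyvault.sh`, but the script only reads `AZURE_KEYVAULT_NAME`, so that invocation silently seeds the default vault; either derive the name from the URL or correct the comment to `AZURE_KEYVAULT_NAME=kv-mywisprai ./scripts/seed-keyvault.sh`. Passing every secret as `--value "$value"` places it in the az process's argv, where any local user can read it from the process table for the duration of the call; `az keyvault secret set --file` reads the value from a file, so writing it to a `mktemp` file with a `trap` cleanup keeps it off the command line. The `2>/dev/null` on the az call discards the only diagnostic behind a "FAIL" line, so consider keeping stderr or redirecting it to a log file.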