Intial commit for deployment script p2

GCR/scripts/03-create-secrets.sh

@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+# =============================================================================
+# 03-create-secrets.sh  (Linux)
+# Creates and configures secrets in Google Cloud Secret Manager.
+#
+# Run this after 02-setup-project.sh to set up sensitive configuration
+# values (e.g., MongoDB connection string).
+#
+# Windows users: run GCR/scripts/03-create-secrets.ps1 in PowerShell instead.
+# =============================================================================
+set -euo pipefail
+
+if [[ "$(uname -s)" != "Linux" ]]; then
+    echo "ERROR: This script is for Linux only."
+    echo "Windows users: run GCR/scripts/03-create-secrets.ps1"
+    exit 1
+fi
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# ── Load .env ─────────────────────────────────────────────────────────────────
+ENV_FILE="$SCRIPT_DIR/../.env"
+if [[ ! -f "$ENV_FILE" ]]; then
+    echo "ERROR: $ENV_FILE not found."
+    echo "Copy GCR/.env.example to GCR/.env and fill in your values first."
+    exit 1
+fi
+# shellcheck disable=SC1090
+source "$ENV_FILE"
+
+: "${GCP_PROJECT_ID:?GCP_PROJECT_ID is not set in .env}"
+
+echo "================================================================"
+echo "  Google Cloud Secret Manager setup"
+echo "================================================================"
+echo "  Project: $GCP_PROJECT_ID"
+echo ""
+
+# ── Helper function to create or update a secret ──────────────────────────────
+create_or_update_secret() {
+    local SECRET_NAME="$1"
+    local SECRET_PROMPT="$2"
+
+    echo ">>> Setting up secret: $SECRET_NAME"
+    echo "    $SECRET_PROMPT"
+    read -rsp "    Enter value (will not be echoed): " SECRET_VALUE
+    echo ""
+
+    if gcloud secrets describe "$SECRET_NAME" --project="$GCP_PROJECT_ID" &>/dev/null; then
+        echo "    Secret already exists — creating new version..."
+        printf '%s' "$SECRET_VALUE" | gcloud secrets versions add "$SECRET_NAME" \
+            --data-file=- \
+            --project="$GCP_PROJECT_ID"
+    else
+        echo "    Creating new secret..."
+        printf '%s' "$SECRET_VALUE" | gcloud secrets create "$SECRET_NAME" \
+            --data-file=- \
+            --replication-policy="automatic" \
+            --project="$GCP_PROJECT_ID"
+    fi
+
+    echo "    ✓ Secret '$SECRET_NAME' ready."
+    echo ""
+}
+
+# ── Step 1: Create MongoDB connection string secret ──────────────────────────
+create_or_update_secret \
+    "mongodb-connection-string" \
+    "MongoDB Atlas or self-hosted connection URI (e.g., mongodb+srv://user:pass@cluster.mongodb.net)"
+
+# ── Step 2: Grant Cloud Run service account access to secrets ─────────────────
+echo ">>> Granting Cloud Run service account access to secrets..."
+echo ""
+
+# Get the default Cloud Run service account for this project
+SERVICE_ACCOUNT="$GCP_PROJECT_ID@appspot.gserviceaccount.com"
+
+for SECRET_NAME in mongodb-connection-string; do
+    echo "    Granting Secret Accessor role for '$SECRET_NAME' to $SERVICE_ACCOUNT"
+    gcloud secrets add-iam-policy-binding "$SECRET_NAME" \
+        --member="serviceAccount:$SERVICE_ACCOUNT" \
+        --role="roles/secretmanager.secretAccessor" \
+        --project="$GCP_PROJECT_ID" \
+        --quiet
+done
+
+echo ""
+echo "================================================================"
+echo "  Secret Manager setup complete!"
+echo "================================================================"
+echo ""
+echo ">>> Summary:"
+echo "    Secrets created:"
+echo "      • mongodb-connection-string"
+echo ""
+echo "    Service account granted access:"
+echo "      • $SERVICE_ACCOUNT"
+echo ""
+echo ">>> Next step: run GCR/scripts/04-deploy.sh"
+echo "    (The deploy script will automatically inject secrets into"
+echo "     the running container.)"