the_order/scripts/deploy/phase8-secrets.sh
defiQUG 8649ad4124 feat: implement naming convention, deployment automation, and infrastructure updates
- Add comprehensive naming convention (provider-region-resource-env-purpose)
- Implement Terraform locals for centralized naming
- Update all Terraform resources to use new naming convention
- Create deployment automation framework (18 phase scripts)
- Add Azure setup scripts (provider registration, quota checks)
- Update deployment scripts config with naming functions
- Create complete deployment documentation (guide, steps, quick reference)
- Add frontend portal implementations (public and internal)
- Add UI component library (18 components)
- Enhance Entra VerifiedID integration with file utilities
- Add API client package for all services
- Create comprehensive documentation (naming, deployment, next steps)

Infrastructure:
- Resource groups, storage accounts with new naming
- Terraform configuration updates
- Outputs with naming convention examples

Deployment:
- Automated deployment scripts for all 15 phases
- State management and logging
- Error handling and validation

Documentation:
- Naming convention guide and implementation summary
- Complete deployment guide (296 steps)
- Next steps and quick start guides
- Azure prerequisites and setup completion docs

Note: ESLint warnings present - will be addressed in follow-up commit
2025-11-12 08:22:51 -08:00


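#!/bin/bash
#
# Phase 8: Secrets Configuration
# Store secrets in Azure Key Vault
# Note: Some secrets may need to be set manually
#
# Reads KEY_VAULT_NAME, AKS_RESOURCE_GROUP and ENVIRONMENT, and optionally
# DATABASE_URL. The log_*, error_exit and save_state helpers are not defined
# in this file; they are presumably provided by config.sh.
#
# Secret handling in this script:
#   - Secret values are handed to the Azure CLI through a private temporary
#     file (--file) rather than --value, so they do not appear in the process
#     argument list while the command runs.
#   - `az keyvault secret set` prints the stored secret bundle to stdout by
#     default; --output none keeps the value out of deployment logs.
#   - An existence check that fails for a reason other than "secret not found"
#     is never treated as "missing", so a transient or permission error cannot
#     cause an existing JWT secret to be replaced.
#

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${SCRIPT_DIR}/config.sh"

#######################################
# Check whether a secret exists in the Key Vault.
# Globals:   KEY_VAULT_NAME (read)
# Arguments: $1 - secret name
# Outputs:   the CLI error text on stderr when the check is inconclusive
# Returns:   0 if the secret exists, 1 if Key Vault reports SecretNotFound,
#            2 for any other failure (auth, network, permissions, ...)
#######################################
secret_exists() {
  local name=$1
  local err
  # Query the id only and discard stdout: the secret value is never needed
  # to decide whether the secret exists.
  if err=$(az keyvault secret show \
    --vault-name "${KEY_VAULT_NAME}" \
    --name "${name}" \
    --query id \
    --output none 2>&1 >/dev/null); then
    return 0
  fi
  if [[ "${err}" == *SecretNotFound* ]]; then
    return 1
  fi
  printf '%s\n' "${err}" >&2
  return 2
}

#######################################
# Store a secret value in the Key Vault without exposing it in argv or logs.
# Globals:   KEY_VAULT_NAME (read)
# Arguments: $1 - secret name
#            $2 - secret value
# Returns:   0 on success, non-zero if the temp file or the CLI call failed
#######################################
store_secret() {
  local name=$1
  local value=$2
  local tmp
  local rc=0

  # mktemp creates the file readable by the current user only.
  tmp=$(mktemp) || return 1

  # printf is a shell builtin, so the value is not passed to a child process
  # as an argument; '%s' without a newline stores the value unchanged.
  printf '%s' "${value}" > "${tmp}" || rc=$?

  if (( rc == 0 )); then
    az keyvault secret set \
      --vault-name "${KEY_VAULT_NAME}" \
      --name "${name}" \
      --file "${tmp}" \
      --encoding utf-8 \
      --output none \
      || rc=$?
  fi

  # Remove the plaintext copy on every path out of this function.
  rm -f -- "${tmp}"
  return "${rc}"
}

log_info "=========================================="
log_info "Phase 8: Secrets Configuration"
log_info "=========================================="

# Verify Key Vault exists
log_step "8.1 Verifying Azure Key Vault..."
KV_EXISTS=$(az keyvault show \
  --name "${KEY_VAULT_NAME}" \
  --resource-group "${AKS_RESOURCE_GROUP}" \
  --query name -o tsv 2>/dev/null || echo "")

if [[ -z "${KV_EXISTS}" ]]; then
  error_exit "Key Vault ${KEY_VAULT_NAME} not found. Create it first with Terraform."
fi
log_success "Key Vault found: ${KEY_VAULT_NAME}"

# Store database URL if provided
if [[ -n "${DATABASE_URL:-}" ]]; then
  log_step "8.2 Storing database URL..."
  # Failure stays a warning (best effort), but success is only reported when
  # the write actually succeeded.
  if store_secret "database-url-${ENVIRONMENT}" "${DATABASE_URL}"; then
    log_success "Database URL stored"
  else
    log_warning "Failed to store database URL"
  fi
fi

# Check for Entra secrets
# NOTE(review): these names (and jwt-secret below) carry no -${ENVIRONMENT}
# suffix while database-url does - confirm this is intended if several
# environments share one vault.
log_step "8.3 Checking Entra ID secrets..."
ENTRA_SECRETS=("entra-tenant-id" "entra-client-id" "entra-client-secret" "entra-credential-manifest-id")
MISSING_SECRETS=()
UNVERIFIED_SECRETS=()

for secret in "${ENTRA_SECRETS[@]}"; do
  rc=0
  secret_exists "${secret}" || rc=$?
  case "${rc}" in
    0) ;;
    1) MISSING_SECRETS+=("${secret}") ;;
    *) UNVERIFIED_SECRETS+=("${secret}") ;;
  esac
done

if (( ${#MISSING_SECRETS[@]} > 0 )); then
  log_warning "Missing Entra ID secrets: ${MISSING_SECRETS[*]}"
  log_info "Run: ./scripts/deploy/store-entra-secrets.sh"
fi
if (( ${#UNVERIFIED_SECRETS[@]} > 0 )); then
  log_warning "Could not verify Entra ID secrets: ${UNVERIFIED_SECRETS[*]}"
fi
if (( ${#MISSING_SECRETS[@]} == 0 && ${#UNVERIFIED_SECRETS[@]} == 0 )); then
  log_success "All Entra ID secrets found"
fi

# Store JWT secret if not exists
log_step "8.4 Storing JWT secret..."
rc=0
secret_exists "jwt-secret" || rc=$?
case "${rc}" in
  0)
    log_success "JWT secret already exists"
    ;;
  1)
    JWT_SECRET=$(openssl rand -base64 32) \
      || error_exit "Failed to generate JWT secret"
    store_secret "jwt-secret" "${JWT_SECRET}" \
      || error_exit "Failed to store JWT secret"
    # Drop the plaintext from the shell environment once it is stored.
    unset JWT_SECRET
    log_success "JWT secret generated and stored"
    ;;
  *)
    # Writing a new version here would silently rotate the signing secret
    # if the existing one was merely unreadable.
    error_exit "Could not determine whether jwt-secret exists; not generating a new one"
    ;;
esac

log_info "Secrets configuration complete"
log_info "Note: Additional secrets may need to be set manually"
log_info "See docs/deployment/DEPLOYMENT_GUIDE.md Phase 8 for complete list"

# Save state
save_state "phase8" "complete"

log_success "=========================================="
log_success "Phase 8: Secrets Configuration - COMPLETE"
log_success "=========================================="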