[infra] vault + chsettle + aurora for dev

ci/prod/scripts/deploy/bff.sh

@@ -20,8 +20,6 @@ REQUIRED_SECRETS=(
   MONGO_USER
   MONGO_PASSWORD
   API_ENDPOINT_SECRET
-  BFF_VAULT_ROLE_ID
-  BFF_VAULT_SECRET_ID
   NATS_USER
   NATS_PASSWORD
   NATS_URL
@@ -46,8 +44,8 @@ b64enc() {
 MONGO_USER_B64="$(b64enc "${MONGO_USER}")"
 MONGO_PASSWORD_B64="$(b64enc "${MONGO_PASSWORD}")"
 API_ENDPOINT_SECRET_B64="$(b64enc "${API_ENDPOINT_SECRET}")"
-BFF_VAULT_ROLE_ID_B64="$(b64enc "${BFF_VAULT_ROLE_ID}")"
-BFF_VAULT_SECRET_ID_B64="$(b64enc "${BFF_VAULT_SECRET_ID}")"
+BFF_VAULT_ROLE_ID_B64="$(b64enc "${BFF_VAULT_ROLE_ID:-}")"
+BFF_VAULT_SECRET_ID_B64="$(b64enc "${BFF_VAULT_SECRET_ID:-}")"
 NATS_USER_B64="$(b64enc "${NATS_USER}")"
 NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
 NATS_URL_B64="$(b64enc "${NATS_URL}")"
@@ -114,6 +112,9 @@ load_kv_file() {
   done <"$file"
 }
 load_kv_file ../env/.env.version
+if [[ -f ../env/vault.env ]]; then
+  load_kv_file ../env/vault.env
+fi
 set +a
 
 IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
@@ -146,6 +147,10 @@ NATS_URL="$(decode_b64 "$NATS_URL_B64")"
 export MONGO_USER MONGO_PASSWORD API_ENDPOINT_SECRET
 export BFF_VAULT_ROLE_ID BFF_VAULT_SECRET_ID
 export NATS_USER NATS_PASSWORD NATS_URL
+if [[ -z "${BFF_VAULT_ROLE_ID:-}" || -z "${BFF_VAULT_SECRET_ID:-}" ]]; then
+  echo "missing required secret env: BFF_VAULT_ROLE_ID/BFF_VAULT_SECRET_ID" >&2
+  exit 65
+fi
 COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
 export COMPOSE_PROJECT_NAME
 read -r -a SERVICES <<<"${SERVICES_LINE}"