From 4020f310cefec2511d834967431b60707dcead8a Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sun, 20 Mar 2022 10:20:25 +0000
Subject: [PATCH] ops/vault: destroy existing secrets before provisioning a new one

---
 ops/vault/default.nix | 3 +++
 ops/vault/reissue-secret-id.sh | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/ops/vault/default.nix b/ops/vault/default.nix
index 6ec9f21681..1c3e66e3c6 100644
--- a/ops/vault/default.nix
+++ b/ops/vault/default.nix
@@ -27,6 +27,9 @@
 exit $RET
 fi
 echo "$SECRET_ID" > /var/lib/vault-agent/secret-id
+
+ systemctl restart vault-agent
+ systemctl restart secretsmgr || true
 '';
 };
 }
diff --git a/ops/vault/reissue-secret-id.sh b/ops/vault/reissue-secret-id.sh
index 0a144e2b38..ae0e8bf5d8 100755
--- a/ops/vault/reissue-secret-id.sh
+++ b/ops/vault/reissue-secret-id.sh
@@ -10,5 +10,11 @@ export VAULT_ADDR=https://vault.int.lukegb.com/
 echo Checking login credentials... >&2
 vault token lookup >/dev/null || vault login -method=oidc role=admin >&2
 
+echo Destroying existing secrets for that server... >&2
+vault list -format=json "auth/approle/role/${server_name}/secret-id" | jq -r '.[]' | while read -r secret_id_accessor; do
+ echo -ne "\t$secret_id_accessor\n"
+ vault write "auth/approle/role/${server_name}/secret-id-accessor/destroy" secret_id_accessor="${secret_id_accessor}"
+done
+
 echo Creating new secret... >&2
-vault write -f -format=json -wrap-ttl=3m auth/approle/role/${server_name}/secret-id | jq -r '.wrap_info.token'
+vault write -f -format=json -wrap-ttl=3m "auth/approle/role/${server_name}/secret-id" | jq -r '.wrap_info.token'
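Review bot: The exit status of the new `systemctl restart vault-agent` line is never checked, so a failed restart leaves the freshly written secret-id unused while the script still ends successfully; the earlier `exit $RET` in this hunk suggests the embedded script relies on explicit checks rather than `set -e` (the script's header is outside the hunk, so this is inferred). I would write `systemctl restart vault-agent || { echo "vault-agent restart failed" >&2; exit 1; }`. The `|| true` on the secretsmgr restart swallows its failure silently; if the intent is that not every host runs secretsmgr, a one-line comment saying so (and an `echo ... >&2` in place of `true`) would make that explicit. The enclosing shell string and Nix attribute start and end outside this hunk.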
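Review bot: The `echo -ne "\t$secret_id_accessor\n"` inside the new loop prints to stdout, while every other status message in this hunk is redirected to stderr and stdout is where the final `jq -r '.wrap_info.token'` emits the wrapping token; a caller capturing the script's output to obtain the token will now receive the accessor list mixed into it. Use `printf '\t%s\n' "$secret_id_accessor" >&2` instead (`echo -ne` is also non-portable). Separately, neither `vault list` nor the per-accessor `vault write .../destroy` has its status checked, so a destroy that fails leaves an old secret-id alive and the script still issues a new one; `vault list` may exit non-zero when the role has no secret-ids yet, which would matter if the script's header (outside this hunk) enables `set -e -o pipefail`. I would capture the accessor list first, then abort on any failed destroy.
```shell
echo Destroying existing secrets for that server... >&2
# vault list may exit non-zero when the role has no secret-ids yet — confirm; treat that as an empty list
existing=$(vault list -format=json "auth/approle/role/${server_name}/secret-id") || existing='[]'
mapfile -t accessors < <(jq -r '.[]' <<<"$existing")
for secret_id_accessor in "${accessors[@]}"; do
  printf '\t%s\n' "$secret_id_accessor" >&2
  vault write "auth/approle/role/${server_name}/secret-id-accessor/destroy" secret_id_accessor="${secret_id_accessor}" \
    || { echo "failed to destroy ${secret_id_accessor}" >&2; exit 1; }
done
# … unchanged: creating new secret …
```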