From 6f5ea3d9f96ffa9718143bc47ee411bde4ae1e13 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Thu, 6 Nov 2025 21:36:32 +0000
Subject: [PATCH] db: Switch to aws databag for wal-g
---
 cookbooks/db/recipes/base.rb | 5 +++--
 cookbooks/db/templates/default/wal-e.erb | 10 ----------
 cookbooks/db/templates/default/wal-g.erb | 4 ++--
 test/data_bags/db/aws.json | 5 +++++
 test/data_bags/db/wal-secrets.json | 4 ----
 5 files changed, 10 insertions(+), 18 deletions(-)
 delete mode 100644 cookbooks/db/templates/default/wal-e.erb
 create mode 100644 test/data_bags/db/aws.json
 delete mode 100644 test/data_bags/db/wal-secrets.json
diff --git a/cookbooks/db/recipes/base.rb b/cookbooks/db/recipes/base.rb
index 0cf57cf71..aa1e29b70 100644
--- a/cookbooks/db/recipes/base.rb
+++ b/cookbooks/db/recipes/base.rb
@@ -23,7 +23,7 @@ include_recipe "postgresql"
 include_recipe "python"
 include_recipe "ruby"
-wal_secrets = data_bag_item("db", "wal-secrets")
+aws_credentials = data_bag_item("db", "aws")
 package %w[
 cmake
@@ -97,5 +97,6 @@ template "/usr/local/bin/openstreetmap-wal-g" do
 owner "root"
 group "postgres"
 mode "750"
- variables :s3_key => wal_secrets["s3_key"]
+ variables :aws_credentials => aws_credentials
+ sensitive true
 end
diff --git a/cookbooks/db/templates/default/wal-e.erb b/cookbooks/db/templates/default/wal-e.erb
deleted file mode 100644
index b4c13bd1d..000000000
--- a/cookbooks/db/templates/default/wal-e.erb
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/sh
-
-# DO NOT EDIT - This file is being maintained by Chef
-
-export WALE_S3_PREFIX="s3://openstreetmap-wal/"
-export AWS_ACCESS_KEY_ID="AKIAIQX2LTDOBIW4CZUQ"
-export AWS_SECRET_ACCESS_KEY="<%= @s3_key %>"
-export AWS_REGION="eu-west-2"
-
-exec /usr/local/bin/wal-e "$@" < /dev/null
diff --git a/cookbooks/db/templates/default/wal-g.erb b/cookbooks/db/templates/default/wal-g.erb
index 2297fd4ab..434fba791 100644
--- a/cookbooks/db/templates/default/wal-g.erb
+++ b/cookbooks/db/templates/default/wal-g.erb
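Review bot: Nothing checks that the `db`/`aws` item actually carries `wal_access_key_id` and `wal_secret_access_key` after `aws_credentials = data_bag_item("db", "aws")`. A missing or misspelt key would reach the template as nil and render as an empty string, so the wrapper would be written with blank credentials and the problem would only surface when wal-g next runs. A guard directly after the lookup makes the converge fail instead, e.g. `%w[wal_access_key_id wal_secret_access_key].each { |k| raise "db/aws data bag item is missing #{k}" if aws_credentials[k].to_s.empty? }`. The recipe continues outside this hunk.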
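Review bot: `variables :aws_credentials => aws_credentials` hands the whole data bag item to the template although wal-g.erb reads only two keys from it. If the `aws` item later holds credentials for other services (the `wal_` prefix on the key names suggests it may), all of them become reachable from this template. Passing just the values that are needed keeps the scope tight: `variables :access_key_id => aws_credentials["wal_access_key_id"], :secret_access_key => aws_credentials["wal_secret_access_key"]`, with the template updated to match. The resource opens above the hunk, so its other properties are not visible here.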
@@ -4,8 +4,8 @@
 export WALG_S3_PREFIX="s3://openstreetmap-wal/"
 export WALG_COMPRESSION_METHOD="lz4"
-export AWS_ACCESS_KEY_ID="AKIAIQX2LTDOBIW4CZUQ"
-export AWS_SECRET_ACCESS_KEY="<%= @s3_key %>"
+export AWS_ACCESS_KEY_ID="<%= @aws_credentials["wal_access_key_id"] %>"
+export AWS_SECRET_ACCESS_KEY="<%= @aws_credentials["wal_secret_access_key"] %>"
 export AWS_REGION="eu-west-2"
 exec /usr/local/bin/wal-g "$@" < /dev/null
diff --git a/test/data_bags/db/aws.json b/test/data_bags/db/aws.json
new file mode 100644
index 000000000..553bd3cdf
--- /dev/null
+++ b/test/data_bags/db/aws.json
@@ -0,0 +1,5 @@
+{
+ "id": "aws",
+ "wal_access_key_id": "AKIAWLACCESSKEYIDEXAMPLE",
+ "wal_secret_access_key": "WALSECRETACCESSKEYEXAMPLE"
+}
diff --git a/test/data_bags/db/wal-secrets.json b/test/data_bags/db/wal-secrets.json
deleted file mode 100644
index 6f558f217..000000000
--- a/test/data_bags/db/wal-secrets.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "id": "wal-secrets",
- "s3_key": "s3-key"
-}
--
2.39.5
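Review bot: Both `<%= ... %>` values land inside double-quoted sh strings with no escaping, so a value containing a double quote, `$`, a backquote or a backslash would be expanded by the shell or break the wrapper each time it runs. AWS-issued keys do not normally contain those characters, but the script should not depend on what the data bag happens to hold. Emitting a shell-escaped word is sturdier, e.g. `export AWS_SECRET_ACCESS_KEY=<%= Shellwords.escape(@aws_credentials["wal_secret_access_key"]) %>`, and the same for `AWS_ACCESS_KEY_ID`. Shellwords is part of the Ruby standard library; confirm it is loaded in the template context.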