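#!/bin/bash
# Script to unseal Vault.
#
# Reads unseal keys from a local file and submits them to Vault's
# sys/unseal endpoint until Vault reports that it is unsealed.
#
# Security notes for reviewers:
#   - The unseal keys are stored in plaintext on disk (UNSEAL_KEYS_FILE).
#     Anyone who can read that file can unseal Vault, so it must be
#     owned by root and not readable by group/other. Keeping a full
#     quorum of keys next to the Vault they protect largely removes the
#     protection sealing provides; an auto-unseal mechanism backed by a
#     KMS/HSM is the usual alternative.
#   - VAULT_ADDR is filled in by the template. The keys are sent to that
#     address, so it should be an https:// URL - TODO confirm.
#   - Keys are passed to curl on stdin, never on the command line, so
#     they do not show up in the process list. Do not run this script
#     with `set -x`, which would print them.
set -euo pipefail

VAULT_ADDR='<%= @vault_address %>'
UNSEAL_KEYS_FILE='/etc/vault/unseal_keys'
readonly VAULT_ADDR UNSEAL_KEYS_FILE

# Print a message to stderr and abort with a non-zero status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Check if Vault is sealed. A failed request or an unparsable response
# must not be mistaken for "already unsealed", so only the literal
# values true/false are accepted.
is_sealed=$(curl -sS --fail "${VAULT_ADDR}/v1/sys/seal-status" | jq -r '.sealed') \
  || die "Could not read the seal status from ${VAULT_ADDR}."

case "$is_sealed" in
  false)
    echo "Vault is already unsealed."
    exit 0
    ;;
  true)
    ;;
  *)
    die "Unexpected seal status '${is_sealed}'; refusing to continue."
    ;;
esac

# Retrieve unseal keys from the plaintext file. Keys are separated by
# any whitespace (spaces, tabs or newlines); reading into an array
# avoids glob expansion of the file contents.
[[ -r "$UNSEAL_KEYS_FILE" ]] || die "Cannot read ${UNSEAL_KEYS_FILE}."
unseal_keys=()
# read returns non-zero at end of file even when it filled the array.
read -r -d '' -a unseal_keys < "$UNSEAL_KEYS_FILE" || true
(( ${#unseal_keys[@]} > 0 )) || die "No unseal keys found in ${UNSEAL_KEYS_FILE}."

# Loop through the unseal keys and use them to unseal Vault. Stop as
# soon as Vault reports it is unsealed so that no more keys than
# necessary are sent.
for key in "${unseal_keys[@]}"; do
  # jq builds the JSON body so the key is escaped correctly; the body
  # reaches curl on stdin (--data @-) rather than in its arguments.
  response=$(printf '%s' "$key" \
    | jq -Rc '{key: .}' \
    | curl -sS --fail --request PUT --data @- "${VAULT_ADDR}/v1/sys/unseal") \
    || die "Unseal request to ${VAULT_ADDR} failed."

  is_sealed=$(jq -r '.sealed' <<<"$response") \
    || die "Could not parse the unseal response."
  if [[ "$is_sealed" == "false" ]]; then
    break
  fi
done

# Only claim success when Vault itself says it is unsealed.
[[ "$is_sealed" == "false" ]] \
  || die "Vault is still sealed after submitting all keys from ${UNSEAL_KEYS_FILE}."

echo "Vault has been unsealed."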