Fix variable handling

Author: azvoleff

.github/workflows/codedeploy_production.yml

@@ -203,81 +203,82 @@ jobs:
       run: |
         # Generate prod.env with secrets from GitHub
         # This file is included in the deployment package and copied to the server
-        # All values are single-quoted to prevent shell interpretation of special characters
+        # Values are NOT quoted - Docker env_file reads quotes as literal characters
+        # The CodeDeploy scripts use safe_source_env() to handle special chars in values
         {
           echo "# Generated by GitHub Actions"
           echo "# Commit: ${{ github.sha }}"
           echo ""
           echo "# ECR Images (pre-built in CI)"
-          echo "ECR_REGISTRY='$ECR_REGISTRY'"
-          echo "API_IMAGE='$API_IMAGE'"
+          echo "ECR_REGISTRY=$ECR_REGISTRY"
+          echo "API_IMAGE=$API_IMAGE"
           echo ""
           echo "# Environment"
-          echo "ENVIRONMENT='production'"
-          echo "DEBUG='False'"
-          echo "TESTING='false'"
+          echo "ENVIRONMENT=production"
+          echo "DEBUG=False"
+          echo "TESTING=false"
           echo ""
           echo "# Flask/API Configuration"
-          echo "SECRET_KEY='$SECRET_KEY'"
-          echo "JWT_SECRET_KEY='$JWT_SECRET_KEY'"
-          echo "API_ENVIRONMENT_USER='$API_ENVIRONMENT_USER'"
-          echo "API_ENVIRONMENT_USER_PASSWORD='$API_ENVIRONMENT_USER_PASSWORD'"
+          echo "SECRET_KEY=$SECRET_KEY"
+          echo "JWT_SECRET_KEY=$JWT_SECRET_KEY"
+          echo "API_ENVIRONMENT_USER=$API_ENVIRONMENT_USER"
+          echo "API_ENVIRONMENT_USER_PASSWORD=$API_ENVIRONMENT_USER_PASSWORD"
           echo ""
           echo "# Database Configuration"
-          echo "DATABASE_URL='$DATABASE_URL'"
+          echo "DATABASE_URL=$DATABASE_URL"
           echo ""
           echo "# Redis Configuration (uses stack Redis service)"
-          echo "REDIS_URL='redis://redis:6379/0'"
+          echo "REDIS_URL=redis://redis:6379/0"
           echo ""
           echo "# Rate Limiting"
-          echo "RATE_LIMITING_ENABLED='$RATE_LIMITING_ENABLED'"
-          echo "RATE_LIMIT_STORAGE_URI='redis://redis:6379/1'"
-          echo "DEFAULT_LIMITS='$RATE_LIMIT_DEFAULT_LIMITS'"
-          echo "API_LIMITS='$RATE_LIMIT_API_LIMITS'"
-          echo "AUTH_LIMITS='$RATE_LIMIT_AUTH_LIMITS'"
-          echo "PASSWORD_RESET_LIMITS='$RATE_LIMIT_PASSWORD_RESET_LIMITS'"
-          echo "USER_CREATION_LIMITS='$RATE_LIMIT_USER_CREATION_LIMITS'"
-          echo "EXECUTION_RUN_LIMITS='$RATE_LIMIT_EXECUTION_RUN_LIMITS'"
-          echo "TRUSTED_PROXY_COUNT='$RATE_LIMIT_TRUSTED_PROXY_COUNT'"
-          echo "INTERNAL_NETWORKS='$RATE_LIMIT_INTERNAL_NETWORKS'"
+          echo "RATE_LIMITING_ENABLED=$RATE_LIMITING_ENABLED"
+          echo "RATE_LIMIT_STORAGE_URI=redis://redis:6379/1"
+          echo "DEFAULT_LIMITS=$RATE_LIMIT_DEFAULT_LIMITS"
+          echo "API_LIMITS=$RATE_LIMIT_API_LIMITS"
+          echo "AUTH_LIMITS=$RATE_LIMIT_AUTH_LIMITS"
+          echo "PASSWORD_RESET_LIMITS=$RATE_LIMIT_PASSWORD_RESET_LIMITS"
+          echo "USER_CREATION_LIMITS=$RATE_LIMIT_USER_CREATION_LIMITS"
+          echo "EXECUTION_RUN_LIMITS=$RATE_LIMIT_EXECUTION_RUN_LIMITS"
+          echo "TRUSTED_PROXY_COUNT=$RATE_LIMIT_TRUSTED_PROXY_COUNT"
+          echo "INTERNAL_NETWORKS=$RATE_LIMIT_INTERNAL_NETWORKS"
           echo ""
           echo "# Google Earth Engine"
-          echo "EE_SERVICE_ACCOUNT_JSON='$EE_SERVICE_ACCOUNT_JSON'"
-          echo "GOOGLE_PROJECT_ID='$GOOGLE_PROJECT_ID'"
-          echo "GEE_ENDPOINT='$GEE_ENDPOINT'"
-          echo "GOOGLE_OAUTH_CLIENT_ID='$GOOGLE_OAUTH_CLIENT_ID'"
-          echo "GOOGLE_OAUTH_CLIENT_SECRET='$GOOGLE_OAUTH_CLIENT_SECRET'"
-          echo "GOOGLE_OAUTH_REDIRECT_URI='$GOOGLE_OAUTH_REDIRECT_URI'"
+          echo "EE_SERVICE_ACCOUNT_JSON=$EE_SERVICE_ACCOUNT_JSON"
+          echo "GOOGLE_PROJECT_ID=$GOOGLE_PROJECT_ID"
+          echo "GEE_ENDPOINT=$GEE_ENDPOINT"
+          echo "GOOGLE_OAUTH_CLIENT_ID=$GOOGLE_OAUTH_CLIENT_ID"
+          echo "GOOGLE_OAUTH_CLIENT_SECRET=$GOOGLE_OAUTH_CLIENT_SECRET"
+          echo "GOOGLE_OAUTH_REDIRECT_URI=$GOOGLE_OAUTH_REDIRECT_URI"
           echo ""
           echo "# Rollbar Error Tracking"
-          echo "ROLLBAR_SCRIPT_TOKEN='$ROLLBAR_SCRIPT_TOKEN'"
-          echo "ROLLBAR_SERVER_TOKEN='$ROLLBAR_SERVER_TOKEN'"
+          echo "ROLLBAR_SCRIPT_TOKEN=$ROLLBAR_SCRIPT_TOKEN"
+          echo "ROLLBAR_SERVER_TOKEN=$ROLLBAR_SERVER_TOKEN"
           echo ""
           echo "# API URLs"
-          echo "API_PUBLIC_URL='$API_PUBLIC_URL'"
-          echo "API_INTERNAL_URL='http://api:3000'"
+          echo "API_PUBLIC_URL=$API_PUBLIC_URL"
+          echo "API_INTERNAL_URL=http://api:3000"
           echo ""
           echo "# S3 Configuration (uses EC2 instance role for credentials)"
-          echo "SCRIPTS_S3_BUCKET='$SCRIPTS_S3_BUCKET'"
-          echo "SCRIPTS_S3_PREFIX='$SCRIPTS_S3_PREFIX'"
-          echo "PARAMS_S3_BUCKET='$PARAMS_S3_BUCKET'"
-          echo "PARAMS_S3_PREFIX='$PARAMS_S3_PREFIX'"
+          echo "SCRIPTS_S3_BUCKET=$SCRIPTS_S3_BUCKET"
+          echo "SCRIPTS_S3_PREFIX=$SCRIPTS_S3_PREFIX"
+          echo "PARAMS_S3_BUCKET=$PARAMS_S3_BUCKET"
+          echo "PARAMS_S3_PREFIX=$PARAMS_S3_PREFIX"
           echo ""
           echo "# Docker Configuration"
-          echo "REGISTRY_URL='$REGISTRY_URL'"
-          echo "DOCKER_SUBNET='$DOCKER_SUBNET'"
-          echo "EXECUTION_SUBNET='$EXECUTION_SUBNET'"
+          echo "REGISTRY_URL=$REGISTRY_URL"
+          echo "DOCKER_SUBNET=$DOCKER_SUBNET"
+          echo "EXECUTION_SUBNET=$EXECUTION_SUBNET"
           echo ""
           echo "# Email Configuration (SparkPost)"
-          echo "SPARKPOST_API_KEY='$SPARKPOST_API_KEY'"
+          echo "SPARKPOST_API_KEY=$SPARKPOST_API_KEY"
           echo ""
           echo "# CORS Configuration"
-          echo "CORS_ORIGINS='$CORS_ORIGINS'"
+          echo "CORS_ORIGINS=$CORS_ORIGINS"
           echo ""
           echo "# Deployment info"
-          echo "GIT_REVISION='${{ github.sha }}'"
-          echo "GIT_BRANCH='${{ github.ref_name }}'"
-          echo "DEPLOYMENT_ENVIRONMENT='production'"
+          echo "GIT_REVISION=${{ github.sha }}"
+          echo "GIT_BRANCH=${{ github.ref_name }}"
+          echo "DEPLOYMENT_ENVIRONMENT=production"
         } > prod.env
         echo "✅ Created prod.env with $(wc -l < prod.env) lines"
 

.github/workflows/codedeploy_staging.yml

@@ -213,92 +213,93 @@ jobs:
       run: |
         # Generate staging.env with secrets from GitHub
         # This file is included in the deployment package and copied to the server
-        # All values are single-quoted to prevent shell interpretation of special characters
+        # Values are NOT quoted - Docker env_file reads quotes as literal characters
+        # The CodeDeploy scripts use safe_source_env() to handle special chars in values
         {
           echo "# Generated by GitHub Actions"
           echo "# Commit: ${{ github.sha }}"
           echo ""
           echo "# ECR Images (pre-built in CI)"
-          echo "ECR_REGISTRY='$ECR_REGISTRY'"
-          echo "API_IMAGE='$API_IMAGE'"
+          echo "ECR_REGISTRY=$ECR_REGISTRY"
+          echo "API_IMAGE=$API_IMAGE"
           echo ""
           echo "# Environment"
-          echo "ENVIRONMENT='staging'"
-          echo "DEBUG='False'"
-          echo "TESTING='false'"
+          echo "ENVIRONMENT=staging"
+          echo "DEBUG=False"
+          echo "TESTING=false"
           echo ""
           echo "# Flask/API Configuration"
-          echo "SECRET_KEY='$SECRET_KEY'"
-          echo "JWT_SECRET_KEY='$JWT_SECRET_KEY'"
-          echo "API_ENVIRONMENT_USER='$API_ENVIRONMENT_USER'"
-          echo "API_ENVIRONMENT_USER_PASSWORD='$API_ENVIRONMENT_USER_PASSWORD'"
+          echo "SECRET_KEY=$SECRET_KEY"
+          echo "JWT_SECRET_KEY=$JWT_SECRET_KEY"
+          echo "API_ENVIRONMENT_USER=$API_ENVIRONMENT_USER"
+          echo "API_ENVIRONMENT_USER_PASSWORD=$API_ENVIRONMENT_USER_PASSWORD"
           echo ""
           echo "# Database Configuration"
-          echo "DATABASE_URL='$DATABASE_URL'"
+          echo "DATABASE_URL=$DATABASE_URL"
           echo ""
           echo "# Redis Configuration (uses stack Redis service)"
-          echo "REDIS_URL='redis://redis:6379/0'"
+          echo "REDIS_URL=redis://redis:6379/0"
           echo ""
           echo "# Rate Limiting"
-          echo "RATE_LIMITING_ENABLED='$RATE_LIMITING_ENABLED'"
-          echo "RATE_LIMIT_STORAGE_URI='redis://redis:6379/1'"
-          echo "DEFAULT_LIMITS='$RATE_LIMIT_DEFAULT_LIMITS'"
-          echo "API_LIMITS='$RATE_LIMIT_API_LIMITS'"
-          echo "AUTH_LIMITS='$RATE_LIMIT_AUTH_LIMITS'"
-          echo "PASSWORD_RESET_LIMITS='$RATE_LIMIT_PASSWORD_RESET_LIMITS'"
-          echo "USER_CREATION_LIMITS='$RATE_LIMIT_USER_CREATION_LIMITS'"
-          echo "EXECUTION_RUN_LIMITS='$RATE_LIMIT_EXECUTION_RUN_LIMITS'"
-          echo "TRUSTED_PROXY_COUNT='$RATE_LIMIT_TRUSTED_PROXY_COUNT'"
-          echo "INTERNAL_NETWORKS='$RATE_LIMIT_INTERNAL_NETWORKS'"
+          echo "RATE_LIMITING_ENABLED=$RATE_LIMITING_ENABLED"
+          echo "RATE_LIMIT_STORAGE_URI=redis://redis:6379/1"
+          echo "DEFAULT_LIMITS=$RATE_LIMIT_DEFAULT_LIMITS"
+          echo "API_LIMITS=$RATE_LIMIT_API_LIMITS"
+          echo "AUTH_LIMITS=$RATE_LIMIT_AUTH_LIMITS"
+          echo "PASSWORD_RESET_LIMITS=$RATE_LIMIT_PASSWORD_RESET_LIMITS"
+          echo "USER_CREATION_LIMITS=$RATE_LIMIT_USER_CREATION_LIMITS"
+          echo "EXECUTION_RUN_LIMITS=$RATE_LIMIT_EXECUTION_RUN_LIMITS"
+          echo "TRUSTED_PROXY_COUNT=$RATE_LIMIT_TRUSTED_PROXY_COUNT"
+          echo "INTERNAL_NETWORKS=$RATE_LIMIT_INTERNAL_NETWORKS"
           echo ""
           echo "# Google Earth Engine"
-          echo "EE_SERVICE_ACCOUNT_JSON='$EE_SERVICE_ACCOUNT_JSON'"
-          echo "GOOGLE_PROJECT_ID='$GOOGLE_PROJECT_ID'"
-          echo "GEE_ENDPOINT='$GEE_ENDPOINT'"
-          echo "GOOGLE_OAUTH_CLIENT_ID='$GOOGLE_OAUTH_CLIENT_ID'"
-          echo "GOOGLE_OAUTH_CLIENT_SECRET='$GOOGLE_OAUTH_CLIENT_SECRET'"
-          echo "GOOGLE_OAUTH_REDIRECT_URI='$GOOGLE_OAUTH_REDIRECT_URI'"
+          echo "EE_SERVICE_ACCOUNT_JSON=$EE_SERVICE_ACCOUNT_JSON"
+          echo "GOOGLE_PROJECT_ID=$GOOGLE_PROJECT_ID"
+          echo "GEE_ENDPOINT=$GEE_ENDPOINT"
+          echo "GOOGLE_OAUTH_CLIENT_ID=$GOOGLE_OAUTH_CLIENT_ID"
+          echo "GOOGLE_OAUTH_CLIENT_SECRET=$GOOGLE_OAUTH_CLIENT_SECRET"
+          echo "GOOGLE_OAUTH_REDIRECT_URI=$GOOGLE_OAUTH_REDIRECT_URI"
           echo ""
           echo "# Rollbar Error Tracking"
-          echo "ROLLBAR_SCRIPT_TOKEN='$ROLLBAR_SCRIPT_TOKEN'"
-          echo "ROLLBAR_SERVER_TOKEN='$ROLLBAR_SERVER_TOKEN'"
+          echo "ROLLBAR_SCRIPT_TOKEN=$ROLLBAR_SCRIPT_TOKEN"
+          echo "ROLLBAR_SERVER_TOKEN=$ROLLBAR_SERVER_TOKEN"
           echo ""
           echo "# API URLs"
-          echo "API_PUBLIC_URL='$API_PUBLIC_URL'"
-          echo "API_INTERNAL_URL='http://api:3000'"
+          echo "API_PUBLIC_URL=$API_PUBLIC_URL"
+          echo "API_INTERNAL_URL=http://api:3000"
           echo ""
           echo "# S3 Configuration (uses EC2 instance role for credentials)"
-          echo "SCRIPTS_S3_BUCKET='$SCRIPTS_S3_BUCKET'"
-          echo "SCRIPTS_S3_PREFIX='$SCRIPTS_S3_PREFIX'"
-          echo "PARAMS_S3_BUCKET='$PARAMS_S3_BUCKET'"
-          echo "PARAMS_S3_PREFIX='$PARAMS_S3_PREFIX'"
+          echo "SCRIPTS_S3_BUCKET=$SCRIPTS_S3_BUCKET"
+          echo "SCRIPTS_S3_PREFIX=$SCRIPTS_S3_PREFIX"
+          echo "PARAMS_S3_BUCKET=$PARAMS_S3_BUCKET"
+          echo "PARAMS_S3_PREFIX=$PARAMS_S3_PREFIX"
           echo ""
           echo "# Docker Configuration"
-          echo "REGISTRY_URL='$REGISTRY_URL'"
-          echo "DOCKER_SUBNET='$DOCKER_SUBNET'"
-          echo "EXECUTION_SUBNET='$EXECUTION_SUBNET'"
+          echo "REGISTRY_URL=$REGISTRY_URL"
+          echo "DOCKER_SUBNET=$DOCKER_SUBNET"
+          echo "EXECUTION_SUBNET=$EXECUTION_SUBNET"
           echo ""
           echo "# Email Configuration (SparkPost)"
-          echo "SPARKPOST_API_KEY='$SPARKPOST_API_KEY'"
+          echo "SPARKPOST_API_KEY=$SPARKPOST_API_KEY"
           echo ""
           echo "# CORS Configuration"
-          echo "CORS_ORIGINS='$CORS_ORIGINS'"
+          echo "CORS_ORIGINS=$CORS_ORIGINS"
           echo ""
           echo "# Staging Database Setup (for migrate service)"
           echo "# Production database URL for copying scripts/data to staging"
-          echo "PRODUCTION_DATABASE_URL='$PRODUCTION_DATABASE_URL'"
+          echo "PRODUCTION_DATABASE_URL=$PRODUCTION_DATABASE_URL"
           echo "# Test user credentials"
-          echo "TEST_SUPERADMIN_EMAIL='$TEST_SUPERADMIN_EMAIL'"
-          echo "TEST_SUPERADMIN_PASSWORD='$TEST_SUPERADMIN_PASSWORD'"
-          echo "TEST_ADMIN_EMAIL='$TEST_ADMIN_EMAIL'"
-          echo "TEST_ADMIN_PASSWORD='$TEST_ADMIN_PASSWORD'"
-          echo "TEST_USER_EMAIL='$TEST_USER_EMAIL'"
-          echo "TEST_USER_PASSWORD='$TEST_USER_PASSWORD'"
+          echo "TEST_SUPERADMIN_EMAIL=$TEST_SUPERADMIN_EMAIL"
+          echo "TEST_SUPERADMIN_PASSWORD=$TEST_SUPERADMIN_PASSWORD"
+          echo "TEST_ADMIN_EMAIL=$TEST_ADMIN_EMAIL"
+          echo "TEST_ADMIN_PASSWORD=$TEST_ADMIN_PASSWORD"
+          echo "TEST_USER_EMAIL=$TEST_USER_EMAIL"
+          echo "TEST_USER_PASSWORD=$TEST_USER_PASSWORD"
           echo ""
           echo "# Deployment info"
-          echo "GIT_REVISION='${{ github.sha }}'"
-          echo "GIT_BRANCH='${{ github.ref_name }}'"
-          echo "DEPLOYMENT_ENVIRONMENT='staging'"
+          echo "GIT_REVISION=${{ github.sha }}"
+          echo "GIT_BRANCH=${{ github.ref_name }}"
+          echo "DEPLOYMENT_ENVIRONMENT=staging"
         } > staging.env
         echo "✅ Created staging.env with $(wc -l < staging.env) lines"
 

scripts/codedeploy/after-install.sh

@@ -29,13 +29,11 @@ cd "$APP_DIR"
 # ============================================================================
 
 ENV_FILE=$(get_env_file "$ENVIRONMENT")
-if [ -f "$ENV_FILE" ]; then
-    log_info "Loading environment variables from $ENV_FILE"
-    set -a
-    source "$ENV_FILE"
-    set +a
-else
-    log_error "Environment file not found: $ENV_FILE"
+log_info "Loading environment variables from $ENV_FILE"
+# Use safe_source_env to handle special characters (# & etc) in values
+# This reads line-by-line instead of bash 'source' which interprets special chars
+if ! safe_source_env "$ENV_FILE"; then
+    log_error "Failed to load environment file: $ENV_FILE"
     exit 1
 fi
 

scripts/codedeploy/application-start.sh

@@ -36,19 +36,33 @@ log_info "Compose file: $COMPOSE_FILE"
 # ============================================================================
 
 ENV_FILE=$(get_env_file "$ENVIRONMENT")
-if [ -f "$ENV_FILE" ]; then
-    log_info "Loading environment variables from $ENV_FILE"
-    set -a
-    source "$ENV_FILE"
-    set +a
-else
-    log_error "Environment file not found: $ENV_FILE"
+log_info "Loading environment variables from $ENV_FILE"
+# Use safe_source_env to handle special characters (# & etc) in values
+# This reads line-by-line instead of bash 'source' which interprets special chars
+if ! safe_source_env "$ENV_FILE"; then
+    log_error "Failed to load environment file: $ENV_FILE"
     exit 1
 fi
 
 # Export Docker registry for compose
 export DOCKER_REGISTRY="$ECR_REGISTRY"
 
+# ============================================================================
+# Login to ECR (refresh credentials before stack deploy)
+# ============================================================================
+# ECR tokens expire after 12 hours. We need fresh credentials on the node
+# running docker stack deploy so --with-registry-auth can pass them to workers.
+
+if [ -n "$ECR_REGISTRY" ]; then
+    log_info "Refreshing ECR credentials before stack deploy..."
+    ecr_login "$ECR_REGISTRY" || {
+        log_error "Failed to refresh ECR credentials"
+        exit 1
+    }
+else
+    log_warning "ECR_REGISTRY not set, skipping ECR login"
+fi
+
 # ============================================================================
 # Verify Compose File
 # ============================================================================

scripts/codedeploy/common.sh

@@ -117,6 +117,48 @@ get_env_file() {
     fi
 }
 
+# Safely source an environment file without bash interpretation of special chars
+# This reads line-by-line and exports variables, handling # and & in values correctly
+# Docker env_file format: VAR=value (no quotes needed)
+# This function is necessary because 'source file.env' interprets special chars
+safe_source_env() {
+    local file="$1"
+    
+    if [ ! -f "$file" ]; then
+        log_error "Environment file not found: $file"
+        return 1
+    fi
+    
+    while IFS= read -r line || [[ -n "$line" ]]; do
+        # Skip empty lines and comments
+        [[ -z "$line" ]] && continue
+        [[ "$line" =~ ^[[:space:]]*# ]] && continue
+        
+        # Skip lines without =
+        [[ "$line" != *"="* ]] && continue
+        
+        # Extract key and value (split on first = only)
+        local key="${line%%=*}"
+        local value="${line#*=}"
+        
+        # Skip if key is empty
+        [[ -z "$key" ]] && continue
+        
+        # Strip surrounding quotes if present (for backwards compatibility)
+        # This handles both 'value' and "value" formats
+        if [[ "$value" =~ ^\'(.*)\'$ ]]; then
+            value="${BASH_REMATCH[1]}"
+        elif [[ "$value" =~ ^\"(.*)\"$ ]]; then
+            value="${BASH_REMATCH[1]}"
+        fi
+        
+        # Export the variable
+        export "$key=$value"
+    done < "$file"
+    
+    return 0
+}
+
 # Wait for a service to be healthy
 wait_for_service() {
     local service_url="$1"
@@ -217,4 +259,4 @@ check_swarm_leader_or_skip() {
 export -f log_info log_success log_warning log_error
 export -f detect_environment get_app_directory get_compose_file get_env_file
 export -f get_stack_name get_api_port wait_for_service get_aws_region ecr_login
-export -f is_swarm_leader check_swarm_leader_or_skip
+export -f is_swarm_leader check_swarm_leader_or_skip safe_source_env