UNPKG

@middy/secrets-manager

Version:

Secrets Manager middleware for the middy framework

middy.js.org

middyjs/middy

118 lines (105 loc) 3.04 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
import { DescribeSecretCommand, GetSecretValueCommand, SecretsManagerClient, } from "@aws-sdk/client-secrets-manager"; import { canPrefetch, catchInvalidSignatureException, createClient, createPrefetchClient, getCache, getInternal, jsonSafeParse, modifyCache, processCache, } from "@middy/util"; const defaults = { AwsClient: SecretsManagerClient, awsClientOptions: {}, awsClientAssumeRole: undefined, awsClientCapture: undefined, fetchData: {}, fetchRotationDate: false, // true: apply to all or {key: true} for individual disablePrefetch: false, cacheKey: "secrets-manager", cacheKeyExpiry: {}, cacheExpiry: -1, // ignored when fetchRotationRules is true/object setToContext: false, }; const secretsManagerMiddleware = (opts = {}) => { const options = { ...defaults, ...opts }; const fetchRequest = (request, cachedValues = {}) => { const values = {}; for (const internalKey of Object.keys(options.fetchData)) { if (cachedValues[internalKey]) continue; values[internalKey] = Promise.resolve() .then(() => { if ( options.fetchRotationDate === true || options.fetchRotationDate?.[internalKey] ) { const command = new DescribeSecretCommand({ SecretId: options.fetchData[internalKey], }); return client .send(command) .catch((e) => catchInvalidSignatureException(e, client, command)) .then((resp) => { if (options.cacheExpiry < 0) { options.cacheKeyExpiry[internalKey] = resp.NextRotationDate * 1000; } else { options.cacheKeyExpiry[internalKey] = Math.min( Math.max(resp.LastRotationDate, resp.LastChangedDate) * 1000 + options.cacheExpiry, resp.NextRotationDate * 1000, ); } }); } }) .then(() => { const command = new GetSecretValueCommand({ SecretId: options.fetchData[internalKey], }); return client .send(command) .catch((e) => catchInvalidSignatureException(e, client, command)); }) .then((resp) => jsonSafeParse(resp.SecretString)) .catch((e) => { const value = getCache(options.cacheKey).value ?? {}; value[internalKey] = undefined; modifyCache(options.cacheKey, value); throw e; }); } return values; }; let client; if (canPrefetch(options)) { client = createPrefetchClient(options); processCache(options, fetchRequest); } const secretsManagerMiddlewareBefore = async (request) => { if (!client) { client = await createClient(options, request); } const { value } = processCache(options, fetchRequest, request); Object.assign(request.internal, value); if (options.setToContext) { const data = await getInternal(Object.keys(options.fetchData), request); Object.assign(request.context, data); } }; return { before: secretsManagerMiddlewareBefore, }; }; export default secretsManagerMiddleware; // used for TS type inference (see index.d.ts) export function secret(name) { return name; }