UNPKG

@middy/secrets-manager

Version:

Secrets Manager middleware for the middy framework

middy.js.org

middyjs/middy

138 lines (123 loc) 3.49 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
// Copyright 2017 - 2026 will Farrell, Luciano Mammino, and Middy contributors. // SPDX-License-Identifier: MIT import { DescribeSecretCommand, GetSecretValueCommand, SecretsManagerClient, } from "@aws-sdk/client-secrets-manager"; import { canPrefetch, catchInvalidSignatureException, createClient, createPrefetchClient, getCache, getInternal, jsonSafeParse, modifyCache, processCache, } from "@middy/util"; const defaults = { AwsClient: SecretsManagerClient, awsClientOptions: {}, awsClientAssumeRole: undefined, awsClientCapture: undefined, fetchData: {}, fetchRotationDate: false, // true: apply to all or {key: true} for individual disablePrefetch: false, cacheKey: "secrets-manager", cacheKeyExpiry: {}, cacheExpiry: -1, // ignored when fetchRotationRules is true/object setToContext: false, }; const secretsManagerMiddleware = (opts = {}) => { const options = { ...defaults, ...opts, cacheKeyExpiry: { ...defaults.cacheKeyExpiry, ...opts.cacheKeyExpiry }, }; const fetchDataKeys = Object.keys(options.fetchData); const fetchRequest = (request, cachedValues = {}) => { const values = {}; for (const internalKey of fetchDataKeys) { if (cachedValues[internalKey]) continue; const fetchRotation = options.fetchRotationDate === true || options.fetchRotationDate?.[internalKey]; const rotationPromise = fetchRotation ? client .send( new DescribeSecretCommand({ SecretId: options.fetchData[internalKey], }), ) .catch((e) => catchInvalidSignatureException( e, client, new DescribeSecretCommand({ SecretId: options.fetchData[internalKey], }), ), ) .then((resp) => { if (options.cacheExpiry < 0) { options.cacheKeyExpiry[internalKey] = resp.NextRotationDate * 1000; } else { options.cacheKeyExpiry[internalKey] = Math.min( Math.max( resp.LastRotationDate ?? 0, resp.LastChangedDate ?? 0, ) * 1000 + options.cacheExpiry, resp.NextRotationDate * 1000, ); } }) : undefined; const fetchSecret = () => { const command = new GetSecretValueCommand({ SecretId: options.fetchData[internalKey], }); return client .send(command) .catch((e) => catchInvalidSignatureException(e, client, command)) .then((resp) => jsonSafeParse(resp.SecretString)); }; values[internalKey] = ( rotationPromise ? rotationPromise.then(fetchSecret) : fetchSecret() ).catch((e) => { const value = getCache(options.cacheKey).value ?? {}; value[internalKey] = undefined; modifyCache(options.cacheKey, value); throw e; }); } return values; }; let client; if (canPrefetch(options)) { client = createPrefetchClient(options); processCache(options, fetchRequest); } const secretsManagerMiddlewareBefore = async (request) => { if (!client) { client = await createClient(options, request); } const { value } = processCache(options, fetchRequest, request); Object.assign(request.internal, value); if (options.setToContext) { const data = await getInternal(fetchDataKeys, request); Object.assign(request.context, data); } }; return { before: secretsManagerMiddlewareBefore, }; }; export default secretsManagerMiddleware; // used for TS type inference (see index.d.ts) export function secretsManagerParam(name) { return name; }