UNPKG

envilder

Version:

A CLI and GitHub Action that securely centralizes your environment variables from AWS SSM or Azure Key Vault as a single source of truth

166 lines 7.04 kB
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) { var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d; if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc); else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r; return c > 3 && r && Object.defineProperty(target, key, r), r; }; var __metadata = (this && this.__metadata) || function (k, v) { if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v); }; var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } return new (P || (P = Promise))(function (resolve, reject) { function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; import { GetParameterCommand, PutParameterCommand, } from '@aws-sdk/client-ssm'; import { GetCallerIdentityCommand } from '@aws-sdk/client-sts'; import { injectable } from 'inversify'; import pc from 'picocolors'; import { EnvironmentVariable } from '../../domain/EnvironmentVariable.js'; import { ExpiredCredentialsError, SecretOperationError, SsoSessionExpiredError, } from '../../domain/errors/DomainErrors.js'; import { describeError } from '../describeError.js'; import { isExpiredCredentialsError } from './isExpiredCredentialsError.js'; import { isSsoSessionExpiredError } from './isSsoSessionExpiredError.js'; let AwsSsmSecretProvider = class AwsSsmSecretProvider { constructor(ssm, logger, sts, profile) { this.identityLogged = false; this.ssm = ssm; this.logger = logger; this.sts = sts; this.profile = profile; } getSecret(name) { return __awaiter(this, void 0, void 0, function* () { yield this.logIdentity(); try { const command = new GetParameterCommand({ Name: name, WithDecryption: true, }); const { Parameter } = yield this.ssm.send(command); return Parameter === null || Parameter === void 0 ? void 0 : Parameter.Value; } catch (error) { if (typeof error === 'object' && error !== null && 'name' in error && error.name === 'ParameterNotFound') { return undefined; } if (isSsoSessionExpiredError(error)) { throw new SsoSessionExpiredError(this.profile, error); } if (isExpiredCredentialsError(error)) { throw new ExpiredCredentialsError(error); } throw new SecretOperationError(`${EnvironmentVariable.maskSecretPath(name)}: ${describeError(error)}`); } }); } setSecret(name, value) { return __awaiter(this, void 0, void 0, function* () { yield this.logIdentity(); const command = new PutParameterCommand({ Name: name, Value: value, Type: 'SecureString', Overwrite: true, }); try { yield this.ssm.send(command); } catch (error) { if (isSsoSessionExpiredError(error)) { throw new SsoSessionExpiredError(this.profile, error); } if (isExpiredCredentialsError(error)) { throw new ExpiredCredentialsError(error); } throw new SecretOperationError(`${EnvironmentVariable.maskSecretPath(name)}: ${describeError(error)}`); } }); } logIdentity() { return __awaiter(this, void 0, void 0, function* () { var _a; if (this.identityLogged) { return; } this.identityLogged = true; const [region, account] = yield Promise.all([ this.resolveRegion(), this.resolveAccount(), ]); const profile = (_a = this.profile) !== null && _a !== void 0 ? _a : 'default'; this.logger.info(this.formatIdentityBanner(account, region, profile)); }); } formatIdentityBanner(account, region, profile) { const sep = pc.dim(' · '); const accountValue = account === 'unknown' ? pc.red(account) : pc.green(account); const regionValue = region === 'unknown' ? pc.red(region) : pc.yellow(region); return ('\n' + pc.bold(pc.cyan('☁ AWS identity')) + sep + pc.dim('account=') + accountValue + sep + pc.dim('region=') + regionValue + sep + pc.dim('profile=') + pc.magenta(profile)); } resolveRegion() { return __awaiter(this, void 0, void 0, function* () { try { return yield this.ssm.config.region(); } catch (_a) { return 'unknown'; } }); } resolveAccount() { return __awaiter(this, void 0, void 0, function* () { const fromCredentials = yield this.tryCredentialsAccount(); if (fromCredentials) { return fromCredentials; } return this.tryStsAccount(); }); } tryCredentialsAccount() { return __awaiter(this, void 0, void 0, function* () { try { const credentials = yield this.ssm.config.credentials(); return credentials.accountId; } catch (_a) { return undefined; } }); } tryStsAccount() { return __awaiter(this, void 0, void 0, function* () { var _a; try { const identity = yield this.sts.send(new GetCallerIdentityCommand({})); return (_a = identity.Account) !== null && _a !== void 0 ? _a : 'unknown'; } catch (_b) { return 'unknown'; } }); } }; AwsSsmSecretProvider = __decorate([ injectable(), __metadata("design:paramtypes", [Function, Object, Function, String]) ], AwsSsmSecretProvider); export { AwsSsmSecretProvider }; //# sourceMappingURL=AwsSsmSecretProvider.js.map