envilder
Version:
A CLI and GitHub Action that securely centralizes your environment variables from AWS SSM or Azure Key Vault as a single source of truth
166 lines • 7.04 kB
JavaScript
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
return c > 3 && r && Object.defineProperty(target, key, r), r;
};
var __metadata = (this && this.__metadata) || function (k, v) {
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
import { GetParameterCommand, PutParameterCommand, } from '@aws-sdk/client-ssm';
import { GetCallerIdentityCommand } from '@aws-sdk/client-sts';
import { injectable } from 'inversify';
import pc from 'picocolors';
import { EnvironmentVariable } from '../../domain/EnvironmentVariable.js';
import { ExpiredCredentialsError, SecretOperationError, SsoSessionExpiredError, } from '../../domain/errors/DomainErrors.js';
import { describeError } from '../describeError.js';
import { isExpiredCredentialsError } from './isExpiredCredentialsError.js';
import { isSsoSessionExpiredError } from './isSsoSessionExpiredError.js';
let AwsSsmSecretProvider = class AwsSsmSecretProvider {
constructor(ssm, logger, sts, profile) {
this.identityLogged = false;
this.ssm = ssm;
this.logger = logger;
this.sts = sts;
this.profile = profile;
}
getSecret(name) {
return __awaiter(this, void 0, void 0, function* () {
yield this.logIdentity();
try {
const command = new GetParameterCommand({
Name: name,
WithDecryption: true,
});
const { Parameter } = yield this.ssm.send(command);
return Parameter === null || Parameter === void 0 ? void 0 : Parameter.Value;
}
catch (error) {
if (typeof error === 'object' &&
error !== null &&
'name' in error &&
error.name === 'ParameterNotFound') {
return undefined;
}
if (isSsoSessionExpiredError(error)) {
throw new SsoSessionExpiredError(this.profile, error);
}
if (isExpiredCredentialsError(error)) {
throw new ExpiredCredentialsError(error);
}
throw new SecretOperationError(`${EnvironmentVariable.maskSecretPath(name)}: ${describeError(error)}`);
}
});
}
setSecret(name, value) {
return __awaiter(this, void 0, void 0, function* () {
yield this.logIdentity();
const command = new PutParameterCommand({
Name: name,
Value: value,
Type: 'SecureString',
Overwrite: true,
});
try {
yield this.ssm.send(command);
}
catch (error) {
if (isSsoSessionExpiredError(error)) {
throw new SsoSessionExpiredError(this.profile, error);
}
if (isExpiredCredentialsError(error)) {
throw new ExpiredCredentialsError(error);
}
throw new SecretOperationError(`${EnvironmentVariable.maskSecretPath(name)}: ${describeError(error)}`);
}
});
}
logIdentity() {
return __awaiter(this, void 0, void 0, function* () {
var _a;
if (this.identityLogged) {
return;
}
this.identityLogged = true;
const [region, account] = yield Promise.all([
this.resolveRegion(),
this.resolveAccount(),
]);
const profile = (_a = this.profile) !== null && _a !== void 0 ? _a : 'default';
this.logger.info(this.formatIdentityBanner(account, region, profile));
});
}
formatIdentityBanner(account, region, profile) {
const sep = pc.dim(' · ');
const accountValue = account === 'unknown' ? pc.red(account) : pc.green(account);
const regionValue = region === 'unknown' ? pc.red(region) : pc.yellow(region);
return ('\n' +
pc.bold(pc.cyan('☁ AWS identity')) +
sep +
pc.dim('account=') +
accountValue +
sep +
pc.dim('region=') +
regionValue +
sep +
pc.dim('profile=') +
pc.magenta(profile));
}
resolveRegion() {
return __awaiter(this, void 0, void 0, function* () {
try {
return yield this.ssm.config.region();
}
catch (_a) {
return 'unknown';
}
});
}
resolveAccount() {
return __awaiter(this, void 0, void 0, function* () {
const fromCredentials = yield this.tryCredentialsAccount();
if (fromCredentials) {
return fromCredentials;
}
return this.tryStsAccount();
});
}
tryCredentialsAccount() {
return __awaiter(this, void 0, void 0, function* () {
try {
const credentials = yield this.ssm.config.credentials();
return credentials.accountId;
}
catch (_a) {
return undefined;
}
});
}
tryStsAccount() {
return __awaiter(this, void 0, void 0, function* () {
var _a;
try {
const identity = yield this.sts.send(new GetCallerIdentityCommand({}));
return (_a = identity.Account) !== null && _a !== void 0 ? _a : 'unknown';
}
catch (_b) {
return 'unknown';
}
});
}
};
AwsSsmSecretProvider = __decorate([
injectable(),
__metadata("design:paramtypes", [Function, Object, Function, String])
], AwsSsmSecretProvider);
export { AwsSsmSecretProvider };
//# sourceMappingURL=AwsSsmSecretProvider.js.map