dotenv-secretsmanager 0.1.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +37 -0
- data/lib/dotenv/secretsmanager/configuration.rb +3 -0
- data/lib/dotenv/secretsmanager/version.rb +1 -1
- data/lib/dotenv/secretsmanager.rb +26 -0
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1179b709da58d9aaf2a856a5a1231036f53151846e30a7767cb04944d1ecbbc4
|
|
4
|
+
data.tar.gz: 439b0ebd08d2a4056ff1cb7d4fdb017fb92f0a9b82f30ae0315452e6b4e52bef
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8e45f5ef7022f70044e3608839c9a518b6269f530206f9e8d2e13f6d7f0a4adf579448733c7bee5120250019fd869aa08ab9a133c7bed24652fb5dd89fb48ddc
|
|
7
|
+
data.tar.gz: 15f96a1c520ccc704909758ef8c38845000d33b17f246d0f9bb840cd33dc1b2b819bc564bcd436f290ceba18e72914b7bc54c07b8c315066591d16ba6c3d09b3
|
data/README.md
CHANGED
|
@@ -61,6 +61,43 @@ end
|
|
|
61
61
|
Credentials and region come from the standard AWS SDK credential chain. The gem
|
|
62
62
|
makes zero AWS calls and builds no client when no references are present.
|
|
63
63
|
|
|
64
|
+
## Skipping resolution
|
|
65
|
+
|
|
66
|
+
Set the `DOTENV_SECRETSMANAGER_SKIP` env var (or `configuration.skip`) to skip
|
|
67
|
+
resolution: no AWS calls and no client constructed. Instead of resolving them,
|
|
68
|
+
`resolve!` **removes** every `ENV` key whose value is an `aws-sm:` reference, so
|
|
69
|
+
the net effect is as if those references were never in `ENV`.
|
|
70
|
+
|
|
71
|
+
This deletion is deliberate: a raw `aws-sm:` value is never valid for any
|
|
72
|
+
consumer, and a *present-but-invalid* secret breaks boot. For example, leaving
|
|
73
|
+
`RAILS_MASTER_KEY="aws-sm:..."` in `ENV` makes Rails credentials decryption fail
|
|
74
|
+
with `ArgumentError: key must be 16 bytes`, whereas an *absent* `RAILS_MASTER_KEY`
|
|
75
|
+
is tolerated. Non-reference inline config (e.g. `DEFAULT_URL_HOST`) is left
|
|
76
|
+
intact — the build still wants those values.
|
|
77
|
+
|
|
78
|
+
```sh
|
|
79
|
+
DOTENV_SECRETSMANAGER_SKIP=true
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
```ruby
|
|
83
|
+
Dotenv::SecretsManager.configure { |c| c.skip = true }
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
- The env var is truthy when it is `1`, `true`, `yes`, or `on`
|
|
87
|
+
(case-insensitive; surrounding whitespace is ignored). Anything else —
|
|
88
|
+
`""`, `0`, `false`, `no`, or unset — does not by itself skip.
|
|
89
|
+
- Either source skips: a truthy env var **or** `configuration.skip == true`.
|
|
90
|
+
The config flag skips regardless of the env var.
|
|
91
|
+
- The env var is read at call time (when the railtie fires), so it is the right
|
|
92
|
+
knob for build-time use.
|
|
93
|
+
|
|
94
|
+
The primary use case is an image build that boots the app — for example a Rails
|
|
95
|
+
`assets:precompile` step in a Docker build — where there is no AWS region or
|
|
96
|
+
credentials and no secrets are needed. Without skipping, constructing the AWS
|
|
97
|
+
client raises (e.g. `Aws::Errors::MissingRegionError`) and fails the build. Set
|
|
98
|
+
`DOTENV_SECRETSMANAGER_SKIP=true` on that step only. Non-secret `.env`
|
|
99
|
+
config still loads normally; only secrets resolution is skipped.
|
|
100
|
+
|
|
64
101
|
## Deployment (AWS Lightsail Container Service)
|
|
65
102
|
|
|
66
103
|
Set only `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION` as
|
|
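Review bot: the README bullet says the config flag skips when `configuration.skip == true`, but `skip?` in secretsmanager.rb is written as `truthy?(ENV[SKIP_ENV_VAR]) || configuration.skip`, so any truthy object assigned to `configuration.skip` (a non-empty string such as `"false"`, for instance) also skips. Either document that any truthy value skips, or make the check strict to match the text: `truthy?(ENV[SKIP_ENV_VAR]) || configuration.skip == true`. The rest of the section reads well, and spelling out that an absent `RAILS_MASTER_KEY` is tolerated while a raw `aws-sm:` literal breaks boot is the right justification to keep next to the deletion behaviour.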
@@ -9,11 +9,14 @@ module Dotenv
|
|
|
9
9
|
attr_accessor :logger
|
|
10
10
|
# nil => a default Aws::SecretsManager::Client (built lazily, only if needed)
|
|
11
11
|
attr_accessor :client
|
|
12
|
+
# true => skip resolution entirely (no AWS calls, no client, ENV untouched)
|
|
13
|
+
attr_accessor :skip
|
|
12
14
|
|
|
13
15
|
def initialize
|
|
14
16
|
@on_error = :raise
|
|
15
17
|
@logger = nil
|
|
16
18
|
@client = nil
|
|
19
|
+
@skip = false
|
|
17
20
|
end
|
|
18
21
|
end
|
|
19
22
|
end
|
|
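Review bot: the new comment on `attr_accessor :skip` says `ENV untouched`, but the skip branch added to `resolve!` in secretsmanager.rb deletes every key whose value is an `aws-sm:` reference, and the README documents that deletion as deliberate. Update the comment so the three places agree, e.g. `# true => skip resolution (no AWS calls, no client; aws-sm: reference keys are removed from ENV)`.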
@@ -9,6 +9,8 @@ require "dotenv/secretsmanager/resolver"
|
|
|
9
9
|
|
|
10
10
|
module Dotenv
|
|
11
11
|
module SecretsManager
|
|
12
|
+
SKIP_ENV_VAR = "DOTENV_SECRETSMANAGER_SKIP"
|
|
13
|
+
|
|
12
14
|
class << self
|
|
13
15
|
def configuration
|
|
14
16
|
@configuration ||= Configuration.new
|
|
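Review bot: `SKIP_ENV_VAR` lands without a comment; a one-liner beside the constant listing the accepted truthy values (`1`, `true`, `yes`, `on`, case-insensitive, whitespace trimmed) would keep the README bullet and the `truthy?` implementation tied to a single definition.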
@@ -24,8 +26,32 @@ module Dotenv
|
|
|
24
26
|
end
|
|
25
27
|
|
|
26
28
|
def resolve!(env = ENV)
|
|
29
|
+
if skip?
|
|
30
|
+
# Delete reference-holding keys rather than leaving them: a raw
|
|
31
|
+
# aws-sm: literal is never a valid value for any consumer, and a
|
|
32
|
+
# present-but-invalid secret (e.g. RAILS_MASTER_KEY) breaks boot.
|
|
33
|
+
# Non-reference inline config is left intact for the build.
|
|
34
|
+
env.keys.each { |key| env.delete(key) if Reference.reference?(env[key]) }
|
|
35
|
+
return env
|
|
36
|
+
end
|
|
37
|
+
|
|
27
38
|
Resolver.new(env: env, config: configuration).resolve!
|
|
28
39
|
end
|
|
40
|
+
|
|
41
|
+
# Skip resolution entirely. Either the env var or the config flag can
|
|
42
|
+
# request it; resolution happens only when neither does. Read at call
|
|
43
|
+
# time so a railtie firing during an image build honors the env var.
|
|
44
|
+
def skip?
|
|
45
|
+
truthy?(ENV[SKIP_ENV_VAR]) || configuration.skip
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
private
|
|
49
|
+
|
|
50
|
+
def truthy?(value)
|
|
51
|
+
return false if value.nil?
|
|
52
|
+
|
|
53
|
+
%w[1 true yes on].include?(value.strip.downcase)
|
|
54
|
+
end
|
|
29
55
|
end
|
|
30
56
|
end
|
|
31
57
|
end
|
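Review bot: `resolve!(env = ENV)` takes an `env` argument, but `skip?` reads `ENV[SKIP_ENV_VAR]` from the process environment, so a caller passing its own hash cannot control skipping and tests have to mutate the real `ENV`. Consider threading it through, e.g. `def skip?(env = ENV)` with `truthy?(env[SKIP_ENV_VAR]) || configuration.skip`, and calling `skip?(env)` from `resolve!`. Second, the skip branch deletes keys silently; since `configuration.logger` already exists, a `configuration.logger&.info("dotenv-secretsmanager: skipping resolution, removing #{key}")` inside the `env.delete(key)` branch would make an unexpectedly absent secret diagnosable at boot instead of surfacing only as a downstream failure. Iterating over `env.keys` while deleting is fine, as `keys` returns a separate array.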