@digitraffic/common 2022.10.25-1 → 2022.10.31-1

package/dist/aws/infra/stack/stack-checking-aspect.js

@@ -0,0 +1,174 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StackCheckingAspect = void 0;
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const aws_lambda_1 = require("aws-cdk-lib/aws-lambda");
+const aws_s3_1 = require("aws-cdk-lib/aws-s3");
+const stack_1 = require("./stack");
+const aws_apigateway_1 = require("aws-cdk-lib/aws-apigateway");
+const change_case_1 = require("change-case");
+const aws_sqs_1 = require("aws-cdk-lib/aws-sqs");
+const aws_logs_1 = require("aws-cdk-lib/aws-logs");
+const MAX_CONCURRENCY_LIMIT = 100;
+const NODE_RUNTIME = aws_lambda_1.Runtime.NODEJS_14_X.name;
+var ResourceType;
+(function (ResourceType) {
+    ResourceType["stackName"] = "STACK_NAME";
+    ResourceType["reservedConcurrentConcurrency"] = "RESERVED_CONCURRENT_CONCURRENCY";
+    ResourceType["functionTimeout"] = "FUNCTION_TIMEOUT";
+    ResourceType["functionMemorySize"] = "FUNCTION_MEMORY_SIZE";
+    ResourceType["functionRuntime"] = "FUNCTION_RUNTIME";
+    ResourceType["functionName"] = "FUNCTION_NAME";
+    ResourceType["tagSolution"] = "TAG_SOLUTION";
+    ResourceType["bucketPublicity"] = "BUCKET_PUBLICITY";
+    ResourceType["resourcePath"] = "RESOURCE_PATH";
+    ResourceType["queueEncryption"] = "QUEUE_ENCRYPTION";
+    ResourceType["logGroupRetention"] = "LOG_GROUP_RETENTION";
+})(ResourceType || (ResourceType = {}));
+class StackCheckingAspect {
+    constructor(stackShortName, whitelistedResources) {
+        this.stackShortName = stackShortName;
+        this.whitelistedResources = whitelistedResources;
+    }
+    static create(stack) {
+        return new StackCheckingAspect(stack.configuration.shortName, stack.configuration.whitelistedResources);
+    }
+    visit(node) {
+        //console.info("visiting class " + node.constructor.name);
+        this.checkStack(node);
+        this.checkFunction(node);
+        this.checkTags(node);
+        this.checkBucket(node);
+        this.checkResourceCasing(node);
+        this.checkQueueEncryption(node);
+        this.checkLogGroupRetention(node);
+    }
+    isWhitelisted(key) {
+        return this.whitelistedResources?.some((wl) => {
+            return key.matchAll(new RegExp(wl, "g"));
+        });
+    }
+    addAnnotation(node, key, message, isError = true) {
+        const resourceKey = `${node.node.path}/${key}`;
+        const isWhiteListed = this.isWhitelisted(resourceKey);
+        const annotationMessage = `${resourceKey}:${message}`;
+        // error && whitelisted -> warning
+        // warning && whitelisted -> nothing
+        if (isError && !isWhiteListed) {
+            aws_cdk_lib_1.Annotations.of(node).addError(annotationMessage);
+        }
+        else if ((!isError && !isWhiteListed) || (isError && isWhiteListed)) {
+            aws_cdk_lib_1.Annotations.of(node).addWarning(annotationMessage);
+        }
+    }
+    checkStack(node) {
+        if (node instanceof stack_1.DigitrafficStack) {
+            if ((node.stackName.includes("Test") ||
+                node.stackName.includes("Tst")) &&
+                node.configuration.production) {
+                this.addAnnotation(node, ResourceType.stackName, "Production is set for Test-stack");
+            }
+            if ((node.stackName.includes("Prod") ||
+                node.stackName.includes("Prd")) &&
+                !node.configuration.production) {
+                this.addAnnotation(node, ResourceType.stackName, "Production is not set for Production-stack");
+            }
+        }
+    }
+    checkFunction(node) {
+        if (node instanceof aws_lambda_1.CfnFunction) {
+            if (!node.reservedConcurrentExecutions) {
+                this.addAnnotation(node, ResourceType.reservedConcurrentConcurrency, "Function must have reservedConcurrentConcurrency");
+            }
+            else if (node.reservedConcurrentExecutions > MAX_CONCURRENCY_LIMIT) {
+                this.addAnnotation(node, ResourceType.reservedConcurrentConcurrency, "Function reservedConcurrentConcurrency too high!");
+            }
+            if (!node.timeout) {
+                this.addAnnotation(node, ResourceType.functionTimeout, "Function must have timeout");
+            }
+            if (!node.memorySize) {
+                this.addAnnotation(node, ResourceType.functionMemorySize, "Function must have memorySize");
+            }
+            if (node.runtime !== NODE_RUNTIME) {
+                this.addAnnotation(node, ResourceType.functionRuntime, `Function has wrong runtime ${node.runtime}!`);
+            }
+            if (this.stackShortName &&
+                node.functionName &&
+                !node.functionName.startsWith(this.stackShortName)) {
+                this.addAnnotation(node, ResourceType.functionName, `Function name does not begin with ${this.stackShortName}`);
+            }
+        }
+    }
+    checkTags(node) {
+        if (node instanceof aws_cdk_lib_1.Stack) {
+            if (!node.tags.tagValues()[stack_1.SOLUTION_KEY]) {
+                this.addAnnotation(node, ResourceType.tagSolution, "Solution tag is missing");
+            }
+        }
+    }
+    checkBucket(node) {
+        if (node instanceof aws_s3_1.CfnBucket) {
+            const c = node.publicAccessBlockConfiguration;
+            if (c) {
+                if (!c.blockPublicAcls ||
+                    !c.blockPublicPolicy ||
+                    !c.ignorePublicAcls ||
+                    !c.restrictPublicBuckets) {
+                    this.addAnnotation(node, ResourceType.bucketPublicity, "Check bucket publicity");
+                }
+            }
+        }
+    }
+    static isValidPath(path) {
+        // if path includes . or { check only the trailing part of path
+        if (path.includes(".")) {
+            return this.isValidPath(path.split(".")[0]);
+        }
+        if (path.includes("{")) {
+            return this.isValidPath(path.split("{")[0]);
+        }
+        return (0, change_case_1.paramCase)(path) === path;
+    }
+    static isValidQueryString(name) {
+        return (0, change_case_1.snakeCase)(name) === name;
+    }
+    checkResourceCasing(node) {
+        if (node instanceof aws_apigateway_1.CfnResource) {
+            if (!StackCheckingAspect.isValidPath(node.pathPart)) {
+                this.addAnnotation(node, ResourceType.resourcePath, "Path part should be in kebab-case");
+            }
+        }
+        else if (node instanceof aws_apigateway_1.CfnMethod) {
+            const integration = node.integration;
+            if (integration && integration.requestParameters) {
+                Object.keys(integration.requestParameters).forEach((key) => {
+                    const split = key.split(".");
+                    const type = split[2];
+                    const name = split[3];
+                    if (type === "querystring" &&
+                        !StackCheckingAspect.isValidQueryString(name)) {
+                        this.addAnnotation(node, name, "Querystring should be in snake_case");
+                    }
+                });
+            }
+        }
+    }
+    checkQueueEncryption(node) {
+        if (node instanceof aws_sqs_1.CfnQueue) {
+            if (!node.kmsMasterKeyId) {
+                this.addAnnotation(node, ResourceType.queueEncryption, "Queue must have encryption enabled");
+            }
+        }
+    }
+    checkLogGroupRetention(node) {
+        if (node instanceof aws_logs_1.LogRetention) {
+            const child = node.node.defaultChild;
+            const retention = child._cfnProperties.RetentionInDays;
+            if (!retention) {
+                this.addAnnotation(node, ResourceType.logGroupRetention, "Log group must define log group retention");
+            }
+        }
+    }
+}
+exports.StackCheckingAspect = StackCheckingAspect;
+//# sourceMappingURL=stack-checking-aspect.js.map

package/dist/aws/infra/stack/stack.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DigitrafficStack = exports.SSM_KEY_ALARM_TOPIC = exports.SSM_KEY_WARNING_TOPIC = exports.SOLUTION_KEY = void 0;
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const aws_ec2_1 = require("aws-cdk-lib/aws-ec2");
+const aws_sns_1 = require("aws-cdk-lib/aws-sns");
+const aws_ssm_1 = require("aws-cdk-lib/aws-ssm");
+const aws_secretsmanager_1 = require("aws-cdk-lib/aws-secretsmanager");
+const stack_checking_aspect_1 = require("./stack-checking-aspect");
+const SSM_ROOT = "/digitraffic";
+exports.SOLUTION_KEY = "Solution";
+const MONITORING_ROOT = "/monitoring";
+exports.SSM_KEY_WARNING_TOPIC = `${SSM_ROOT}${MONITORING_ROOT}/warning-topic`;
+exports.SSM_KEY_ALARM_TOPIC = `${SSM_ROOT}${MONITORING_ROOT}/alarm-topic`;
+class DigitrafficStack extends aws_cdk_lib_1.Stack {
+    constructor(scope, id, configuration) {
+        super(scope, id, configuration.stackProps);
+        this.configuration = configuration;
+        if (configuration.secretId) {
+            this.secret = aws_secretsmanager_1.Secret.fromSecretNameV2(this, "Secret", configuration.secretId);
+        }
+        // VPC reference construction requires vpcId and availability zones
+        // private subnets are used in Lambda configuration
+        if (configuration.vpcId) {
+            this.vpc = aws_ec2_1.Vpc.fromVpcAttributes(this, "vpc", {
+                vpcId: configuration.vpcId,
+                privateSubnetIds: configuration.privateSubnetIds,
+                availabilityZones: configuration.availabilityZones ?? [],
+            });
+        }
+        // security group that allows Lambda database access
+        if (configuration.lambdaDbSgId) {
+            this.lambdaDbSg = aws_ec2_1.SecurityGroup.fromSecurityGroupId(this, "LambdaDbSG", configuration.lambdaDbSgId);
+        }
+        this.alarmTopic = aws_sns_1.Topic.fromTopicArn(this, "AlarmTopic", aws_ssm_1.StringParameter.fromStringParameterName(this, "AlarmTopicParam", exports.SSM_KEY_ALARM_TOPIC).stringValue);
+        this.warningTopic = aws_sns_1.Topic.fromTopicArn(this, "WarningTopic", aws_ssm_1.StringParameter.fromStringParameterName(this, "WarningTopicParam", exports.SSM_KEY_WARNING_TOPIC).stringValue);
+        this.addAspects();
+    }
+    addAspects() {
+        aws_cdk_lib_1.Aspects.of(this).add(stack_checking_aspect_1.StackCheckingAspect.create(this));
+    }
+    createLambdaEnvironment() {
+        return this.createDefaultLambdaEnvironment(this.configuration.shortName);
+    }
+    createDefaultLambdaEnvironment(dbApplication) {
+        return this.configuration.secretId
+            ? {
+                SECRET_ID: this.configuration.secretId,
+                DB_APPLICATION: dbApplication,
+            }
+            : {
+                DB_APPLICATION: dbApplication,
+            };
+    }
+    getSecret() {
+        if (this.secret === undefined) {
+            throw new Error("Secret is undefined");
+        }
+        return this.secret;
+    }
+    grantSecret(...lambdas) {
+        const secret = this.getSecret();
+        lambdas.forEach((l) => secret.grantRead(l));
+    }
+}
+exports.DigitrafficStack = DigitrafficStack;
+//# sourceMappingURL=stack.js.map

package/dist/aws/infra/stack/subscription.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DigitrafficLogSubscriptions = exports.createSubscription = void 0;
+const aws_logs_1 = require("aws-cdk-lib/aws-logs");
+/**
+ * Creates a subscription filter that subscribes to a Lambda Log Group and delivers the logs to another destination.
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-subscriptionfilter.html
+ * @param lambda The Lambda function, needed to create a dependency
+ * @param lambdaName The Lambda name from which the Log Group name is derived
+ * @param logDestinationArn Destination for streamed logs
+ * @param stack CloudFormation stack
+ */
+function createSubscription(lambda, lambdaName, logDestinationArn, stack) {
+    if (logDestinationArn == undefined) {
+        return undefined;
+    }
+    const filter = new aws_logs_1.CfnSubscriptionFilter(stack, `${lambdaName}LogsSubscription`, {
+        logGroupName: `/aws/lambda/${lambdaName}`,
+        filterPattern: "",
+        destinationArn: logDestinationArn,
+    });
+    filter.node.addDependency(lambda);
+    return filter;
+}
+exports.createSubscription = createSubscription;
+class DigitrafficLogSubscriptions {
+    constructor(stack, ...lambdas) {
+        const destinationArn = stack.configuration.logsDestinationArn;
+        if (destinationArn !== undefined) {
+            lambdas.forEach((lambda) => {
+                const filter = new aws_logs_1.CfnSubscriptionFilter(stack, `${lambda.givenName}LogsSubscription`, {
+                    logGroupName: `/aws/lambda/${lambda.givenName}`,
+                    filterPattern: "",
+                    destinationArn,
+                });
+                filter.node.addDependency(lambda);
+            });
+        }
+    }
+}
+exports.DigitrafficLogSubscriptions = DigitrafficLogSubscriptions;
+//# sourceMappingURL=subscription.js.map

package/dist/aws/infra/usage-plans.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createDefaultUsagePlan = exports.createUsagePlan = void 0;
+/**
+ * Creates an usage plan for a REST API with a single API key
+ * @param api The REST API
+ * @param apiKeyId Id for the API key, this is a surrogate id for CDK, not displayed anywhere
+ * @param apiKeyName Name for the API key, this is displayed in the AWS Console
+ * @deprecated Creates randomized API key names, use createDefaultUsagePlan instead
+ */
+function createUsagePlan(api, apiKeyId, apiKeyName) {
+    const apiKey = api.addApiKey(apiKeyId);
+    const plan = api.addUsagePlan(apiKeyName, {
+        name: apiKeyName,
+    });
+    plan.addApiStage({
+        stage: api.deploymentStage,
+    });
+    plan.addApiKey(apiKey);
+    return apiKey;
+}
+exports.createUsagePlan = createUsagePlan;
+/**
+ * Creates a default usage plan for a REST API with a single API key
+ * @param api The REST API
+ * @param apiName Name of the api. Will generate key: apiName + ' API Key' and plan: apiName + ' API Usage Plan'
+ */
+function createDefaultUsagePlan(api, apiName) {
+    const apiKeyName = apiName + ' API Key';
+    const usagePlanName = apiName + ' API Usage Plan';
+    const apiKey = api.addApiKey(apiKeyName, { apiKeyName: apiKeyName });
+    const plan = api.addUsagePlan(usagePlanName, {
+        name: usagePlanName,
+    });
+    plan.addApiStage({
+        stage: api.deploymentStage,
+    });
+    plan.addApiKey(apiKey);
+    return apiKey;
+}
+exports.createDefaultUsagePlan = createDefaultUsagePlan;
+//# sourceMappingURL=usage-plans.js.map

package/dist/aws/runtime/apikey.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getApiKeyFromAPIGateway = void 0;
+const aws_sdk_1 = require("aws-sdk");
+function getApiKeyFromAPIGateway(keyId) {
+    const agw = new aws_sdk_1.APIGateway();
+    return agw.getApiKey({
+        apiKey: keyId,
+        includeValue: true,
+    }).promise();
+}
+exports.getApiKeyFromAPIGateway = getApiKeyFromAPIGateway;
+//# sourceMappingURL=apikey.js.map

package/dist/aws/runtime/digitraffic-integration-response.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DigitrafficIntegrationResponse = void 0;
+const mediatypes_1 = require("../types/mediatypes");
+const response_1 = require("../infra/api/response");
+class DigitrafficIntegrationResponse {
+    static ok(mediaType) {
+        return this.create("200", mediaType);
+    }
+    static badRequest(mediaType) {
+        return this.create("400", mediaType ?? mediatypes_1.MediaType.TEXT_PLAIN);
+    }
+    static notImplemented(mediaType) {
+        return this.create("501", mediaType ?? mediatypes_1.MediaType.TEXT_PLAIN);
+    }
+    static create(statusCode, mediaType) {
+        return {
+            statusCode,
+            responseTemplates: {
+                [mediaType]: response_1.RESPONSE_DEFAULT_LAMBDA,
+            },
+        };
+    }
+}
+exports.DigitrafficIntegrationResponse = DigitrafficIntegrationResponse;
+//# sourceMappingURL=digitraffic-integration-response.js.map

package/dist/aws/runtime/environment.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.envValue = void 0;
+function envValue(key) {
+    const value = process.env[key];
+    if (value == null) {
+        throw new Error(`Missing environment value ${key}`);
+    }
+    return value;
+}
+exports.envValue = envValue;
+//# sourceMappingURL=environment.js.map

package/dist/aws/runtime/messaging.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.snsPublish = void 0;
+/**
+ * Utility function for publishing SNS messages.
+ * Made because using *await* with AWS APIs doesn't require calling promise() but nothing works if it isn't called.
+ * Retries a single time in case of failure.
+ * @param message
+ * @param topicArn
+ * @param sns
+ */
+async function snsPublish(message, topicArn, sns) {
+    const publishParams = {
+        Message: message,
+        TopicArn: topicArn,
+    };
+    try {
+        await sns.publish(publishParams).promise();
+    }
+    catch (error) {
+        console.error('method=snsPublish error, retrying', error);
+        try {
+            await sns.publish(publishParams).promise();
+        }
+        catch (e2) {
+            console.error('method=snsPublish error after retry', e2);
+        }
+    }
+}
+exports.snsPublish = snsPublish;
+//# sourceMappingURL=messaging.js.map

package/dist/aws/runtime/s3.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.uploadToS3 = void 0;
+const aws_sdk_1 = require("aws-sdk");
+async function uploadToS3(bucketName, body, objectName, cannedAcl, contentType) {
+    const s3 = new aws_sdk_1.S3();
+    try {
+        await doUpload(s3, bucketName, body, objectName, cannedAcl, contentType);
+    }
+    catch (error) {
+        console.warn('method=uploadToS3 retrying upload to bucket %s', bucketName);
+        try {
+            await doUpload(s3, bucketName, body, objectName, cannedAcl, contentType);
+        }
+        catch (e2) {
+            console.error('method=uploadToS3 failed retrying upload to bucket %s', bucketName);
+        }
+    }
+}
+exports.uploadToS3 = uploadToS3;
+function doUpload(s3, bucketName, body, filename, cannedAcl, contentType) {
+    return s3.upload({
+        Bucket: bucketName,
+        Body: body,
+        Key: filename,
+        ACL: cannedAcl,
+        ContentType: contentType,
+    }).promise();
+}
+//# sourceMappingURL=s3.js.map

package/dist/aws/runtime/secrets/dbsecret.js

@@ -0,0 +1,96 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkExpectedSecretKeys = exports.withDbSecret = exports.DatabaseEnvironmentKeys = exports.RdsSecretKey = exports.RdsProxySecretKey = void 0;
+const secret_1 = require("./secret");
+var RdsProxySecretKey;
+(function (RdsProxySecretKey) {
+    RdsProxySecretKey["username"] = "username";
+    RdsProxySecretKey["password"] = "password";
+    RdsProxySecretKey["proxy_host"] = "proxy_host";
+    RdsProxySecretKey["proxy_ro_host"] = "proxy_ro_host";
+})(RdsProxySecretKey = exports.RdsProxySecretKey || (exports.RdsProxySecretKey = {}));
+var RdsSecretKey;
+(function (RdsSecretKey) {
+    RdsSecretKey["username"] = "username";
+    RdsSecretKey["password"] = "password";
+    RdsSecretKey["host"] = "host";
+    RdsSecretKey["ro_host"] = "ro_host";
+})(RdsSecretKey = exports.RdsSecretKey || (exports.RdsSecretKey = {}));
+var DatabaseEnvironmentKeys;
+(function (DatabaseEnvironmentKeys) {
+    DatabaseEnvironmentKeys["DB_USER"] = "DB_USER";
+    DatabaseEnvironmentKeys["DB_PASS"] = "DB_PASS";
+    DatabaseEnvironmentKeys["DB_URI"] = "DB_URI";
+    DatabaseEnvironmentKeys["DB_RO_URI"] = "DB_RO_URI";
+    DatabaseEnvironmentKeys["DB_APPLICATION"] = "DB_APPLICATION";
+})(DatabaseEnvironmentKeys = exports.DatabaseEnvironmentKeys || (exports.DatabaseEnvironmentKeys = {}));
+function setDbSecret(secret) {
+    process.env[DatabaseEnvironmentKeys.DB_USER] = secret.username;
+    process.env[DatabaseEnvironmentKeys.DB_PASS] = secret.password;
+    process.env[DatabaseEnvironmentKeys.DB_URI] = secret.host;
+    process.env[DatabaseEnvironmentKeys.DB_RO_URI] = secret.ro_host;
+}
+// cached at Lambda container level
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+let cachedSecret;
+const missingSecretErrorText = 'Missing or empty secretId';
+/**
+ * Run the given function with secret retrieved from Secrets Manager.  Also injects database-credentials into environment.
+ *
+ * @deprecated use SecretHolder & ProxyHolder
+ * @see SecretOptions
+ *
+ * @param {string} secretId
+ * @param {function} fn
+ * @param {SecretOptions} options
+ */
+async function withDbSecret(secretId, fn, options) {
+    if (!secretId) {
+        console.error(missingSecretErrorText);
+        return Promise.reject(missingSecretErrorText);
+    }
+    if (!cachedSecret) {
+        // if prefix is given, first set db values and then fetch secret
+        if (options?.prefix) {
+            // first set db values
+            await (0, secret_1.withSecret)(secretId, (fetchedSecret) => {
+                setDbSecret(fetchedSecret);
+            });
+            // then actual secret
+            await (0, secret_1.withSecretAndPrefix)(secretId, options.prefix, (fetchedSecret) => {
+                cachedSecret = fetchedSecret;
+            });
+        }
+        else {
+            await (0, secret_1.withSecret)(secretId, (fetchedSecret) => {
+                setDbSecret(fetchedSecret);
+                cachedSecret = fetchedSecret;
+            });
+        }
+    }
+    try {
+        if (options?.expectedKeys?.length) {
+            checkExpectedSecretKeys(options.expectedKeys, cachedSecret);
+        }
+        return fn(cachedSecret);
+    }
+    catch (error) {
+        console.error('method=withDbSecret Caught an error, refreshing secret', error);
+        // try to refetch secret in case it has changed
+        await (0, secret_1.withSecret)(secretId, (fetchedSecret) => {
+            setDbSecret(fetchedSecret);
+            cachedSecret = fetchedSecret;
+        });
+        return fn(cachedSecret);
+    }
+}
+exports.withDbSecret = withDbSecret;
+function checkExpectedSecretKeys(keys, secret) {
+    const missingKeys = keys.filter(key => !(key in secret));
+    if (missingKeys.length) {
+        console.error(`method=checkExpectedSecretKeys secret didn't contain the key(s) ${missingKeys}`);
+        throw new Error('Expected keys were not found');
+    }
+}
+exports.checkExpectedSecretKeys = checkExpectedSecretKeys;
+//# sourceMappingURL=dbsecret.js.map

package/dist/aws/runtime/secrets/proxy-holder.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProxyHolder = void 0;
+const secret_holder_1 = require("./secret-holder");
+const dbsecret_1 = require("./dbsecret");
+const utils_1 = require("../../../utils/utils");
+const RDS_PROXY_SECRET_KEYS = Object.values(dbsecret_1.RdsProxySecretKey);
+/**
+ * Holds credentials for RDS Proxy access.
+ */
+class ProxyHolder {
+    constructor(secretId) {
+        this.secretHolder = new secret_holder_1.SecretHolder(secretId, "", RDS_PROXY_SECRET_KEYS);
+    }
+    static create() {
+        return new ProxyHolder((0, utils_1.getEnvVariable)("SECRET_ID"));
+    }
+    async setCredentials() {
+        const secret = await this.secretHolder.get();
+        process.env[dbsecret_1.DatabaseEnvironmentKeys.DB_USER] = secret.username;
+        process.env[dbsecret_1.DatabaseEnvironmentKeys.DB_PASS] = secret.password;
+        process.env[dbsecret_1.DatabaseEnvironmentKeys.DB_URI] = secret.proxy_host;
+        process.env[dbsecret_1.DatabaseEnvironmentKeys.DB_RO_URI] = secret.proxy_ro_host;
+    }
+}
+exports.ProxyHolder = ProxyHolder;
+//# sourceMappingURL=proxy-holder.js.map

package/dist/aws/runtime/secrets/rds-holder.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RdsHolder = void 0;
+const secret_holder_1 = require("./secret-holder");
+const dbsecret_1 = require("./dbsecret");
+const utils_1 = require("../../../utils/utils");
+const RDS_SECRET_KEYS = Object.values(dbsecret_1.RdsSecretKey);
+/**
+ * Holds credentials for RDS access.
+ */
+class RdsHolder {
+    constructor(secretId) {
+        this.secretHolder = new secret_holder_1.SecretHolder(secretId, "", RDS_SECRET_KEYS);
+    }
+    static create() {
+        return new RdsHolder((0, utils_1.getEnvVariable)("SECRET_ID"));
+    }
+    async setCredentials() {
+        const secret = await this.secretHolder.get();
+        process.env[dbsecret_1.DatabaseEnvironmentKeys.DB_USER] = secret.username;
+        process.env[dbsecret_1.DatabaseEnvironmentKeys.DB_PASS] = secret.password;
+        process.env[dbsecret_1.DatabaseEnvironmentKeys.DB_URI] = secret.host;
+        process.env[dbsecret_1.DatabaseEnvironmentKeys.DB_RO_URI] = secret.ro_host;
+    }
+}
+exports.RdsHolder = RdsHolder;
+//# sourceMappingURL=rds-holder.js.map

package/dist/aws/runtime/secrets/secret-holder.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecretHolder = void 0;
+const secret_1 = require("./secret");
+const dbsecret_1 = require("./dbsecret");
+const utils_1 = require("../../../utils/utils");
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const NodeTtl = require("node-ttl");
+const DEFAULT_PREFIX = "";
+const DEFAULT_SECRET_KEY = "SECRET";
+const DEFAULT_CONFIGURATION = {
+    ttl: 5 * 60, // timeout secrets in 5 minutes
+};
+/**
+ * Utility class for getting secrets from Secret Manager.
+ * Supports prefix for secrets, checking of expected keys and ttl-configuration.
+ *
+ * By default, secrets are cached for 5 minutes and then reread from the Secrets Manager(This can be overridden with configuration).
+ *
+ * Supports setting the database environment paramaters from the secret too.
+ */
+class SecretHolder {
+    constructor(secretId, prefix = "", expectedKeys = [], configuration = DEFAULT_CONFIGURATION) {
+        this.secretId = secretId;
+        this.prefix = prefix;
+        this.expectedKeys = expectedKeys;
+        this.secretCache = new NodeTtl(configuration);
+    }
+    async initSecret() {
+        const secretValue = await (0, secret_1.getSecret)(this.secretId);
+        console.info("refreshing secret " + this.secretId);
+        this.secretCache.push(DEFAULT_SECRET_KEY, secretValue);
+    }
+    static create(prefix = DEFAULT_PREFIX, expectedKeys = []) {
+        return new SecretHolder((0, utils_1.getEnvVariable)("SECRET_ID"), prefix, expectedKeys);
+    }
+    async get() {
+        const secret = await this.getSecret();
+        const parsedSecret = this.prefix === DEFAULT_PREFIX
+            ? secret
+            : this.parseSecret(secret, `${this.prefix}.`);
+        if (this.expectedKeys.length > 0) {
+            (0, dbsecret_1.checkExpectedSecretKeys)(this.expectedKeys, parsedSecret);
+        }
+        return parsedSecret;
+    }
+    parseSecret(secret, prefix) {
+        const parsed = {};
+        const skip = prefix.length;
+        for (const key in secret) {
+            if (key.startsWith(prefix)) {
+                parsed[key.substring(skip)] = secret[key];
+            }
+        }
+        return parsed;
+    }
+    async getSecret() {
+        const secret = this.secretCache.get(DEFAULT_SECRET_KEY);
+        if (!secret) {
+            await this.initSecret();
+        }
+        return secret || this.secretCache.get(DEFAULT_SECRET_KEY);
+    }
+    /**
+     * @deprecated Use ProxyHolder
+     */
+    async setDatabaseCredentials() {
+        const secret = await this.getSecret();
+        process.env[dbsecret_1.DatabaseEnvironmentKeys.DB_USER] = secret.username;
+        process.env[dbsecret_1.DatabaseEnvironmentKeys.DB_PASS] = secret.password;
+        process.env[dbsecret_1.DatabaseEnvironmentKeys.DB_URI] = secret.host;
+        process.env[dbsecret_1.DatabaseEnvironmentKeys.DB_RO_URI] = secret.ro_host;
+    }
+}
+exports.SecretHolder = SecretHolder;
+//# sourceMappingURL=secret-holder.js.map