@kirschbaum-development/sst-laravel 0.1.5 → 0.2.7

package/dist/bin/utils/sst-config.d.ts

@@ -12,3 +12,10 @@ export declare function extractSstProjectName(configPath: string): string | null
 export declare function extractLaravelComponents(configPath: string): string[];
 export declare function extractEnvironmentFile(configPath: string, stage: string): string | null;
 export declare function validateDeployment(stage: string): void;
+/**
+ * Extract RemoteEnvVault secrets configuration from SST config
+ * Returns the custom path if specified, or null if no RemoteEnvVault is used
+ */
+export declare function extractSecretsConfig(configPath: string): {
+    path?: string;
+} | null;

package/dist/bin/utils/sst-config.js

@@ -88,7 +88,9 @@ export function validateDeployment(stage) {
         throw new Error('Could not find sst.config.ts or sst.config.js in current directory.');
     }
     const envFile = extractEnvironmentFile(configPath, stage);
-    if (envFile) {
+    const secretsConfig = extractSecretsConfig(configPath);
+    // Only validate env file if secrets are not configured
+    if (envFile && !secretsConfig) {
         const cwd = process.cwd();
         const envFilePath = path.join(cwd, envFile);
         if (!fs.existsSync(envFilePath)) {
@@ -96,4 +98,26 @@ export function validateDeployment(stage) {
         }
     }
 }
+/**
+ * Extract RemoteEnvVault secrets configuration from SST config
+ * Returns the custom path if specified, or null if no RemoteEnvVault is used
+ */
+export function extractSecretsConfig(configPath) {
+    const content = fs.readFileSync(configPath, 'utf-8');
+    // Check if RemoteEnvVault is used
+    const laravelEnvMatch = content.match(/new\s+RemoteEnvVault\s*\(/);
+    if (!laravelEnvMatch) {
+        return null;
+    }
+    // Check if secrets is configured in environment
+    const secretsMatch = content.match(/secrets\s*:\s*(\w+)/);
+    if (!secretsMatch) {
+        return null;
+    }
+    // Try to extract custom path from RemoteEnvVault constructor
+    const pathMatch = content.match(/new\s+RemoteEnvVault\s*\([^)]*path\s*:\s*['"`]([^'"`]+)['"`]/);
+    return {
+        path: pathMatch ? pathMatch[1] : undefined,
+    };
+}
 //# sourceMappingURL=sst-config.js.map

package/dist/bin/utils/sst-config.js.map

@@ -1 +1 @@
-{"version":3,"file":"sst-config.js","sourceRoot":"","sources":["../../../bin/utils/sst-config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AAEpC,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;AAE3C;;;GAGG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,GAAG,GAAG,SAAS,CAAC;IAEpB,yCAAyC;IACzC,OAAO,GAAG,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACjC,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC;YAClD,OAAO,GAAG,CAAC;QACb,CAAC;QACD,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,YAAoB;IAClD,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1B,MAAM,aAAa,GAAG;QACpB,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC;QAC/B,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC;KAChC,CAAC;IAEF,KAAK,MAAM,UAAU,IAAI,aAAa,EAAE,CAAC;QACvC,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,UAAkB;IACtD,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;IAC9D,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,UAAkB;IACzD,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,kDAAkD,CAAC;IACjE,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,IAAI,KAA6B,CAAC;IAElC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC9C,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,UAAkB,EAAE,KAAa;IACtE,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAErD,sCAAsC;IACtC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;IACzD,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC9C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mDAAmD;IACnD,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IACvD,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,QAAQ,GAAG,UAAU,CAAC;IAE1B,KAAK,IAAI,CAAC,GAAG,UAAU,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACnE,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,UAAU,EAAE,CAAC;QACrC,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,UAAU,EAAE,CAAC;QACrC,QAAQ,GAAG,CAAC,CAAC;IACf,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAEzD,0DAA0D;IAC1D,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAErE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IAE3B,gDAAgD;IAChD,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;IAE1D,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;IAEnC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;IACzF,CAAC;IAED,MAAM,OAAO,GAAG,sBAAsB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAE1D,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAE5C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,qBAAqB,OAAO,iFAAiF,CAAC,CAAC;QACjI,CAAC;IACH,CAAC;AACH,CAAC"}
+{"version":3,"file":"sst-config.js","sourceRoot":"","sources":["../../../bin/utils/sst-config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AAEpC,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;AAE3C;;;GAGG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,GAAG,GAAG,SAAS,CAAC;IAEpB,yCAAyC;IACzC,OAAO,GAAG,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACjC,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC;YAClD,OAAO,GAAG,CAAC;QACb,CAAC;QACD,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,YAAoB;IAClD,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1B,MAAM,aAAa,GAAG;QACpB,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC;QAC/B,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC;KAChC,CAAC;IAEF,KAAK,MAAM,UAAU,IAAI,aAAa,EAAE,CAAC;QACvC,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,UAAkB;IACtD,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;IAC9D,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,UAAkB;IACzD,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,kDAAkD,CAAC;IACjE,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,IAAI,KAA6B,CAAC;IAElC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC9C,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,UAAkB,EAAE,KAAa;IACtE,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAErD,sCAAsC;IACtC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;IACzD,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC9C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mDAAmD;IACnD,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IACvD,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,QAAQ,GAAG,UAAU,CAAC;IAE1B,KAAK,IAAI,CAAC,GAAG,UAAU,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACnE,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,UAAU,EAAE,CAAC;QACrC,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,UAAU,EAAE,CAAC;QACrC,QAAQ,GAAG,CAAC,CAAC;IACf,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAEzD,0DAA0D;IAC1D,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAErE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IAE3B,gDAAgD;IAChD,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;IAE1D,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;IAEnC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;IACzF,CAAC;IAED,MAAM,OAAO,GAAG,sBAAsB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAC1D,MAAM,aAAa,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;IAEvD,uDAAuD;IACvD,IAAI,OAAO,IAAI,CAAC,aAAa,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAE5C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,qBAAqB,OAAO,iFAAiF,CAAC,CAAC;QACjI,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB;IACrD,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAErD,kCAAkC;IAClC,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;IACnE,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gDAAgD;IAChD,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAC1D,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6DAA6D;IAC7D,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,8DAA8D,CAAC,CAAC;IAEhG,OAAO;QACL,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;KAC3C,CAAC;AACJ,CAAC"}

package/laravel-sst.ts

@@ -9,7 +9,12 @@ import { Input } from "../../../.sst/platform/src/components/input.js";
 import { ClusterArgs } from "../../../.sst/platform/src/components/aws/cluster.js";
 import { ServiceArgs } from "../../../.sst/platform/src/components/aws/service.js";
 import { Dns } from "../../../.sst/platform/src/components/dns.js";
-import { applyLinkedResourcesEnv, EnvCallback, EnvCallbacks } from "./src/laravel-env";
+import { applyLinkedResourcesEnv, EnvCallback, EnvCallbacks, extractSecrets } from "./src/laravel-env";
+import { RemoteEnvVault, RemoteEnvVaultArgs } from "./src/laravel-env-manager";
+import { getPackagePath } from "./src/config";
+
+// Re-export RemoteEnvVault for external use
+export { RemoteEnvVault, RemoteEnvVaultArgs };
 
 // duplicate from cluster.ts
 type Port = `${number}/${"http" | "https" | "tcp" | "udp" | "tcp_udp" | "tls"}`;
@@ -181,20 +186,39 @@ export interface LaravelArgs extends ClusterArgs {
       autoInject?: Input<boolean>,
 
       /**
-       * Custom environment variables that will be automatically injected into your application.
-       *
-       * @example
-       * ```js
-       * environment: {
-       *   vars: {
-       *     SESSION_DRIVER: 'redis',
-       *     QUEUE_CONNECTION: 'redis',
-       *   }
-       * }
-       * ```
-       */
-      vars?: FunctionArgs["environment"],
-    };
+        * Custom environment variables that will be automatically injected into your application.
+        *
+        * @example
+        * ```js
+        * environment: {
+        *   vars: {
+        *     SESSION_DRIVER: 'redis',
+        *     QUEUE_CONNECTION: 'redis',
+        *   }
+        * }
+        * ```
+        */
+       vars?: FunctionArgs["environment"],
+
+       /**
+        * Use a `RemoteEnvVault` component to manage environment variables in AWS Secrets Manager.
+        * When provided, secrets will be fetched from AWS Secrets Manager at build time.
+        *
+        * @example
+        * ```js
+        * const env = new RemoteEnvVault("Env");
+        *
+        * new LaravelService("Laravel", {
+        *   config: {
+        *     environment: {
+        *       secrets: env,
+        *     },
+        *   },
+        * });
+        * ```
+        */
+       secrets?: RemoteEnvVault,
+     };
 
     /**
      * Custom deployment configurations.
@@ -223,7 +247,7 @@ export class LaravelService extends Component {
     args.config = args.config ?? {};
     const sitePath = args.path ?? '.';
     const absSitePath = path.resolve(sitePath.toString());
-    const nodeModulePath = path.resolve(__dirname, '../../node_modules/@kirschbaum-development/sst-laravel');
+    const nodeModulePath = getPackagePath();
 
     // Determine the path where our plugin will save build files.
     // SST sets __dirname to the .sst/platform directory.
@@ -287,6 +311,19 @@ export class LaravelService extends Component {
         dev: {
           command: `php ${sitePath}/artisan serve`,
         },
+
+        transform: {
+          taskDefinition: (args) => {
+            args.containerDefinitions = (args.containerDefinitions as $util.Output<string>).apply(a => {
+              return JSON.stringify([{
+                ...JSON.parse(a)[0],
+                linuxParameters: {
+                  initProcessEnabled: false,
+                }
+              }]);
+            })
+          }
+        }
       });
     }
 
@@ -516,6 +553,13 @@ export class LaravelService extends Component {
           fs.appendFileSync(envFilePath, '\n' + envContent);
         }
       });
+
+      const secrets = extractSecrets(resources);
+      secrets.forEach(secret => {
+        all([secret.name, secret.value]).apply(([name, value]) => {
+          fs.appendFileSync(envFilePath, `\n${name}=${value}`);
+        });
+      });
     };
 
     /**
@@ -533,8 +577,31 @@ export class LaravelService extends Component {
 
     function prepareEnvironmentFile() {
       const envFile = args.config?.environment?.file as string | undefined;
+      const secrets = args.config?.environment?.secrets;
+
+      // If secrets are configured, the deploy command will have already
+      // fetched them and created the .env file in .sst/laravel/deploy/
+      if (secrets) {
+        // Check if the .env file was created by the deploy command
+        if (fs.existsSync(envFilePath)) {
+          // Secrets were fetched, append auto-inject variables
+          if (args.config?.environment?.autoInject !== false) {
+            applyLinkedResourcesToEnvironment();
+          }
+        } else {
+          // Secrets not fetched yet - this happens during `sst dev` or direct `sst deploy`
+          // Create an empty file and add a warning comment
+          fs.writeFileSync(envFilePath, '# WARNING: RemoteEnvVault secrets not loaded. Use `sst-laravel deploy` to fetch secrets.\n');
+
+          if (args.config?.environment?.autoInject !== false) {
+            applyLinkedResourcesToEnvironment();
+          }
+        }
+        return;
+      }
 
-      if (! envFile) {
+      // Handle traditional env file configuration
+      if (!envFile) {
         return;
       }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kirschbaum-development/sst-laravel",
-  "version": "0.1.5",
+  "version": "0.2.7",
   "type": "module",
   "description": "An unofficial extension of SST to deploy containerized Laravel applications to AWS Fargate.",
   "main": "laravel-sst.ts",
@@ -21,7 +21,8 @@
     "images",
     "Dockerfile.web",
     "Dockerfile.worker",
-    ".dockerignore"
+    ".dockerignore",
+    "skills"
   ],
   "scripts": {
     "build": "tsc",
@@ -52,6 +53,7 @@
   "dependencies": {
     "@aws-sdk/client-ecs": "^3.0.0",
     "@aws-sdk/client-iam": "^3.0.0",
+    "@aws-sdk/client-secrets-manager": "^3.0.0",
     "@aws-sdk/client-sts": "^3.0.0",
     "@inquirer/prompts": "^7.0.0",
     "@pulumi/aws": "^7.8.0",

package/src/config.ts

@@ -0,0 +1,24 @@
+import * as path from 'path';
+
+/**
+ * Environment variables set by the CLI to pass configuration to the SST component.
+ * These are prefixed with SST_LARAVEL_ to avoid collisions.
+ */
+export const SST_LARAVEL_ENV = {
+  PACKAGE_ROOT: 'SST_LARAVEL_PACKAGE_ROOT',
+} as const;
+
+/**
+ * Get the root path of the @kirschbaum-development/sst-laravel package.
+ *
+ * When invoked via the CLI, this reads from the SST_LARAVEL_PACKAGE_ROOT env var.
+ * Otherwise, falls back to resolving from node_modules relative to __dirname
+ * (which SST sets to .sst/platform/).
+ */
+export function getPackagePath(): string {
+  if (process.env[SST_LARAVEL_ENV.PACKAGE_ROOT]) {
+    return process.env[SST_LARAVEL_ENV.PACKAGE_ROOT]!;
+  }
+
+  return path.resolve(__dirname, '../../node_modules/@kirschbaum-development/sst-laravel');
+}

package/src/laravel-env-manager.ts

@@ -0,0 +1,109 @@
+/// <reference path="./../../../../.sst/platform/config.d.ts" />
+
+import { Component } from "../../../../.sst/platform/src/components/component.js";
+import { ComponentResourceOptions, Output, output } from "@pulumi/pulumi";
+import { Input } from "../../../../.sst/platform/src/components/input.js";
+
+export interface RemoteEnvVaultArgs {
+  /**
+   * The path in AWS Secrets Manager where environment variables will be stored.
+   * Defaults to `/{app-name}/{stage}/env`.
+   *
+   * @example
+   * ```js
+   * new RemoteEnvVault("Env", {
+   *   path: "/my-app/production/env",
+   * });
+   * ```
+   */
+  path?: Input<string>;
+}
+
+/**
+ * The `RemoteEnvVault` component manages environment variables for your Laravel application
+ * using AWS Secrets Manager.
+ *
+ * The secrets are managed via CLI commands:
+ * - `sst-laravel env:push` - Push local .env file to AWS Secrets Manager
+ * - `sst-laravel env:pull` - Pull secrets from AWS Secrets Manager to local file
+ *
+ * Large environment files are automatically split into multiple chunks to handle
+ * AWS Secrets Manager's 64KB limit per secret.
+ *
+ * @example
+ * ### Basic usage
+ * ```js
+ * const env = new RemoteEnvVault("Env");
+ *
+ * new LaravelService("Laravel", {
+ *   config: {
+ *     environment: {
+ *       secrets: env,
+ *     },
+ *   },
+ * });
+ * ```
+ *
+ * @example
+ * ### Custom path
+ * ```js
+ * const env = new RemoteEnvVault("Env", {
+ *   path: "/custom/path/env",
+ * });
+ * ```
+ *
+ * @example
+ * ### CLI workflow
+ * ```bash
+ * # Push secrets to AWS
+ * sst-laravel env:push --stage production --input .env.production
+ *
+ * # Pull secrets from AWS
+ * sst-laravel env:pull --stage production
+ *
+ * # Deploy (automatically fetches secrets)
+ * sst-laravel deploy --stage production
+ * ```
+ */
+export class RemoteEnvVault extends Component {
+  private readonly _path: Output<string>;
+
+  /**
+   * RemoteEnvVault is a component provided by the sst-laravel package 
+   * to manage environment variables for your Laravel application using AWS Secrets Manager, 
+   * making it simple to manage your environment variables in a remote way that also works well with CI/CD pipelines.
+   */
+  constructor(
+    name: string,
+    args: RemoteEnvVaultArgs = {},
+    opts: ComponentResourceOptions = {},
+  ) {
+    super(__pulumiType, name, args, opts);
+
+    // Build the secret path: /{app-name}/{stage}/env
+    const secretPath = args.path
+      ? output(args.path)
+      : output(`/${$app.name}/${$app.stage}/env`);
+
+    this._path = secretPath;
+
+    // Note: We don't create the secret here. Secrets are managed via CLI commands
+    // (env:push, env:pull) which handle chunking for large environment files.
+    // The deploy command fetches secrets before building the Docker image.
+
+    this.registerOutputs({
+      path: this._path,
+    });
+  }
+
+  /**
+   * The path in AWS Secrets Manager where environment variables are stored.
+   */
+  public get path(): Output<string> {
+    return this._path;
+  }
+}
+
+const __pulumiType = "sst:aws:RemoteEnvVault";
+// @ts-expect-error
+RemoteEnvVault.__pulumiType = __pulumiType;

package/src/laravel-env.ts

@@ -7,10 +7,11 @@ import * as pulumiAws from "@pulumi/aws";
 import { Queue } from "../../../../.sst/platform/src/components/aws/queue.js";
 import { Aurora } from "../../../../.sst/platform/src/components/aws/aurora.js";
 import { Bucket } from "../../../../.sst/platform/src/components/aws/bucket.js";
+import { Secret } from "../../../../.sst/platform/src/components/secret.js";
 
 type EnvType = Record<string, string | Output<string>>|Record<string, string | Output<string | undefined> | undefined>;
 type Database = Postgres | Mysql | Aurora | pulumiAws.rds.Instance;
-type LinkSupportedTypes = Database | Email | Queue | Redis | Bucket;
+type LinkSupportedTypes = Database | Email | Queue | Redis | Bucket | Secret;
 
 export type EnvCallback = (resource: any) => EnvType;
 export type EnvCallbacks = {
@@ -73,11 +74,16 @@ export function applyLinkedResourcesEnv(links: LinkSupportedTypes[], callbacks?:
         ...defaultEnv,
       };
     }
+
   });
 
   return environment;
 }
 
+export function extractSecrets(links: LinkSupportedTypes[]): Secret[] {
+  return links.filter((link): link is Secret => link instanceof Secret);
+}
+
 function applyDatabaseEnv(database: Database, callbacks?: EnvCallbacks): EnvType {
   let port: number | undefined;
 database.port.apply(value => port = value);

package/sst-env.d.ts

@@ -2,6 +2,7 @@
 /* tslint:disable */
 /* eslint-disable */
 /* deno-fmt-ignore-file */
+/* biome-ignore-all lint: auto-generated */
 
 /// <reference path="../../../sst-env.d.ts" />
 

package/templates/sst.config.run.template

@@ -1,10 +1,23 @@
-    const { LaravelService } = await import("@kirschbaum-development/sst-laravel");
+    const { LaravelService, RemoteEnvVault } = await import("@kirschbaum-development/sst-laravel");
     const vpc = new sst.aws.Vpc("MyVpc");
     // you can also use an existing VPC
     // const vpc = sst.aws.Vpc.get("DefaultVpc", "vpc-12345678901234567");
 
     const database = new sst.aws.Postgres('MyDB', { vpc });
 
+    /**
+     * With RemoteEnvVault, SST-Laravel will use the environment variables stored in the remote vault (AWS Secrets Manager)
+     * This makes it easy to manage env with teams, and especially makes it ready for CI/CD
+     * 
+     * To get started, create the environment file first, and push it to the remote vault. Examples:
+     * - `cp .env.example .env.dev`
+     * - `php artisan key:generate --env .env.dev`
+     * - `npx sst-laravel env:push --stage dev`
+     * 
+     * Replace `dev` with the stage you want to set up
+     */
+    const env = new RemoteEnvVault("Env");
+
     const app = new LaravelService("MyLaravelApp", {
       vpc,
       link: [database],
@@ -12,7 +25,7 @@
       config: {
         php: 8.4,
         environment: {
-          file: `.env.${$app.stage}`,
+          secrets: env,
         },
         deployment: {
           script: 'infra/deploy.sh',
@@ -33,10 +46,13 @@
         }
       },
 
-      workers: [{
-        horizon: true,
-        scheduler: true,
-      }]
+      // this configuration will create one worker container, which will run horizon and the laravel scheduler as background jobs
+      workers: [
+        {
+          horizon: true,
+          scheduler: true,
+        }
+      ]
     });
 
     return {