@kirschbaum-development/sst-laravel 0.1.6 → 0.2.7

package/laravel-sst.ts

@@ -10,6 +10,11 @@ import { ClusterArgs } from "../../../.sst/platform/src/components/aws/cluster.j
 import { ServiceArgs } from "../../../.sst/platform/src/components/aws/service.js";
 import { Dns } from "../../../.sst/platform/src/components/dns.js";
 import { applyLinkedResourcesEnv, EnvCallback, EnvCallbacks, extractSecrets } from "./src/laravel-env";
+import { RemoteEnvVault, RemoteEnvVaultArgs } from "./src/laravel-env-manager";
+import { getPackagePath } from "./src/config";
+
+// Re-export RemoteEnvVault for external use
+export { RemoteEnvVault, RemoteEnvVaultArgs };
 
 // duplicate from cluster.ts
 type Port = `${number}/${"http" | "https" | "tcp" | "udp" | "tcp_udp" | "tls"}`;
@@ -181,20 +186,39 @@ export interface LaravelArgs extends ClusterArgs {
       autoInject?: Input<boolean>,
 
       /**
-       * Custom environment variables that will be automatically injected into your application.
-       *
-       * @example
-       * ```js
-       * environment: {
-       *   vars: {
-       *     SESSION_DRIVER: 'redis',
-       *     QUEUE_CONNECTION: 'redis',
-       *   }
-       * }
-       * ```
-       */
-      vars?: FunctionArgs["environment"],
-    };
+        * Custom environment variables that will be automatically injected into your application.
+        *
+        * @example
+        * ```js
+        * environment: {
+        *   vars: {
+        *     SESSION_DRIVER: 'redis',
+        *     QUEUE_CONNECTION: 'redis',
+        *   }
+        * }
+        * ```
+        */
+       vars?: FunctionArgs["environment"],
+
+       /**
+        * Use a `RemoteEnvVault` component to manage environment variables in AWS Secrets Manager.
+        * When provided, secrets will be fetched from AWS Secrets Manager at build time.
+        *
+        * @example
+        * ```js
+        * const env = new RemoteEnvVault("Env");
+        *
+        * new LaravelService("Laravel", {
+        *   config: {
+        *     environment: {
+        *       secrets: env,
+        *     },
+        *   },
+        * });
+        * ```
+        */
+       secrets?: RemoteEnvVault,
+     };
 
     /**
      * Custom deployment configurations.
@@ -223,7 +247,7 @@ export class LaravelService extends Component {
     args.config = args.config ?? {};
     const sitePath = args.path ?? '.';
     const absSitePath = path.resolve(sitePath.toString());
-    const nodeModulePath = path.resolve(__dirname, '../../node_modules/@kirschbaum-development/sst-laravel');
+    const nodeModulePath = getPackagePath();
 
     // Determine the path where our plugin will save build files.
     // SST sets __dirname to the .sst/platform directory.
@@ -287,6 +311,19 @@ export class LaravelService extends Component {
         dev: {
           command: `php ${sitePath}/artisan serve`,
         },
+
+        transform: {
+          taskDefinition: (args) => {
+            args.containerDefinitions = (args.containerDefinitions as $util.Output<string>).apply(a => {
+              return JSON.stringify([{
+                ...JSON.parse(a)[0],
+                linuxParameters: {
+                  initProcessEnabled: false,
+                }
+              }]);
+            })
+          }
+        }
       });
     }
 
@@ -540,8 +577,31 @@ export class LaravelService extends Component {
 
     function prepareEnvironmentFile() {
       const envFile = args.config?.environment?.file as string | undefined;
+      const secrets = args.config?.environment?.secrets;
+
+      // If secrets are configured, the deploy command will have already
+      // fetched them and created the .env file in .sst/laravel/deploy/
+      if (secrets) {
+        // Check if the .env file was created by the deploy command
+        if (fs.existsSync(envFilePath)) {
+          // Secrets were fetched, append auto-inject variables
+          if (args.config?.environment?.autoInject !== false) {
+            applyLinkedResourcesToEnvironment();
+          }
+        } else {
+          // Secrets not fetched yet - this happens during `sst dev` or direct `sst deploy`
+          // Create an empty file and add a warning comment
+          fs.writeFileSync(envFilePath, '# WARNING: RemoteEnvVault secrets not loaded. Use `sst-laravel deploy` to fetch secrets.\n');
+
+          if (args.config?.environment?.autoInject !== false) {
+            applyLinkedResourcesToEnvironment();
+          }
+        }
+        return;
+      }
 
-      if (! envFile) {
+      // Handle traditional env file configuration
+      if (!envFile) {
         return;
       }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kirschbaum-development/sst-laravel",
-  "version": "0.1.6",
+  "version": "0.2.7",
   "type": "module",
   "description": "An unofficial extension of SST to deploy containerized Laravel applications to AWS Fargate.",
   "main": "laravel-sst.ts",
@@ -21,7 +21,8 @@
     "images",
     "Dockerfile.web",
     "Dockerfile.worker",
-    ".dockerignore"
+    ".dockerignore",
+    "skills"
   ],
   "scripts": {
     "build": "tsc",
@@ -52,6 +53,7 @@
   "dependencies": {
     "@aws-sdk/client-ecs": "^3.0.0",
     "@aws-sdk/client-iam": "^3.0.0",
+    "@aws-sdk/client-secrets-manager": "^3.0.0",
     "@aws-sdk/client-sts": "^3.0.0",
     "@inquirer/prompts": "^7.0.0",
     "@pulumi/aws": "^7.8.0",

package/src/config.ts

@@ -0,0 +1,24 @@
+import * as path from 'path';
+
+/**
+ * Environment variables set by the CLI to pass configuration to the SST component.
+ * These are prefixed with SST_LARAVEL_ to avoid collisions.
+ */
+export const SST_LARAVEL_ENV = {
+  PACKAGE_ROOT: 'SST_LARAVEL_PACKAGE_ROOT',
+} as const;
+
+/**
+ * Get the root path of the @kirschbaum-development/sst-laravel package.
+ *
+ * When invoked via the CLI, this reads from the SST_LARAVEL_PACKAGE_ROOT env var.
+ * Otherwise, falls back to resolving from node_modules relative to __dirname
+ * (which SST sets to .sst/platform/).
+ */
+export function getPackagePath(): string {
+  if (process.env[SST_LARAVEL_ENV.PACKAGE_ROOT]) {
+    return process.env[SST_LARAVEL_ENV.PACKAGE_ROOT]!;
+  }
+
+  return path.resolve(__dirname, '../../node_modules/@kirschbaum-development/sst-laravel');
+}

package/src/laravel-env-manager.ts

@@ -0,0 +1,109 @@
+/// <reference path="./../../../../.sst/platform/config.d.ts" />
+
+import { Component } from "../../../../.sst/platform/src/components/component.js";
+import { ComponentResourceOptions, Output, output } from "@pulumi/pulumi";
+import { Input } from "../../../../.sst/platform/src/components/input.js";
+
+export interface RemoteEnvVaultArgs {
+  /**
+   * The path in AWS Secrets Manager where environment variables will be stored.
+   * Defaults to `/{app-name}/{stage}/env`.
+   *
+   * @example
+   * ```js
+   * new RemoteEnvVault("Env", {
+   *   path: "/my-app/production/env",
+   * });
+   * ```
+   */
+  path?: Input<string>;
+}
+
+/**
+ * The `RemoteEnvVault` component manages environment variables for your Laravel application
+ * using AWS Secrets Manager.
+ *
+ * The secrets are managed via CLI commands:
+ * - `sst-laravel env:push` - Push local .env file to AWS Secrets Manager
+ * - `sst-laravel env:pull` - Pull secrets from AWS Secrets Manager to local file
+ *
+ * Large environment files are automatically split into multiple chunks to handle
+ * AWS Secrets Manager's 64KB limit per secret.
+ *
+ * @example
+ * ### Basic usage
+ * ```js
+ * const env = new RemoteEnvVault("Env");
+ *
+ * new LaravelService("Laravel", {
+ *   config: {
+ *     environment: {
+ *       secrets: env,
+ *     },
+ *   },
+ * });
+ * ```
+ *
+ * @example
+ * ### Custom path
+ * ```js
+ * const env = new RemoteEnvVault("Env", {
+ *   path: "/custom/path/env",
+ * });
+ * ```
+ *
+ * @example
+ * ### CLI workflow
+ * ```bash
+ * # Push secrets to AWS
+ * sst-laravel env:push --stage production --input .env.production
+ *
+ * # Pull secrets from AWS
+ * sst-laravel env:pull --stage production
+ *
+ * # Deploy (automatically fetches secrets)
+ * sst-laravel deploy --stage production
+ * ```
+ */
+export class RemoteEnvVault extends Component {
+  private readonly _path: Output<string>;
+
+  /**
+   * RemoteEnvVault is a component provided by the sst-laravel package 
+   * to manage environment variables for your Laravel application using AWS Secrets Manager, 
+   * making it simple to manage your environment variables in a remote way that also works well with CI/CD pipelines.
+   */
+  constructor(
+    name: string,
+    args: RemoteEnvVaultArgs = {},
+    opts: ComponentResourceOptions = {},
+  ) {
+    super(__pulumiType, name, args, opts);
+
+    // Build the secret path: /{app-name}/{stage}/env
+    const secretPath = args.path
+      ? output(args.path)
+      : output(`/${$app.name}/${$app.stage}/env`);
+
+    this._path = secretPath;
+
+    // Note: We don't create the secret here. Secrets are managed via CLI commands
+    // (env:push, env:pull) which handle chunking for large environment files.
+    // The deploy command fetches secrets before building the Docker image.
+
+    this.registerOutputs({
+      path: this._path,
+    });
+  }
+
+  /**
+   * The path in AWS Secrets Manager where environment variables are stored.
+   */
+  public get path(): Output<string> {
+    return this._path;
+  }
+}
+
+const __pulumiType = "sst:aws:RemoteEnvVault";
+// @ts-expect-error
+RemoteEnvVault.__pulumiType = __pulumiType;

package/sst-env.d.ts

@@ -2,6 +2,7 @@
 /* tslint:disable */
 /* eslint-disable */
 /* deno-fmt-ignore-file */
+/* biome-ignore-all lint: auto-generated */
 
 /// <reference path="../../../sst-env.d.ts" />
 

package/templates/sst.config.run.template

@@ -1,10 +1,23 @@
-    const { LaravelService } = await import("@kirschbaum-development/sst-laravel");
+    const { LaravelService, RemoteEnvVault } = await import("@kirschbaum-development/sst-laravel");
     const vpc = new sst.aws.Vpc("MyVpc");
     // you can also use an existing VPC
     // const vpc = sst.aws.Vpc.get("DefaultVpc", "vpc-12345678901234567");
 
     const database = new sst.aws.Postgres('MyDB', { vpc });
 
+    /**
+     * With RemoteEnvVault, SST-Laravel will use the environment variables stored in the remote vault (AWS Secrets Manager)
+     * This makes it easy to manage env with teams, and especially makes it ready for CI/CD
+     * 
+     * To get started, create the environment file first, and push it to the remote vault. Examples:
+     * - `cp .env.example .env.dev`
+     * - `php artisan key:generate --env .env.dev`
+     * - `npx sst-laravel env:push --stage dev`
+     * 
+     * Replace `dev` with the stage you want to set up
+     */
+    const env = new RemoteEnvVault("Env");
+
     const app = new LaravelService("MyLaravelApp", {
       vpc,
       link: [database],
@@ -12,7 +25,7 @@
       config: {
         php: 8.4,
         environment: {
-          file: `.env.${$app.stage}`,
+          secrets: env,
         },
         deployment: {
           script: 'infra/deploy.sh',
@@ -33,10 +46,13 @@
         }
       },
 
-      workers: [{
-        horizon: true,
-        scheduler: true,
-      }]
+      // this configuration will create one worker container, which will run horizon and the laravel scheduler as background jobs
+      workers: [
+        {
+          horizon: true,
+          scheduler: true,
+        }
+      ]
     });
 
     return {