npm - @kirschbaum-development/sst-laravel - Versions diffs - 0.2.10 → 0.2.12 - Mend

@kirschbaum-development/sst-laravel 0.2.10 → 0.2.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/bin/commands/deploy.js +1 -43
package/dist/bin/commands/deploy.js.map +1 -1
package/dist/bin/commands/init.js +1 -1
package/dist/bin/commands/init.js.map +1 -1
package/dist/bin/utils/secrets-manager.d.ts +4 -0
package/dist/bin/utils/secrets-manager.js +21 -0
package/dist/bin/utils/secrets-manager.js.map +1 -1
package/laravel-sst.ts +759 -587
package/package.json +1 -1
package/src/laravel-env-manager.ts +1 -1
package/src/remote-env-file.ts +235 -0
package/src/secrets-manager.ts +544 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@kirschbaum-development/sst-laravel",
-  "version": "0.2.10",
+  "version": "0.2.12",
   "type": "module",
   "description": "An unofficial extension of SST to deploy containerized Laravel applications to AWS Fargate.",
   "main": "laravel-sst.ts",

package/src/laravel-env-manager.ts CHANGED Viewed

@@ -62,7 +62,7 @@ export interface RemoteEnvVaultArgs {
  * sst-laravel env:pull --stage production
  *
  * # Deploy (automatically fetches secrets)
- * sst-laravel deploy --stage production
+ * sst deploy --stage production
  * ```
  */
 export class RemoteEnvVault extends Component {

package/src/remote-env-file.ts ADDED Viewed

@@ -0,0 +1,235 @@
+import { CustomResourceOptions, Input, dynamic } from '@pulumi/pulumi';
+export interface RemoteEnvFileLinkedSecret {
+  name: Input<string>;
+  value: Input<string>;
+}
+export interface RemoteEnvFileInputs {
+  secretPath: Input<string>;
+  envFilePath: Input<string>;
+  fingerprint: Input<string>;
+  autoInject?: Input<boolean>;
+  appUrl?: Input<string | undefined>;
+  linkedEnvironment?: Input<Record<string, Input<string | undefined> | undefined>>;
+  linkedSecrets?: Input<RemoteEnvFileLinkedSecret[]>;
+}
+interface ResolvedRemoteEnvFileInputs {
+  secretPath: string;
+  envFilePath: string;
+  fingerprint: string;
+  autoInject?: boolean;
+  appUrl?: string;
+  linkedEnvironment?: Record<string, string | undefined>;
+  linkedSecrets?: Array<{
+    name: string;
+    value: string;
+  }>;
+}
+const provider: dynamic.ResourceProvider<ResolvedRemoteEnvFileInputs, ResolvedRemoteEnvFileInputs> = {
+  async create(inputs) {
+    const outs = await writeRemoteEnvironmentFile(inputs);
+    return {
+      id: `${inputs.secretPath}:${inputs.envFilePath}`,
+      outs,
+    };
+  },
+  async diff(_, olds, news) {
+    return {
+      changes: stableStringify(olds) !== stableStringify(news),
+    };
+  },
+  async update(_, __, news) {
+    const outs = await writeRemoteEnvironmentFile(news);
+    return {
+      outs,
+    };
+  },
+};
+export class RemoteEnvFile extends dynamic.Resource {
+  constructor(
+    name: string,
+    args: RemoteEnvFileInputs,
+    opts?: CustomResourceOptions,
+  ) {
+    super(provider, `${name}.sst.aws.RemoteEnvFile`, args, opts);
+  }
+}
+async function writeRemoteEnvironmentFile(inputs: ResolvedRemoteEnvFileInputs) {
+  const fs = await import('node:fs');
+  const path = await import('node:path');
+  const secrets = await pullSecretsFromAws(inputs.secretPath);
+  if (!secrets) {
+    throw new Error(`RemoteEnvVault secret not found at ${inputs.secretPath}.`);
+  }
+  const envContent = buildEnvFileContent(secrets, inputs);
+  fs.mkdirSync(path.dirname(inputs.envFilePath), { recursive: true });
+  fs.writeFileSync(inputs.envFilePath, envContent + '\n');
+  fs.chmodSync(inputs.envFilePath, 0o755);
+  return {
+    ...inputs,
+  };
+}
+async function pullSecretsFromAws(secretPath: string): Promise<Record<string, string> | null> {
+  const secretValue = await getSecretValue(secretPath);
+  if (!secretValue) {
+    return null;
+  }
+  const data = JSON.parse(secretValue);
+  if (isChunkedSecret(data)) {
+    return pullChunkedSecrets(secretPath, data.chunks);
+  }
+  return data;
+}
+async function pullChunkedSecrets(basePath: string, chunkCount: number): Promise<Record<string, string>> {
+  const allVars: Record<string, string> = {};
+  const chunkPromises = Array.from({ length: chunkCount }, (_, i) =>
+    getSecretValue(getChunkPath(basePath, i + 1))
+  );
+  const chunkValues = await Promise.all(chunkPromises);
+  for (let i = 0; i < chunkValues.length; i++) {
+    const chunkValue = chunkValues[i];
+    if (chunkValue) {
+      Object.assign(allVars, JSON.parse(chunkValue));
+    } else {
+      console.warn(`Warning: Chunk ${i + 1} not found at ${getChunkPath(basePath, i + 1)}`);
+    }
+  }
+  return allVars;
+}
+async function getSecretValue(secretPath: string): Promise<string | null> {
+  const { SecretsManagerClient, GetSecretValueCommand } = await import('@aws-sdk/client-secrets-manager');
+  const client = new SecretsManagerClient({});
+  try {
+    const response = await client.send(new GetSecretValueCommand({
+      SecretId: secretPath,
+    }));
+    return response.SecretString || null;
+  } catch (error) {
+    if (isResourceNotFound(error)) {
+      return null;
+    }
+    throw error;
+  }
+}
+function isChunkedSecret(data: any): data is { chunked: true; chunks: number } {
+  return data && typeof data === 'object' && data.chunked === true && typeof data.chunks === 'number';
+}
+function isResourceNotFound(error: unknown): boolean {
+  return !!error && typeof error === 'object' && 'name' in error && error.name === 'ResourceNotFoundException';
+}
+function getChunkPath(basePath: string, chunkIndex: number): string {
+  return `${basePath}/${chunkIndex}`;
+}
+function buildEnvFileContent(
+  secrets: Record<string, string>,
+  inputs: ResolvedRemoteEnvFileInputs,
+) {
+  const baseEnv = toEnvFileContent(secrets);
+  if (inputs.autoInject === false) {
+    return baseEnv;
+  }
+  const autoInjected: Record<string, string> = {};
+  if (!hasOwnVariable(secrets, 'APP_URL') && inputs.appUrl) {
+    autoInjected.APP_URL = inputs.appUrl;
+  }
+  if (!hasOwnVariable(secrets, 'LOG_CHANNEL')) {
+    autoInjected.LOG_CHANNEL = 'stderr';
+  }
+  Object.entries(inputs.linkedEnvironment || {}).forEach(([key, value]) => {
+    if (typeof value === 'string') {
+      autoInjected[key] = value;
+    }
+  });
+  (inputs.linkedSecrets || []).forEach((secret) => {
+    autoInjected[secret.name] = secret.value;
+  });
+  if (Object.keys(autoInjected).length === 0) {
+    return baseEnv;
+  }
+  return [
+    baseEnv,
+    '# --- SST-LARAVEL AUTO-INJECTED VARIABLES ---',
+    toEnvFileContent(autoInjected),
+  ].filter(Boolean).join('\n\n');
+}
+function toEnvFileContent(vars: Record<string, string>): string {
+  const sortedKeys = Object.keys(vars).sort();
+  return sortedKeys
+    .map((key) => {
+      const value = vars[key];
+      if (value.includes(' ') || value.includes('"') || value.includes("'") || value.includes('\n')) {
+        const escaped = value.replace(/"/g, '\\"');
+        return `${key}="${escaped}"`;
+      }
+      return `${key}=${value}`;
+    })
+    .join('\n');
+}
+function hasOwnVariable(vars: Record<string, string>, key: string) {
+  return Object.prototype.hasOwnProperty.call(vars, key);
+}
+function stableStringify(value: unknown): string {
+  return JSON.stringify(sortValue(value));
+}
+function sortValue(value: unknown): unknown {
+  if (Array.isArray(value)) {
+    return value.map(sortValue);
+  }
+  if (value && typeof value === 'object') {
+    return Object.keys(value as Record<string, unknown>)
+      .sort()
+      .reduce((result, key) => {
+        result[key] = sortValue((value as Record<string, unknown>)[key]);
+        return result;
+      }, {} as Record<string, unknown>);
+  }
+  return value;
+}