@liflig/load-secrets 1.0.3

package/.github/CODEOWNERS

@@ -0,0 +1 @@
+* @capralifecycle/team-infra

package/.github/workflows/ci.yaml

@@ -0,0 +1,50 @@
+name: ci
+on:
+  push:
+    branches:
+      - "**"
+
+defaults:
+  run:
+    # NOTE: A bit stricter than the default bash options used by GitHub Actions
+    # (bash --noprofile --norc -e -o pipefail {0})
+    shell: bash --noprofile --norc -euo pipefail {0}
+
+# NOTE: Set concurrency for the current workflow to 1
+concurrency: ci-${{ github.ref }}-${{ github.workflow }}
+
+jobs:
+  build-and-release:
+    timeout-minutes: 60
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: capralifecycle/actions-lib/check-runtime-dependencies@7887a32ad872a79a8e00817659a30876f0a8f1be # v1.5.5
+
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          node-version: 22
+
+      - uses: capralifecycle/actions-lib/configure-npm@7887a32ad872a79a8e00817659a30876f0a8f1be # v1.5.5
+
+      - name: install dependencies
+        run: npm ci
+
+      - name: lint
+        run: npm run lint
+
+      - name: conditionally pack
+        if: ${{ github.ref != format('refs/heads/{0}', github.event.repository.default_branch) }}
+        run: npm pack
+
+      - name: conditionally semantic release
+        if: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.SHARED_NPMJS_TOKEN }}
+        run: npm run semantic-release

package/.husky/commit-msg

@@ -0,0 +1 @@
+npx --no-install commitlint --edit "$1"

package/.tool-versions

@@ -0,0 +1 @@
+nodejs 22

package/Makefile

@@ -0,0 +1,9 @@
+.PHONY: all
+all: build
+
+.PHONY: build
+build:
+	@echo "Building..."
+	npm install
+	npm run build
+	npm run lint

package/README.md

@@ -0,0 +1,90 @@
+# load-secrets
+
+Library for loading secrets into AWS Secrets Mananager from a configuration file.
+
+## Installation
+
+```bash
+$ npm install @capraconsulting/load-secrets
+```
+
+## Usage
+
+### 1. Create a script for loading secrets into AWS Secrets Manager
+
+Create a script in your project for loading project secrets into AWS Secrets Manager.
+
+Example: `load-secrets-demo-service.ts`
+
+```ts
+// 1. Import the library
+import { loadSecrets } from "@capraconsulting/load-secrets";
+
+// 2. Define the secrets
+const demoServiceApiKey: loadSecrets.Secret = {
+    name: "demo-service-api-key",
+    description: "API key for the demo service",
+    type: "string"
+}
+
+// 3. Assign the secrets to SecretGroups (collections of associations between secrets and accounts)
+const secretGroups: loadSecrets.SecretGroup[] = [
+  {
+    accountId: "123412341234",
+    region: "eu-west-1",
+    description: "dev",
+    namePrefix: "/dev/demo-svc/",
+    secrets: [demoServiceApiKey]
+  },
+  {
+    accountId: "234523452345",
+    region: "eu-west-1",
+    description: "staging",
+    namePrefix: "/staging/demo-svc/",
+    secrets: [demoServiceApiKey]
+  }
+];
+
+// 4. Load the secrets into AWS Secrets Manager
+loadSecrets.loadSecretsCli({ secretGroups })
+```
+
+### 2. Assume an AWS role with the required permissions
+
+Example: `aws-vault exec team-squirrel-demo-service`
+
+Say, for example, that this command assumes AWS Account 123412341234.
+
+### 3. Run the script
+
+```bash
+$ ./load-secrets-demo-service.ts
+info Checking account for current credentials
+info If any error is given, make sure you have valid credentials active
+info Running for account 123412341234
+
+Select secret to write:
+
+dev (prefix: /dev/demo-svc/)
+  (0) demo-service-api-key (not yet created)
+
+Enter index (or enter to quit): 0
+
+Secret: /dev/demo-svc/demo-service-api-key 
+The secret does not already exist and will be created
+
+Enter value (Ctrl+C to abort): test
+Storing secret value:
+  test
+
+Secret stored:
+ARN: arn:aws:secretsmanager:eu-west-1:123412341234:secret:/dev/demo-svc/demo-service-api-key-UIqJ8N
+Version: bdbf33c1-eda8-4aa1-b744-7c2006eae338
+
+Select secret to write:
+
+dev (prefix: /dev/demo-svc/)
+  0) test-secret-delete-me (last changed 2024-12-03T13:50:44.237Z)
+
+Enter index (or enter to quit):
+```

package/commitlint.config.mjs

@@ -0,0 +1,3 @@
+export default {
+  extends: ["@commitlint/config-conventional"],
+};

package/eslint.config.mjs

@@ -0,0 +1,33 @@
+import eslint from "@eslint/js";
+import prettierPluginRecommended from "eslint-plugin-prettier/recommended";
+import tseslint from "typescript-eslint";
+
+export default tseslint.config(
+  {
+    ignores: ["lib/"],
+  },
+  {
+    extends: [
+      eslint.configs.recommended,
+      ...tseslint.configs.recommended,
+      // Must be last to override other rules
+      prettierPluginRecommended,
+    ],
+
+    rules: {
+      "@typescript-eslint/no-unused-vars": [
+        "error",
+        {
+          argsIgnorePattern: "^_",
+          varsIgnorePattern: "^_",
+          caughtErrorsIgnorePattern: "^_",
+          ignoreRestSiblings: true,
+        },
+      ],
+      "@typescript-eslint/no-explicit-any": "off",
+      "@typescript-eslint/consistent-type-imports": "error",
+      "@typescript-eslint/no-non-null-assertion": "off",
+      "@typescript-eslint/explicit-module-boundary-types": "off",
+    },
+  },
+);

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@liflig/load-secrets",
+  "version": "1.0.3",
+  "description": "Library for loading project secrets into AWS Secrets Manager",
+  "license": "Apache-2.0",
+  "type": "module",
+  "main": "lib/index.js",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/capralifecycle/load-secrets.git"
+  },
+  "scripts": {
+    "prepare": "husky",
+    "build": "tsc",
+    "lint": "eslint .",
+    "lint:fix": "eslint --fix .",
+    "semantic-release": "semantic-release"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@aws-sdk/client-secrets-manager": "3.699.0",
+    "@aws-sdk/client-sts": "3.699.0",
+    "chalk": "4.0.0",
+    "typescript": "5.7.2"
+  },
+  "devDependencies": {
+    "@commitlint/cli": "19.6.0",
+    "@commitlint/config-conventional": "19.6.0",
+    "@eslint/js": "9.16.0",
+    "@types/node": "22.10.1",
+    "@types/read": "0.0.32",
+    "eslint": "9.16.0",
+    "eslint-config-prettier": "9.1.0",
+    "eslint-plugin-prettier": "5.2.1",
+    "husky": "9.1.7",
+    "semantic-release": "24.2.0",
+    "typescript-eslint": "8.17.0"
+  }
+}

package/src/cli/reporter.ts

@@ -0,0 +1,54 @@
+import chalk from "chalk";
+import readline from "readline";
+
+const CLEAR_WHOLE_LINE = 0;
+
+export function createReporter(argv: Record<string, unknown>): CLIReporter {
+  return new CLIReporter({
+    verbose: !!argv.verbose,
+    nonInteractive: !!argv.nonInteractive,
+  });
+}
+
+function clearLine(stdout: NodeJS.WriteStream) {
+  readline.clearLine(stdout, CLEAR_WHOLE_LINE);
+  readline.cursorTo(stdout, 0);
+}
+
+export class CLIReporter {
+  public constructor(
+    opts: {
+      nonInteractive?: boolean;
+      verbose?: boolean;
+    } = {},
+  ) {
+    this.nonInteractive = !!opts.nonInteractive;
+    this.isVerbose = !!opts.verbose;
+  }
+
+  public stdout = process.stdout;
+  public stderr = process.stderr;
+  public nonInteractive: boolean;
+  public isVerbose: boolean;
+  public format: typeof chalk = chalk;
+
+  public error(msg: string): void {
+    clearLine(this.stderr);
+    this.stderr.write(`${this.format.red("error")} ${msg}\n`);
+  }
+
+  public log(msg: string): void {
+    clearLine(this.stdout);
+    this.stdout.write(`${msg}\n`);
+  }
+
+  public warn(msg: string): void {
+    clearLine(this.stderr);
+    this.stderr.write(`${this.format.yellow("warning")} ${msg}\n`);
+  }
+
+  public info(msg: string): void {
+    clearLine(this.stdout);
+    this.stdout.write(`${this.format.blue("info")} ${msg}\n`);
+  }
+}

package/src/index.ts

@@ -0,0 +1 @@
+export * as loadSecrets from "./load-secrets";

package/src/load-secrets/index.ts

@@ -0,0 +1,2 @@
+export { loadSecretsCli } from "./load-secrets";
+export type { JsonSecret, Secret, SecretGroup } from "./types";

package/src/load-secrets/load-secrets.ts

@@ -0,0 +1,463 @@
+import type {
+  DescribeSecretResponse,
+  Tag,
+} from "@aws-sdk/client-secrets-manager";
+import {
+  CreateSecretCommand,
+  DescribeSecretCommand,
+  GetSecretValueCommand,
+  PutSecretValueCommand,
+  RestoreSecretCommand,
+  SecretsManagerClient,
+  TagResourceCommand,
+  UntagResourceCommand,
+  ReplicateSecretToRegionsCommand,
+  RemoveRegionsFromReplicationCommand,
+} from "@aws-sdk/client-secrets-manager";
+import { GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
+import { ResourceNotFoundException } from "@aws-sdk/client-secrets-manager";
+import read from "read";
+import type { CLIReporter } from "../cli/reporter";
+import { createReporter } from "../cli/reporter";
+
+import type { JsonSecret, Secret, SecretGroup } from "./types";
+
+class LoadSecrets {
+  private readonly smClientForRegions: Record<string, SecretsManagerClient> =
+    {};
+  private readonly stsClient: STSClient;
+
+  private readonly reporter: CLIReporter;
+  private readonly silent: boolean;
+
+  constructor(props: { reporter: CLIReporter; silent: boolean }) {
+    this.stsClient = new STSClient({
+      region: "eu-west-1",
+    });
+    this.reporter = props.reporter;
+    this.silent = props.silent;
+  }
+
+  private getSmClient(region: string): SecretsManagerClient {
+    if (!this.smClientForRegions[region]) {
+      this.smClientForRegions[region] = new SecretsManagerClient({
+        region,
+      });
+    }
+
+    return this.smClientForRegions[region];
+  }
+
+  async getInput(options: read.Options): Promise<string> {
+    return new Promise<string>((resolve, reject) => {
+      read(options, (err, answer) => {
+        if (err) {
+          reject(err);
+        }
+        resolve(answer);
+      });
+    });
+  }
+
+  async getSecretDetails(
+    client: SecretsManagerClient,
+    secretId: string,
+  ): Promise<DescribeSecretResponse | null> {
+    try {
+      return await client.send(
+        new DescribeSecretCommand({ SecretId: secretId }),
+      );
+    } catch (e) {
+      if (e instanceof ResourceNotFoundException) {
+        return null;
+      }
+
+      throw e;
+    }
+  }
+
+  async handleStringUpdate() {
+    return await this.getInput({
+      prompt: "Enter value (Ctrl+C to abort): ",
+      silent: this.silent,
+    });
+  }
+  async handleJsonUpdate(secret: JsonSecret) {
+    this.reporter.log("The secret is of type JSON with these expected fields:");
+    for (const field of secret.fields) {
+      const key = typeof field === "string" ? field : field.key;
+      const desc =
+        typeof field === "string"
+          ? ""
+          : field.description
+            ? ` (${field.description})`
+            : "";
+      this.reporter.log(`  - ${key}${desc}`);
+    }
+
+    this.reporter.log("");
+
+    // TODO: Ability to specify full json value as one line.
+
+    const collectedValues: Record<string, string | null> = {};
+    for (const field of secret.fields) {
+      const key = typeof field === "string" ? field : field.key;
+
+      this.reporter.log(`Field: ${this.reporter.format.greenBright(key)}`);
+
+      if (typeof field !== "string" && field.example != null) {
+        this.reporter.log(
+          `Example: ${this.reporter.format.magentaBright(field.example)}`,
+        );
+      }
+
+      const value = await this.getInput({
+        prompt: "Enter value (Ctrl+C to abort): ",
+        silent: this.silent,
+      });
+      collectedValues[key] = value;
+
+      this.reporter.log("");
+    }
+
+    return JSON.stringify(collectedValues, undefined, "  ");
+  }
+
+  getFullName(secretGroup: SecretGroup, secret: Secret) {
+    return `${secretGroup.namePrefix}${secret.name}`;
+  }
+
+  async syncTags(
+    client: SecretsManagerClient,
+    secret: DescribeSecretResponse,
+    tags: Tag[],
+  ) {
+    const keysToRemove = secret
+      .Tags!.filter(
+        (existingTag) => !tags.some((it) => it.Key! === existingTag.Key!),
+      )
+      .map((it) => it.Key!);
+
+    if (keysToRemove.length > 0) {
+      this.reporter.log(`Removing obsolete tags: ${keysToRemove.join(", ")}`);
+      await client.send(
+        new UntagResourceCommand({
+          SecretId: secret.ARN!,
+          TagKeys: keysToRemove,
+        }),
+      );
+    }
+
+    const tagsToUpdate = tags.filter((expectedTag) => {
+      const existing = secret.Tags!.find((it) => it.Key! === expectedTag.Key!);
+      return existing == null || existing.Value != expectedTag.Value;
+    });
+
+    if (tagsToUpdate.length > 0) {
+      this.reporter.log(
+        `Storing tags: ${tagsToUpdate.map((it) => it.Key!).join(", ")}`,
+      );
+      await client.send(
+        new TagResourceCommand({
+          SecretId: secret.ARN!,
+          Tags: tagsToUpdate,
+        }),
+      );
+    }
+  }
+
+  async getSecretValue(client: SecretsManagerClient, secretId: string) {
+    const result = await client.send(
+      new GetSecretValueCommand({
+        SecretId: secretId,
+      }),
+    );
+
+    if (result.SecretString == null) {
+      throw new Error("Missing SecretString (is it a binary?)");
+    }
+
+    return result.SecretString;
+  }
+
+  async handleUpdate(secretGroup: SecretGroup, secret: Secret) {
+    const client = this.getSmClient(secretGroup.region);
+
+    const fullName = this.getFullName(secretGroup, secret);
+    const describeSecret = await this.getSecretDetails(client, fullName);
+
+    this.reporter.log(`Secret: ${this.reporter.format.greenBright(fullName)}`);
+
+    if (describeSecret == null) {
+      this.reporter.log(
+        "The secret does not already exist and will be created",
+      );
+    } else {
+      this.reporter.log("Current value:");
+      this.reporter.log(
+        this.reporter.format.yellowBright(
+          (await this.getSecretValue(client, fullName)).replace(/^/gm, "  "),
+        ),
+      );
+    }
+
+    this.reporter.log("");
+
+    let secretValue: string;
+
+    if (secret.type === "json") {
+      try {
+        secretValue = await this.handleJsonUpdate(secret);
+      } catch (e) {
+        if (e instanceof Error && e.message === "canceled") {
+          this.reporter.log("Aborted");
+          return;
+        }
+        throw e;
+      }
+    } else if (secret.type === "string") {
+      secretValue = await this.handleStringUpdate();
+    } else {
+      throw new Error(`Unsupported type`);
+    }
+
+    this.reporter.log("Storing secret value:");
+    this.reporter.log(
+      this.reporter.format.yellowBright(secretValue.replace(/^/gm, "  ")),
+    );
+
+    const tags: Tag[] = [
+      {
+        Key: "Source",
+        Value: "load-secrets script",
+      },
+    ];
+
+    let arn: string;
+    let version: string;
+    let newReplicaRegions: string[] = [];
+    let removedReplicaRegions: string[] = [];
+
+    if (describeSecret == null) {
+      newReplicaRegions = secret.replicaRegions ?? [];
+      const createResult = await client.send(
+        new CreateSecretCommand({
+          Name: fullName,
+          AddReplicaRegions: secret.replicaRegions
+            ? secret.replicaRegions.map((replicaRegion) => ({
+                Region: replicaRegion,
+              }))
+            : undefined,
+          Description: "Created by load-secrets",
+          SecretString: secretValue,
+          Tags: tags,
+        }),
+      );
+
+      if (createResult.VersionId == null) {
+        throw new Error("Expected versionId");
+      }
+
+      arn = createResult.ARN!;
+      version = createResult.VersionId;
+    } else {
+      if (describeSecret.DeletedDate != null) {
+        await client.send(
+          new RestoreSecretCommand({
+            SecretId: fullName,
+          }),
+        );
+      }
+
+      const updateResult = await client.send(
+        new PutSecretValueCommand({
+          SecretId: fullName,
+          SecretString: secretValue,
+        }),
+      );
+      const currentReplicaRegions =
+        describeSecret.ReplicationStatus?.map(
+          (replicationStatus) => replicationStatus.Region,
+        ) ?? [];
+      newReplicaRegions =
+        secret.replicaRegions?.filter(
+          (region) => !currentReplicaRegions.includes(region),
+        ) ?? [];
+      removedReplicaRegions = currentReplicaRegions
+        .filter(
+          (region): region is string => !!region && typeof region === "string",
+        )
+        .filter((region) => !(secret.replicaRegions || []).includes(region));
+      if (newReplicaRegions.length > 0) {
+        await client.send(
+          new ReplicateSecretToRegionsCommand({
+            SecretId: fullName,
+            AddReplicaRegions: newReplicaRegions.map((region) => ({
+              Region: region,
+            })),
+          }),
+        );
+      }
+      if (removedReplicaRegions.length > 0) {
+        await client.send(
+          new RemoveRegionsFromReplicationCommand({
+            SecretId: fullName,
+            RemoveReplicaRegions: removedReplicaRegions,
+          }),
+        );
+      }
+
+      if (updateResult.VersionId == null) {
+        throw new Error("Expected versionId");
+      }
+
+      await this.syncTags(client, describeSecret, tags);
+
+      arn = updateResult.ARN!;
+      version = updateResult.VersionId;
+    }
+
+    this.reporter.log("");
+    this.reporter.log("Secret stored:");
+    this.reporter.log(`ARN: ${this.reporter.format.greenBright(arn)}`);
+    this.reporter.log(`Version: ${this.reporter.format.greenBright(version)}`);
+    if (newReplicaRegions.length > 0) {
+      this.reporter.log(
+        `Read replicas added to regions: ${newReplicaRegions
+          .map((r) => this.reporter.format.greenBright(r))
+          .join(", ")}`,
+      );
+    }
+    if (removedReplicaRegions.length > 0) {
+      this.reporter.log(
+        `Read replicas removed from regions: ${removedReplicaRegions
+          .map((r) => this.reporter.format.redBright(r))
+          .join(", ")}`,
+      );
+    }
+  }
+
+  checkSecretGroup(secretGroup: SecretGroup) {
+    if (
+      !secretGroup.namePrefix.startsWith("/") ||
+      !secretGroup.namePrefix.endsWith("/")
+    ) {
+      throw new Error(
+        `namePrefix should start and end with /. Current value: ${secretGroup.namePrefix}`,
+      );
+    }
+  }
+
+  getSecretDescription(details: DescribeSecretResponse | null) {
+    return details == null
+      ? "not yet created"
+      : details?.DeletedDate != null
+        ? `scheduled for deletion ${details.DeletedDate.toISOString()}`
+        : `last changed ${details.LastChangedDate?.toISOString() ?? "unknown"}`;
+  }
+
+  /**
+   * Returns false if aborted.
+   */
+  async selectAndUpdate(secretGroups: SecretGroup[]): Promise<boolean> {
+    const secrets: { secretGroup: SecretGroup; secret: Secret }[] = [];
+
+    this.reporter.log("Select secret to write:");
+    this.reporter.log("");
+
+    for (const secretGroup of secretGroups) {
+      this.reporter.log(
+        `${secretGroup.description} (prefix: ${secretGroup.namePrefix})`,
+      );
+
+      for (let i = 0; i < secretGroup.secrets.length; i++) {
+        const offset = secrets.length;
+        const secret = secretGroup.secrets[i];
+
+        secrets.push({
+          secret: secret,
+          secretGroup,
+        });
+
+        const client = this.getSmClient(secretGroup.region);
+        const details = await this.getSecretDetails(
+          client,
+          this.getFullName(secretGroup, secret),
+        );
+        const desc = this.getSecretDescription(details);
+
+        this.reporter.log(`  (${offset}) ${secret.name} (${desc})`);
+      }
+      this.reporter.log("");
+    }
+
+    let index: number;
+    try {
+      const answer = await this.getInput({
+        prompt: "Enter index (or enter to quit): ",
+      });
+      if (answer.trim() === "") {
+        return false;
+      }
+
+      index = parseInt(answer);
+      if (!secrets[index]) {
+        throw new Error();
+      }
+    } catch (_) {
+      this.reporter.warn("Secret not found - aborting");
+      return false;
+    }
+
+    this.reporter.log("");
+    await this.handleUpdate(secrets[index].secretGroup, secrets[index].secret);
+    this.reporter.log("");
+
+    return true;
+  }
+
+  async process(secretGroups: SecretGroup[]) {
+    this.reporter.info("Checking account for current credentials");
+    this.reporter.info(
+      "If any error is given, make sure you have valid credentials active",
+    );
+    const currentAccount = await this.stsClient.send(
+      new GetCallerIdentityCommand({}),
+    );
+
+    this.reporter.info(`Running for account ${currentAccount.Account!}`);
+    this.reporter.log("");
+
+    const matchedSecretGroups = secretGroups.filter(
+      (it) => it.accountId === currentAccount.Account!,
+    );
+    if (matchedSecretGroups.length === 0) {
+      this.reporter.error(`No secrets specified for this account - aborting`);
+      return;
+    }
+
+    for (const secretGroup of matchedSecretGroups) {
+      this.checkSecretGroup(secretGroup);
+    }
+
+    // eslint-disable-next-line no-empty
+    while (await this.selectAndUpdate(matchedSecretGroups)) {}
+  }
+}
+
+/**
+ * Load secrets interactively into Secrets Manager.
+ */
+export function loadSecretsCli(props: { secretGroups: SecretGroup[] }): void {
+  const loadSecrets = new LoadSecrets({
+    reporter: createReporter({}),
+    // For now, we show the secrets, so that we get positive feedback that the value
+    // is correctly entered.
+    silent: false,
+  });
+
+  loadSecrets.process(props.secretGroups).catch((error) => {
+    console.error(error.stack || error.message || error);
+    process.exitCode = 1;
+  });
+}

package/src/load-secrets/types.ts

@@ -0,0 +1,40 @@
+export interface BaseSecret {
+  name: string;
+  description?: string;
+  /**
+   * A list of regions to create read replicas
+   * of the secret in.
+   */
+  replicaRegions?: string[];
+}
+
+export type JsonSecretSimpleField = string;
+
+export interface JsonSecretDescribedField {
+  key: string;
+  description?: string;
+  example?: string;
+}
+
+/**
+ * Used for secrets that are a single plaintext string,
+ * and do not require JSON formating.
+ */
+export interface StringSecret extends BaseSecret {
+  type: "string";
+}
+
+export interface JsonSecret extends BaseSecret {
+  type: "json";
+  fields: (JsonSecretSimpleField | JsonSecretDescribedField)[];
+}
+
+export type Secret = JsonSecret | StringSecret;
+
+export interface SecretGroup {
+  accountId: string;
+  region: string;
+  description: string;
+  namePrefix: string;
+  secrets: Secret[];
+}

package/tsconfig.json

@@ -0,0 +1,25 @@
+{
+  "compilerOptions": {
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "target": "ES2022",
+    "moduleDetection": "force",
+    "allowJs": true,
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "strict": true,
+    "sourceMap": true,
+    "verbatimModuleSyntax": false,
+    "useUnknownInCatchVariables": false,
+
+    "noEmit": false,
+    "declaration": true,
+
+    "module": "preserve",
+    "outDir": "./lib",
+
+    "lib": ["es2022"]
+  },
+  "include": ["src"],
+  "exclude": ["cdk.out", "node_modules"]
+}