@salte-common/terraflow 0.1.0-alpha.1

package/dist/plugins/backends/gcs.js

@@ -0,0 +1,75 @@
+"use strict";
+/**
+ * GCS backend plugin
+ * Handles Google Cloud Storage Terraform state backend
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.gcsBackend = void 0;
+const errors_1 = require("../../core/errors");
+const logger_1 = require("../../utils/logger");
+const templates_1 = require("../../utils/templates");
+/**
+ * GCS backend plugin
+ */
+exports.gcsBackend = {
+    name: 'gcs',
+    /**
+     * Validate GCS backend configuration
+     * @param config - Backend configuration
+     * @throws {ConfigError} If configuration is invalid
+     */
+    validate: async (config) => {
+        if (!config.config) {
+            throw new errors_1.ConfigError('GCS backend requires configuration');
+        }
+        const gcsConfig = config.config;
+        // Required fields
+        if (!gcsConfig.bucket) {
+            throw new errors_1.ConfigError('GCS backend requires "bucket" configuration');
+        }
+    },
+    /**
+     * Generate Terraform backend configuration arguments
+     * @param config - Backend configuration
+     * @param context - Execution context (for template variable resolution)
+     * @returns Array of -backend-config arguments for terraform init
+     */
+    getBackendConfig: async (config, context) => {
+        if (!config.config) {
+            throw new errors_1.ConfigError('GCS backend requires configuration');
+        }
+        // Build template context from execution context
+        const templateVars = {
+            ...context.templateVars,
+        };
+        // Add cloud-specific variables
+        if (context.cloud.gcpProjectId) {
+            templateVars.GCP_PROJECT_ID = context.cloud.gcpProjectId;
+        }
+        // Resolve template variables in config
+        const resolvedConfig = templates_1.TemplateUtils.resolveObject(config.config, templateVars);
+        const gcsConfig = resolvedConfig;
+        // Build backend-config arguments
+        const backendArgs = [];
+        // Required fields
+        backendArgs.push(`-backend-config=bucket=${gcsConfig.bucket}`);
+        // Optional fields with defaults
+        const prefix = gcsConfig.prefix || 'terraform/state';
+        backendArgs.push(`-backend-config=prefix=${prefix}`);
+        if (gcsConfig.credentials) {
+            backendArgs.push(`-backend-config=credentials=${gcsConfig.credentials}`);
+        }
+        if (gcsConfig.impersonate_service_account) {
+            backendArgs.push(`-backend-config=impersonate_service_account=${gcsConfig.impersonate_service_account}`);
+        }
+        if (gcsConfig.access_token) {
+            backendArgs.push(`-backend-config=access_token=${gcsConfig.access_token}`);
+        }
+        if (gcsConfig.encryption_key) {
+            backendArgs.push(`-backend-config=encryption_key=${gcsConfig.encryption_key}`);
+        }
+        logger_1.Logger.debug(`Generated ${backendArgs.length} backend-config arguments for GCS backend`);
+        return backendArgs;
+    },
+};
+//# sourceMappingURL=gcs.js.map

package/dist/plugins/backends/local.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Local backend plugin
+ * Handles local Terraform state backend
+ */
+import type { BackendPlugin } from '../../types';
+/**
+ * Local backend plugin
+ * Default backend that stores state locally in terraform.tfstate
+ */
+export declare const localBackend: BackendPlugin;
+//# sourceMappingURL=local.d.ts.map

package/dist/plugins/backends/local.js

@@ -0,0 +1,37 @@
+"use strict";
+/**
+ * Local backend plugin
+ * Handles local Terraform state backend
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.localBackend = void 0;
+/**
+ * Local backend plugin
+ * Default backend that stores state locally in terraform.tfstate
+ */
+exports.localBackend = {
+    name: 'local',
+    /**
+     * Validate backend configuration
+     * Local backend always validates successfully (no configuration needed)
+     * @param _config - Backend configuration (ignored for local backend)
+     */
+    validate: async (_config) => {
+        // Local backend requires no validation
+        // State is stored in terraform.tfstate in the working directory
+        return Promise.resolve();
+    },
+    /**
+     * Generate Terraform backend configuration arguments
+     * Local backend requires no backend-config flags
+     * @param _config - Backend configuration (ignored for local backend)
+     * @param _context - Execution context (ignored for local backend)
+     * @returns Empty array (no backend-config flags needed)
+     */
+    getBackendConfig: async (_config, _context) => {
+        // Local backend doesn't require any -backend-config flags
+        // Terraform uses local backend by default if no backend is configured
+        return [];
+    },
+};
+//# sourceMappingURL=local.js.map

package/dist/plugins/backends/s3.d.ts

@@ -0,0 +1,10 @@
+/**
+ * S3 backend plugin
+ * Handles AWS S3 Terraform state backend
+ */
+import type { BackendPlugin } from '../../types';
+/**
+ * S3 backend plugin
+ */
+export declare const s3Backend: BackendPlugin;
+//# sourceMappingURL=s3.d.ts.map

package/dist/plugins/backends/s3.js

@@ -0,0 +1,185 @@
+"use strict";
+/**
+ * S3 backend plugin
+ * Handles AWS S3 Terraform state backend
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.s3Backend = void 0;
+const errors_1 = require("../../core/errors");
+const logger_1 = require("../../utils/logger");
+const templates_1 = require("../../utils/templates");
+/**
+ * S3 backend plugin
+ */
+exports.s3Backend = {
+    name: 's3',
+    /**
+     * Validate S3 backend configuration
+     * @param config - Backend configuration
+     * @throws {ConfigError} If configuration is invalid
+     */
+    validate: async (config) => {
+        if (!config.config) {
+            throw new errors_1.ConfigError('S3 backend requires configuration');
+        }
+        const s3Config = config.config;
+        // Required fields
+        if (!s3Config.bucket) {
+            throw new errors_1.ConfigError('S3 backend requires "bucket" configuration');
+        }
+        if (!s3Config.key) {
+            throw new errors_1.ConfigError('S3 backend requires "key" configuration');
+        }
+        // Warn if encrypt is false (not secure)
+        if (s3Config.encrypt === false) {
+            logger_1.Logger.warn('⚠️  S3 backend encryption is disabled. This is not recommended for production use.');
+        }
+    },
+    /**
+     * Generate Terraform backend configuration arguments
+     * @param config - Backend configuration
+     * @param context - Execution context (for template variable resolution)
+     * @returns Array of -backend-config arguments for terraform init
+     */
+    getBackendConfig: async (config, context) => {
+        if (!config.config) {
+            throw new errors_1.ConfigError('S3 backend requires configuration');
+        }
+        // Resolve template variables in config
+        const resolvedConfig = templates_1.TemplateUtils.resolveObject(config.config, context.templateVars);
+        // Apply defaults
+        const s3Config = {
+            encrypt: true, // Default: encryption enabled
+            dynamodb_table: 'terraform-statelock', // Default: standard DynamoDB table name
+            ...resolvedConfig,
+        };
+        // Build backend-config arguments
+        const backendArgs = [];
+        // Required fields
+        backendArgs.push(`-backend-config=bucket=${s3Config.bucket}`);
+        backendArgs.push(`-backend-config=key=${s3Config.key}`);
+        // Optional fields
+        if (s3Config.region) {
+            backendArgs.push(`-backend-config=region=${s3Config.region}`);
+        }
+        if (s3Config.encrypt !== undefined) {
+            backendArgs.push(`-backend-config=encrypt=${s3Config.encrypt}`);
+        }
+        if (s3Config.dynamodb_table) {
+            backendArgs.push(`-backend-config=dynamodb_table=${s3Config.dynamodb_table}`);
+        }
+        if (s3Config.kms_key_id) {
+            backendArgs.push(`-backend-config=kms_key_id=${s3Config.kms_key_id}`);
+        }
+        // AWS credential options (optional)
+        if (s3Config.profile) {
+            backendArgs.push(`-backend-config=profile=${s3Config.profile}`);
+        }
+        if (s3Config.role_arn) {
+            backendArgs.push(`-backend-config=role_arn=${s3Config.role_arn}`);
+        }
+        if (s3Config.session_name) {
+            backendArgs.push(`-backend-config=session_name=${s3Config.session_name}`);
+        }
+        if (s3Config.external_id) {
+            backendArgs.push(`-backend-config=external_id=${s3Config.external_id}`);
+        }
+        if (s3Config.assume_role_duration_seconds) {
+            backendArgs.push(`-backend-config=assume_role_duration_seconds=${s3Config.assume_role_duration_seconds}`);
+        }
+        // Advanced options (optional)
+        if (s3Config.access_key) {
+            backendArgs.push(`-backend-config=access_key=${s3Config.access_key}`);
+        }
+        if (s3Config.secret_key) {
+            backendArgs.push(`-backend-config=secret_key=${s3Config.secret_key}`);
+        }
+        if (s3Config.token) {
+            backendArgs.push(`-backend-config=token=${s3Config.token}`);
+        }
+        if (s3Config.iam_endpoint) {
+            backendArgs.push(`-backend-config=iam_endpoint=${s3Config.iam_endpoint}`);
+        }
+        if (s3Config.max_retries !== undefined) {
+            backendArgs.push(`-backend-config=max_retries=${s3Config.max_retries}`);
+        }
+        if (s3Config.sse_customer_key) {
+            backendArgs.push(`-backend-config=sse_customer_key=${s3Config.sse_customer_key}`);
+        }
+        if (s3Config.skip_credentials_validation !== undefined) {
+            backendArgs.push(`-backend-config=skip_credentials_validation=${s3Config.skip_credentials_validation}`);
+        }
+        if (s3Config.skip_metadata_api_check !== undefined) {
+            backendArgs.push(`-backend-config=skip_metadata_api_check=${s3Config.skip_metadata_api_check}`);
+        }
+        if (s3Config.skip_region_validation !== undefined) {
+            backendArgs.push(`-backend-config=skip_region_validation=${s3Config.skip_region_validation}`);
+        }
+        if (s3Config.force_path_style !== undefined) {
+            backendArgs.push(`-backend-config=force_path_style=${s3Config.force_path_style}`);
+        }
+        return backendArgs;
+    },
+    /**
+     * Optional setup hook to verify bucket exists
+     * @param config - Backend configuration
+     * @param context - Execution context
+     */
+    setup: async (config, context) => {
+        // Resolve template variables in config
+        const resolvedConfig = templates_1.TemplateUtils.resolveObject(config.config, context.templateVars);
+        const bucket = resolvedConfig.bucket;
+        if (!bucket) {
+            return; // Validation will catch this
+        }
+        try {
+            // Try to check if bucket exists using AWS CLI
+            // This is optional, so we'll just log if it fails
+            const { execSync } = await Promise.resolve().then(() => __importStar(require('child_process')));
+            execSync(`aws s3api head-bucket --bucket ${bucket}`, {
+                stdio: 'pipe',
+                encoding: 'utf8',
+            });
+            logger_1.Logger.debug(`✅ S3 bucket ${bucket} exists and is accessible`);
+        }
+        catch (error) {
+            // Bucket might not exist or we might not have permissions
+            // This is not fatal - terraform init will handle it
+            logger_1.Logger.debug(`Could not verify S3 bucket ${bucket}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    },
+};
+//# sourceMappingURL=s3.js.map

package/dist/plugins/secrets/aws-secrets.d.ts

@@ -0,0 +1,12 @@
+/**
+ * AWS Secrets Manager plugin
+ * Retrieves secrets from AWS Secrets Manager and converts them to TF_VAR_* environment variables
+ *
+ * CONVENTION: Every key in the secret automatically becomes TF_VAR_{key}
+ */
+import type { SecretsPlugin } from '../../types';
+/**
+ * AWS Secrets Manager secrets plugin
+ */
+export declare const awsSecrets: SecretsPlugin;
+//# sourceMappingURL=aws-secrets.d.ts.map

package/dist/plugins/secrets/aws-secrets.js

@@ -0,0 +1,125 @@
+"use strict";
+/**
+ * AWS Secrets Manager plugin
+ * Retrieves secrets from AWS Secrets Manager and converts them to TF_VAR_* environment variables
+ *
+ * CONVENTION: Every key in the secret automatically becomes TF_VAR_{key}
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.awsSecrets = void 0;
+const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
+const errors_1 = require("../../core/errors");
+const logger_1 = require("../../utils/logger");
+/**
+ * AWS Secrets Manager secrets plugin
+ */
+exports.awsSecrets = {
+    name: 'aws-secrets',
+    /**
+     * Validate AWS Secrets Manager configuration
+     * @param config - Secrets configuration
+     * @throws {ConfigError} If configuration is invalid
+     */
+    validate: async (config) => {
+        if (!config.config) {
+            throw new errors_1.ConfigError('AWS Secrets Manager requires configuration');
+        }
+        const awsConfig = config.config;
+        // secret_name is required
+        if (!awsConfig.secret_name) {
+            throw new errors_1.ConfigError('AWS Secrets Manager requires "secret_name" configuration');
+        }
+        // region should be set (from config or AWS_REGION env)
+        const region = awsConfig.region || process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION;
+        if (!region) {
+            throw new errors_1.ConfigError('AWS Secrets Manager requires "region" configuration or AWS_REGION environment variable');
+        }
+    },
+    /**
+     * Retrieve secrets from AWS Secrets Manager
+     * All keys are automatically prefixed with TF_VAR_
+     * @param config - Secrets configuration
+     * @param context - Execution context
+     * @returns Record of environment variable key-value pairs (prefixed with TF_VAR_)
+     */
+    getSecrets: async (config, context) => {
+        if (!config.config) {
+            throw new errors_1.ConfigError('AWS Secrets Manager requires configuration');
+        }
+        const awsConfig = config.config;
+        const secretName = awsConfig.secret_name;
+        // Determine region: config > context > env > default
+        const region = awsConfig.region ||
+            context.cloud.awsRegion ||
+            process.env.AWS_REGION ||
+            process.env.AWS_DEFAULT_REGION ||
+            'us-east-1';
+        try {
+            logger_1.Logger.debug(`Fetching secret "${secretName}" from AWS Secrets Manager (region: ${region})`);
+            // Create Secrets Manager client
+            const client = new client_secrets_manager_1.SecretsManagerClient({
+                region,
+            });
+            // Get secret value
+            const command = new client_secrets_manager_1.GetSecretValueCommand({
+                SecretId: secretName,
+            });
+            const response = await client.send(command);
+            if (!response.SecretString) {
+                throw new errors_1.ConfigError(`Secret "${secretName}" exists but does not contain a string value. Binary secrets are not supported.`);
+            }
+            // Parse JSON secret value
+            let secretData;
+            try {
+                secretData = JSON.parse(response.SecretString);
+            }
+            catch (parseError) {
+                throw new errors_1.ConfigError(`Secret "${secretName}" does not contain valid JSON. Error: ${parseError instanceof Error ? parseError.message : String(parseError)}`);
+            }
+            // Convert all keys to TF_VAR_{key} format
+            const tfVars = {};
+            for (const key in secretData) {
+                if (Object.prototype.hasOwnProperty.call(secretData, key)) {
+                    const value = secretData[key];
+                    const tfVarKey = `TF_VAR_${key}`;
+                    // Convert value to string
+                    if (value === null || value === undefined) {
+                        tfVars[tfVarKey] = '';
+                    }
+                    else if (typeof value === 'string') {
+                        tfVars[tfVarKey] = value;
+                    }
+                    else if (typeof value === 'number' || typeof value === 'boolean') {
+                        tfVars[tfVarKey] = String(value);
+                    }
+                    else {
+                        // For objects/arrays, convert to JSON string
+                        tfVars[tfVarKey] = JSON.stringify(value);
+                    }
+                }
+            }
+            logger_1.Logger.info(`✅ Loaded ${Object.keys(tfVars).length} Terraform variables from AWS Secrets Manager`);
+            return tfVars;
+        }
+        catch (error) {
+            // Handle specific AWS errors
+            if (error instanceof client_secrets_manager_1.ResourceNotFoundException) {
+                throw new errors_1.ConfigError(`Secret "${secretName}" not found in AWS Secrets Manager.`);
+            }
+            if (error instanceof Error &&
+                (error.name === 'AccessDeniedException' || error.message.includes('AccessDenied'))) {
+                throw new errors_1.ConfigError(`Access denied when fetching secret "${secretName}". Ensure your AWS credentials have permission to read this secret.`);
+            }
+            if (error instanceof errors_1.ConfigError) {
+                // Re-throw ConfigError as-is
+                throw error;
+            }
+            // Generic error handling
+            if (error instanceof Error) {
+                throw new errors_1.ConfigError(`Failed to fetch secret "${secretName}" from AWS Secrets Manager: ${error.message}. Ensure you have valid AWS credentials and permissions.`);
+            }
+            throw new errors_1.ConfigError(`Failed to fetch secret "${secretName}": ${String(error)}`);
+        }
+    },
+};
+//# sourceMappingURL=aws-secrets.js.map

package/dist/plugins/secrets/azure-keyvault.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Azure Key Vault secrets plugin
+ * Retrieves secrets from Azure Key Vault and converts them to TF_VAR_* environment variables
+ *
+ * CONVENTION: Every key in the secret automatically becomes TF_VAR_{key}
+ */
+import type { SecretsPlugin } from '../../types';
+/**
+ * Azure Key Vault secrets plugin
+ */
+export declare const azureKeyvault: SecretsPlugin;
+//# sourceMappingURL=azure-keyvault.d.ts.map

package/dist/plugins/secrets/azure-keyvault.js

@@ -0,0 +1,178 @@
+"use strict";
+/**
+ * Azure Key Vault secrets plugin
+ * Retrieves secrets from Azure Key Vault and converts them to TF_VAR_* environment variables
+ *
+ * CONVENTION: Every key in the secret automatically becomes TF_VAR_{key}
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.azureKeyvault = void 0;
+const child_process_1 = require("child_process");
+const errors_1 = require("../../core/errors");
+const logger_1 = require("../../utils/logger");
+/**
+ * Azure Key Vault secrets plugin
+ */
+exports.azureKeyvault = {
+    name: 'azure-keyvault',
+    /**
+     * Validate Azure Key Vault configuration
+     * @param config - Secrets configuration
+     * @throws {ConfigError} If configuration is invalid
+     */
+    validate: async (config) => {
+        if (!config.config) {
+            throw new errors_1.ConfigError('Azure Key Vault requires configuration');
+        }
+        const azureConfig = config.config;
+        // vault_name is required
+        if (!azureConfig.vault_name) {
+            throw new errors_1.ConfigError('Azure Key Vault requires "vault_name" configuration');
+        }
+    },
+    /**
+     * Retrieve secrets from Azure Key Vault using Azure CLI
+     * All keys are automatically prefixed with TF_VAR_
+     * @param config - Secrets configuration
+     * @param _context - Execution context (unused but required by interface)
+     * @returns Record of environment variable key-value pairs (prefixed with TF_VAR_)
+     */
+    getSecrets: async (config, _context) => {
+        if (!config.config) {
+            throw new errors_1.ConfigError('Azure Key Vault requires configuration');
+        }
+        const azureConfig = config.config;
+        const vaultName = azureConfig.vault_name;
+        const secretName = azureConfig.secret_name;
+        try {
+            logger_1.Logger.debug(`Fetching secret from Azure Key Vault: ${vaultName}`);
+            const tfVars = {};
+            if (secretName) {
+                // Fetch single secret using Azure CLI
+                logger_1.Logger.debug(`Fetching secret "${secretName}" from Azure Key Vault`);
+                try {
+                    const result = (0, child_process_1.execSync)(`az keyvault secret show --vault-name ${vaultName} --name ${secretName} --output json`, {
+                        encoding: 'utf8',
+                        stdio: ['pipe', 'pipe', 'pipe'],
+                    });
+                    const secretResponse = JSON.parse(result);
+                    const secretValue = secretResponse.value;
+                    if (!secretValue) {
+                        throw new errors_1.ConfigError(`Secret "${secretName}" exists but does not contain a value.`);
+                    }
+                    // Try to parse as JSON
+                    try {
+                        const secretData = JSON.parse(secretValue);
+                        if (typeof secretData === 'object' &&
+                            secretData !== null &&
+                            !Array.isArray(secretData)) {
+                            // It's a JSON object, extract key-value pairs
+                            for (const key in secretData) {
+                                if (Object.prototype.hasOwnProperty.call(secretData, key)) {
+                                    const value = secretData[key];
+                                    const tfVarKey = `TF_VAR_${key}`;
+                                    if (value === null || value === undefined) {
+                                        tfVars[tfVarKey] = '';
+                                    }
+                                    else if (typeof value === 'string') {
+                                        tfVars[tfVarKey] = value;
+                                    }
+                                    else if (typeof value === 'number' || typeof value === 'boolean') {
+                                        tfVars[tfVarKey] = String(value);
+                                    }
+                                    else {
+                                        tfVars[tfVarKey] = JSON.stringify(value);
+                                    }
+                                }
+                            }
+                        }
+                        else {
+                            // Not a JSON object, treat the entire secret value as a single key
+                            const tfVarKey = `TF_VAR_${secretName}`;
+                            tfVars[tfVarKey] = secretValue;
+                        }
+                    }
+                    catch {
+                        // Not valid JSON, treat the entire secret value as a single key
+                        const tfVarKey = `TF_VAR_${secretName}`;
+                        tfVars[tfVarKey] = secretValue;
+                    }
+                }
+                catch (error) {
+                    if (error instanceof errors_1.ConfigError) {
+                        throw error;
+                    }
+                    const errorMessage = error instanceof Error ? error.message : String(error);
+                    if (errorMessage.includes('(SecretNotFound)') || errorMessage.includes('404')) {
+                        throw new errors_1.ConfigError(`Secret "${secretName}" not found in Azure Key Vault "${vaultName}".`);
+                    }
+                    throw error;
+                }
+            }
+            else {
+                // List all secrets in the vault and fetch their values using Azure CLI
+                logger_1.Logger.debug('Fetching all secrets from Azure Key Vault');
+                try {
+                    const listResult = (0, child_process_1.execSync)(`az keyvault secret list --vault-name ${vaultName} --output json`, {
+                        encoding: 'utf8',
+                        stdio: ['pipe', 'pipe', 'pipe'],
+                    });
+                    const secrets = JSON.parse(listResult);
+                    for (const secretProperties of secrets) {
+                        if (secretProperties.name) {
+                            try {
+                                const secretResult = (0, child_process_1.execSync)(`az keyvault secret show --vault-name ${vaultName} --name ${secretProperties.name} --output json`, {
+                                    encoding: 'utf8',
+                                    stdio: ['pipe', 'pipe', 'pipe'],
+                                });
+                                const secretResponse = JSON.parse(secretResult);
+                                if (secretResponse.value) {
+                                    const tfVarKey = `TF_VAR_${secretProperties.name}`;
+                                    tfVars[tfVarKey] = secretResponse.value;
+                                }
+                            }
+                            catch (error) {
+                                // Skip secrets we can't read (might not have permissions)
+                                logger_1.Logger.debug(`Skipping secret "${secretProperties.name}": ${error instanceof Error ? error.message : String(error)}`);
+                            }
+                        }
+                    }
+                }
+                catch (error) {
+                    const errorMessage = error instanceof Error ? error.message : String(error);
+                    if (errorMessage.includes('(VaultNotFound)') || errorMessage.includes('404')) {
+                        throw new errors_1.ConfigError(`Azure Key Vault "${vaultName}" not found.`);
+                    }
+                    throw error;
+                }
+            }
+            logger_1.Logger.info(`✅ Loaded ${Object.keys(tfVars).length} Terraform variables from Azure Key Vault`);
+            return tfVars;
+        }
+        catch (error) {
+            // Handle specific Azure CLI errors
+            if (error instanceof errors_1.ConfigError) {
+                throw error;
+            }
+            if (error instanceof Error) {
+                const errorMessage = error.message;
+                if (errorMessage.includes('(Unauthorized)') || errorMessage.includes('401')) {
+                    throw new errors_1.ConfigError(`Authentication failed when accessing Azure Key Vault "${vaultName}". Ensure you have logged in with 'az login' and have valid permissions.`);
+                }
+                if (errorMessage.includes('(Forbidden)') || errorMessage.includes('403')) {
+                    throw new errors_1.ConfigError(`Access denied when accessing Azure Key Vault "${vaultName}". Ensure your Azure credentials have permission to read secrets from this vault.`);
+                }
+                if (errorMessage.includes('(VaultNotFound)')) {
+                    throw new errors_1.ConfigError(`Azure Key Vault "${vaultName}" not found.`);
+                }
+                if (errorMessage.includes('(SecretNotFound)') ||
+                    (errorMessage.includes('404') && secretName)) {
+                    throw new errors_1.ConfigError(`Secret "${secretName}" not found in Azure Key Vault "${vaultName}".`);
+                }
+                throw new errors_1.ConfigError(`Failed to fetch secrets from Azure Key Vault "${vaultName}": ${errorMessage}. Ensure Azure CLI is installed, you are logged in with 'az login', and have valid permissions.`);
+            }
+            throw new errors_1.ConfigError(`Failed to fetch secrets from Azure Key Vault "${vaultName}": ${String(error)}`);
+        }
+    },
+};
+//# sourceMappingURL=azure-keyvault.js.map

package/dist/plugins/secrets/env.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Environment secrets plugin
+ * No-op plugin for when users manage secrets via .env files
+ *
+ * This plugin does not fetch secrets from an external service.
+ * Instead, it allows users to manage TF_VAR_* environment variables
+ * directly in their .env file or existing environment variables.
+ *
+ * The .env file is loaded by EnvironmentSetup.loadEnvFile() which
+ * does NOT automatically convert variables to TF_VAR_* prefix.
+ * Users must manage the TF_VAR_* prefix themselves in .env files.
+ *
+ * This plugin returns an empty object because:
+ * - Secrets come from .env file (loaded separately)
+ * - Secrets come from existing environment variables (already available)
+ * - No automatic conversion or fetching is performed
+ */
+import type { SecretsPlugin } from '../../types';
+/**
+ * Environment secrets plugin
+ * Default and simplest secrets provider - no-op
+ */
+export declare const envSecrets: SecretsPlugin;
+//# sourceMappingURL=env.d.ts.map