ac-awssecrets 2.1.1 → 2.2.0

package/.github/workflows/node.js.yml

@@ -6,7 +6,7 @@ name: Node.js CI
 
 on:
   push:
-    branches: [ develop ]
+    branches: [ develop, master ]
   pull_request:
     branches: [ develop ]
 
@@ -17,7 +17,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [16.x, 18.x]
+        node-version: [18.x, 20.x]
         # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
 
     steps:

package/.ncurc.js

@@ -0,0 +1,8 @@
+// List packages for minor updates
+const minorUpdatePackages = ['chai']
+
+module.exports = {
+  target: packageName => {
+    return minorUpdatePackages.includes(packageName) ? 'minor' : 'latest'
+  }
+}

package/CHANGELOG.md

@@ -1,3 +1,29 @@
+<a name="2.2.0"></a>
+ 
+# [2.2.0](https://github.com/admiralcloud/ac-awssecrets/compare/v2.1.1..v2.2.0) (2024-07-15 08:04:33)
+
+
+### Feature
+
+* **App:** Support for AWS parameter store | MP | [a8427d5086ec1eaaf675c27f04e276ef2f630c17](https://github.com/admiralcloud/ac-awssecrets/commit/a8427d5086ec1eaaf675c27f04e276ef2f630c17)    
+In addition to AWS secrets you can now also use AWS parameter store  
+Related issues: [undefined/undefined#develop](undefined/browse/develop)
+### Tests
+
+* **App:** Fixed tests | MP | [91a21ccede855ee63e2bc15becec9839f3f9702a](https://github.com/admiralcloud/ac-awssecrets/commit/91a21ccede855ee63e2bc15becec9839f3f9702a)    
+Fixed tests  
+Related issues: [undefined/undefined#develop](undefined/browse/develop)
+### Chores
+
+* **App:** Updated packages | MP | [2ed4f507784e6d03c44a9c98a279560550fb00d4](https://github.com/admiralcloud/ac-awssecrets/commit/2ed4f507784e6d03c44a9c98a279560550fb00d4)    
+Updated packages  
+Related issues: [undefined/undefined#develop](undefined/browse/develop)
+* **App:** Updated packages | MP | [0086c4ba8ac53b1527c33a68ba2e1e776b1f2111](https://github.com/admiralcloud/ac-awssecrets/commit/0086c4ba8ac53b1527c33a68ba2e1e776b1f2111)    
+Updated packages  
+Related issues: [undefined/undefined#develop](undefined/browse/develop)
+* **App:** Updated packages | MP | [11c0754761401652d0f9ff7070e9265475bfe624](https://github.com/admiralcloud/ac-awssecrets/commit/11c0754761401652d0f9ff7070e9265475bfe624)    
+Updated packages  
+Related issues: [undefined/undefined#develop](undefined/browse/develop)
 <a name="2.1.1"></a>
 
 ## [2.1.1](https://github.com/admiralcloud/ac-awssecrets/compare/v2.1.0..v2.1.1) (2024-05-08 13:44:22)

package/README.md

@@ -1,6 +1,8 @@
 # AC AWS Secrets
 Reads secrets from AWS secrets manager and adds them to the configuration of the embedding app.
 
+Instead of AWS secrets, you can now also use AWS parameter store (which is not as expensive as AWS secrets)
+
 ![example workflow](https://github.com/admiralcloud/ac-awssecrets/actions/workflows/node.js.yml/badge.svg)
 
 
@@ -9,7 +11,69 @@ Reads secrets from AWS secrets manager and adds them to the configuration of the
 + async/await - no callback!
 + uses AWS IAM roles or AWS IAM profiles instead of IAM credentials
 
-# Parameters
+# AWS Parameter Store
+Using parameter store is a less expensive and gives you more flexibility in handling password and other configurations that should not be hardcoded.
+
+## Usage of AWS parmeters
+When you create your parameters in AW parameter store, use the following structure:
+```
+/ENVIRONMENT/CONFIG_PATH[/...]
+```
+
+The script will replace configuration properties based on the path. See example for more information:
+```
+// your app's example configuration
+const config = {
+  http: {
+    port: 8080
+  },
+  database: {
+    servers: [
+      { server: 'mainDB' } 
+    ]
+  }
+}
+
+// AWS parameters (values must be stored as strigified JSON)
+/development/http -> { port: 8090 }
+/development/database -> { host: 'awsAurora', port: 3306 }:
+
+// function payload
+const payload = {
+  secretParameters: [ 
+    { name: 'http', json: true },
+    { name: 'database', json: true, array: true, property: { server: 'mainDB' }}
+  ],
+  config
+}
+await awsSecrets.loadSecretParameters(payload)
+
+// result
+const config = {
+  http: {
+    port: 8090
+  },
+  database: {
+    servers: [
+      { server: 'mainDB', host: 'awsAurora', port: 3306 } 
+    ]
+  }
+}
+
+```
+
+## Options
+|Parameter|Type|Required|Description|
+|---|---|---|---|
+|name|string|yes|name of the parameter (without environment) (and property in config)
+|path|string|-|If your config property does not match name, you can specify the path
+|json|boolean|-|If true, the parameter value will be parsed as JSON
+|array|boolean|-|If true, the the value will be pushed to the array at name or path
+|property|object|-|If set, instead of pushing the value to an array it will inserted at the object which matches the property 
+
+
+# AWS Secrets
+## Parameters
 |Parameter|Type|Required|Description|
 |---|---|---|---|
 |key|string|yes|the local variable name|
@@ -17,12 +81,12 @@ Reads secrets from AWS secrets manager and adds them to the configuration of the
 |servers|bool|-|See below
 |valueHasJSON|bool|-|If true, some properties have JSON content (prefixed with JSON:)
 
-# Usage
+## Usage
 AWS secret is a JSON object. Those properties will be merged with local config properties based on the secret's name.
 
-## Secret
+### Secret
 
-### Store secret in AWS
+#### Store secret in AWS
 ```
 Example secret
 // name: mySecret1
@@ -33,7 +97,7 @@ Example secret
 }
 ```
 
-### Configure a local variable, that should be enhanced with the secret
+#### Configure a local variable, that should be enhanced with the secret
 ```
 const config = {
   key1: {},
@@ -43,7 +107,7 @@ const config = {
 }
 ```
 
-### Fetch secrets
+#### Fetch secrets
 ```
 const secrets = [
   { key: 'key1', name: 'mySecret1' } // key is the config var, name is the AWS secret name
@@ -64,10 +128,10 @@ const config = {
 
 ```
 
-## Multisecrets
+### Multisecrets
 Use multisecrets if you want to add a number of additional secrets to be fetched. Usually it is used to fetch multiple objects for an array of objects:
 
-### Store multisecret in AWS
+#### Store multisecret in AWS
 ```
 Example secret
 // name: mySecret2
@@ -76,7 +140,7 @@ Example secret
 }
 ```
 
-### Store secrets in AWS 
+#### Store secrets in AWS 
 ```
 // name: aws.key1
 {
@@ -91,7 +155,7 @@ Example secret
 }
 ```
 
-### Configure a local variable, that should be enhanced with the secret
+#### Configure a local variable, that should be enhanced with the secret
 ```
 const config = {
   mySecret2: [],
@@ -101,7 +165,7 @@ const config = {
 }
 ```
 
-### Fetch secrets
+#### Fetch secrets
 ```
 const multisecrets = [
   { key: 'mySecret2', name: 'mySecret2' } // key is the config var, name is the AWS secret name
@@ -217,9 +281,8 @@ awsSecrets.loadSecrets(secretParams, (err, result) => {
 
 ```
 
-## Links
+# Links
 - [Website](https://www.admiralcloud.com/)
-- [Facebook](https://www.facebook.com/MediaAssetManagement/)
 
-## License
+# License
 [MIT License](https://opensource.org/licenses/MIT) Copyright © 2009-present, AdmiralCloud AG, Mark Poepping

package/eslint.config.js

@@ -0,0 +1,30 @@
+const globals = require('globals');
+
+module.exports = {
+  ignores: [
+    'config/env/**'
+  ],
+  languageOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+    globals: {
+      ...globals.commonjs,
+      ...globals.es6,
+      ...globals.node,
+      expect: 'readonly',
+      describe: 'readonly',
+      it: 'readonly'
+    }
+  },
+  rules: {
+    'no-const-assign': 'error', // Ensure this rule is enabled
+    'space-before-function-paren': 'off',
+    'no-extra-semi': 'off',
+    'object-curly-spacing': ['error', 'always'],
+    'brace-style': ['error', 'stroustrup', { allowSingleLine: true }],
+    'no-useless-escape': 'off',
+    'standard/no-callback-literal': 'off',
+    'new-cap': 'off',
+    'no-console': ['warn', { allow: ['warn', 'error'] }]
+  }
+};

package/index.js

@@ -1,6 +1,8 @@
 const { SecretsManagerClient, GetSecretValueCommand } = require('@aws-sdk/client-secrets-manager')
+const { SSMClient, GetParameterCommand } = require("@aws-sdk/client-ssm")
 
-const testConfig = require('./test/config');
+const testConfig = require('./test/config')
+const functionName = 'ac-awsSecrets'.padEnd(15)
 
 /**
 * Replaces configuration variables with secrets
@@ -29,13 +31,104 @@ const awsSecrets = () => {
         : setKey(obj[head], rest.join('.'), value)
   }
 
+  const setValue = (config, { path, value, array = false, property }) => {
+    // path can be from AWS parametes store (/a/b/c) or a real JSON path (a.b.c)    
+    const keys = path.includes('/') ? path.split('/').filter(Boolean) : path.split('.')
+    const lastKey = keys.pop()
+    let pointer = config
+  
+    for (const key of keys) {
+      if (!pointer[key]) {
+        pointer[key] = {}
+      }
+      pointer = pointer[key]
+    }
+  
+    if (array) {
+      if (!Array.isArray(pointer[lastKey])) {
+        pointer[lastKey] = []
+      }
+      if (property) {
+        const [propKey, propValue] = Object.entries(property)[0]
+        const index = pointer[lastKey].findIndex(item => item[propKey] === propValue)
+  
+        if (index !== -1) {
+          if (typeof value !== 'object' || Array.isArray(value)) {
+            throw new Error("Value must be an object when replacing an entry in the array.")
+          }
+          // Merge existing properties with new ones
+          pointer[lastKey][index] = { ...pointer[lastKey][index], ...value }
+        } 
+        else {
+          pointer[lastKey].push(value)
+        }
+      } 
+      else {
+        pointer[lastKey].push(value)
+      }
+    } 
+    else {
+      pointer[lastKey] = value
+    }
+  }
+  
+
+
+  const loadSecretParameters = async({ secretParameters = [], config = {}, testMode = 0, debug = false, region = 'eu-central-1' } = {}) => {
+    const environment = config?.environment || process.env.NODE_ENV || 'development'
+
+    const awsConfig = {
+      region
+    }
+    const ssmClient = new SSMClient(awsConfig)
+
+    const getSecretParameter = async({ name, json = false, array = false, path, property, debug }) => {
+      const parameterName = `/${environment}/${name}`
+      try {
+        let value
+        if (testMode === 3) {
+          // fetch from availableSecrets
+          let found = testConfig.parameterStore.find(item => item.name === parameterName)
+          value = found?.value
+        }
+        else {
+          const command = new GetParameterCommand({
+            Name: parameterName,
+            WithDecryption: true,
+          })
+      
+          // Send the command to retrieve the parameter
+          const response = await ssmClient.send(command)
+          value = response?.Parameter?.Value
+        }
+
+        // Extract and return the parameter value
+        if (json) {
+          value = JSON.parse(value)
+        }
+
+        if (debug) {
+          console.warn('P %s | T %s | V %j', parameterName, typeof value, value)
+        }
+        setValue(config, { path: (path || name), value, array, property })
+
+      } 
+      catch (e) {
+        console.error('%s | %s | %s', functionName, parameterName, e?.message)
+      }
+    }
+
+    for (const secretParameter of secretParameters) {
+      await getSecretParameter(secretParameter)
+    }
+  }
+
 
-  const functionName = 'ac-awsSecrets'.padEnd(15)
-  const loadSecrets = async({ secrets = [], multisecrets = [], config = {}, testMode = 0, debug = false } = {}) => {
+  const loadSecrets = async({ secrets = [], multisecrets = [], config = {}, testMode = 0, debug = false, region = 'eu-central-1' } = {}) => {
     const environment = config?.environment || 'development'
 
     const awsConfig = {
-      region: 'eu-central-1'
+      region
     }
     const client = new SecretsManagerClient(awsConfig)
 
@@ -155,15 +248,16 @@ const awsSecrets = () => {
         }
 
         if (secret?.log || debug) {
-          console.log('%s | %s | %j', functionName, secret?.name, existingValue)
+          console.warn('%s | %s | %j', functionName, secret?.name, existingValue)
         }
       }
     }  
   }
 
   return {
+    loadSecretParameters,
     loadSecrets
   }
 }
 
-module.exports = awsSecrets()
+module.exports = awsSecrets()

package/package.json

@@ -3,19 +3,20 @@
   "author": "Mark Poepping (https://www.admiralcloud.com)",
   "license": "MIT",
   "repository": "admiralcloud/ac-awssecrets",
-  "version": "2.1.1",
+  "version": "2.2.0",
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.569.0"
+    "@aws-sdk/client-secrets-manager": "^3.614.0",
+    "@aws-sdk/client-ssm": "^3.614.0"
   },
   "devDependencies": {
     "ac-semantic-release": "^0.4.2",
-    "c8": "^9.1.0",
-    "chai": "^4.4.1",
-    "eslint": "8.x",
-    "mocha": "^10.4.0"
+    "c8": "^10.1.2",
+    "chai": "^4.x",
+    "eslint": "9.x",
+    "mocha": "^10.6.0"
   },
   "scripts": {
-    "test": "mocha --reporter spec",
+    "test": "NODE_ENV=test mocha --reporter spec",
     "coverage": "./node_modules/c8/bin/c8.js yarn test"
   },
   "engines": {

package/test/config.js

@@ -25,6 +25,51 @@ const config = {
   }
 }
 
+
+// AWS PARAMETER STORE
+const secretParameters = [
+  { name: 'configVar1', json: true },
+  { name: 'configVar2', json: true, array: true, path: 'configVar2.servers', property: { server: 'cacheRead' } },
+  { name: 'configVar4/api', json: true },
+  { name: 'configVar5.path', json: true },
+  { name: 'configVar6', json: true },
+]
+
+const parameterStore = [
+  { name: '/test/configVar1', value: JSON.stringify({ c1: true, c2: 123, c3: 'abc' }) },
+  {
+    name: '/test/configVar2',
+    value: JSON.stringify({
+      port: 6360,
+      host: 'myRedisHost'
+    })
+  },
+  {
+    name: '/test/configVar3',
+  }, 
+  {
+    name: '/test/configVar4/api',
+    value: JSON.stringify({ "url":"https://api.admiralcloud.com" })
+  },
+  {
+    name: '/test/errorVar1',
+    value: 'JSON:abc',
+  },
+  {
+    name: '/test/configVar5.path',
+    value: JSON.stringify({ cookie: true })
+  },
+  {
+    name: '/test/configVar6',
+    value: JSON.stringify({
+      prop1: 123,
+      prop2: 'abc'
+    })
+  },
+]
+
+
+// AWS SECRETS 
 const secrets = [
   { key: 'configVar1', name: 'simple' },
   { key: 'configVar2', name: 'server', servers: true, serverName: 'cacheRead' },
@@ -34,6 +79,8 @@ const secrets = [
   { key: 'configVar7', name: 'notExistingKey' },
 ]
 
+
+
 const availableSecrets = [{
   key: 'configVar1',
   name: 'simple',
@@ -126,6 +173,8 @@ const multisecretsFail = [
 
 module.exports = {
   config,
+  parameterStore,
+  secretParameters,
   availableSecrets,
   multisecretsFail,
   secrets,

package/test/test.js

@@ -9,6 +9,9 @@ const multisecrets = testConfig?.multisecrets
 const config = testConfig.config
 let secrets = testConfig.secrets
 
+const parameterStore = testConfig.parameterStore
+let secretParameters = testConfig.secretParameters
+
 // HELPER for console.log checks
 const captureStream = (stream) => {
   let oldWrite = stream.write
@@ -28,6 +31,44 @@ const captureStream = (stream) => {
   }
 }
 
+describe('Reading secretParameters', () => {
+  it('Read secretParameters', async() => {
+    await awsSecrets.loadSecretParameters({ secretParameters, config, testMode: 3 })
+  })
+
+  it('Check configVar1', async() => {
+    const expected = parameterStore.find(item => item.name === '/test/configVar1')
+    expected.value = JSON.parse(expected.value)
+    expect(config.configVar1).to.have.property('c1', true)
+    expect(config.configVar1).to.have.property('c2', expected.value.c2)
+    expect(config.configVar1).to.have.property('c3', expected.value.c3)
+
+  })
+
+  it('Check server', async() => {
+    const expected = testConfig.parameterStore.find(item => item.name === '/test/configVar2');
+    expected.value = JSON.parse(expected.value);
+    expect(config.configVar2.servers[0]).to.have.property('port', expected.value.port);
+  })
+
+  it('Check JSON', async() => {
+    expect(config.configVar4.api).to.have.property('url', 'https://api.admiralcloud.com')
+  })
+
+  it('Check path', async() => {
+    expect(config.configVar5.path).to.have.property('cookie', true)
+  })
+
+  it('Check non existing local config', async() => {
+    expect(config.configVar6).to.have.property('prop1', 123)
+    expect(config.configVar6).to.have.property('prop2', 'abc')
+  })
+
+  it('Check non existing key - should fallback to existing value without error', async() => {
+    expect(config.configVar7).to.have.property('level', 'info')
+  })
+})
+
 
 describe('Reading secrets', () => {
   it('Read secrets', async() => {
@@ -92,7 +133,7 @@ describe('Check errors', () => {
 describe('Misc', () => {
   var hook
   beforeEach(function(){
-    hook = captureStream(process.stdout)
+    hook = captureStream(process.stderr)
   })
   afterEach(function(){
     hook.unhook()
@@ -102,4 +143,4 @@ describe('Misc', () => {
     await awsSecrets.loadSecrets({ secrets, config, multisecrets, testMode: 3, debug: true })
     expect(hook.captured()).to.include('ac-awsSecrets')
   })
-})
+})

package/.eslintrc.js

@@ -1,29 +0,0 @@
-const config = {
-  root: true,
-  'env': {
-    'commonjs': true,
-    'es6': true,
-    'node': true
-  },
-  'extends': 'eslint:recommended',
-  "rules": {
-    "space-before-function-paren": 0,
-    "no-extra-semi": 0,
-    "object-curly-spacing": ["error", "always"],
-    "brace-style": ["error", "stroustrup", { "allowSingleLine": true }],
-    "no-useless-escape": 0,
-    "standard/no-callback-literal": 0,
-    "new-cap": 0
-  },
-  globals: {
-    describe: true,
-    it: true,
-    beforeEach: true,
-    afterEach: true
-  },
-  'parserOptions': {
-    'ecmaVersion': 2022
-},
-}
-
-module.exports = config