env-secrets 0.1.9 → 0.2.0

package/.devcontainer/devcontainer.json

@@ -0,0 +1,29 @@
+{
+  "name": "Node.js Development",
+  "image": "mcr.microsoft.com/devcontainers/javascript-node:1-20-bullseye",
+  "features": {
+    "ghcr.io/devcontainers/features/git:1": {},
+    "ghcr.io/devcontainers/features/github-cli:1": {}
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "dbaeumer.vscode-eslint",
+        "esbenp.prettier-vscode",
+        "ms-vscode.vscode-typescript-next",
+        "eamodio.gitlens",
+        "streetsidesoftware.code-spell-checker",
+        "orta.vscode-jest"
+      ],
+      "settings": {
+        "editor.formatOnSave": true,
+        "editor.defaultFormatter": "esbenp.prettier-vscode",
+        "editor.codeActionsOnSave": {
+          "source.fixAll.eslint": true
+        }
+      }
+    }
+  },
+  "postCreateCommand": "yarn install",
+  "remoteUser": "node"
+}

package/.github/workflows/release.yml

@@ -3,6 +3,16 @@ name: Release and Publish
 
 on:
   workflow_dispatch:
+    inputs:
+      release_type:
+        description: 'Release type (patch/minor/major)'
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+        default: 'patch'
+        required: true
 
 permissions:
   contents: write
@@ -37,10 +47,10 @@ jobs:
         run: yarn build
 
       - name: Github release
-        run: yarn release patch --ci
+        run: yarn release ${{ inputs.release_type }} --ci
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Notify failures
         if: failure()

package/.github/workflows/unittests.yaml

@@ -9,12 +9,12 @@ on:
       - main
 
 jobs:
-  build:
+  unit-tests:
     runs-on: ubuntu-latest
 
     strategy:
       matrix:
-        node-version: [16.x, 18.x, 20.x]
+        node-version: [18.x, 20.x, 22.x, 24.x]
 
     steps:
       - name: Checkout repository
@@ -26,13 +26,82 @@ jobs:
           node-version: ${{ matrix.node-version }}
 
       - name: Install dependencies
-        run: yarn
+        run: yarn --ignore-scripts --frozen-lockfile
 
       - name: Build
         run: yarn build
 
       - name: Run the tests
-        run: yarn test --coverage
+        run: yarn test:unit
+
+      - name: Notify failures
+        if: failure()
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_LINK_NAMES: true
+          SLACK_MESSAGE:
+            # prettier-ignore
+            "hey @${{ github.actor }}, @mark, sorry to let you know you broke the build"
+          SLACK_CHANNEL: feed-github
+          SLACK_COLOR: ${{ job.status }}
+
+  coverage:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24.x
+
+      - name: Install dependencies
+        run: yarn --ignore-scripts --frozen-lockfile
+
+      - name: Build
+        run: yarn build
+
+      - name: Run the tests
+        run: yarn test:unit:coverage
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+      - name: Notify failures
+        if: failure()
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_LINK_NAMES: true
+          SLACK_MESSAGE:
+            # prettier-ignore
+            "hey @${{ github.actor }}, @mark, sorry to let you know you broke the build"
+          SLACK_CHANNEL: feed-github
+          SLACK_COLOR: ${{ job.status }}
+
+  e2e:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24.x
+
+      - name: Install dependencies
+        run: yarn --ignore-scripts --frozen-lockfile
+
+      - name: Build
+        run: yarn build
+
+      - name: Run the tests
+        run: yarn test:e2e
 
       - name: Notify failures
         if: failure()

package/README.md

@@ -1,57 +1,90 @@
 # env-secrets
 
-Get secrets from a vault and inject them as environment variables
+A Node.js CLI tool that retrieves secrets from vaults and injects them as environment variables into your running applications.
 
 [![Version](https://img.shields.io/npm/v/env-secrets.svg)](https://npmjs.org/package/env-secrets)
 [![build](https://img.shields.io/github/actions/workflow/status/markcallen/env-secrets/build-main.yml)](https://github.com/markcallen/env-secrets/tree/main)
 [![test](https://img.shields.io/github/actions/workflow/status/markcallen/env-secrets/unittests.yaml)](https://github.com/markcallen/env-secrets/tree/main)
-![vulnerabilities](https://img.shields.io/snyk/vulnerabilities/github/markcallen/env-secrets)
 [![Downloads/week](https://img.shields.io/npm/dw/env-secrets.svg)](https://npmjs.org/package/env-secrets)
 [![License](https://img.shields.io/npm/l/env-secrets.svg)](https://github.com/markcallen/env-secrets/blob/main/LICENSE)
 
-## Setup
+## Features
 
-Install node
+- 🔐 Retrieve secrets from AWS Secrets Manager
+- 🌍 Inject secrets as environment variables
+- 🚀 Run any command with injected secrets
+- 🔍 Debug logging support
+- 📦 Works globally or project-specific
+- 🛡️ Secure credential handling
+- 🔄 JSON secret parsing
+
+## Quick Start
+
+1. **Install the tool:**
+
+   ```bash
+   npm install -g env-secrets
+   ```
+
+2. **Run a command with secrets:**
+
+   ```bash
+   env-secrets aws -s my-secret-name -r us-east-1 -- echo "Hello, ${USER_NAME}!"
+   ```
+
+3. **Run your application with secrets:**
+   ```bash
+   env-secrets aws -s my-app-secrets -r us-west-2 -- node app.js
+   ```
+
+## Prerequisites
+
+- Node.js 18.0.0 or higher
+- AWS CLI (for AWS Secrets Manager integration)
+- AWS credentials configured (via AWS CLI, environment variables, or IAM roles)
 
 ## Installation
 
-Globally
+### Global Installation
 
-```
+```bash
 npm install -g env-secrets
 ```
 
-Project specific
+### Project-Specific Installation
 
-```
+```bash
 npm install env-secrets
 ```
 
-when using project specific run using npx
+When using project-specific installation, run using `npx`:
 
-```
+```bash
 npx env-secrets ...
 ```
 
 ## Usage
 
-AWS
+### AWS Secrets Manager
 
-```
-env-secrets aws -s <secret name> -r <region> -p <profile> -- <program to run>
-```
+Retrieve secrets from AWS Secrets Manager and inject them as environment variables:
 
-`<secret name>` is the name of the secret in Secrets Manager
+```bash
+env-secrets aws -s <secret-name> -r <region> -p <profile> -- <program-to-run>
+```
 
-`<region>` is the region where the secret to stored. It is optional, the AWS_DEFAULT_REGION environment variable will be used instead.
+#### Parameters
 
-`<profile>` is the local aws profile to use. It is optional, the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables will be used instead.
+- `-s, --secret <secret-name>` (required): The name of the secret in AWS Secrets Manager
+- `-r, --region <region>` (optional): AWS region where the secret is stored. If not provided, uses `AWS_DEFAULT_REGION` environment variable
+- `-p, --profile <profile>` (optional): Local AWS profile to use. If not provided, uses `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables
+- `-- <program-to-run>`: The program to run with the injected environment variables
 
-example:
+#### Examples
 
-Create a Secret using AWS cli
+1. **Create a secret using AWS CLI:**
 
-```
+```bash
 aws secretsmanager create-secret \
     --region us-east-1 \
     --profile marka \
@@ -60,75 +93,190 @@ aws secretsmanager create-secret \
     --secret-string "{\"user\":\"marka\",\"password\":\"mypassword\"}"
 ```
 
-List the secret using AWS cli
+2. **List the secret using AWS CLI:**
 
-```
+```bash
 aws secretsmanager get-secret-value \
     --region us-east-1 \
     --profile marka \
-    --secret-id  local/sample \
+    --secret-id local/sample \
     --query SecretString
 ```
 
-```
+3. **Run a command with injected secrets:**
+
+```bash
 env-secrets aws -s local/sample -r us-east-1 -p marka -- echo \${user}/\${password}
 ```
 
-## Development
-
-Setup node using [nvm](https://github.com/nvm-sh/nvm). Or use node 20 (LTS).
+4. **Run a Node.js application with secrets:**
 
+```bash
+env-secrets aws -s my-app-secrets -r us-west-2 -- node app.js
 ```
-nvm use
+
+5. **Check environment variables:**
+
+```bash
+env-secrets aws -s local/sample -r us-east-1 -p marka -- env | grep -E "(user|password)"
 ```
 
-Install yarn
+6. **Use with Docker containers:**
 
+```bash
+env-secrets aws -s docker-secrets -r us-east-1 -- docker run -e DATABASE_URL -e API_KEY my-app
 ```
-npm install -y yarn
+
+## Security Considerations
+
+- 🔐 **Credential Management**: The tool respects AWS credential precedence (environment variables, IAM roles, profiles)
+- 🛡️ **Secret Exposure**: Secrets are only injected into the child process environment, not logged
+- 🔒 **Network Security**: Uses AWS SDK's built-in security features for API calls
+- 📝 **Audit Trail**: AWS CloudTrail logs all Secrets Manager API calls
+- 🚫 **No Persistence**: Secrets are not stored locally or cached
+
+## Troubleshooting
+
+### Common Issues
+
+1. **"Unable to connect to AWS"**
+
+   - Verify AWS credentials are configured correctly
+   - Check if the specified region is valid
+   - Ensure network connectivity to AWS services
+
+2. **"Secret not found"**
+
+   - Verify the secret name exists in the specified region
+   - Check if you have permissions to access the secret
+   - Ensure the secret name is correct (case-sensitive)
+
+3. **"ConfigError"**
+
+   - Verify AWS profile configuration in `~/.aws/credentials`
+   - Check if environment variables are set correctly
+   - Ensure IAM role permissions if using EC2/ECS
+
+4. **Environment variables not injected**
+   - Verify the secret contains valid JSON
+   - Check if the secret is accessible
+   - Use debug mode to troubleshoot: `DEBUG=env-secrets env-secrets aws ...`
+
+### Debug Mode
+
+Enable debug logging to troubleshoot issues:
+
+```bash
+# Debug main application
+DEBUG=env-secrets env-secrets aws -s my-secret -r us-east-1 -- env
+
+# Debug vault-specific operations
+DEBUG=env-secrets,env-secrets:secretsmanager env-secrets aws -s my-secret -r us-east-1 -- env
 ```
 
-Setup
+## Development
+
+### Setup
 
+1. **Install Node.js using nvm (recommended):**
+
+```bash
+nvm use
 ```
+
+Or use Node.js 20 (LTS) directly.
+
+2. **Install dependencies:**
+
+```bash
+npm install -g yarn
 yarn
 ```
 
-Run
+### Running in Development
 
-```
+```bash
 npx ts-node src/index.ts aws -s local/sample -r us-east-1 -p marka -- env
 ```
 
-### Debug
+### Debugging
 
-Uses debug-js to show debug logs by passing in env-secrets for the main application
-and env-secrets:{vault} for vault specific debugging
+The application uses `debug-js` for logging. Enable debug logs by setting the `DEBUG` environment variable:
 
-```
+```bash
+# Debug main application
+DEBUG=env-secrets npx ts-node src/index.ts aws -s local/sample -r us-east-1 -p marka -- env
+
+# Debug vault-specific operations
 DEBUG=env-secrets,env-secrets:secretsmanager npx ts-node src/index.ts aws -s local/sample -r us-east-1 -p marka -- env
 ```
 
-## Publishing
+### Devpod Setup
 
-Login into npm
+Create a devpod using Kubernetes provider:
 
+```bash
+devpod up --id env-secretes-dev --provider kubernetes --ide cursor git@github.com:markcallen/env-secrets.git
 ```
-npm login
+
+## Testing
+
+Run the test suite:
+
+```bash
+# Run all tests
+npm test
+
+# Run unit tests only
+npm run test:unit
+
+# Run unit tests with coverage
+npm run test:unit:coverage
+
+# Run end-to-end tests
+npm run test:e2e
 ```
 
-Try a dry run:
+## Publishing
 
+1. **Login to npm:**
+
+```bash
+npm login
 ```
+
+2. **Dry run release:**
+
+```bash
 npm run release -- patch --dry-run
 ```
 
-Run:
+3. **Publish release:**
 
-```
+```bash
 npm run release -- patch
 ```
 
+## Contributing
+
+We welcome contributions! Please follow these steps:
+
+1. Fork the repository
+2. Create a feature branch (`git checkout -b feature/amazing-feature`)
+3. Make your changes
+4. Add tests for new functionality
+5. Run the test suite (`npm test`)
+6. Commit your changes (`git commit -m 'Add amazing feature'`)
+7. Push to the branch (`git push origin feature/amazing-feature`)
+8. Open a Pull Request
+
+### Development Guidelines
+
+- Follow the existing code style (ESLint + Prettier)
+- Add tests for new functionality
+- Update documentation for new features
+- Ensure all tests pass before submitting
+
 ## License
 
 Distributed under the MIT License. See `LICENSE` for more information.
@@ -138,3 +286,7 @@ Distributed under the MIT License. See `LICENSE` for more information.
 Mark C Allen - [@markcallen](https://www.linkedin.com/in/markcallen/)
 
 Project Link: [https://github.com/markcallen/env-secrets](https://github.com/markcallen/env-secrets)
+
+## Changelog
+
+See [GitHub Releases](https://github.com/markcallen/env-secrets/releases) for a complete changelog.

package/__e2e__/index.test.ts

@@ -0,0 +1,37 @@
+import * as path from 'path';
+import { exec } from 'child_process';
+
+type Cli = {
+  code: number;
+  error: Error;
+  stdout: any;
+  stderr: any;
+};
+
+describe('CLI tests', () => {
+  test('general help', async () => {
+    const result = await cli(['-h'], '.');
+    expect(result.code).toBe(0);
+  });
+  test('aws help', async () => {
+    const result = await cli(['aws -h'], '.');
+    expect(result.code).toBe(0);
+  });
+});
+
+function cli(args, cwd): Promise<Cli> {
+  return new Promise((resolve) => {
+    exec(
+      `node ${path.resolve('./dist/index')} ${args.join(' ')}`,
+      { cwd },
+      (error, stdout, stderr) => {
+        resolve({
+          code: error && error.code ? error.code : 0,
+          error: error || new Error(),
+          stdout,
+          stderr
+        });
+      }
+    );
+  });
+}