| | | 1 | | import { SSMClient } from '@aws-sdk/client-ssm'; |
| | | 2 | | import { DefaultAzureCredential } from '@azure/identity'; |
| | | 3 | | import { SecretClient } from '@azure/keyvault-secrets'; |
| | | 4 | | import type { EnvilderOptions } from '../domain/envilder-options.js'; |
| | | 5 | | import type { MapFileConfig } from '../domain/map-file-config.js'; |
| | | 6 | | import type { ISecretProvider } from '../domain/ports/secret-provider.js'; |
| | | 7 | | import { SecretProviderType } from '../domain/secret-provider-type.js'; |
| | | 8 | | import { AwsSsmSecretProvider } from './aws/aws-ssm-secret-provider.js'; |
| | | 9 | | import { AzureKeyVaultSecretProvider } from './azure/azure-key-vault-secret-provider.js'; |
| | | 10 | | |
| | | 11 | | export function createSecretProvider( |
| | | 12 | | config: MapFileConfig, |
| | | 13 | | options?: EnvilderOptions, |
| | | 14 | | ): ISecretProvider { |
| | 10 | 15 | | const provider = options?.provider ?? config.provider; |
| | 10 | 16 | | const profile = normalize(options?.profile ?? config.profile); |
| | 10 | 17 | | const vaultUrl = normalize(options?.vaultUrl ?? config.vaultUrl); |
| | 10 | 18 | | const isAzure = provider === SecretProviderType.Azure; |
| | | 19 | | |
| | 10 | 20 | | if (isAzure && profile) { |
| | 1 | 21 | | throw new Error('AWS profile cannot be used with Azure Key Vault provider'); |
| | | 22 | | } |
| | | 23 | | |
| | 9 | 24 | | if (!isAzure && vaultUrl) { |
| | 1 | 25 | | throw new Error('Vault URL cannot be used with AWS SSM provider'); |
| | | 26 | | } |
| | | 27 | | |
| | 8 | 28 | | if (isAzure) { |
| | 3 | 29 | | return createAzureProvider(vaultUrl); |
| | | 30 | | } |
| | | 31 | | |
| | 5 | 32 | | return createAwsProvider(profile); |
| | | 33 | | } |
| | | 34 | | |
| | | 35 | | function createAzureProvider( |
| | | 36 | | vaultUrl: string | undefined, |
| | | 37 | | ): AzureKeyVaultSecretProvider { |
| | 3 | 38 | | if (!vaultUrl?.trim()) { |
| | 1 | 39 | | throw new Error('Vault URL must be provided for Azure Key Vault provider'); |
| | | 40 | | } |
| | | 41 | | |
| | 2 | 42 | | const credential = new DefaultAzureCredential(); |
| | 2 | 43 | | const client = new SecretClient(vaultUrl, credential); |
| | 2 | 44 | | return new AzureKeyVaultSecretProvider(client); |
| | | 45 | | } |
| | | 46 | | |
| | | 47 | | export async function resolveRegionWithFallback( |
| | | 48 | | profile?: string, |
| | | 49 | | ): Promise<string> { |
| | 9 | 50 | | if (process.env.AWS_REGION) { |
| | 6 | 51 | | return process.env.AWS_REGION; |
| | | 52 | | } |
| | 3 | 53 | | if (process.env.AWS_DEFAULT_REGION) { |
| | 1 | 54 | | return process.env.AWS_DEFAULT_REGION; |
| | | 55 | | } |
| | 2 | 56 | | try { |
| | 2 | 57 | | return await new SSMClient(profile ? { profile } : {}).config.region(); |
| | | 58 | | } catch { |
| | 1 | 59 | | return 'us-east-1'; |
| | | 60 | | } |
| | | 61 | | } |
| | | 62 | | |
| | | 63 | | function createAwsProvider(profile: string | undefined): AwsSsmSecretProvider { |
| | 5 | 64 | | const region = () => resolveRegionWithFallback(profile); |
| | 5 | 65 | | const client = new SSMClient(profile ? { profile, region } : { region }); |
| | 5 | 66 | | return new AwsSsmSecretProvider(client, profile); |
| | | 67 | | } |
| | | 68 | | |
| | | 69 | | function normalize(value: string | undefined): string | undefined { |
| | 20 | 70 | | const trimmed = value?.trim(); |
| | 20 | 71 | | return trimmed || undefined; |
| | | 72 | | } |