@synanetics/secrets

Package to handle Synanetics secret usage. It is meant as a replacement (breaking) and extension of synfhir-core resolve utility function.

Usage

const secrets = require('@synanetics/secrets');
const { getVersion, resolveVersion, replaceVersion, createSecretWithVersion } = require('@synanetics/secrets');
// or
import * as secrets from '@synanetics/secrets';
import { getVersion, resolveVersion, replaceVersion, createSecretWithVersion } from '@synanetics/secrets';

Functions

getVersion

Will attempt to fetch a secret value and return it as a string. It will infinitely cache this value by default. It surfaces any errors encountered.

await getVersion('my-secret');
// returns my-secret string value

For convenience it will handle a secret:// prefix.

await getVersion('secret://my-secret');

It can be provided a version number - it defaults to latest.

await getVersion('my-secret', '10');

It can be provided with an alternate project id when handling secrets.

await getVersion('my-secret', undefined, { project: 'alternate-project-id' });

It can be passed a caching TTL.

await getVersion('my-secret', undefined, { cache: { ttl: 100 } });

It can disable the cache entirely.

await getVersion('my-secret', undefined, { cache: { enabled: false } });

By default it will return an empty string for NOT_FOUND and FAILED_PRECONDITION (DISABLED) errors, this can be configured to throw on those errors too.

await getVersion('my-secret', undefined, { throwOnAnyError: true });

resolveVersion

Added to act as a substitute for synfhir-core -> resolve function. It handles errors slightly differently and should be considered a breaking change but in reality should be a simple modification.

await resolveVersion('');
await resolveVersion();
// both return '';

It expects all secret names to be passed as one of file://... or secret://.... If none of these prefix patterns match it will return the input value.

e.g. my-input-value would just return my-input-value.

file:// prefixes are attempt to read the contents of a file based on the value after removing file://.

e.g. file://path/to/a/file will read the file at path/to/a/file.

secret:// prefixes are attempt to read the contents of a GCP Secret Manager secret latest version based on the value after removing secret://. NOTE - This will use getVersion detailed above

e.g. secret://my-secret-name will read the file at my-secret-name.

replaceVersion

Will attempt to set a secret version value and disable it previous version. It surfaces any errors encountered. It does nothing with the cache.

await replaceVersion('my-secret', 'new value');

For convenience it will handle a secret:// prefix.

await replaceVersion('secret://my-secret', 'new value');

It can be provided with an alternate project id.

await replaceVersion('my-secret', ' new data', { project: 'alternate-project-id' });

createSecretWithVersion

This will create a new secret (where you are sure it doesn't already exist) and add an optional version to it. It does not allow for replication setting overrides, defaulting to our standard config. It is safe to attempt to re-create a secret as an error will be thrown before a new version can be added.

The new version will be a 'PLACEHOLDER' value by default.

await createSecretWithVersion('my-new-secret');

// my-new-secret now has PLACEHOLDER as it's version value

It can be provided with an alternate project id.

await createSecretWithVersion('my-new-secret', 'new data', { project: 'alternate-project-id' });

TESTING

When testing this package it is important to bear in mind that Jest will reload it's modules per file. To prevent memory leaks in this scenario and allow mocking to prevent client and cache instantiation, this module defers both client and cache instances until one of the above functions is called.