Synanetics custom secrets package for GCP environments
Package to handle Synanetics secret usage. It is meant as a (breaking) replacement for, and extension of, the synfhir-core resolve utility function.
```javascript
const secrets = require('@synanetics/secrets');
const { getVersion, resolveVersion, replaceVersion, createSecretWithVersion } = require('@synanetics/secrets');
// or
import * as secrets from '@synanetics/secrets';
import { getVersion, resolveVersion, replaceVersion, createSecretWithVersion } from '@synanetics/secrets';
```
#### getVersion
Will attempt to fetch a secret value and return it as a string. It surfaces any errors encountered.
```javascript
await getVersion('my-secret');
// returns my-secret string value
```
For convenience it will handle a secret:// prefix.
```javascript
await getVersion('secret://my-secret');
```
It can be provided a version number - it defaults to latest.
```javascript
await getVersion('my-secret', '10');
```
It can be provided with an alternate project id when handling secrets.
```javascript
await getVersion('my-secret', undefined, { project: 'alternate-project-id' });
```
By default it will return an empty string for NOT_FOUND and FAILED_PRECONDITION (DISABLED) errors; it can be configured to throw on those errors too.
```javascript
await getVersion('my-secret', undefined, { throwOnAnyError: true });
```
#### resolveVersion
Added as a substitute for the synfhir-core resolve function. It handles errors slightly differently and should be considered a breaking change, but in practice adopting it should be a simple modification.
```javascript
await resolveVersion('');
await resolveVersion();
// both return ''
```
It expects all secret names to be passed as one of file://... or secret://.... If none of these prefix patterns match it will return the input value.
_e.g._
my-input-value would just return my-input-value.
For file:// prefixes it will attempt to read the contents of a file at the path that remains after removing file://.
_e.g._
file://path/to/a/file will read the file at path/to/a/file.
For secret:// prefixes it will attempt to read the latest version of a GCP Secret Manager secret, named by the value that remains after removing secret://. NOTE - This will use getVersion, detailed above.
_e.g._
secret://my-secret-name will read the latest version of the secret my-secret-name.
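A startup check built on the two behaviours described above (unprefixed input is returned unchanged, and a missing or disabled secret resolves to an empty string by default), as an added example that is not part of this package. `classify`, `resolveConfig`, `stubResolve` and the sample data are hypothetical, and it assumes `resolveVersion` calls `getVersion` with its default options; pass the real `resolveVersion` in place of the stub.

```javascript
// Added example, not part of @synanetics/secrets. All names here are hypothetical.
// Constructed stand-in for resolveVersion, backed by a map instead of Secret Manager.
const SAMPLE_SECRETS = { 'db-password': 'constructed-value' };
async function stubResolve(input = '') {
  if (input.startsWith('secret://')) {
    // Mirrors the documented default: missing or disabled secrets resolve to ''.
    return SAMPLE_SECRETS[input.slice('secret://'.length)] ?? '';
  }
  return input; // unprefixed input is returned unchanged
}

function classify(ref) {
  if (typeof ref !== 'string') return 'literal';
  if (ref.startsWith('secret://')) return 'secret';
  if (ref.startsWith('file://')) return 'file';
  // Near-miss of a known prefix (wrong case, extra "s", missing slashes): the
  // resolver would hand it back unchanged and the reference would become the value.
  if (/^(secrets?|files?):/i.test(ref)) return 'suspect';
  return 'literal';
}

// Resolve a flat config object and fail closed instead of running with blanks.
async function resolveConfig(config, resolve) {
  const resolved = {};
  const problems = [];
  for (const [key, ref] of Object.entries(config)) {
    const kind = classify(ref);
    if (kind === 'suspect') {
      problems.push(`${key} (malformed prefix)`);
      continue;
    }
    const value = kind === 'literal' ? ref : await resolve(ref);
    if (kind === 'secret' && value === '') problems.push(`${key} (empty secret)`);
    resolved[key] = value;
  }
  // Report key names only, never resolved values.
  if (problems.length > 0) throw new Error(`config not usable: ${problems.join(', ')}`);
  return resolved;
}
```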
#### replaceVersion
Will attempt to set a secret version value and disable its previous version. It surfaces any errors encountered.
```javascript
await replaceVersion('my-secret', 'new value');
```
For convenience it will handle a secret:// prefix.
```javascript
await replaceVersion('secret://my-secret', 'new value');
```
It can be provided with an alternate project id.
```javascript
await replaceVersion('my-secret', ' new data', { project: 'alternate-project-id' });
```
#### createSecretWithVersion
This will create a new secret (where you are sure it doesn't already exist) and add an optional version to it. It does not allow for replication setting overrides, defaulting to our standard config. It is safe to attempt to re-create a secret as an error will be thrown before a new version can be added.
The new version will be a 'PLACEHOLDER' value by default.
```javascript
await createSecretWithVersion('my-new-secret');
// my-new-secret now has PLACEHOLDER as its version value
```
It can be provided with an alternate project id.
```javascript
await createSecretWithVersion('my-new-secret', 'new data', { project: 'alternate-project-id' });
```
When testing this package it is important to bear in mind that Jest will reload its modules per file. To prevent memory leaks in this scenario and allow mocking to prevent client instantiation, this module defers client instances until one of the above functions is called.