sops-secretsmanager-cdk

sops-secretsmanager-cdk

Safely load secrets from sops into secretsmanager using the CDK

Usage

import { SopsSecretsManager } from 'sops-secretsmanager-cdk';
...
const ssm = new SopsSecretsManager(this, 'StoreSecrets', {
    path: './path/to/secretsfile.yaml',
    kmsKey: myKey,  // or use kms.Key.fromKeyArn, or omit and use the key in the sops file
    secretName: 'TestSecret',  // or secret: mySecret
    mappings: {
        nameInSecretsManager: {
            path: ['path', 'to', 'value', 'in', 'secretsfile'],
            // optionally pass encoding: 'json' to pass a portion of the secrets file
        },
        anotherThingInSecretsManager: {
            path: ['other', 'path'],
        },
        // etc
    },
});

if(ssm.secret) {
    // secret is a Secret you can tag, for example
}

Implementation

Using the CDK's custom resource mini-framework, the sops secrets file is uploaded to S3 as an asset as is, still encoded. The custom resource Lambda then decodes the secrets (in memory, never on disk) and puts them into the SecretsManager secret.

Releasing a new version

• (Almost certainly) be on latest master, with no unpublished changes
• Run npm version (patch|minor|major) as appropriate
• Run git push and git push origin TAG where TAG is the tag that npm version just created

The tag triggers a CircleCI job to publish to npm.

Changelog

1.5.0

3 March 2020

• More construct tests #25
• Keep CDK devDependencies in line #24
• Typescript provider #19
• Linting configuration e76a5b1
• Tests for CDK construct a8ccf77