| 27 | * so a misconfigured container crashes instead of booting without its config. |
| 28 | */ |
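export async function loadRuntimeSecrets(): Promise<void> {
  const secretId = process.env[SECRET_ID_ENV]
  if (!secretId) {
    // Opt-in behaviour: without the pointer variable there is nothing to fetch,
    // so this is a normal (logged) no-op rather than an error.
    logger.info(`${SECRET_ID_ENV} not set; skipping runtime secret ingestion`)
    return
  }

  // Pass an explicit region only when the operator set one; otherwise leave the
  // config empty so the SDK applies its own region resolution.
  const client = new SecretsManagerClient(
    process.env.AWS_REGION ? { region: process.env.AWS_REGION } : {}
  )

  // Neither call is wrapped in try/catch on purpose: a fetch or parse failure
  // propagates to the caller so the process fails to start instead of running
  // without its configuration.
  const secretString = await fetchSecretString(client, secretId)
  const entries = parseSecretJson(secretString)

  let loaded = 0
  let skipped = 0
  for (const [key, value] of Object.entries(entries)) {
    // An empty name, or one containing '=' or NUL, is not a representable
    // environment-variable name (it cannot survive execve into a child process,
    // and the process.env setter is not guaranteed to report the failure).
    // Without this guard such a key would be counted as `loaded` while the
    // value was never actually exported. Treat it as a malformed secret and
    // fail closed. Only the key is named in the error; the value is never
    // logged or thrown.
    if (key === '' || key.includes('=') || key.includes('\0')) {
      throw new Error(
        `Secret ${secretId} contains an invalid environment variable name: ${JSON.stringify(key)}`
      )
    }
    // Precedence: a value already present in the environment wins, so a
    // per-deployment override (task definition, `docker run -e`) beats the
    // stored secret. The flip side is that anyone able to set env on the
    // container can shadow a secret; that is the accepted trust boundary here.
    // (`in` also matches names inherited from Object.prototype such as
    // `constructor`; those are skipped rather than assigned, which is harmless.)
    if (key in process.env) {
      skipped++
      continue
    }
    // The environment can only hold strings: non-string JSON values
    // (numbers, booleans, nested objects, null) are re-serialised as JSON text.
    process.env[key] = typeof value === 'string' ? value : JSON.stringify(value)
    loaded++
  }

  // Log counts and the secret identifier only; key names and values stay out
  // of the logs.
  logger.info('Runtime secrets ingested', { secretId, loaded, skipped })
}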
| 56 | |
| 57 | async function fetchSecretString(client: SecretsManagerClient, secretId: string): Promise<string> { |
| 58 | const response = await sendWithRetry(client, secretId) |