Commits (41 commits)
2ae6244  feat(parameters): pluggable secret/param storage with 4 providers  (fedemaleh, Jun 17, 2026)
60b4e88  refactor(parameters): resolve provider via specification_id + config …  (fedemaleh, Jun 23, 2026)
24eceb4  feat(parameters): NRN+slug-based naming for external_id with parallel…  (fedemaleh, Jun 23, 2026)
6dc071e  refactor(parameters): rename secret_manager provider to aws_secret_ma…  (fedemaleh, Jun 23, 2026)
82c8331  feat(parameters): PR review fixes - versioning, nullplatform path, ma…  (fedemaleh, Jun 23, 2026)
de99ba9  feat(parameters): version_id in metadata + remove managed_by from pay…  (fedemaleh, Jun 23, 2026)
adb06bc  feat(parameters): encode version_id into external_id suffix (no platf…  (fedemaleh, Jun 23, 2026)
ad83c79  docs(parameters): document native version_id format per provider with…  (fedemaleh, Jun 23, 2026)
8826f2f  feat(parameters): retrieve fails on not-found + complete adding_a_pro…  (fedemaleh, Jun 24, 2026)
75d0bc9  refactor(parameters): unified dispatch script + move shared scripts t…  (fedemaleh, Jun 24, 2026)
693370a  docs(parameters): clarify optional scope entity and optional dimensions  (fedemaleh, Jun 24, 2026)
24dba2a  refactor(parameters): hardcode invariant prefixes; AWS_REGION from ru…  (fedemaleh, Jun 24, 2026)
e8f9a6a  feat(parameters): sts:AssumeRole step for AWS providers (Secrets Mana…  (fedemaleh, Jun 24, 2026)
da5bac0  refactor(parameters): assume_role step takes selector+env-var names a…  (fedemaleh, Jun 24, 2026)
cc8f779  chore: gitignore tofu state, plans, tfvars, tfbackend, overrides  (fedemaleh, Jun 25, 2026)
c303679  refactor(parameters): align provider slugs with platform-derived nami…  (fedemaleh, Jun 25, 2026)
42961a6  feat(parameters): tofu install modules for all four providers (spec +…  (fedemaleh, Jun 25, 2026)
0d6ea9d  fix(parameters): read action from $CONTEXT.action, not from NOTIFICAT…  (fedemaleh, Jun 25, 2026)
600fb69  fix(parameters): build NRN from CONTEXT.entities/value_entities, not …  (fedemaleh, Jun 25, 2026)
2af0da6  fix(parameters): build_external_id reads value_entities for scope-lev…  (fedemaleh, Jun 25, 2026)
523d65d  perf(parameters): parallel np-read prefetch + timing logs (debug)  (fedemaleh, Jun 25, 2026)
5565ce8  docs(parameters): add secretsmanager:TagResource to required IAM perm…  (fedemaleh, Jun 25, 2026)
cafad09  perf(parameters): timing logs for AWS/Vault/Azure calls + dispatch + …  (fedemaleh, Jun 25, 2026)
1fe7685  perf(parameters): per-np-call timings + entrypoint.prep + build_conte…  (fedemaleh, Jun 26, 2026)
39908f2  perf(parameters): cache sts:AssumeRole creds on disk with TTL (skips …  (fedemaleh, Jun 26, 2026)
c3c0a04  refactor(parameters): hardcode sts cache dir to $SERVICE_PATH/credent…  (fedemaleh, Jun 26, 2026)
59df949  fix(parameters): sts cache reads precomputed epoch (handles busybox d…  (fedemaleh, Jun 26, 2026)
f6328bf  docs(parameters): aws-parameter-store iam/architecture — hardcoded /n…  (fedemaleh, Jun 26, 2026)
6113827  fix(parameters): sanitize '=' to '_' in aws-parameter-store path (SSM…  (fedemaleh, Jun 26, 2026)
e67daf0  perf(parameters): add ps.store/retrieve/delete granular timing markers  (fedemaleh, Jun 26, 2026)
764c9dd  perf(parameters): use payload's specification_slug + value_dimensions…  (fedemaleh, Jun 30, 2026)
1621992  feat(parameters): wrap config under setup{} + add sensibility{} to al…  (fedemaleh, Jun 30, 2026)
7992213  perf(parameters): drop managed_by tagging from AWS providers (saves ~…  (fedemaleh, Jun 30, 2026)
066647f  refactor(parameters): rename install/ → specs/ and move <provider>-co…  (fedemaleh, Jun 30, 2026)
eba7780  feat(parameters): optional IAM role creation in AWS specs modules (va…  (fedemaleh, Jun 30, 2026)
5400c14  fix(parameters): conditional IAM policy at string level to satisfy to…  (fedemaleh, Jun 30, 2026)
5b7336b  refactor(parameters): drop spec-lookup fallback (slug now always in p…  (fedemaleh, Jul 1, 2026)
8c7f654  Do not require service path  (fedemaleh, Jul 2, 2026)
b7454b7  Use correct relative path to scripts  (fedemaleh, Jul 2, 2026)
154a449  feat(parameters): per-instance agent api key + notification channel a…  (fedemaleh, Jul 2, 2026)
bbbc5e0  chore(parameters): document per-instance channel vars in examples; ig…  (fedemaleh, Jul 2, 2026)
24 changes: 23 additions & 1 deletion .gitignore
Expand Up @@ -78,6 +78,7 @@ web_modules/
.env.test.local
.env.production.local
.env.local
*.env

# parcel-bundler cache (https://parceljs.org/)
.cache
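Review bot: the new `*.env` entry only stops untracked files from being added; it has no effect on a `.env` file that is already tracked, so before relying on it run `git ls-files -- '*.env' '.env*'` and `git rm --cached` any hit. A value that was ever committed has to be rotated, not just removed from the tree, since it remains in history.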
Expand Down Expand Up @@ -142,9 +143,28 @@ DS_Store
# Integration test runtime data
frontend/deployment/tests/integration/volume/

# Local sts:AssumeRole credentials cache (parameters/utils/assume_role)
credentials/

# Terraform/OpenTofu
.terraform/
.terraform.lock.hcl
terraform.tfstate
terraform.tfstate.backup
*.tfstate
*.tfstate.*
*.tfplan
*.tfvars
*.tfvars.json
*.tfbackend
override.tf
override.tf.json
*_override.tf
*_override.tf.json
backend-local.tf
!*.tfvars.example
!*.tfbackend.example
!*_override.tf.example

# Generated test certificates
testing/docker/certs/
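Review bot: `.terraform.lock.hcl` should not be ignored. The dependency lock file pins provider versions together with their checksums and is meant to be committed so that every `tofu init` verifies the same provider binaries; ignoring it means the four install modules added in this PR lose their supply-chain pin. Drop that line and keep only `.terraform/` for the plugin cache. The rest of the block is sound: `*.tfstate`, `*.tfstate.*` and `*.tfplan` belong here because state and plan files carry resolved values, secrets included, in clear text, and `credentials/` covers the on-disk sts:AssumeRole cache from the earlier commits. Two small points: the `!*.tfvars.example`, `!*.tfbackend.example` and `!*_override.tf.example` negations are harmless but redundant, since `*.tfvars` and friends do not match names ending in `.example`; and a gitignore entry is not an access control, so the `credentials/` cache directory should additionally be created with mode 0700 and hold only short-TTL credentials.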
Expand All @@ -153,4 +173,6 @@ testing/docker/certs/
.claude/

# Visual Studio Code
.vscode/
.vscode/

.DS_Store
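Review bot: the trailing `.DS_Store` looks redundant; the `@@ -142,9 +143,28 @@ DS_Store` hunk header above indicates a DS_Store entry already exists higher in the file, so check for a duplicate before adding it at the end. The `.vscode/` line appearing as both removed and re-added is the usual sign that the file previously lacked a trailing newline; that part of the change is fine to keep.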
Binary file added aws-secret-manager-strategies.docx
Binary file not shown.
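Review bot: a binary `.docx` at the repository root cannot be diffed or reviewed inline, yet `parameters/PENDING.md` below cites `aws-secret-manager-strategies.docx` as the team's decision record for the 1:1 granularity choice. Prefer a markdown version under `parameters/docs/` (or a link to where the document is maintained) so the decisions are reviewable and searchable in the PR.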
139 changes: 139 additions & 0 deletions parameters/PENDING.md
@@ -0,0 +1,139 @@
# Parameters Package — Pending Work

Status snapshot del estado actual del paquete `parameters/` y trabajo pendiente. Para vista de la arquitectura completa: `parameters/docs/architecture.md`.

---

## Estado actual

| Componente | Estado |
|---|---|
| Skeleton (entrypoint, build_context, dispatch, utils, workflows) | ✅ Implementado |
| Provider `hashicorp-vault` | ✅ Implementado |
| Provider `aws-secrets-manager` | ✅ Implementado |
| Provider `aws-parameter-store` | ✅ Implementado |
| Provider `azure-key-vault` | ✅ Implementado |
| Error handling (not_found → idempotent, otros → fail loud) | ✅ Aplicado a deletes y retrieves |
| Tests BATS | ✅ 151 tests pasando |
| Docs globales | ✅ architecture.md, configuration.md, adding_a_provider.md |
| Docs por provider | ✅ architecture.md (4 providers), iam-policy.md (SM + PS) |
| Decision doc para equipo | ✅ `aws-secret-manager-strategies.docx` (en root del repo) |
| **Resolución de provider via `provider.specification_id`** | **✅ Implementado** (era pendiente, hecho hoy) |
| **`PROVIDER_CONFIG` desde `provider.attributes`** | **✅ Implementado** (era pendiente como `fetch_configuration`, ahora viene en payload) |
| Naming NRN+slug-based | ✅ Implementado (utils/build_external_id + 4 providers refactorizados) |
| Rename `secret_manager` → `aws-secrets-manager` | ✅ Implementado |

---

## Decisiones tomadas

| Decisión | Valor | Origen |
|---|---|---|
| Estrategia de granularidad | 1:1 mapping (un secret por parámetro) | Review del equipo sobre el decision doc |
| Naming convention | NRN entities con slugs+ids + dimensiones + parameter_id | Conversación de diseño |
| Provider AWS Secrets Manager | Nombre futuro: `aws-secrets-manager` | Conversación de diseño |
| Provider selection | Via `provider.specification_id` → np CLI → slug | Cambio reciente con payload real |
| Provider config source | `provider.attributes` en el payload (no env vars, no fetch script) | Cambio reciente |
| Workflow YAMLs | 4 workflows unificados (store, retrieve, delete, notify) | Cleanup arquitectónico |
| Discriminación secret/param | En `build_context` desde `$CONTEXT.secret`, no en entrypoint | Cleanup |
| Logging | Todos los niveles routean a stderr (stdout reservado para JSON) | Bug encontrado durante tests |
| Delete failure semantics | "not found" → success idempotente, otros → exit 1 | Feedback de revisión |
| Retrieve failure semantics | Idem delete | Feedback de revisión |

---

## Pendiente

Sin items pendientes a la fecha. Todas las decisiones aprobadas están implementadas.

---

## Contrato del payload — referencia rápida

`$CONTEXT` (después de que el entrypoint extrae `.notification`):

| Campo | Tipo | Acciones | Notas |
|---|---|---|---|
| `parameter_id` | number | todas | nullplatform parameter ID |
| `value` | string | store | el valor a persistir |
| `external_id` | string | retrieve, delete, notify | handle generado en store |
| `secret` | bool | todas | discriminador secret/parameter (informativo en 1:1) |
| `parameter_name` | string | todas | display name |
| `encoding` | string | todas | `plain`, `base64`, etc. |
| `entities` | object | todas | IDs only — slugs vía np CLI (solo en store, para naming) |
| `dimensions` | object | opcional | top-level, NO en `provider.dimensions` |
| `provider.specification_id` | uuid | todas | **el que decide qué provider usar** |
| `provider.attributes` | object | todas | **config del provider, viene en el payload** |
| `provider.nrn` | string | todas | informacional (NRN del provider instance) |
| `provider.dimensions` | object | todas | informacional (dimensions del provider instance) |
| `provider.id` | uuid | todas | informacional |

Ejemplo de payload completo de store:

```json
{
"action": "parameter:store",
"parameter_id": 359535238,
"value": "the-value",
"parameter_name": "test_param",
"secret": false,
"encoding": "plaintext",
"entities": {
"organization": "1255165411",
"account": "95118862",
"namespace": "37094320",
"application": "321402625"
},
"dimensions": {
"environment": "development",
"country": "argentina"
},
"provider": {
"id": "e4105634-4ee0-4ffa-996b-1fb8213e56b6",
"nrn": "organization=1255165411:account=95118862:namespace=37094320:application=321402625",
"dimensions": {},
"specification_id": "ec885dd0-7c38-45b8-af2c-0b9e1deb7d3d",
"attributes": {}
}
}
```

---

## Cómo correr los tests

```bash
bats $(find parameters/tests -name "*.bats")
```

Distribución actual (151 tests):

- Skeleton (entrypoint, build_context, dispatch, utils): 56 tests
- hashicorp-vault: 27 tests
- aws-secrets-manager: 17 tests (renombrado desde `secret_manager`)
- aws-parameter-store: 23 tests
- azure-key-vault: 15 tests
- utils/log + utils/get_config_value: 13 tests

---

## Estructura del paquete

```
parameters/
├── PENDING.md # este archivo
├── entrypoint, build_context # router + provider resolution via spec_id
├── store, retrieve, delete, notify # dispatch one-liners
├── workflows/ # 4 YAMLs (acción-only)
├── utils/
│ ├── get_config_value # priority: provider config > env > default
│ └── log # todos los niveles a stderr
├── providers/
│ ├── README.md # contrato del provider
│ ├── hashicorp-vault/
│ ├── aws-secrets-manager/
│ ├── aws-parameter-store/
│ └── azure-key-vault/
├── tests/ # 151 BATS tests
└── docs/ # docs globales del paquete
```
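Review bot: the retrieve semantics recorded in this file contradict the code in this same PR. The decisions table says `Retrieve failure semantics | Idem delete`, i.e. not-found is treated as an idempotent success, and the status table repeats that the `not_found → idempotent` handling is applied to retrieves, while commit 8826f2f, `retrieve fails on not-found`, makes retrieve fail loud. Treating a missing secret as a successful retrieve would hand the caller an empty value where a secret is expected, so the doc should state the fail-on-not-found behaviour the code now has. Two smaller inconsistencies: the `encoding` row lists `plain`, while the example store payload uses `"encoding": "plaintext"`; and the `## Pendiente` section declares no pending items in a file named PENDING.md, which will go stale quickly, so consider folding the status and decision tables into `parameters/docs/architecture.md`. The file is also written in Spanish; if the rest of the docs it references (`architecture.md`, `configuration.md`, `adding_a_provider.md`) are in English, keep the docs tree in one language.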