secrete key manager to env

package-lock.json

@@ -10,6 +10,7 @@
       "license": "MIT",
       "dependencies": {
         "@google-cloud/pubsub": "^5.0.0",
+        "@google-cloud/secret-manager": "^6.0.1",
         "@nestjs/swagger": "^11.2.0",
         "@nestjs/throttler": "^6.4.0",
         "@prisma/client": "^6.8.2",
@@ -96,6 +97,18 @@
         "node": ">=18"
       }
     },
+    "node_modules/@google-cloud/secret-manager": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/@google-cloud/secret-manager/-/secret-manager-6.0.1.tgz",
+      "integrity": "sha512-xvFzeqXZh7u6Pv1awJH/iOYudpvLXc45cCrjgsodWPm1SmYkXvLYtKfJLkEpkJGRMdteyfzGay4CueSZCVy8Eg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "google-gax": "^5.0.1-rc.0"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/@grpc/grpc-js": {
       "version": "1.13.3",
       "resolved": "https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-1.13.3.tgz",

package.json

@@ -29,6 +29,7 @@
   },
   "dependencies": {
     "@google-cloud/pubsub": "^5.0.0",
+    "@google-cloud/secret-manager": "^6.0.1",
     "@nestjs/swagger": "^11.2.0",
     "@nestjs/throttler": "^6.4.0",
     "@prisma/client": "^6.8.2",

src/index.ts

@@ -26,6 +26,7 @@ export * from './utils/prisma-seed.util';
 export * from './utils/custom-exception.utils';
 export * from './utils/prisma-exception.utils';
 export * from './utils/filenet.utils';
+export * from './utils/gcp-secretes.utils';
 
 export * from './guards/http-throttler.guard';
 

src/utils/gcp-secretes.utils.ts

+// fetch-all-secrets.ts
+import { SecretManagerServiceClient } from '@google-cloud/secret-manager';
+import * as fs from 'fs';
+import * as path from 'path';
+
+async function createSecretManagerClient(): Promise<{
+    client: SecretManagerServiceClient;
+    projectId: string;
+}> {
+    try {
+        const keyPath = path.resolve(__dirname, 'gcp-key.json');
+        if (fs.existsSync(keyPath)) {
+            const credentials = JSON.parse(fs.readFileSync(keyPath, 'utf8'));
+            const client = new SecretManagerServiceClient({
+                credentials: {
+                    client_email: credentials.client_email,
+                    private_key: credentials.private_key,
+                },
+                projectId: credentials.project_id,
+            });
+            console.log('Using service account from local JSON file');
+            return { client, projectId: credentials.project_id };
+        } else {
+            throw new Error('No local key file found');
+        }
+    } catch {
+        const client = new SecretManagerServiceClient();
+        const projectId = await client.getProjectId();
+        console.log('Using Google Application Default Credentials');
+        return { client, projectId };
+    }
+}
+
+function toEnvKey(secretId: string): string {
+    return secretId.toUpperCase().replace(/[^A-Z0-9_]/gi, '_');
+}
+
+async function listSecrets(client: SecretManagerServiceClient, projectId: string): Promise<string[]> {
+    const [secrets] = await client.listSecrets({ parent: `projects/${projectId}` });
+    return secrets.map(secret => {
+        const fullName = secret.name || '';
+        const parts = fullName.split('/');
+        return parts[parts.length - 1];
+    });
+}
+
+async function getSecretValue(client: SecretManagerServiceClient, projectId: string, secretId: string): Promise<string> {
+    try {
+        const [version] = await client.accessSecretVersion({
+            name: `projects/${projectId}/secrets/${secretId}/versions/latest`,
+        });
+        const rawData = version.payload?.data ?? new Uint8Array();
+        return Buffer.from(rawData).toString('utf8');
+    } catch (error: any) {
+        console.error(`Failed to fetch secret "${secretId}": ${error.message}`);
+        return '';
+    }
+}
+
+async function fetchAllSecretsAndWriteEnv() {
+    const { client, projectId } = await createSecretManagerClient();
+    const envFilePath = path.resolve(process.cwd(), '.env');
+
+    const secretIds = await listSecrets(client, projectId);
+    let envContent = '';
+
+    for (const secretId of secretIds) {
+        const value = await getSecretValue(client, projectId, secretId);
+        if (value) {
+            const envKey = toEnvKey(secretId);
+            envContent += `${envKey}=${value}\n`;
+            console.log(`Added ${envKey}`);
+        }
+    }
+
+    fs.writeFileSync(envFilePath, envContent);
+    console.log(`All secrets written to ${envFilePath}`);
+}
+
+fetchAllSecretsAndWriteEnv().catch(err => {
+    console.error('Error fetching secrets:', err);
+});