pipeline

package
v0.0.0-...-0c4b637 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 1, 2026 License: MIT Imports: 49 Imported by: 0

Documentation

Overview

Package pipeline provides automatic detection of available clients and features. Clients are auto-enabled based on environment variables - no explicit config required.

Package pipeline provides AWS execution context management for multi-account operations.

AWS Organizations supports two primary patterns for cross-account operations:

1. MANAGEMENT ACCOUNT: The root account that owns the AWS Organization

  • Has implicit trust from OrganizationAccountAccessRole in all member accounts
  • Can assume AWSControlTowerExecution in Control Tower enrolled accounts
  • Full Organizations API access
  • Full Identity Center admin access
  • NOT recommended for production workloads (security best practice)

2. DELEGATED ADMINISTRATOR: A member account with delegated permissions

  • Requires explicit delegation via Organizations RegisterDelegatedAdministrator
  • Can be delegated for specific services (SSO, CloudFormation StackSets, etc.)
  • More secure - separates admin workloads from org management
  • Requires custom cross-account role deployment (StackSets, AFT, etc.)

This package handles both patterns and provides a unified interface for cross-account secrets synchronization.

Package pipeline provides unified configuration and orchestration for secrets syncing pipelines. It supports AWS Control Tower / Organizations patterns for multi-account secrets management.

Package pipeline provides fuzzy account name matching for dynamic target discovery. Supports multiple matching strategies for resolving AWS account names to target configurations.

Package pipeline provides dynamic target discovery from AWS Organizations and Identity Center.

Package pipeline provides a unified secrets synchronization pipeline.

Architecture:

┌─────────────────────────────────────────────────────────────────────────┐
│                         Pipeline Configuration                          │
│  (YAML file or programmatic)                                            │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                           Pipeline Engine                               │
│  • Dependency graph resolution                                          │
│  • Topological ordering                                                 │
│  • Parallel execution within levels                                     │
│  • Each operation is distinct and idempotent                            │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
          ┌─────────────────────────┴─────────────────────────┐
          ▼                                                   ▼
┌─────────────────┐                                 ┌─────────────────┐
│   Merge Phase   │                                 │   Sync Phase    │
│  Vault → Vault  │                                 │  Vault → AWS    │
│  (or S3)        │                                 │                 │
└─────────────────┘                                 └─────────────────┘

Operations:

  • merge: Source stores → Merge store (with inheritance resolution)
  • sync: Merge store → Destination stores (AWS)
  • pipeline: merge + sync in correct dependency order

Each operation is distinct and idempotent. Running the same operation multiple times produces the same result.

Package pipeline provides automatic resolution of sources and destinations. Supports fuzzy matching of AWS account names with JSON key normalization.

Package pipeline provides S3-based merge store implementation for secrets aggregation.

Package pipeline provides unified configuration and orchestration for secrets syncing pipelines.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AutoResolveConfig

func AutoResolveConfig(ctx context.Context, cfg *Config, awsCtx *AWSExecutionContext) error

AutoResolveConfig takes a minimal config with just names and resolves everything

func BundleID

func BundleID(sources []string) string

BundleID generates a deterministic, reproducible identifier for a merge bundle based on the ordered sequence of sources. Same sources in same order = same ID.

func BundlePath

func BundlePath(mount string, sources []string) string

BundlePath returns the full path in the merge store for a given bundle. Format: {mount}/bundles/{bundle_id}

func ExpandDynamicTargets

func ExpandDynamicTargets(ctx context.Context, cfg *Config, awsCtx *AWSExecutionContext) error

ExpandDynamicTargets expands dynamic targets in the config and merges them with static targets

func TargetBundlePath

func TargetBundlePath(mount, targetName string, sources []string) string

TargetBundlePath returns the merge store path for a specific target. This includes the target name for organization but the bundle ID for reproducibility. Format: {mount}/targets/{target_name}/{bundle_id}

Types

type AWSConfig

type AWSConfig struct {
	Region           string                 `mapstructure:"region" yaml:"region"`
	ExecutionContext ExecutionContextConfig `mapstructure:"execution_context" yaml:"execution_context"`
	ControlTower     ControlTowerConfig     `mapstructure:"control_tower" yaml:"control_tower"`
	Organizations    OrganizationsConfig    `mapstructure:"organizations" yaml:"organizations"`
	IdentityCenter   IdentityCenterConfig   `mapstructure:"identity_center" yaml:"identity_center"`

	// MaxRetries overrides the AWS SDK retry attempt count (0 = SDK default).
	MaxRetries int `mapstructure:"max_retries" yaml:"max_retries,omitempty"`
	// RetryMode selects the SDK retry strategy: "standard" or "adaptive".
	RetryMode string `mapstructure:"retry_mode" yaml:"retry_mode,omitempty"`
}

AWSConfig configures AWS with Control Tower / Organizations awareness

type AWSDetection

type AWSDetection struct {
	Available     bool
	Region        string
	AuthType      string // env, iam-role, profile, sso
	HasOrgsAccess bool   // Can we access Organizations API?
}

AWSDetection contains AWS auto-detection results

type AWSExecutionContext

type AWSExecutionContext struct {
	Config           *AWSConfig
	BaseConfig       aws.Config
	CallerIdentity   *CallerIdentity
	OrganizationInfo *OrganizationInfo
	// contains filtered or unexported fields
}

AWSExecutionContext manages AWS credentials and cross-account access

func NewAWSExecutionContext

func NewAWSExecutionContext(ctx context.Context, cfg *AWSConfig) (*AWSExecutionContext, error)

NewAWSExecutionContext creates and initializes an AWS execution context

func NewAWSExecutionContextWithRuntimeAuth

func NewAWSExecutionContextWithRuntimeAuth(ctx context.Context, cfg *AWSConfig, auth *AWSRuntimeAuth) (*AWSExecutionContext, error)

NewAWSExecutionContextWithRuntimeAuth creates and initializes an AWS execution context using caller-supplied session material when provided.

func (*AWSExecutionContext) AssumeRoleConfig

func (ec *AWSExecutionContext) AssumeRoleConfig(ctx context.Context, accountID string) (aws.Config, error)

AssumeRoleConfig returns AWS config with assumed role credentials

func (*AWSExecutionContext) CanAccessIdentityCenter

func (ec *AWSExecutionContext) CanAccessIdentityCenter() bool

CanAccessIdentityCenter checks if we can access Identity Center

func (*AWSExecutionContext) CanAccessOrganizations

func (ec *AWSExecutionContext) CanAccessOrganizations() bool

CanAccessOrganizations checks if we can access Organizations API

func (*AWSExecutionContext) GetAccountTags

func (ec *AWSExecutionContext) GetAccountTags(ctx context.Context, accountID string) (map[string]string, error)

GetAccountTags retrieves tags for an AWS account

Performance Note: This method makes an API call for each account. For large organizations with many accounts (100+), consider:

  • Limiting discovery scope using OU filters
  • Using tag filtering only when necessary
  • Monitoring AWS API rate limits (Organizations API throttles at 20 TPS)

Future optimization: Implement batch tag fetching or caching if needed

func (*AWSExecutionContext) GetIdentityCenterClient

func (ec *AWSExecutionContext) GetIdentityCenterClient(ctx context.Context) (*ssoadmin.Client, error)

GetIdentityCenterClient returns an Identity Center client if accessible

func (*AWSExecutionContext) GetRoleARN

func (ec *AWSExecutionContext) GetRoleARN(accountID string) string

GetRoleARN returns the appropriate role ARN for a target account

func (*AWSExecutionContext) GetSSMParameter

func (ec *AWSExecutionContext) GetSSMParameter(ctx context.Context, name string) (string, error)

GetSSMParameter retrieves a parameter value from SSM Parameter Store

func (*AWSExecutionContext) ListAccountsInOU

func (ec *AWSExecutionContext) ListAccountsInOU(ctx context.Context, ouID string) ([]AccountInfo, error)

ListAccountsInOU returns accounts in a specific Organizational Unit with tags

func (*AWSExecutionContext) ListChildOUs

func (ec *AWSExecutionContext) ListChildOUs(ctx context.Context, parentID string) ([]string, error)

ListChildOUs returns child Organizational Units for a given parent OU

func (*AWSExecutionContext) ListOrganizationAccounts

func (ec *AWSExecutionContext) ListOrganizationAccounts(ctx context.Context) ([]AccountInfo, error)

ListOrganizationAccounts returns all accounts in the organization with tags

func (*AWSExecutionContext) Summary

func (ec *AWSExecutionContext) Summary() string

Summary returns a summary of the execution context

type AWSRuntimeAuth

type AWSRuntimeAuth struct {
	Region          string `json:"-" yaml:"-"`
	AccessKeyID     string `json:"-" yaml:"-"`
	SecretAccessKey string `json:"-" yaml:"-"`
	SessionToken    string `json:"-" yaml:"-"`
	RoleARN         string `json:"-" yaml:"-"`
	EndpointURL     string `json:"-" yaml:"-"`
}

AWSRuntimeAuth describes an authenticated AWS medium supplied by an upstream package. Credential fields are runtime-only and must not be serialized.

func (*AWSRuntimeAuth) HasStaticCredentials

func (a *AWSRuntimeAuth) HasStaticCredentials() bool

HasStaticCredentials reports whether the runtime AWS session contains enough material to create an SDK static credentials provider.

type AWSSource

type AWSSource struct {
	AccountID string            `mapstructure:"account_id" yaml:"account_id"`
	Region    string            `mapstructure:"region" yaml:"region"`
	Prefix    string            `mapstructure:"prefix" yaml:"prefix"`
	Tags      map[string]string `mapstructure:"tags" yaml:"tags"`
}

AWSSource imports secrets from AWS Secrets Manager

type AccountFactoryConfig

type AccountFactoryConfig struct {
	Enabled           bool `mapstructure:"enabled" yaml:"enabled"`
	OnAccountCreation bool `mapstructure:"on_account_creation" yaml:"on_account_creation"`
	AFTIntegration    bool `mapstructure:"aft_integration" yaml:"aft_integration"`
}

AccountFactoryConfig configures Account Factory integration

type AccountInfo

type AccountInfo struct {
	ID     string
	Name   string
	Email  string
	Status string
	Tags   map[string]string
}

AccountInfo contains basic AWS account information

func FilterAccountsByFuzzyMatch

func FilterAccountsByFuzzyMatch(accounts []AccountInfo, matcher *NameMatcher, patterns []string) []AccountInfo

FilterAccountsByFuzzyMatch filters accounts using fuzzy name matching against a list of target account IDs or names

type AccountNamePattern

type AccountNamePattern struct {
	// Pattern is a regex pattern to match against normalized account names
	Pattern string `mapstructure:"pattern" yaml:"pattern"`
	// Target is the target name to use when pattern matches
	Target string `mapstructure:"target" yaml:"target"`
}

AccountNamePattern maps discovered accounts to targets

type AccountsListDiscovery

type AccountsListDiscovery struct {
	Source string `mapstructure:"source" yaml:"source"`
}

AccountsListDiscovery discovers accounts from an external source

type AppRoleAuth

type AppRoleAuth struct {
	Mount    string `mapstructure:"mount" yaml:"mount"`
	RoleID   string `mapstructure:"role_id" yaml:"role_id"`
	SecretID string `mapstructure:"secret_id" yaml:"secret_id"`
}

AppRoleAuth configures AppRole authentication

type AuditConfig

type AuditConfig struct {
	// File is a local path to append JSONL audit entries to.
	File string `mapstructure:"file" yaml:"file,omitempty"`
	// S3Bucket/S3Prefix write one immutable object per entry to S3.
	S3Bucket string `mapstructure:"s3_bucket" yaml:"s3_bucket,omitempty"`
	S3Prefix string `mapstructure:"s3_prefix" yaml:"s3_prefix,omitempty"`
	// CloudWatchGroup/CloudWatchStream write entries as CloudWatch log events.
	CloudWatchGroup  string `mapstructure:"cloudwatch_group" yaml:"cloudwatch_group,omitempty"`
	CloudWatchStream string `mapstructure:"cloudwatch_stream" yaml:"cloudwatch_stream,omitempty"`
}

AuditConfig configures tamper-evident audit logging destinations. When no destination is set, auditing is disabled.

type AuthProviders

type AuthProviders struct {
	VaultAvailable bool
	VaultMethod    string // token, approle, kubernetes
	AWSAvailable   bool
	AWSMethod      string // env, iam_role, profile
}

DetectAuthProviders checks what authentication is available

func DetectAuth

func DetectAuth(cfg *Config) AuthProviders

DetectAuth automatically detects available authentication providers

type CallerIdentity

type CallerIdentity struct {
	AccountID string
	ARN       string
	UserID    string
}

CallerIdentity contains AWS STS GetCallerIdentity information

type Config

type Config struct {
	Log            LogConfig                `mapstructure:"log" yaml:"log"`
	Vault          VaultConfig              `mapstructure:"vault" yaml:"vault"`
	AWS            AWSConfig                `mapstructure:"aws" yaml:"aws"`
	Sources        map[string]Source        `mapstructure:"sources" yaml:"sources"`
	MergeStore     MergeStoreConfig         `mapstructure:"merge_store" yaml:"merge_store"`
	Targets        map[string]Target        `mapstructure:"targets" yaml:"targets"`
	DynamicTargets map[string]DynamicTarget `mapstructure:"dynamic_targets" yaml:"dynamic_targets"`
	Pipeline       PipelineSettings         `mapstructure:"pipeline" yaml:"pipeline"`
	Observability  ObservabilityConfig      `mapstructure:"observability" yaml:"observability,omitempty"`
	Policy         policy.Config            `mapstructure:"policy" yaml:"policy,omitempty"`
	Audit          AuditConfig              `mapstructure:"audit" yaml:"audit,omitempty"`
}

Config represents the unified pipeline configuration

func LoadConfig

func LoadConfig(path string) (*Config, error)

LoadConfig loads configuration from file with auto-detection and resolution.

Auto-detection: Clients are automatically enabled based on environment:

  • Vault: VAULT_ADDR, VAULT_TOKEN, VAULT_ROLE_ID/SECRET_ID
  • AWS: AWS_ACCESS_KEY_ID, AWS_PROFILE, IAM roles, etc.

Minimal config example (everything else auto-detected):

targets:
  Production:
    imports: [analytics, data-engineers]

The system will:

  1. Auto-detect Vault/AWS from environment
  2. Resolve sources/targets via fuzzy matching against AWS Organizations
  3. Configure merge store automatically

func LoadConfigWithoutAutoDetect

func LoadConfigWithoutAutoDetect(path string) (*Config, error)

LoadConfigWithoutAutoDetect loads config without auto-detection (for testing)

func (*Config) ApplyAutoDetection

func (c *Config) ApplyAutoDetection(detected DetectedClients)

ApplyAutoDetection updates config based on auto-detected clients

func (*Config) AutoConfigure

func (c *Config) AutoConfigure()

AutoConfigure applies intelligent defaults and resolves unspecified configuration. Call this after loading config but before validation to fill in gaps.

func (*Config) AutoDetectAndConfigure

func (c *Config) AutoDetectAndConfigure() DetectedClients

AutoDetectAndConfigure performs full auto-detection and config application

func (*Config) GetRoleARN

func (c *Config) GetRoleARN(accountID string) string

GetRoleARN returns the role ARN for a target account

func (*Config) GetSourcePath

func (c *Config) GetSourcePath(importName string) string

GetSourcePath returns the full path for a source or inherited target

func (*Config) IsInheritedTarget

func (c *Config) IsInheritedTarget(targetName string) bool

IsInheritedTarget checks if a target inherits from another target

func (*Config) Validate

func (c *Config) Validate() error

Validate validates the configuration with minimal requirements. The system auto-detects and resolves most configuration via: - AWS Organizations discovery for account resolution - Fuzzy name matching for source/target identification - Auto-detection of Vault vs AWS based on what's available

func (*Config) ValidateTargetInheritance

func (c *Config) ValidateTargetInheritance() error

ValidateTargetInheritance checks for circular dependencies in target inheritance chains

func (*Config) WriteConfig

func (c *Config) WriteConfig(path string) error

WriteConfig writes the configuration to a file

type ControlTowerConfig

type ControlTowerConfig struct {
	Enabled        bool                 `mapstructure:"enabled" yaml:"enabled"`
	ExecutionRole  ExecutionRoleConfig  `mapstructure:"execution_role" yaml:"execution_role"`
	AccountFactory AccountFactoryConfig `mapstructure:"account_factory" yaml:"account_factory"`
}

ControlTowerConfig configures AWS Control Tower integration

type DelegationConfig

type DelegationConfig struct {
	Services []string `mapstructure:"services" yaml:"services"`
}

DelegationConfig defines delegated administrator settings

type DetectedClients

type DetectedClients struct {
	// Vault client availability
	Vault VaultDetection
	// AWS client availability
	AWS AWSDetection
}

DetectedClients represents which clients are available based on environment

func AutoDetectClients

func AutoDetectClients() DetectedClients

AutoDetectClients detects available clients from environment

type DiscoveryConfig

type DiscoveryConfig struct {
	IdentityCenter *IdentityCenterDiscovery `mapstructure:"identity_center" yaml:"identity_center"`
	Organizations  *OrganizationsDiscovery  `mapstructure:"organizations" yaml:"organizations"`
	AccountsList   *AccountsListDiscovery   `mapstructure:"accounts_list" yaml:"accounts_list"`
}

DiscoveryConfig defines how to discover dynamic targets

type DiscoveryService

type DiscoveryService struct {
	// contains filtered or unexported fields
}

DiscoveryService handles dynamic target discovery from AWS services

func NewDiscoveryService

func NewDiscoveryService(ctx context.Context, awsCtx *AWSExecutionContext, cfg *Config) *DiscoveryService

NewDiscoveryService creates a new discovery service

func (*DiscoveryService) DiscoverTargets

func (d *DiscoveryService) DiscoverTargets() (map[string]Target, error)

DiscoverTargets discovers and expands dynamic targets into concrete targets

type DynamicTarget

type DynamicTarget struct {
	Discovery DiscoveryConfig `mapstructure:"discovery" yaml:"discovery"`
	Imports   []string        `mapstructure:"imports" yaml:"imports"`
	Exclude   []string        `mapstructure:"exclude" yaml:"exclude"`

	// AccountNamePatterns maps discovered accounts to specific targets using regex
	AccountNamePatterns []AccountNamePattern `mapstructure:"account_name_patterns" yaml:"account_name_patterns"`

	Region       string `mapstructure:"region" yaml:"region"`
	SecretPrefix string `mapstructure:"secret_prefix" yaml:"secret_prefix"`
	RoleARN      string `mapstructure:"role_arn" yaml:"role_arn"`
}

DynamicTarget defines targets discovered at runtime

type EncryptionConfig

type EncryptionConfig struct {
	Enabled bool `mapstructure:"enabled" yaml:"enabled"`
	// KMSKeyID enables KMS envelope encryption with the given key.
	KMSKeyID string `mapstructure:"kms_key_id" yaml:"kms_key_id,omitempty"`
	// KeyEnv names an environment variable holding a base64-encoded 32-byte
	// AES-256 key for user-supplied (static) key encryption.
	KeyEnv string `mapstructure:"key_env" yaml:"key_env,omitempty"`
	// PostQuantumSeedEnv names an environment variable holding a base64-encoded
	// ML-KEM-768 decapsulation-key seed for quantum-resistant encryption.
	PostQuantumSeedEnv string `mapstructure:"post_quantum_seed_env" yaml:"post_quantum_seed_env,omitempty"`
}

EncryptionConfig configures client-side merge-store encryption. Exactly one of KMSKeyID, KeyEnv, or PostQuantumSeedEnv must be set when Enabled.

type ExecutionContextConfig

type ExecutionContextConfig struct {
	Type              ExecutionContextType `mapstructure:"type" yaml:"type"`
	AccountID         string               `mapstructure:"account_id" yaml:"account_id"`
	Delegation        *DelegationConfig    `mapstructure:"delegation" yaml:"delegation"`
	CustomRolePattern string               `mapstructure:"custom_role_pattern" yaml:"custom_role_pattern"`
}

ExecutionContextConfig defines where the pipeline is running from

type ExecutionContextType

type ExecutionContextType string

ExecutionContextType defines where the pipeline runs from

const (
	// ExecutionContextManagement runs from the AWS Organizations management account
	ExecutionContextManagement ExecutionContextType = "management_account"
	// ExecutionContextDelegated runs from a delegated administrator account
	ExecutionContextDelegated ExecutionContextType = "delegated_admin"
	// ExecutionContextHub runs from a custom secrets hub account
	ExecutionContextHub ExecutionContextType = "hub_account"
)

type ExecutionRoleConfig

type ExecutionRoleConfig struct {
	Name string `mapstructure:"name" yaml:"name"`
	Path string `mapstructure:"path" yaml:"path"`
}

ExecutionRoleConfig defines the cross-account execution role

type Graph

type Graph struct {
	Nodes map[string]*Node
}

Graph represents the dependency graph for targets

func BuildGraph

func BuildGraph(cfg *Config) (*Graph, error)

BuildGraph builds a dependency graph from the configuration

func NewGraph

func NewGraph() *Graph

NewGraph creates a new dependency graph

func (*Graph) GroupByLevel

func (g *Graph) GroupByLevel() [][]string

GroupByLevel groups targets by their dependency level

func (*Graph) IncludeDependencies

func (g *Graph) IncludeDependencies(targets []string) []string

IncludeDependencies expands a list of targets to include their dependencies

func (*Graph) PrintGraph

func (g *Graph) PrintGraph() string

PrintGraph returns a visual representation of the graph

func (*Graph) TopologicalOrder

func (g *Graph) TopologicalOrder() []string

TopologicalOrder returns targets in dependency order (base first, then derived)

type IdentityCenterConfig

type IdentityCenterConfig struct {
	Enabled         bool   `mapstructure:"enabled" yaml:"enabled"`
	AutoDiscover    bool   `mapstructure:"auto_discover" yaml:"auto_discover"`
	InstanceARN     string `mapstructure:"instance_arn" yaml:"instance_arn"`
	IdentityStoreID string `mapstructure:"identity_store_id" yaml:"identity_store_id"`
}

IdentityCenterConfig configures AWS Identity Center (SSO) integration

type IdentityCenterDiscovery

type IdentityCenterDiscovery struct {
	Group         string `mapstructure:"group" yaml:"group"`
	PermissionSet string `mapstructure:"permission_set" yaml:"permission_set"`
}

IdentityCenterDiscovery discovers accounts from Identity Center

type KubernetesAuth

type KubernetesAuth struct {
	Role      string `mapstructure:"role" yaml:"role"`
	MountPath string `mapstructure:"mount_path" yaml:"mount_path"`
}

KubernetesAuth configures Kubernetes authentication

type LogConfig

type LogConfig struct {
	Level  string `mapstructure:"level" yaml:"level"`
	Format string `mapstructure:"format" yaml:"format"`
}

LogConfig controls logging behavior

type MatchConfidence

type MatchConfidence string

MatchConfidence indicates how confident the match is

const (
	// MatchExact means the name matched exactly
	MatchExact MatchConfidence = "exact"
	// MatchNormalized means the name matched after JSON key normalization
	MatchNormalized MatchConfidence = "normalized"
	// MatchFuzzy means the name matched via fuzzy/loose matching
	MatchFuzzy MatchConfidence = "fuzzy"
	// MatchAccountID means matched by AWS account ID
	MatchAccountID MatchConfidence = "account_id"
	// MatchNone means no match was found
	MatchNone MatchConfidence = "none"
)

type MergeRequest

type MergeRequest struct {
	// Sources in priority order (later sources override earlier on conflict)
	Sources []string

	// Target name (for organizational purposes)
	Target string

	// DryRun if true, don't actually write
	DryRun bool
}

MergeRequest represents a request to merge N sources into a bundle

type MergeSettings

type MergeSettings struct {
	Parallel int `mapstructure:"parallel" yaml:"parallel"`
}

MergeSettings configures the merge phase

type MergeStoreConfig

type MergeStoreConfig struct {
	Vault *MergeStoreVault `mapstructure:"vault" yaml:"vault"`
	S3    *MergeStoreS3    `mapstructure:"s3" yaml:"s3"`
}

MergeStoreConfig defines intermediate storage for merged secrets

type MergeStoreS3

type MergeStoreS3 struct {
	Bucket   string `mapstructure:"bucket" yaml:"bucket"`
	Prefix   string `mapstructure:"prefix" yaml:"prefix"`
	KMSKeyID string `mapstructure:"kms_key_id" yaml:"kms_key_id"`

	// Encryption configures optional client-side envelope encryption of bundles
	// (zero-knowledge mode) — distinct from KMSKeyID's server-side SSE-KMS.
	Encryption *EncryptionConfig `mapstructure:"encryption" yaml:"encryption,omitempty"`

	// ReplicaRegions replicates every merged bundle to the same bucket name in
	// each listed region for cross-region durability and read-locality. A
	// regionally-named bucket per region is assumed (bucket + "-" + region) when
	// ReplicaBucketPattern is empty.
	ReplicaRegions []string `mapstructure:"replica_regions" yaml:"replica_regions,omitempty"`
	// RequireAllReplicas fails a write if any replica write fails (default:
	// best-effort, primary success is enough).
	RequireAllReplicas bool `mapstructure:"require_all_replicas" yaml:"require_all_replicas,omitempty"`

	// Version management
	Versioning *VersioningConfig `mapstructure:"versioning" yaml:"versioning"`
}

MergeStoreS3 uses S3 as the merge store

type MergeStoreVault

type MergeStoreVault struct {
	Mount string `mapstructure:"mount" yaml:"mount"`
}

MergeStoreVault uses Vault as the merge store

type NameMatcher

type NameMatcher struct {
	// contains filtered or unexported fields
}

NameMatcher handles fuzzy matching of AWS account names to targets

func NewNameMatcher

func NewNameMatcher(cfg *NameMatchingConfig) *NameMatcher

NewNameMatcher creates a new name matcher with the given config

func (*NameMatcher) MatchAccountToTarget

func (m *NameMatcher) MatchAccountToTarget(accountName string, patterns []AccountNamePattern) (string, bool)

MatchAccountToTarget finds the best matching target for an account name using configured patterns and fuzzy matching strategy

func (*NameMatcher) NormalizeAccountName

func (m *NameMatcher) NormalizeAccountName(name string) string

NormalizeAccountName normalizes an account name for fuzzy matching Applies configured normalizations: case folding, prefix/suffix stripping, etc.

func (*NameMatcher) ResolveAccountImports

func (m *NameMatcher) ResolveAccountImports(
	acct AccountInfo,
	patterns []AccountNamePattern,
	defaultImports []string,
	targetConfigs map[string]Target,
) []string

ResolveAccountImports resolves which imports an account should inherit based on fuzzy matching its name to configured patterns

type NameMatchingConfig

type NameMatchingConfig struct {
	// Strategy: "exact", "fuzzy", or "loose" (default: "exact")
	// - exact: names must match exactly (case-insensitive by default)
	// - fuzzy: partial substring matching with normalization
	// - loose: most permissive, applies all normalizations
	Strategy string `mapstructure:"strategy" yaml:"strategy"`

	// NormalizeKeys: apply JSON key normalization (default: false)
	// Converts underscores to hyphens, removes special chars
	NormalizeKeys bool `mapstructure:"normalize_keys" yaml:"normalize_keys"`

	// CaseInsensitive: case-insensitive matching (default: true)
	CaseInsensitive bool `mapstructure:"case_insensitive" yaml:"case_insensitive"`

	// StripPrefixes: prefixes to remove before matching
	// Common values: ["aws-", "fsc-", "org-"]
	StripPrefixes []string `mapstructure:"strip_prefixes" yaml:"strip_prefixes"`

	// StripSuffixes: suffixes to remove before matching
	// Common values: ["-account", "-acct"]
	StripSuffixes []string `mapstructure:"strip_suffixes" yaml:"strip_suffixes"`
}

NameMatchingConfig configures fuzzy account name matching

type Node

type Node struct {
	Name       string
	Type       NodeType
	Level      int      // Dependency depth (0 = no dependencies)
	Deps       []string // Nodes this depends on
	DependedBy []string // Nodes that depend on this
}

Node represents a node in the dependency graph

type NodeType

type NodeType int

NodeType represents the type of node in the dependency graph

const (
	NodeTypeSource NodeType = iota
	NodeTypeTarget
)

type OUConfig

type OUConfig struct {
	ID       string              `mapstructure:"id" yaml:"id"`
	Accounts []string            `mapstructure:"accounts" yaml:"accounts"`
	Children map[string]OUConfig `mapstructure:"children" yaml:"children"`
}

OUConfig represents an Organizational Unit

type ObservabilityConfig

type ObservabilityConfig struct {
	Tracing       observability.TracingConfig        `mapstructure:"tracing" yaml:"tracing,omitempty"`
	CustomMetrics []observability.CustomMetricConfig `mapstructure:"custom_metrics" yaml:"custom_metrics,omitempty"`
}

ObservabilityConfig configures metrics and distributed tracing.

type Operation

type Operation string

Operation defines what the pipeline should do

const (
	// OperationMerge only performs the merge phase (sources → merge store)
	OperationMerge Operation = "merge"
	// OperationSync only performs the sync phase (merge store → destinations)
	OperationSync Operation = "sync"
	// OperationPipeline performs both merge and sync in order
	OperationPipeline Operation = "pipeline"
)

type Options

type Options struct {
	Operation       Operation
	Targets         []string
	DryRun          bool
	ContinueOnError bool
	Parallelism     int
	ComputeDiff     bool
	OutputFormat    diff.OutputFormat
}

Options configures pipeline execution

func DefaultOptions

func DefaultOptions() Options

DefaultOptions returns sensible default options

type OrganizationInfo

type OrganizationInfo struct {
	ID                  string
	MasterAccountID     string
	MasterAccountARN    string
	IsManagementAccount bool
	IsDelegatedAdmin    bool
	DelegatedServices   []string
}

OrganizationInfo contains AWS Organizations information

type OrganizationsConfig

type OrganizationsConfig struct {
	AutoDiscover bool                `mapstructure:"auto_discover" yaml:"auto_discover"`
	RootID       string              `mapstructure:"root_id" yaml:"root_id"`
	OUs          map[string]OUConfig `mapstructure:"ous" yaml:"ous"`
}

OrganizationsConfig configures AWS Organizations integration

type OrganizationsDiscovery

type OrganizationsDiscovery struct {
	Tags         map[string][]string `mapstructure:"tags" yaml:"tags"`
	Recursive    bool                `mapstructure:"recursive" yaml:"recursive"`
	NameMatching *NameMatchingConfig `mapstructure:"name_matching" yaml:"name_matching"`

	OUs              []string    `mapstructure:"ous" yaml:"ous"`
	TagFilters       []TagFilter `mapstructure:"tag_filters" yaml:"tag_filters"`
	TagCombination   string      `mapstructure:"tag_combination" yaml:"tag_combination"`       // "AND" or "OR", default "AND"
	ExcludeStatuses  []string    `mapstructure:"exclude_statuses" yaml:"exclude_statuses"`     // e.g., ["SUSPENDED", "CLOSED"]
	CacheOUStructure bool        `mapstructure:"cache_ou_structure" yaml:"cache_ou_structure"` // Cache OU hierarchy
}

OrganizationsDiscovery discovers accounts from AWS Organizations

func (*OrganizationsDiscovery) UnmarshalYAML

func (o *OrganizationsDiscovery) UnmarshalYAML(value *yaml.Node) error

UnmarshalYAML rejects removed single-OU configuration instead of silently ignoring it.

type Pipeline

type Pipeline struct {
	// contains filtered or unexported fields
}

Pipeline is the main orchestrator for secrets synchronization

func New

func New(cfg *Config) (*Pipeline, error)

New creates a new Pipeline from configuration

func NewFromFile

func NewFromFile(path string) (*Pipeline, error)

NewFromFile creates a Pipeline from a configuration file

func NewFromFileWithContext

func NewFromFileWithContext(ctx context.Context, path string) (*Pipeline, error)

NewFromFileWithContext creates a Pipeline from a configuration file with context

func NewWithContext

func NewWithContext(ctx context.Context, cfg *Config) (*Pipeline, error)

NewWithContext creates a new Pipeline with AWS execution context

func NewWithContextAndRuntimeAuth

func NewWithContextAndRuntimeAuth(ctx context.Context, cfg *Config, auth *RuntimeAuth) (*Pipeline, error)

NewWithContextAndRuntimeAuth creates a new Pipeline with explicit runtime authentication material supplied by an embedding caller.

func (*Pipeline) Config

func (p *Pipeline) Config() *Config

Config returns the pipeline configuration

func (*Pipeline) Diff

func (p *Pipeline) Diff() *diff.PipelineDiff

Diff returns the computed diff from the last Run

func (*Pipeline) ExitCode

func (p *Pipeline) ExitCode() int

ExitCode returns the appropriate exit code based on diff results 0 = no changes (zero-sum), 1 = changes detected, 2 = errors

func (*Pipeline) FormatDiff

func (p *Pipeline) FormatDiff(format diff.OutputFormat) string

FormatDiff returns the formatted diff output

func (*Pipeline) GetBundlePath

func (p *Pipeline) GetBundlePath(targetName string) (string, error)

GetBundlePath returns the current bundle path for a target (for sync phase to use)

func (*Pipeline) Graph

func (p *Pipeline) Graph() *Graph

Graph returns the dependency graph

func (*Pipeline) Results

func (p *Pipeline) Results() []Result

Results returns the results from the last Run

func (*Pipeline) Run

func (p *Pipeline) Run(ctx context.Context, opts Options) ([]Result, error)

Run executes the pipeline with the given options. Each operation (merge, sync) is distinct and idempotent.

func (*Pipeline) Shutdown

func (p *Pipeline) Shutdown(ctx context.Context) error

Shutdown flushes and releases pipeline-owned resources (currently the tracer provider). It is safe to call even when tracing was never configured.

type PipelineRequest

type PipelineRequest struct {
	// Sources in priority order for merge
	Sources []string

	// Targets to sync the merged bundle to
	Targets []string

	// DryRun if true, don't actually write
	DryRun bool
}

PipelineRequest is merge + sync as a single operation

func (*PipelineRequest) GetBundleID

func (r *PipelineRequest) GetBundleID() string

GetBundleID returns the deterministic bundle ID for this request

func (*PipelineRequest) GetMergePath

func (r *PipelineRequest) GetMergePath(mount string) string

GetMergePath returns the merge store path for this request

type PipelineSettings

type PipelineSettings struct {
	Merge           MergeSettings  `mapstructure:"merge" yaml:"merge"`
	Sync            SyncSettings   `mapstructure:"sync" yaml:"sync"`
	Rollback        RollbackConfig `mapstructure:"rollback" yaml:"rollback,omitempty"`
	DryRun          bool           `mapstructure:"dry_run" yaml:"dry_run"`
	ContinueOnError bool           `mapstructure:"continue_on_error" yaml:"continue_on_error"`
}

PipelineSettings configures pipeline execution

type ReplicatingBundleStore

type ReplicatingBundleStore struct {

	// RequireAllReplicas, when true, fails a write if any replica write fails.
	// When false (default), replica failures are logged and the write succeeds
	// as long as the primary write succeeds.
	RequireAllReplicas bool
	// contains filtered or unexported fields
}

ReplicatingBundleStore writes every merged bundle to a primary bundle store and, synchronously, to one or more replica stores in other regions, giving cross-region durability and read-locality. Reads come from the primary and fall back to replicas in order, so a primary-region outage still serves bundles for the sync phase.

func NewReplicatingBundleStore

func NewReplicatingBundleStore(primary driver.BundleStore, replicas ...driver.BundleStore) *ReplicatingBundleStore

NewReplicatingBundleStore composes a primary with zero or more replicas.

func (*ReplicatingBundleStore) ReadMergedBundle

func (r *ReplicatingBundleStore) ReadMergedBundle(ctx context.Context, targetName, bundleID string) (map[string]map[string]interface{}, error)

ReadMergedBundle reads from the primary, falling back to each replica in order on failure (regional outage or missing object).

func (*ReplicatingBundleStore) WriteMergedBundle

func (r *ReplicatingBundleStore) WriteMergedBundle(ctx context.Context, targetName, bundleID string, secrets map[string]interface{}) error

WriteMergedBundle writes to the primary first (a primary failure aborts), then to each replica.

type ResolvedResource

type ResolvedResource struct {
	// OriginalName is the name as provided by the user
	OriginalName string
	// ResolvedName is the normalized/matched name
	ResolvedName string
	// Type indicates whether this is an AWS account or Vault mount
	Type ResourceType
	// AccountID is set if Type is ResourceTypeAWSAccount
	AccountID string
	// VaultMount is set if Type is ResourceTypeVaultMount
	VaultMount string
	// MatchConfidence indicates how the match was made
	MatchConfidence MatchConfidence
}

ResolvedResource represents a resolved source or destination

type ResourceResolver

type ResourceResolver struct {
	// contains filtered or unexported fields
}

ResourceResolver resolves source/destination names to concrete resources

func NewResourceResolver

func NewResourceResolver(ctx context.Context, cfg *Config) *ResourceResolver

NewResourceResolver creates a resolver that auto-detects resources

func (*ResourceResolver) Initialize

func (r *ResourceResolver) Initialize(awsCtx *AWSExecutionContext) error

Initialize loads AWS accounts and Vault mounts for resolution

func (*ResourceResolver) Resolve

func (r *ResourceResolver) Resolve(name string) ResolvedResource

Resolve determines what type of resource a name refers to Priority: 1) Exact AWS account ID, 2) Exact AWS name, 3) Fuzzy AWS match, 4) Vault mount

func (*ResourceResolver) ResolveAll

func (r *ResourceResolver) ResolveAll(names []string) []ResolvedResource

ResolveAll resolves a list of names

type ResourceType

type ResourceType string

ResourceType identifies the type of a source/destination

const (
	// ResourceTypeAWSAccount indicates an AWS account (discovered via Organizations)
	ResourceTypeAWSAccount ResourceType = "aws_account"
	// ResourceTypeVaultMount indicates a Vault KV2 mount
	ResourceTypeVaultMount ResourceType = "vault_mount"
	// ResourceTypeUnknown indicates the resource could not be resolved
	ResourceTypeUnknown ResourceType = "unknown"
)

type Result

type Result struct {
	Target    string           `json:"target"`
	Phase     string           `json:"phase"`
	Operation string           `json:"operation"`
	Success   bool             `json:"success"`
	Error     error            `json:"error,omitempty"`
	Duration  time.Duration    `json:"duration"`
	Details   ResultDetails    `json:"details,omitempty"`
	Diff      *diff.TargetDiff `json:"diff,omitempty"`
}

Result represents the outcome of a single target operation

type ResultDetails

type ResultDetails struct {
	SecretsProcessed int      `json:"secrets_processed,omitempty"`
	SecretsAdded     int      `json:"secrets_added,omitempty"`
	SecretsModified  int      `json:"secrets_modified,omitempty"`
	SecretsRemoved   int      `json:"secrets_removed,omitempty"`
	SecretsUnchanged int      `json:"secrets_unchanged,omitempty"`
	SourcePaths      []string `json:"source_paths,omitempty"`
	DestinationPath  string   `json:"destination_path,omitempty"`
	RoleARN          string   `json:"role_arn,omitempty"`
	FailedImports    []string `json:"failed_imports,omitempty"`
	Message          string   `json:"message,omitempty"`
}

ResultDetails contains additional information about the operation

type RollbackConfig

type RollbackConfig struct {
	// Enabled turns on pre-sync snapshotting and post-failure restore.
	Enabled bool `mapstructure:"enabled" yaml:"enabled"`
	// MaxSecrets is a safety cap: rollback is skipped (and the failure left as-is
	// with a clear error) if the target holds more than this many secrets, to
	// avoid a large unintended restore. 0 means no cap.
	MaxSecrets int `mapstructure:"max_secrets" yaml:"max_secrets,omitempty"`
}

RollbackConfig configures automatic rollback on sync failure.

type RuntimeAuth

type RuntimeAuth struct {
	DelegateAuth bool              `json:"-" yaml:"-"`
	Vault        *VaultRuntimeAuth `json:"-" yaml:"-"`
	AWS          *AWSRuntimeAuth   `json:"-" yaml:"-"`
}

RuntimeAuth carries caller-owned provider authentication material into a pipeline run. It is intentionally excluded from YAML configuration and should be supplied by embedding packages, bindings, or in-process callers.

type S3MergeStore

type S3MergeStore struct {
	Bucket   string
	Prefix   string
	KMSKeyID string
	Region   string

	// Version management
	VersioningEnabled bool
	RetainVersions    int

	// Cipher, when set, performs client-side envelope encryption of bundle
	// bodies before upload (zero-knowledge mode) — S3 never sees plaintext.
	// This is independent of the server-side KMSKeyID (SSE-KMS) field.
	Cipher crypto.Cipher
	// contains filtered or unexported fields
}

S3MergeStore implements a merge store using S3 for intermediate secret storage. This is useful when you want to use S3 as a central repository for merged secrets before syncing to target accounts, or for audit/backup purposes.

func NewS3MergeStore

func NewS3MergeStore(ctx context.Context, cfg *MergeStoreS3, region string) (*S3MergeStore, error)

NewS3MergeStore creates a new S3-based merge store

func NewS3MergeStoreWithRuntimeAuth

func NewS3MergeStoreWithRuntimeAuth(ctx context.Context, cfg *MergeStoreS3, region string, auth *AWSRuntimeAuth) (*S3MergeStore, error)

NewS3MergeStoreWithRuntimeAuth creates a new S3-based merge store using caller-supplied AWS session material when provided.

func (*S3MergeStore) DeleteBundle

func (s *S3MergeStore) DeleteBundle(ctx context.Context, targetName, bundleID string) error

DeleteBundle deletes a bundle from S3

func (*S3MergeStore) DeleteSecret

func (s *S3MergeStore) DeleteSecret(ctx context.Context, targetName, secretName string) error

DeleteSecret deletes a secret from S3

func (*S3MergeStore) GetBundlePath

func (s *S3MergeStore) GetBundlePath(targetName, bundleID string) string

GetBundlePath returns the S3 path for a specific bundle

func (*S3MergeStore) GetLatest

func (s *S3MergeStore) GetLatest(ctx context.Context, path string) (*SecretVersion, error)

GetLatest retrieves the latest version of a secret

func (*S3MergeStore) GetMergePath

func (s *S3MergeStore) GetMergePath(targetName string) string

GetMergePath returns the S3 "path" representation for a target This is used for logging and reporting purposes

func (*S3MergeStore) GetVersion

func (s *S3MergeStore) GetVersion(ctx context.Context, path string, version int) (*SecretVersion, error)

GetVersion retrieves a specific version of a secret

func (*S3MergeStore) ListSecrets

func (s *S3MergeStore) ListSecrets(ctx context.Context, targetName string) ([]string, error)

ListSecrets lists all secrets for a target

func (*S3MergeStore) ListVersions

func (s *S3MergeStore) ListVersions(ctx context.Context, path string) ([]SecretVersion, error)

ListVersions lists all versions of a secret

func (*S3MergeStore) ReadMergedBundle

func (s *S3MergeStore) ReadMergedBundle(ctx context.Context, targetName, bundleID string) (map[string]map[string]interface{}, error)

ReadMergedBundle reads a complete merged bundle from S3

func (*S3MergeStore) ReadSecret

func (s *S3MergeStore) ReadSecret(ctx context.Context, targetName, secretName string) (map[string]interface{}, error)

ReadSecret reads a secret from S3

func (*S3MergeStore) StoreVersion

func (s *S3MergeStore) StoreVersion(ctx context.Context, secret *SecretVersion) error

StoreVersion stores a new version of a secret

func (*S3MergeStore) WriteMergedBundle

func (s *S3MergeStore) WriteMergedBundle(ctx context.Context, targetName, bundleID string, secrets map[string]interface{}) error

WriteMergedBundle writes a complete merged bundle to S3 as a single JSON blob

func (*S3MergeStore) WriteSecret

func (s *S3MergeStore) WriteSecret(ctx context.Context, targetName, secretName string, data map[string]interface{}) error

WriteSecret writes a secret to S3

type SecretVersion

type SecretVersion struct {
	Path      string                 `json:"path"`
	Version   int                    `json:"version"`
	Data      map[string]interface{} `json:"data"`
	Timestamp time.Time              `json:"timestamp"`
	Hash      string                 `json:"hash,omitempty"`
}

SecretVersion represents a versioned secret with metadata

type Source

type Source struct {
	Vault *VaultSource `mapstructure:"vault" yaml:"vault"`
	AWS   *AWSSource   `mapstructure:"aws" yaml:"aws"`
}

Source defines where secrets can be imported from

type SyncRequest

type SyncRequest struct {
	// BundlePath is the merge store path containing the merged secrets
	BundlePath string

	// Targets to sync to (account IDs or target names)
	Targets []string

	// DryRun if true, don't actually write
	DryRun bool
}

SyncRequest represents a request to sync a bundle to target(s)

type SyncSettings

type SyncSettings struct {
	Parallel      int  `mapstructure:"parallel" yaml:"parallel"`
	DeleteOrphans bool `mapstructure:"delete_orphans" yaml:"delete_orphans"`
}

SyncSettings configures the sync phase

type TagFilter

type TagFilter struct {
	Key      string   `mapstructure:"key" yaml:"key"`
	Values   []string `mapstructure:"values" yaml:"values"`
	Operator string   `mapstructure:"operator" yaml:"operator"` // "equals", "contains", "wildcard", default "equals"
}

TagFilter represents a single tag filtering condition with wildcard support

type Target

type Target struct {
	AccountID    string   `mapstructure:"account_id" yaml:"account_id"`
	Imports      []string `mapstructure:"imports" yaml:"imports"`
	Region       string   `mapstructure:"region" yaml:"region"`
	SecretPrefix string   `mapstructure:"secret_prefix" yaml:"secret_prefix"`
	RoleARN      string   `mapstructure:"role_arn" yaml:"role_arn"`

	// Backend selects the sync destination driver. When unset it defaults to
	// AWS Secrets Manager, preserving the historical AWS-only behavior. Set it
	// to route a target to Azure, GCP, Kubernetes, HTTP, or Vault instead.
	Backend *TargetBackendConfig `mapstructure:"backend" yaml:"backend,omitempty"`

	// Tags are arbitrary key/value labels on the target, usable by conditional
	// sync rules.
	Tags map[string]string `mapstructure:"tags" yaml:"tags,omitempty"`

	// Conditions gate whether this target syncs (environment, tag, time-window).
	// When unset the target always syncs.
	Conditions *condition.Config `mapstructure:"conditions" yaml:"conditions,omitempty"`
}

Target defines a sync destination. Supports two YAML formats:

  1. Explicit: target: {account_id: "...", imports: [...]}
  2. Shorthand inheritance: target: [parent1, parent2] (list IS the imports)

func (*Target) UnmarshalYAML

func (t *Target) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements custom YAML unmarshaling to support shorthand format.

type TargetBackendConfig

type TargetBackendConfig struct {
	Driver  string         `mapstructure:"driver" yaml:"driver"`
	Path    string         `mapstructure:"path" yaml:"path,omitempty"`
	Options map[string]any `mapstructure:"options" yaml:"options,omitempty"`
}

TargetBackendConfig selects and configures a non-default sync target backend. Driver is a driver.DriverName ("azure", "gcp", "kubernetes", "http", "vault", "aws"); Path is the backend's scope (mount, namespace, base URL, ...); Options carries driver-specific settings consumed by that backend's factory.

type TokenAuth

type TokenAuth struct {
	Token string `mapstructure:"token" yaml:"token"`
}

TokenAuth configures token authentication

type VaultAuthConfig

type VaultAuthConfig struct {
	AppRole    *AppRoleAuth    `mapstructure:"approle" yaml:"approle"`
	Token      *TokenAuth      `mapstructure:"token" yaml:"token"`
	Kubernetes *KubernetesAuth `mapstructure:"kubernetes" yaml:"kubernetes"`
}

VaultAuthConfig supports multiple authentication methods

type VaultConfig

type VaultConfig struct {
	Address   string          `mapstructure:"address" yaml:"address"`
	Namespace string          `mapstructure:"namespace" yaml:"namespace"`
	Auth      VaultAuthConfig `mapstructure:"auth" yaml:"auth"`

	// Traversal configuration for recursive secret listing
	// These settings control memory usage and performance during large Vault traversals
	MaxTraversalDepth        int `mapstructure:"max_traversal_depth" yaml:"max_traversal_depth,omitempty"`
	MaxSecretsPerMount       int `mapstructure:"max_secrets_per_mount" yaml:"max_secrets_per_mount,omitempty"`
	QueueCompactionThreshold int `mapstructure:"queue_compaction_threshold" yaml:"queue_compaction_threshold,omitempty"`
}

VaultConfig configures Vault connection and authentication

type VaultDetection

type VaultDetection struct {
	Available bool
	Address   string
	AuthType  string // token, approle, kubernetes, aws-iam
}

VaultDetection contains Vault auto-detection results

type VaultRuntimeAuth

type VaultRuntimeAuth struct {
	Address   string `json:"-" yaml:"-"`
	Namespace string `json:"-" yaml:"-"`
	Token     string `json:"-" yaml:"-"`
}

VaultRuntimeAuth describes an authenticated Vault medium supplied by an upstream package. Token is runtime-only and must not be serialized.

type VaultSource

type VaultSource struct {
	Address   string   `mapstructure:"address" yaml:"address"`
	Namespace string   `mapstructure:"namespace" yaml:"namespace"`
	Mount     string   `mapstructure:"mount" yaml:"mount"`
	Paths     []string `mapstructure:"paths" yaml:"paths"`

	// Traversal configuration for recursive secret listing
	// These settings control memory usage and performance during large Vault traversals
	MaxTraversalDepth        int `mapstructure:"max_traversal_depth" yaml:"max_traversal_depth,omitempty"`
	MaxSecretsPerMount       int `mapstructure:"max_secrets_per_mount" yaml:"max_secrets_per_mount,omitempty"`
	QueueCompactionThreshold int `mapstructure:"queue_compaction_threshold" yaml:"queue_compaction_threshold,omitempty"`
}

VaultSource imports secrets from a Vault KV2 mount

type VersionStore

type VersionStore interface {
	GetVersion(ctx context.Context, path string, version int) (*SecretVersion, error)
	ListVersions(ctx context.Context, path string) ([]SecretVersion, error)
	GetLatest(ctx context.Context, path string) (*SecretVersion, error)
	StoreVersion(ctx context.Context, secret *SecretVersion) error
}

VersionStore interface for version management

type VersioningConfig

type VersioningConfig struct {
	Enabled        bool `mapstructure:"enabled" yaml:"enabled"`
	RetainVersions int  `mapstructure:"retain_versions" yaml:"retain_versions"`
}

VersioningConfig configures secret versioning

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL