Documentation
¶
Overview ¶
Package pipeline provides automatic detection of available clients and features. Clients are auto-enabled based on environment variables - no explicit config required.
Package pipeline provides AWS execution context management for multi-account operations.
AWS Organizations supports two primary patterns for cross-account operations:
1. MANAGEMENT ACCOUNT: The root account that owns the AWS Organization
- Has implicit trust from OrganizationAccountAccessRole in all member accounts
- Can assume AWSControlTowerExecution in Control Tower enrolled accounts
- Full Organizations API access
- Full Identity Center admin access
- NOT recommended for production workloads (security best practice)
2. DELEGATED ADMINISTRATOR: A member account with delegated permissions
- Requires explicit delegation via Organizations RegisterDelegatedAdministrator
- Can be delegated for specific services (SSO, CloudFormation StackSets, etc.)
- More secure - separates admin workloads from org management
- Requires custom cross-account role deployment (StackSets, AFT, etc.)
This package handles both patterns and provides a unified interface for cross-account secrets synchronization.
Package pipeline provides unified configuration and orchestration for secrets syncing pipelines. It supports AWS Control Tower / Organizations patterns for multi-account secrets management.
Package pipeline provides fuzzy account name matching for dynamic target discovery. Supports multiple matching strategies for resolving AWS account names to target configurations.
Package pipeline provides dynamic target discovery from AWS Organizations and Identity Center.
Package pipeline provides a unified secrets synchronization pipeline.
Architecture:
┌─────────────────────────────────────────────────────────────────────────┐
│ Pipeline Configuration │
│ (YAML file or programmatic) │
└─────────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────────┐
│ Pipeline Engine │
│ • Dependency graph resolution │
│ • Topological ordering │
│ • Parallel execution within levels │
│ • Each operation is distinct and idempotent │
└─────────────────────────────────────────────────────────────────────────┘
│
┌─────────────────────────┴─────────────────────────┐
▼ ▼
┌─────────────────┐ ┌─────────────────┐
│ Merge Phase │ │ Sync Phase │
│ Vault → Vault │ │ Vault → AWS │
│ (or S3) │ │ │
└─────────────────┘ └─────────────────┘
Operations:
- merge: Source stores → Merge store (with inheritance resolution)
- sync: Merge store → Destination stores (AWS)
- pipeline: merge + sync in correct dependency order
Each operation is distinct and idempotent. Running the same operation multiple times produces the same result.
Package pipeline provides automatic resolution of sources and destinations. Supports fuzzy matching of AWS account names with JSON key normalization.
Package pipeline provides S3-based merge store implementation for secrets aggregation.
Package pipeline provides unified configuration and orchestration for secrets syncing pipelines.
Index ¶
- func AutoResolveConfig(ctx context.Context, cfg *Config, awsCtx *AWSExecutionContext) error
- func BundleID(sources []string) string
- func BundlePath(mount string, sources []string) string
- func ExpandDynamicTargets(ctx context.Context, cfg *Config, awsCtx *AWSExecutionContext) error
- func TargetBundlePath(mount, targetName string, sources []string) string
- type AWSConfig
- type AWSDetection
- type AWSExecutionContext
- func (ec *AWSExecutionContext) AssumeRoleConfig(ctx context.Context, accountID string) (aws.Config, error)
- func (ec *AWSExecutionContext) CanAccessIdentityCenter() bool
- func (ec *AWSExecutionContext) CanAccessOrganizations() bool
- func (ec *AWSExecutionContext) GetAccountTags(ctx context.Context, accountID string) (map[string]string, error)
- func (ec *AWSExecutionContext) GetIdentityCenterClient(ctx context.Context) (*ssoadmin.Client, error)
- func (ec *AWSExecutionContext) GetRoleARN(accountID string) string
- func (ec *AWSExecutionContext) GetSSMParameter(ctx context.Context, name string) (string, error)
- func (ec *AWSExecutionContext) ListAccountsInOU(ctx context.Context, ouID string) ([]AccountInfo, error)
- func (ec *AWSExecutionContext) ListChildOUs(ctx context.Context, parentID string) ([]string, error)
- func (ec *AWSExecutionContext) ListOrganizationAccounts(ctx context.Context) ([]AccountInfo, error)
- func (ec *AWSExecutionContext) Summary() string
- type AWSRuntimeAuth
- type AWSSource
- type AccountFactoryConfig
- type AccountInfo
- type AccountNamePattern
- type AccountsListDiscovery
- type AppRoleAuth
- type AuditConfig
- type AuthProviders
- type CallerIdentity
- type Config
- func (c *Config) ApplyAutoDetection(detected DetectedClients)
- func (c *Config) AutoConfigure()
- func (c *Config) AutoDetectAndConfigure() DetectedClients
- func (c *Config) GetRoleARN(accountID string) string
- func (c *Config) GetSourcePath(importName string) string
- func (c *Config) IsInheritedTarget(targetName string) bool
- func (c *Config) Validate() error
- func (c *Config) ValidateTargetInheritance() error
- func (c *Config) WriteConfig(path string) error
- type ControlTowerConfig
- type DelegationConfig
- type DetectedClients
- type DiscoveryConfig
- type DiscoveryService
- type DynamicTarget
- type EncryptionConfig
- type ExecutionContextConfig
- type ExecutionContextType
- type ExecutionRoleConfig
- type Graph
- type IdentityCenterConfig
- type IdentityCenterDiscovery
- type KubernetesAuth
- type LogConfig
- type MatchConfidence
- type MergeRequest
- type MergeSettings
- type MergeStoreConfig
- type MergeStoreS3
- type MergeStoreVault
- type NameMatcher
- func (m *NameMatcher) MatchAccountToTarget(accountName string, patterns []AccountNamePattern) (string, bool)
- func (m *NameMatcher) NormalizeAccountName(name string) string
- func (m *NameMatcher) ResolveAccountImports(acct AccountInfo, patterns []AccountNamePattern, defaultImports []string, ...) []string
- type NameMatchingConfig
- type Node
- type NodeType
- type OUConfig
- type ObservabilityConfig
- type Operation
- type Options
- type OrganizationInfo
- type OrganizationsConfig
- type OrganizationsDiscovery
- type Pipeline
- func New(cfg *Config) (*Pipeline, error)
- func NewFromFile(path string) (*Pipeline, error)
- func NewFromFileWithContext(ctx context.Context, path string) (*Pipeline, error)
- func NewWithContext(ctx context.Context, cfg *Config) (*Pipeline, error)
- func NewWithContextAndRuntimeAuth(ctx context.Context, cfg *Config, auth *RuntimeAuth) (*Pipeline, error)
- func (p *Pipeline) Config() *Config
- func (p *Pipeline) Diff() *diff.PipelineDiff
- func (p *Pipeline) ExitCode() int
- func (p *Pipeline) FormatDiff(format diff.OutputFormat) string
- func (p *Pipeline) GetBundlePath(targetName string) (string, error)
- func (p *Pipeline) Graph() *Graph
- func (p *Pipeline) Results() []Result
- func (p *Pipeline) Run(ctx context.Context, opts Options) ([]Result, error)
- func (p *Pipeline) Shutdown(ctx context.Context) error
- type PipelineRequest
- type PipelineSettings
- type ReplicatingBundleStore
- type ResolvedResource
- type ResourceResolver
- type ResourceType
- type Result
- type ResultDetails
- type RollbackConfig
- type RuntimeAuth
- type S3MergeStore
- func (s *S3MergeStore) DeleteBundle(ctx context.Context, targetName, bundleID string) error
- func (s *S3MergeStore) DeleteSecret(ctx context.Context, targetName, secretName string) error
- func (s *S3MergeStore) GetBundlePath(targetName, bundleID string) string
- func (s *S3MergeStore) GetLatest(ctx context.Context, path string) (*SecretVersion, error)
- func (s *S3MergeStore) GetMergePath(targetName string) string
- func (s *S3MergeStore) GetVersion(ctx context.Context, path string, version int) (*SecretVersion, error)
- func (s *S3MergeStore) ListSecrets(ctx context.Context, targetName string) ([]string, error)
- func (s *S3MergeStore) ListVersions(ctx context.Context, path string) ([]SecretVersion, error)
- func (s *S3MergeStore) ReadMergedBundle(ctx context.Context, targetName, bundleID string) (map[string]map[string]interface{}, error)
- func (s *S3MergeStore) ReadSecret(ctx context.Context, targetName, secretName string) (map[string]interface{}, error)
- func (s *S3MergeStore) StoreVersion(ctx context.Context, secret *SecretVersion) error
- func (s *S3MergeStore) WriteMergedBundle(ctx context.Context, targetName, bundleID string, ...) error
- func (s *S3MergeStore) WriteSecret(ctx context.Context, targetName, secretName string, ...) error
- type SecretVersion
- type Source
- type SyncRequest
- type SyncSettings
- type TagFilter
- type Target
- type TargetBackendConfig
- type TokenAuth
- type VaultAuthConfig
- type VaultConfig
- type VaultDetection
- type VaultRuntimeAuth
- type VaultSource
- type VersionStore
- type VersioningConfig
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AutoResolveConfig ¶
func AutoResolveConfig(ctx context.Context, cfg *Config, awsCtx *AWSExecutionContext) error
AutoResolveConfig takes a minimal config with just names and resolves everything
func BundleID ¶
BundleID generates a deterministic, reproducible identifier for a merge bundle based on the ordered sequence of sources. Same sources in same order = same ID.
func BundlePath ¶
BundlePath returns the full path in the merge store for a given bundle. Format: {mount}/bundles/{bundle_id}
func ExpandDynamicTargets ¶
func ExpandDynamicTargets(ctx context.Context, cfg *Config, awsCtx *AWSExecutionContext) error
ExpandDynamicTargets expands dynamic targets in the config and merges them with static targets
func TargetBundlePath ¶
TargetBundlePath returns the merge store path for a specific target. This includes the target name for organization but the bundle ID for reproducibility. Format: {mount}/targets/{target_name}/{bundle_id}
Types ¶
type AWSConfig ¶
type AWSConfig struct {
Region string `mapstructure:"region" yaml:"region"`
ExecutionContext ExecutionContextConfig `mapstructure:"execution_context" yaml:"execution_context"`
ControlTower ControlTowerConfig `mapstructure:"control_tower" yaml:"control_tower"`
Organizations OrganizationsConfig `mapstructure:"organizations" yaml:"organizations"`
IdentityCenter IdentityCenterConfig `mapstructure:"identity_center" yaml:"identity_center"`
// MaxRetries overrides the AWS SDK retry attempt count (0 = SDK default).
MaxRetries int `mapstructure:"max_retries" yaml:"max_retries,omitempty"`
// RetryMode selects the SDK retry strategy: "standard" or "adaptive".
RetryMode string `mapstructure:"retry_mode" yaml:"retry_mode,omitempty"`
}
AWSConfig configures AWS with Control Tower / Organizations awareness
type AWSDetection ¶
type AWSDetection struct {
Available bool
Region string
AuthType string // env, iam-role, profile, sso
HasOrgsAccess bool // Can we access Organizations API?
}
AWSDetection contains AWS auto-detection results
type AWSExecutionContext ¶
type AWSExecutionContext struct {
Config *AWSConfig
BaseConfig aws.Config
CallerIdentity *CallerIdentity
OrganizationInfo *OrganizationInfo
// contains filtered or unexported fields
}
AWSExecutionContext manages AWS credentials and cross-account access
func NewAWSExecutionContext ¶
func NewAWSExecutionContext(ctx context.Context, cfg *AWSConfig) (*AWSExecutionContext, error)
NewAWSExecutionContext creates and initializes an AWS execution context
func NewAWSExecutionContextWithRuntimeAuth ¶
func NewAWSExecutionContextWithRuntimeAuth(ctx context.Context, cfg *AWSConfig, auth *AWSRuntimeAuth) (*AWSExecutionContext, error)
NewAWSExecutionContextWithRuntimeAuth creates and initializes an AWS execution context using caller-supplied session material when provided.
func (*AWSExecutionContext) AssumeRoleConfig ¶
func (ec *AWSExecutionContext) AssumeRoleConfig(ctx context.Context, accountID string) (aws.Config, error)
AssumeRoleConfig returns AWS config with assumed role credentials
func (*AWSExecutionContext) CanAccessIdentityCenter ¶
func (ec *AWSExecutionContext) CanAccessIdentityCenter() bool
CanAccessIdentityCenter checks if we can access Identity Center
func (*AWSExecutionContext) CanAccessOrganizations ¶
func (ec *AWSExecutionContext) CanAccessOrganizations() bool
CanAccessOrganizations checks if we can access Organizations API
func (*AWSExecutionContext) GetAccountTags ¶
func (ec *AWSExecutionContext) GetAccountTags(ctx context.Context, accountID string) (map[string]string, error)
GetAccountTags retrieves tags for an AWS account
Performance Note: This method makes an API call for each account. For large organizations with many accounts (100+), consider:
- Limiting discovery scope using OU filters
- Using tag filtering only when necessary
- Monitoring AWS API rate limits (Organizations API throttles at 20 TPS)
Future optimization: Implement batch tag fetching or caching if needed
func (*AWSExecutionContext) GetIdentityCenterClient ¶
func (ec *AWSExecutionContext) GetIdentityCenterClient(ctx context.Context) (*ssoadmin.Client, error)
GetIdentityCenterClient returns an Identity Center client if accessible
func (*AWSExecutionContext) GetRoleARN ¶
func (ec *AWSExecutionContext) GetRoleARN(accountID string) string
GetRoleARN returns the appropriate role ARN for a target account
func (*AWSExecutionContext) GetSSMParameter ¶
GetSSMParameter retrieves a parameter value from SSM Parameter Store
func (*AWSExecutionContext) ListAccountsInOU ¶
func (ec *AWSExecutionContext) ListAccountsInOU(ctx context.Context, ouID string) ([]AccountInfo, error)
ListAccountsInOU returns accounts in a specific Organizational Unit with tags
func (*AWSExecutionContext) ListChildOUs ¶
ListChildOUs returns child Organizational Units for a given parent OU
func (*AWSExecutionContext) ListOrganizationAccounts ¶
func (ec *AWSExecutionContext) ListOrganizationAccounts(ctx context.Context) ([]AccountInfo, error)
ListOrganizationAccounts returns all accounts in the organization with tags
func (*AWSExecutionContext) Summary ¶
func (ec *AWSExecutionContext) Summary() string
Summary returns a summary of the execution context
type AWSRuntimeAuth ¶
type AWSRuntimeAuth struct {
Region string `json:"-" yaml:"-"`
AccessKeyID string `json:"-" yaml:"-"`
SecretAccessKey string `json:"-" yaml:"-"`
SessionToken string `json:"-" yaml:"-"`
RoleARN string `json:"-" yaml:"-"`
EndpointURL string `json:"-" yaml:"-"`
}
AWSRuntimeAuth describes an authenticated AWS medium supplied by an upstream package. Credential fields are runtime-only and must not be serialized.
func (*AWSRuntimeAuth) HasStaticCredentials ¶
func (a *AWSRuntimeAuth) HasStaticCredentials() bool
HasStaticCredentials reports whether the runtime AWS session contains enough material to create an SDK static credentials provider.
type AWSSource ¶
type AWSSource struct {
AccountID string `mapstructure:"account_id" yaml:"account_id"`
Region string `mapstructure:"region" yaml:"region"`
Prefix string `mapstructure:"prefix" yaml:"prefix"`
Tags map[string]string `mapstructure:"tags" yaml:"tags"`
}
AWSSource imports secrets from AWS Secrets Manager
type AccountFactoryConfig ¶
type AccountFactoryConfig struct {
Enabled bool `mapstructure:"enabled" yaml:"enabled"`
OnAccountCreation bool `mapstructure:"on_account_creation" yaml:"on_account_creation"`
AFTIntegration bool `mapstructure:"aft_integration" yaml:"aft_integration"`
}
AccountFactoryConfig configures Account Factory integration
type AccountInfo ¶
AccountInfo contains basic AWS account information
func FilterAccountsByFuzzyMatch ¶
func FilterAccountsByFuzzyMatch(accounts []AccountInfo, matcher *NameMatcher, patterns []string) []AccountInfo
FilterAccountsByFuzzyMatch filters accounts using fuzzy name matching against a list of target account IDs or names
type AccountNamePattern ¶
type AccountNamePattern struct {
// Pattern is a regex pattern to match against normalized account names
Pattern string `mapstructure:"pattern" yaml:"pattern"`
// Target is the target name to use when pattern matches
Target string `mapstructure:"target" yaml:"target"`
}
AccountNamePattern maps discovered accounts to targets
type AccountsListDiscovery ¶
type AccountsListDiscovery struct {
Source string `mapstructure:"source" yaml:"source"`
}
AccountsListDiscovery discovers accounts from an external source
type AppRoleAuth ¶
type AppRoleAuth struct {
Mount string `mapstructure:"mount" yaml:"mount"`
RoleID string `mapstructure:"role_id" yaml:"role_id"`
SecretID string `mapstructure:"secret_id" yaml:"secret_id"`
}
AppRoleAuth configures AppRole authentication
type AuditConfig ¶
type AuditConfig struct {
// File is a local path to append JSONL audit entries to.
File string `mapstructure:"file" yaml:"file,omitempty"`
// S3Bucket/S3Prefix write one immutable object per entry to S3.
S3Bucket string `mapstructure:"s3_bucket" yaml:"s3_bucket,omitempty"`
S3Prefix string `mapstructure:"s3_prefix" yaml:"s3_prefix,omitempty"`
// CloudWatchGroup/CloudWatchStream write entries as CloudWatch log events.
CloudWatchGroup string `mapstructure:"cloudwatch_group" yaml:"cloudwatch_group,omitempty"`
CloudWatchStream string `mapstructure:"cloudwatch_stream" yaml:"cloudwatch_stream,omitempty"`
}
AuditConfig configures tamper-evident audit logging destinations. When no destination is set, auditing is disabled.
type AuthProviders ¶
type AuthProviders struct {
VaultAvailable bool
VaultMethod string // token, approle, kubernetes
AWSAvailable bool
AWSMethod string // env, iam_role, profile
}
DetectAuthProviders checks what authentication is available
func DetectAuth ¶
func DetectAuth(cfg *Config) AuthProviders
DetectAuth automatically detects available authentication providers
type CallerIdentity ¶
CallerIdentity contains AWS STS GetCallerIdentity information
type Config ¶
type Config struct {
Log LogConfig `mapstructure:"log" yaml:"log"`
Vault VaultConfig `mapstructure:"vault" yaml:"vault"`
AWS AWSConfig `mapstructure:"aws" yaml:"aws"`
Sources map[string]Source `mapstructure:"sources" yaml:"sources"`
MergeStore MergeStoreConfig `mapstructure:"merge_store" yaml:"merge_store"`
Targets map[string]Target `mapstructure:"targets" yaml:"targets"`
DynamicTargets map[string]DynamicTarget `mapstructure:"dynamic_targets" yaml:"dynamic_targets"`
Pipeline PipelineSettings `mapstructure:"pipeline" yaml:"pipeline"`
Observability ObservabilityConfig `mapstructure:"observability" yaml:"observability,omitempty"`
Policy policy.Config `mapstructure:"policy" yaml:"policy,omitempty"`
Audit AuditConfig `mapstructure:"audit" yaml:"audit,omitempty"`
}
Config represents the unified pipeline configuration
func LoadConfig ¶
LoadConfig loads configuration from file with auto-detection and resolution.
Auto-detection: Clients are automatically enabled based on environment:
- Vault: VAULT_ADDR, VAULT_TOKEN, VAULT_ROLE_ID/SECRET_ID
- AWS: AWS_ACCESS_KEY_ID, AWS_PROFILE, IAM roles, etc.
Minimal config example (everything else auto-detected):
targets:
Production:
imports: [analytics, data-engineers]
The system will:
- Auto-detect Vault/AWS from environment
- Resolve sources/targets via fuzzy matching against AWS Organizations
- Configure merge store automatically
func LoadConfigWithoutAutoDetect ¶
LoadConfigWithoutAutoDetect loads config without auto-detection (for testing)
func (*Config) ApplyAutoDetection ¶
func (c *Config) ApplyAutoDetection(detected DetectedClients)
ApplyAutoDetection updates config based on auto-detected clients
func (*Config) AutoConfigure ¶
func (c *Config) AutoConfigure()
AutoConfigure applies intelligent defaults and resolves unspecified configuration. Call this after loading config but before validation to fill in gaps.
func (*Config) AutoDetectAndConfigure ¶
func (c *Config) AutoDetectAndConfigure() DetectedClients
AutoDetectAndConfigure performs full auto-detection and config application
func (*Config) GetRoleARN ¶
GetRoleARN returns the role ARN for a target account
func (*Config) GetSourcePath ¶
GetSourcePath returns the full path for a source or inherited target
func (*Config) IsInheritedTarget ¶
IsInheritedTarget checks if a target inherits from another target
func (*Config) Validate ¶
Validate validates the configuration with minimal requirements. The system auto-detects and resolves most configuration via: - AWS Organizations discovery for account resolution - Fuzzy name matching for source/target identification - Auto-detection of Vault vs AWS based on what's available
func (*Config) ValidateTargetInheritance ¶
ValidateTargetInheritance checks for circular dependencies in target inheritance chains
func (*Config) WriteConfig ¶
WriteConfig writes the configuration to a file
type ControlTowerConfig ¶
type ControlTowerConfig struct {
Enabled bool `mapstructure:"enabled" yaml:"enabled"`
ExecutionRole ExecutionRoleConfig `mapstructure:"execution_role" yaml:"execution_role"`
AccountFactory AccountFactoryConfig `mapstructure:"account_factory" yaml:"account_factory"`
}
ControlTowerConfig configures AWS Control Tower integration
type DelegationConfig ¶
type DelegationConfig struct {
Services []string `mapstructure:"services" yaml:"services"`
}
DelegationConfig defines delegated administrator settings
type DetectedClients ¶
type DetectedClients struct {
// Vault client availability
Vault VaultDetection
// AWS client availability
AWS AWSDetection
}
DetectedClients represents which clients are available based on environment
func AutoDetectClients ¶
func AutoDetectClients() DetectedClients
AutoDetectClients detects available clients from environment
type DiscoveryConfig ¶
type DiscoveryConfig struct {
IdentityCenter *IdentityCenterDiscovery `mapstructure:"identity_center" yaml:"identity_center"`
Organizations *OrganizationsDiscovery `mapstructure:"organizations" yaml:"organizations"`
AccountsList *AccountsListDiscovery `mapstructure:"accounts_list" yaml:"accounts_list"`
}
DiscoveryConfig defines how to discover dynamic targets
type DiscoveryService ¶
type DiscoveryService struct {
// contains filtered or unexported fields
}
DiscoveryService handles dynamic target discovery from AWS services
func NewDiscoveryService ¶
func NewDiscoveryService(ctx context.Context, awsCtx *AWSExecutionContext, cfg *Config) *DiscoveryService
NewDiscoveryService creates a new discovery service
func (*DiscoveryService) DiscoverTargets ¶
func (d *DiscoveryService) DiscoverTargets() (map[string]Target, error)
DiscoverTargets discovers and expands dynamic targets into concrete targets
type DynamicTarget ¶
type DynamicTarget struct {
Discovery DiscoveryConfig `mapstructure:"discovery" yaml:"discovery"`
Imports []string `mapstructure:"imports" yaml:"imports"`
Exclude []string `mapstructure:"exclude" yaml:"exclude"`
// AccountNamePatterns maps discovered accounts to specific targets using regex
AccountNamePatterns []AccountNamePattern `mapstructure:"account_name_patterns" yaml:"account_name_patterns"`
Region string `mapstructure:"region" yaml:"region"`
SecretPrefix string `mapstructure:"secret_prefix" yaml:"secret_prefix"`
RoleARN string `mapstructure:"role_arn" yaml:"role_arn"`
}
DynamicTarget defines targets discovered at runtime
type EncryptionConfig ¶
type EncryptionConfig struct {
Enabled bool `mapstructure:"enabled" yaml:"enabled"`
// KMSKeyID enables KMS envelope encryption with the given key.
KMSKeyID string `mapstructure:"kms_key_id" yaml:"kms_key_id,omitempty"`
// KeyEnv names an environment variable holding a base64-encoded 32-byte
// AES-256 key for user-supplied (static) key encryption.
KeyEnv string `mapstructure:"key_env" yaml:"key_env,omitempty"`
// PostQuantumSeedEnv names an environment variable holding a base64-encoded
// ML-KEM-768 decapsulation-key seed for quantum-resistant encryption.
PostQuantumSeedEnv string `mapstructure:"post_quantum_seed_env" yaml:"post_quantum_seed_env,omitempty"`
}
EncryptionConfig configures client-side merge-store encryption. Exactly one of KMSKeyID, KeyEnv, or PostQuantumSeedEnv must be set when Enabled.
type ExecutionContextConfig ¶
type ExecutionContextConfig struct {
Type ExecutionContextType `mapstructure:"type" yaml:"type"`
AccountID string `mapstructure:"account_id" yaml:"account_id"`
Delegation *DelegationConfig `mapstructure:"delegation" yaml:"delegation"`
CustomRolePattern string `mapstructure:"custom_role_pattern" yaml:"custom_role_pattern"`
}
ExecutionContextConfig defines where the pipeline is running from
type ExecutionContextType ¶
type ExecutionContextType string
ExecutionContextType defines where the pipeline runs from
const ( // ExecutionContextManagement runs from the AWS Organizations management account ExecutionContextManagement ExecutionContextType = "management_account" // ExecutionContextDelegated runs from a delegated administrator account ExecutionContextDelegated ExecutionContextType = "delegated_admin" // ExecutionContextHub runs from a custom secrets hub account ExecutionContextHub ExecutionContextType = "hub_account" )
type ExecutionRoleConfig ¶
type ExecutionRoleConfig struct {
Name string `mapstructure:"name" yaml:"name"`
Path string `mapstructure:"path" yaml:"path"`
}
ExecutionRoleConfig defines the cross-account execution role
type Graph ¶
Graph represents the dependency graph for targets
func BuildGraph ¶
BuildGraph builds a dependency graph from the configuration
func (*Graph) GroupByLevel ¶
GroupByLevel groups targets by their dependency level
func (*Graph) IncludeDependencies ¶
IncludeDependencies expands a list of targets to include their dependencies
func (*Graph) PrintGraph ¶
PrintGraph returns a visual representation of the graph
func (*Graph) TopologicalOrder ¶
TopologicalOrder returns targets in dependency order (base first, then derived)
type IdentityCenterConfig ¶
type IdentityCenterConfig struct {
Enabled bool `mapstructure:"enabled" yaml:"enabled"`
AutoDiscover bool `mapstructure:"auto_discover" yaml:"auto_discover"`
InstanceARN string `mapstructure:"instance_arn" yaml:"instance_arn"`
IdentityStoreID string `mapstructure:"identity_store_id" yaml:"identity_store_id"`
}
IdentityCenterConfig configures AWS Identity Center (SSO) integration
type IdentityCenterDiscovery ¶
type IdentityCenterDiscovery struct {
Group string `mapstructure:"group" yaml:"group"`
PermissionSet string `mapstructure:"permission_set" yaml:"permission_set"`
}
IdentityCenterDiscovery discovers accounts from Identity Center
type KubernetesAuth ¶
type KubernetesAuth struct {
Role string `mapstructure:"role" yaml:"role"`
MountPath string `mapstructure:"mount_path" yaml:"mount_path"`
}
KubernetesAuth configures Kubernetes authentication
type LogConfig ¶
type LogConfig struct {
Level string `mapstructure:"level" yaml:"level"`
Format string `mapstructure:"format" yaml:"format"`
}
LogConfig controls logging behavior
type MatchConfidence ¶
type MatchConfidence string
MatchConfidence indicates how confident the match is
const ( // MatchExact means the name matched exactly MatchExact MatchConfidence = "exact" // MatchNormalized means the name matched after JSON key normalization MatchNormalized MatchConfidence = "normalized" // MatchFuzzy means the name matched via fuzzy/loose matching MatchFuzzy MatchConfidence = "fuzzy" // MatchAccountID means matched by AWS account ID MatchAccountID MatchConfidence = "account_id" // MatchNone means no match was found MatchNone MatchConfidence = "none" )
type MergeRequest ¶
type MergeRequest struct {
// Sources in priority order (later sources override earlier on conflict)
Sources []string
// Target name (for organizational purposes)
Target string
// DryRun if true, don't actually write
DryRun bool
}
MergeRequest represents a request to merge N sources into a bundle
type MergeSettings ¶
type MergeSettings struct {
Parallel int `mapstructure:"parallel" yaml:"parallel"`
}
MergeSettings configures the merge phase
type MergeStoreConfig ¶
type MergeStoreConfig struct {
Vault *MergeStoreVault `mapstructure:"vault" yaml:"vault"`
S3 *MergeStoreS3 `mapstructure:"s3" yaml:"s3"`
}
MergeStoreConfig defines intermediate storage for merged secrets
type MergeStoreS3 ¶
type MergeStoreS3 struct {
Bucket string `mapstructure:"bucket" yaml:"bucket"`
Prefix string `mapstructure:"prefix" yaml:"prefix"`
KMSKeyID string `mapstructure:"kms_key_id" yaml:"kms_key_id"`
// Encryption configures optional client-side envelope encryption of bundles
// (zero-knowledge mode) — distinct from KMSKeyID's server-side SSE-KMS.
Encryption *EncryptionConfig `mapstructure:"encryption" yaml:"encryption,omitempty"`
// ReplicaRegions replicates every merged bundle to the same bucket name in
// each listed region for cross-region durability and read-locality. A
// regionally-named bucket per region is assumed (bucket + "-" + region) when
// ReplicaBucketPattern is empty.
ReplicaRegions []string `mapstructure:"replica_regions" yaml:"replica_regions,omitempty"`
// RequireAllReplicas fails a write if any replica write fails (default:
// best-effort, primary success is enough).
RequireAllReplicas bool `mapstructure:"require_all_replicas" yaml:"require_all_replicas,omitempty"`
// Version management
Versioning *VersioningConfig `mapstructure:"versioning" yaml:"versioning"`
}
MergeStoreS3 uses S3 as the merge store
type MergeStoreVault ¶
type MergeStoreVault struct {
Mount string `mapstructure:"mount" yaml:"mount"`
}
MergeStoreVault uses Vault as the merge store
type NameMatcher ¶
type NameMatcher struct {
// contains filtered or unexported fields
}
NameMatcher handles fuzzy matching of AWS account names to targets
func NewNameMatcher ¶
func NewNameMatcher(cfg *NameMatchingConfig) *NameMatcher
NewNameMatcher creates a new name matcher with the given config
func (*NameMatcher) MatchAccountToTarget ¶
func (m *NameMatcher) MatchAccountToTarget(accountName string, patterns []AccountNamePattern) (string, bool)
MatchAccountToTarget finds the best matching target for an account name using configured patterns and fuzzy matching strategy
func (*NameMatcher) NormalizeAccountName ¶
func (m *NameMatcher) NormalizeAccountName(name string) string
NormalizeAccountName normalizes an account name for fuzzy matching Applies configured normalizations: case folding, prefix/suffix stripping, etc.
func (*NameMatcher) ResolveAccountImports ¶
func (m *NameMatcher) ResolveAccountImports( acct AccountInfo, patterns []AccountNamePattern, defaultImports []string, targetConfigs map[string]Target, ) []string
ResolveAccountImports resolves which imports an account should inherit based on fuzzy matching its name to configured patterns
type NameMatchingConfig ¶
type NameMatchingConfig struct {
// Strategy: "exact", "fuzzy", or "loose" (default: "exact")
// - exact: names must match exactly (case-insensitive by default)
// - fuzzy: partial substring matching with normalization
// - loose: most permissive, applies all normalizations
Strategy string `mapstructure:"strategy" yaml:"strategy"`
// NormalizeKeys: apply JSON key normalization (default: false)
// Converts underscores to hyphens, removes special chars
NormalizeKeys bool `mapstructure:"normalize_keys" yaml:"normalize_keys"`
// CaseInsensitive: case-insensitive matching (default: true)
CaseInsensitive bool `mapstructure:"case_insensitive" yaml:"case_insensitive"`
// StripPrefixes: prefixes to remove before matching
// Common values: ["aws-", "fsc-", "org-"]
StripPrefixes []string `mapstructure:"strip_prefixes" yaml:"strip_prefixes"`
// StripSuffixes: suffixes to remove before matching
// Common values: ["-account", "-acct"]
StripSuffixes []string `mapstructure:"strip_suffixes" yaml:"strip_suffixes"`
}
NameMatchingConfig configures fuzzy account name matching
type Node ¶
type Node struct {
Name string
Type NodeType
Level int // Dependency depth (0 = no dependencies)
Deps []string // Nodes this depends on
DependedBy []string // Nodes that depend on this
}
Node represents a node in the dependency graph
type OUConfig ¶
type OUConfig struct {
ID string `mapstructure:"id" yaml:"id"`
Accounts []string `mapstructure:"accounts" yaml:"accounts"`
Children map[string]OUConfig `mapstructure:"children" yaml:"children"`
}
OUConfig represents an Organizational Unit
type ObservabilityConfig ¶
type ObservabilityConfig struct {
Tracing observability.TracingConfig `mapstructure:"tracing" yaml:"tracing,omitempty"`
CustomMetrics []observability.CustomMetricConfig `mapstructure:"custom_metrics" yaml:"custom_metrics,omitempty"`
}
ObservabilityConfig configures metrics and distributed tracing.
type Operation ¶
type Operation string
Operation defines what the pipeline should do
const ( // OperationMerge only performs the merge phase (sources → merge store) OperationMerge Operation = "merge" // OperationSync only performs the sync phase (merge store → destinations) OperationSync Operation = "sync" // OperationPipeline performs both merge and sync in order OperationPipeline Operation = "pipeline" )
type Options ¶
type Options struct {
Operation Operation
Targets []string
DryRun bool
ContinueOnError bool
Parallelism int
ComputeDiff bool
OutputFormat diff.OutputFormat
}
Options configures pipeline execution
type OrganizationInfo ¶
type OrganizationInfo struct {
ID string
MasterAccountID string
MasterAccountARN string
IsManagementAccount bool
IsDelegatedAdmin bool
DelegatedServices []string
}
OrganizationInfo contains AWS Organizations information
type OrganizationsConfig ¶
type OrganizationsConfig struct {
AutoDiscover bool `mapstructure:"auto_discover" yaml:"auto_discover"`
RootID string `mapstructure:"root_id" yaml:"root_id"`
OUs map[string]OUConfig `mapstructure:"ous" yaml:"ous"`
}
OrganizationsConfig configures AWS Organizations integration
type OrganizationsDiscovery ¶
type OrganizationsDiscovery struct {
Tags map[string][]string `mapstructure:"tags" yaml:"tags"`
Recursive bool `mapstructure:"recursive" yaml:"recursive"`
NameMatching *NameMatchingConfig `mapstructure:"name_matching" yaml:"name_matching"`
OUs []string `mapstructure:"ous" yaml:"ous"`
TagFilters []TagFilter `mapstructure:"tag_filters" yaml:"tag_filters"`
TagCombination string `mapstructure:"tag_combination" yaml:"tag_combination"` // "AND" or "OR", default "AND"
ExcludeStatuses []string `mapstructure:"exclude_statuses" yaml:"exclude_statuses"` // e.g., ["SUSPENDED", "CLOSED"]
CacheOUStructure bool `mapstructure:"cache_ou_structure" yaml:"cache_ou_structure"` // Cache OU hierarchy
}
OrganizationsDiscovery discovers accounts from AWS Organizations
func (*OrganizationsDiscovery) UnmarshalYAML ¶
func (o *OrganizationsDiscovery) UnmarshalYAML(value *yaml.Node) error
UnmarshalYAML rejects removed single-OU configuration instead of silently ignoring it.
type Pipeline ¶
type Pipeline struct {
// contains filtered or unexported fields
}
Pipeline is the main orchestrator for secrets synchronization
func NewFromFile ¶
NewFromFile creates a Pipeline from a configuration file
func NewFromFileWithContext ¶
NewFromFileWithContext creates a Pipeline from a configuration file with context
func NewWithContext ¶
NewWithContext creates a new Pipeline with AWS execution context
func NewWithContextAndRuntimeAuth ¶
func NewWithContextAndRuntimeAuth(ctx context.Context, cfg *Config, auth *RuntimeAuth) (*Pipeline, error)
NewWithContextAndRuntimeAuth creates a new Pipeline with explicit runtime authentication material supplied by an embedding caller.
func (*Pipeline) Diff ¶
func (p *Pipeline) Diff() *diff.PipelineDiff
Diff returns the computed diff from the last Run
func (*Pipeline) ExitCode ¶
ExitCode returns the appropriate exit code based on diff results 0 = no changes (zero-sum), 1 = changes detected, 2 = errors
func (*Pipeline) FormatDiff ¶
func (p *Pipeline) FormatDiff(format diff.OutputFormat) string
FormatDiff returns the formatted diff output
func (*Pipeline) GetBundlePath ¶
GetBundlePath returns the current bundle path for a target (for sync phase to use)
type PipelineRequest ¶
type PipelineRequest struct {
// Sources in priority order for merge
Sources []string
// Targets to sync the merged bundle to
Targets []string
// DryRun if true, don't actually write
DryRun bool
}
PipelineRequest is merge + sync as a single operation
func (*PipelineRequest) GetBundleID ¶
func (r *PipelineRequest) GetBundleID() string
GetBundleID returns the deterministic bundle ID for this request
func (*PipelineRequest) GetMergePath ¶
func (r *PipelineRequest) GetMergePath(mount string) string
GetMergePath returns the merge store path for this request
type PipelineSettings ¶
type PipelineSettings struct {
Merge MergeSettings `mapstructure:"merge" yaml:"merge"`
Sync SyncSettings `mapstructure:"sync" yaml:"sync"`
Rollback RollbackConfig `mapstructure:"rollback" yaml:"rollback,omitempty"`
DryRun bool `mapstructure:"dry_run" yaml:"dry_run"`
ContinueOnError bool `mapstructure:"continue_on_error" yaml:"continue_on_error"`
}
PipelineSettings configures pipeline execution
type ReplicatingBundleStore ¶
type ReplicatingBundleStore struct {
// RequireAllReplicas, when true, fails a write if any replica write fails.
// When false (default), replica failures are logged and the write succeeds
// as long as the primary write succeeds.
RequireAllReplicas bool
// contains filtered or unexported fields
}
ReplicatingBundleStore writes every merged bundle to a primary bundle store and, synchronously, to one or more replica stores in other regions, giving cross-region durability and read-locality. Reads come from the primary and fall back to replicas in order, so a primary-region outage still serves bundles for the sync phase.
func NewReplicatingBundleStore ¶
func NewReplicatingBundleStore(primary driver.BundleStore, replicas ...driver.BundleStore) *ReplicatingBundleStore
NewReplicatingBundleStore composes a primary with zero or more replicas.
func (*ReplicatingBundleStore) ReadMergedBundle ¶
func (r *ReplicatingBundleStore) ReadMergedBundle(ctx context.Context, targetName, bundleID string) (map[string]map[string]interface{}, error)
ReadMergedBundle reads from the primary, falling back to each replica in order on failure (regional outage or missing object).
func (*ReplicatingBundleStore) WriteMergedBundle ¶
func (r *ReplicatingBundleStore) WriteMergedBundle(ctx context.Context, targetName, bundleID string, secrets map[string]interface{}) error
WriteMergedBundle writes to the primary first (a primary failure aborts), then to each replica.
type ResolvedResource ¶
type ResolvedResource struct {
// OriginalName is the name as provided by the user
OriginalName string
// ResolvedName is the normalized/matched name
ResolvedName string
// Type indicates whether this is an AWS account or Vault mount
Type ResourceType
// AccountID is set if Type is ResourceTypeAWSAccount
AccountID string
// VaultMount is set if Type is ResourceTypeVaultMount
VaultMount string
// MatchConfidence indicates how the match was made
MatchConfidence MatchConfidence
}
ResolvedResource represents a resolved source or destination
type ResourceResolver ¶
type ResourceResolver struct {
// contains filtered or unexported fields
}
ResourceResolver resolves source/destination names to concrete resources
func NewResourceResolver ¶
func NewResourceResolver(ctx context.Context, cfg *Config) *ResourceResolver
NewResourceResolver creates a resolver that auto-detects resources
func (*ResourceResolver) Initialize ¶
func (r *ResourceResolver) Initialize(awsCtx *AWSExecutionContext) error
Initialize loads AWS accounts and Vault mounts for resolution
func (*ResourceResolver) Resolve ¶
func (r *ResourceResolver) Resolve(name string) ResolvedResource
Resolve determines what type of resource a name refers to Priority: 1) Exact AWS account ID, 2) Exact AWS name, 3) Fuzzy AWS match, 4) Vault mount
func (*ResourceResolver) ResolveAll ¶
func (r *ResourceResolver) ResolveAll(names []string) []ResolvedResource
ResolveAll resolves a list of names
type ResourceType ¶
type ResourceType string
ResourceType identifies the type of a source/destination
const ( // ResourceTypeAWSAccount indicates an AWS account (discovered via Organizations) ResourceTypeAWSAccount ResourceType = "aws_account" // ResourceTypeVaultMount indicates a Vault KV2 mount ResourceTypeVaultMount ResourceType = "vault_mount" // ResourceTypeUnknown indicates the resource could not be resolved ResourceTypeUnknown ResourceType = "unknown" )
type Result ¶
type Result struct {
Target string `json:"target"`
Phase string `json:"phase"`
Operation string `json:"operation"`
Success bool `json:"success"`
Error error `json:"error,omitempty"`
Duration time.Duration `json:"duration"`
Details ResultDetails `json:"details,omitempty"`
Diff *diff.TargetDiff `json:"diff,omitempty"`
}
Result represents the outcome of a single target operation
type ResultDetails ¶
type ResultDetails struct {
SecretsProcessed int `json:"secrets_processed,omitempty"`
SecretsAdded int `json:"secrets_added,omitempty"`
SecretsModified int `json:"secrets_modified,omitempty"`
SecretsRemoved int `json:"secrets_removed,omitempty"`
SecretsUnchanged int `json:"secrets_unchanged,omitempty"`
SourcePaths []string `json:"source_paths,omitempty"`
DestinationPath string `json:"destination_path,omitempty"`
RoleARN string `json:"role_arn,omitempty"`
FailedImports []string `json:"failed_imports,omitempty"`
Message string `json:"message,omitempty"`
}
ResultDetails contains additional information about the operation
type RollbackConfig ¶
type RollbackConfig struct {
// Enabled turns on pre-sync snapshotting and post-failure restore.
Enabled bool `mapstructure:"enabled" yaml:"enabled"`
// MaxSecrets is a safety cap: rollback is skipped (and the failure left as-is
// with a clear error) if the target holds more than this many secrets, to
// avoid a large unintended restore. 0 means no cap.
MaxSecrets int `mapstructure:"max_secrets" yaml:"max_secrets,omitempty"`
}
RollbackConfig configures automatic rollback on sync failure.
type RuntimeAuth ¶
type RuntimeAuth struct {
DelegateAuth bool `json:"-" yaml:"-"`
Vault *VaultRuntimeAuth `json:"-" yaml:"-"`
AWS *AWSRuntimeAuth `json:"-" yaml:"-"`
}
RuntimeAuth carries caller-owned provider authentication material into a pipeline run. It is intentionally excluded from YAML configuration and should be supplied by embedding packages, bindings, or in-process callers.
type S3MergeStore ¶
type S3MergeStore struct {
Bucket string
Prefix string
KMSKeyID string
Region string
// Version management
VersioningEnabled bool
RetainVersions int
// Cipher, when set, performs client-side envelope encryption of bundle
// bodies before upload (zero-knowledge mode) — S3 never sees plaintext.
// This is independent of the server-side KMSKeyID (SSE-KMS) field.
Cipher crypto.Cipher
// contains filtered or unexported fields
}
S3MergeStore implements a merge store using S3 for intermediate secret storage. This is useful when you want to use S3 as a central repository for merged secrets before syncing to target accounts, or for audit/backup purposes.
func NewS3MergeStore ¶
func NewS3MergeStore(ctx context.Context, cfg *MergeStoreS3, region string) (*S3MergeStore, error)
NewS3MergeStore creates a new S3-based merge store
func NewS3MergeStoreWithRuntimeAuth ¶
func NewS3MergeStoreWithRuntimeAuth(ctx context.Context, cfg *MergeStoreS3, region string, auth *AWSRuntimeAuth) (*S3MergeStore, error)
NewS3MergeStoreWithRuntimeAuth creates a new S3-based merge store using caller-supplied AWS session material when provided.
func (*S3MergeStore) DeleteBundle ¶
func (s *S3MergeStore) DeleteBundle(ctx context.Context, targetName, bundleID string) error
DeleteBundle deletes a bundle from S3
func (*S3MergeStore) DeleteSecret ¶
func (s *S3MergeStore) DeleteSecret(ctx context.Context, targetName, secretName string) error
DeleteSecret deletes a secret from S3
func (*S3MergeStore) GetBundlePath ¶
func (s *S3MergeStore) GetBundlePath(targetName, bundleID string) string
GetBundlePath returns the S3 path for a specific bundle
func (*S3MergeStore) GetLatest ¶
func (s *S3MergeStore) GetLatest(ctx context.Context, path string) (*SecretVersion, error)
GetLatest retrieves the latest version of a secret
func (*S3MergeStore) GetMergePath ¶
func (s *S3MergeStore) GetMergePath(targetName string) string
GetMergePath returns the S3 "path" representation for a target This is used for logging and reporting purposes
func (*S3MergeStore) GetVersion ¶
func (s *S3MergeStore) GetVersion(ctx context.Context, path string, version int) (*SecretVersion, error)
GetVersion retrieves a specific version of a secret
func (*S3MergeStore) ListSecrets ¶
ListSecrets lists all secrets for a target
func (*S3MergeStore) ListVersions ¶
func (s *S3MergeStore) ListVersions(ctx context.Context, path string) ([]SecretVersion, error)
ListVersions lists all versions of a secret
func (*S3MergeStore) ReadMergedBundle ¶
func (s *S3MergeStore) ReadMergedBundle(ctx context.Context, targetName, bundleID string) (map[string]map[string]interface{}, error)
ReadMergedBundle reads a complete merged bundle from S3
func (*S3MergeStore) ReadSecret ¶
func (s *S3MergeStore) ReadSecret(ctx context.Context, targetName, secretName string) (map[string]interface{}, error)
ReadSecret reads a secret from S3
func (*S3MergeStore) StoreVersion ¶
func (s *S3MergeStore) StoreVersion(ctx context.Context, secret *SecretVersion) error
StoreVersion stores a new version of a secret
func (*S3MergeStore) WriteMergedBundle ¶
func (s *S3MergeStore) WriteMergedBundle(ctx context.Context, targetName, bundleID string, secrets map[string]interface{}) error
WriteMergedBundle writes a complete merged bundle to S3 as a single JSON blob
func (*S3MergeStore) WriteSecret ¶
func (s *S3MergeStore) WriteSecret(ctx context.Context, targetName, secretName string, data map[string]interface{}) error
WriteSecret writes a secret to S3
type SecretVersion ¶
type SecretVersion struct {
Path string `json:"path"`
Version int `json:"version"`
Data map[string]interface{} `json:"data"`
Timestamp time.Time `json:"timestamp"`
Hash string `json:"hash,omitempty"`
}
SecretVersion represents a versioned secret with metadata
type Source ¶
type Source struct {
Vault *VaultSource `mapstructure:"vault" yaml:"vault"`
AWS *AWSSource `mapstructure:"aws" yaml:"aws"`
}
Source defines where secrets can be imported from
type SyncRequest ¶
type SyncRequest struct {
// BundlePath is the merge store path containing the merged secrets
BundlePath string
// Targets to sync to (account IDs or target names)
Targets []string
// DryRun if true, don't actually write
DryRun bool
}
SyncRequest represents a request to sync a bundle to target(s)
type SyncSettings ¶
type SyncSettings struct {
Parallel int `mapstructure:"parallel" yaml:"parallel"`
DeleteOrphans bool `mapstructure:"delete_orphans" yaml:"delete_orphans"`
}
SyncSettings configures the sync phase
type TagFilter ¶
type TagFilter struct {
Key string `mapstructure:"key" yaml:"key"`
Values []string `mapstructure:"values" yaml:"values"`
Operator string `mapstructure:"operator" yaml:"operator"` // "equals", "contains", "wildcard", default "equals"
}
TagFilter represents a single tag filtering condition with wildcard support
type Target ¶
type Target struct {
AccountID string `mapstructure:"account_id" yaml:"account_id"`
Imports []string `mapstructure:"imports" yaml:"imports"`
Region string `mapstructure:"region" yaml:"region"`
SecretPrefix string `mapstructure:"secret_prefix" yaml:"secret_prefix"`
RoleARN string `mapstructure:"role_arn" yaml:"role_arn"`
// Backend selects the sync destination driver. When unset it defaults to
// AWS Secrets Manager, preserving the historical AWS-only behavior. Set it
// to route a target to Azure, GCP, Kubernetes, HTTP, or Vault instead.
Backend *TargetBackendConfig `mapstructure:"backend" yaml:"backend,omitempty"`
// Tags are arbitrary key/value labels on the target, usable by conditional
// sync rules.
Tags map[string]string `mapstructure:"tags" yaml:"tags,omitempty"`
// Conditions gate whether this target syncs (environment, tag, time-window).
// When unset the target always syncs.
Conditions *condition.Config `mapstructure:"conditions" yaml:"conditions,omitempty"`
}
Target defines a sync destination. Supports two YAML formats:
- Explicit: target: {account_id: "...", imports: [...]}
- Shorthand inheritance: target: [parent1, parent2] (list IS the imports)
func (*Target) UnmarshalYAML ¶
UnmarshalYAML implements custom YAML unmarshaling to support shorthand format.
type TargetBackendConfig ¶
type TargetBackendConfig struct {
Driver string `mapstructure:"driver" yaml:"driver"`
Path string `mapstructure:"path" yaml:"path,omitempty"`
Options map[string]any `mapstructure:"options" yaml:"options,omitempty"`
}
TargetBackendConfig selects and configures a non-default sync target backend. Driver is a driver.DriverName ("azure", "gcp", "kubernetes", "http", "vault", "aws"); Path is the backend's scope (mount, namespace, base URL, ...); Options carries driver-specific settings consumed by that backend's factory.
type TokenAuth ¶
type TokenAuth struct {
Token string `mapstructure:"token" yaml:"token"`
}
TokenAuth configures token authentication
type VaultAuthConfig ¶
type VaultAuthConfig struct {
AppRole *AppRoleAuth `mapstructure:"approle" yaml:"approle"`
Token *TokenAuth `mapstructure:"token" yaml:"token"`
Kubernetes *KubernetesAuth `mapstructure:"kubernetes" yaml:"kubernetes"`
}
VaultAuthConfig supports multiple authentication methods
type VaultConfig ¶
type VaultConfig struct {
Address string `mapstructure:"address" yaml:"address"`
Namespace string `mapstructure:"namespace" yaml:"namespace"`
Auth VaultAuthConfig `mapstructure:"auth" yaml:"auth"`
// Traversal configuration for recursive secret listing
// These settings control memory usage and performance during large Vault traversals
MaxTraversalDepth int `mapstructure:"max_traversal_depth" yaml:"max_traversal_depth,omitempty"`
MaxSecretsPerMount int `mapstructure:"max_secrets_per_mount" yaml:"max_secrets_per_mount,omitempty"`
QueueCompactionThreshold int `mapstructure:"queue_compaction_threshold" yaml:"queue_compaction_threshold,omitempty"`
}
VaultConfig configures Vault connection and authentication
type VaultDetection ¶
type VaultDetection struct {
Available bool
Address string
AuthType string // token, approle, kubernetes, aws-iam
}
VaultDetection contains Vault auto-detection results
type VaultRuntimeAuth ¶
type VaultRuntimeAuth struct {
Address string `json:"-" yaml:"-"`
Namespace string `json:"-" yaml:"-"`
Token string `json:"-" yaml:"-"`
}
VaultRuntimeAuth describes an authenticated Vault medium supplied by an upstream package. Token is runtime-only and must not be serialized.
type VaultSource ¶
type VaultSource struct {
Address string `mapstructure:"address" yaml:"address"`
Namespace string `mapstructure:"namespace" yaml:"namespace"`
Mount string `mapstructure:"mount" yaml:"mount"`
Paths []string `mapstructure:"paths" yaml:"paths"`
// Traversal configuration for recursive secret listing
// These settings control memory usage and performance during large Vault traversals
MaxTraversalDepth int `mapstructure:"max_traversal_depth" yaml:"max_traversal_depth,omitempty"`
MaxSecretsPerMount int `mapstructure:"max_secrets_per_mount" yaml:"max_secrets_per_mount,omitempty"`
QueueCompactionThreshold int `mapstructure:"queue_compaction_threshold" yaml:"queue_compaction_threshold,omitempty"`
}
VaultSource imports secrets from a Vault KV2 mount
type VersionStore ¶
type VersionStore interface {
GetVersion(ctx context.Context, path string, version int) (*SecretVersion, error)
ListVersions(ctx context.Context, path string) ([]SecretVersion, error)
GetLatest(ctx context.Context, path string) (*SecretVersion, error)
StoreVersion(ctx context.Context, secret *SecretVersion) error
}
VersionStore interface for version management
type VersioningConfig ¶
type VersioningConfig struct {
Enabled bool `mapstructure:"enabled" yaml:"enabled"`
RetainVersions int `mapstructure:"retain_versions" yaml:"retain_versions"`
}
VersioningConfig configures secret versioning
Source Files
¶
- audit.go
- autodetect.go
- aws_context.go
- backends.go
- bundle.go
- config.go
- diff_ops.go
- discovery_fuzzy.go
- discovery_helpers.go
- discovery_identitycenter.go
- discovery_organizations.go
- discovery_service.go
- execute.go
- fetch.go
- graph.go
- inheritance.go
- merge.go
- pipeline.go
- replication.go
- resolver.go
- rollback.go
- runtime_auth.go
- runtime_clients.go
- s3_store.go
- sync.go
- types.go