feat: ✨ serverless-dynamic-secrets plugin created and publishing first time

Author: Siddharth Shah

.github/workflows/release.yml

@@ -0,0 +1,51 @@
+name: CI/CD & Semantic Release
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 22
+          cache: 'yarn'
+
+      - name: Install Dependencies
+        run: yarn install --frozen-lockfile
+        
+      - name: Run Security Audit (Critical Issues Only)
+        run: yarn audit --level critical --groups dependencies
+
+  release:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 22
+          registry-url: "https://registry.npmjs.org/"
+          cache: 'yarn'
+
+      - name: Install Dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Semantic Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npx semantic-release

.gitignore

@@ -0,0 +1,2 @@
+node_modules/
+.serverless/

.releaserc.json

@@ -0,0 +1,28 @@
+{
+    "branches": ["main"],
+    "plugins": [
+      "@semantic-release/commit-analyzer",
+      "@semantic-release/release-notes-generator",
+      "@semantic-release/changelog",
+      [
+        "@semantic-release/npm",
+        {
+          "npmPublish": true
+        }
+      ],
+      [
+        "@semantic-release/github",
+        {
+          "assets": []
+        }
+      ],
+      [
+        "@semantic-release/git",
+        {
+          "assets": ["package.json", "CHANGELOG.md"],
+          "message": "chore(release): ${nextRelease.version} [skip ci]"
+        }
+      ]
+    ]
+  }
+  

LICENCE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Ryan Sonshine
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,28 @@
+# Serverless Dynamic Secrets Plugin
+
+🚀 **Automate Parameter & Secret Management in Serverless Framework**
+
+
+## 📌 Overview
+
+**Serverless Dynamic Secrets Plugin** is a **custom Serverless Framework plugin** that:
+- **Automatically creates CloudFormation parameters** from a JSON file.
+- **Generates AWS Secrets Manager resources dynamically** using parameter values.
+- **Supports parameter overrides** via CLI and files.
+- **Prevents secret exposure** by setting `NoEcho: true`.
+
+This eliminates the **manual effort of defining parameters and secrets** in your `serverless.yml`!
+
+---
+
+## 🛠 Installation
+
+### Using npm
+```bash
+npm install --save-dev serverless-dynamic-secrets
+```
+
+### Using yarn
+```bash
+yarn add -D serverless-dynamic-secrets
+```

index.js

@@ -0,0 +1,183 @@
+const fs = require('fs');
+const parseArgs = require('yargs-parser');
+const OPTION_PARAMETER_FILE = 'parameter-file';
+const OPTION_PARAMETER_OVERRIDES = 'parameter-overrides';
+
+module.exports = class CfParametersPlugin {
+    constructor(serverless, options) {
+        console.log("Dynamic CF Parameters and Secrets Plugin Initialized");
+        this.serverless = serverless;
+        this.options = options;
+
+        this.commands = {
+            deploy: {
+                options: {
+                    [OPTION_PARAMETER_FILE]: {
+                        usage: 'Provide a JSON file to define secrets and parameters',
+                        required: true,
+                        type: 'string'
+                    },
+                    [OPTION_PARAMETER_OVERRIDES]: {
+                        usage: 'Override parameters dynamically',
+                        required: false,
+                        type: 'multiple'
+                    }
+                }
+            },
+            package: {
+                options: {
+                    [OPTION_PARAMETER_FILE]: {
+                        usage: 'Provide a JSON file for parameter overrides',
+                        required: false,
+                        type: 'string'
+                    }
+                }
+            }
+        };
+        this.hooks = {
+            'before:package:finalize': this.addSecretsAndParameters.bind(this),
+            'before:aws:deploy:deploy:updateStack': this.injectParameterOverrides.bind(this)
+        };
+        this.providerRequest = this.getProvider().request.bind(this.provider);
+       
+    }
+
+    addSecretsAndParameters() {
+        const parameterFile = this.options[OPTION_PARAMETER_FILE];
+        if (!parameterFile) {
+            throw new Error("The --parameter-file option is required to define secrets and parameters.");
+        }
+
+        const secretsData = JSON.parse(fs.readFileSync(parameterFile, 'utf-8'));
+        const cloudFormationTemplate = this.serverless.service.provider.compiledCloudFormationTemplate;
+
+        // console.log("Loaded Secrets Data:", JSON.stringify(secretsData, null, 2));
+
+        // Add Parameters 
+        // Note: Here need to enhancement to check if same name of other resource or paramteres exist in stack or not
+        cloudFormationTemplate.Parameters = {
+            ...(cloudFormationTemplate.Parameters || {}),
+            ...this.generateParameters(secretsData)
+        };
+
+        // console.log("Generated Parameters:", JSON.stringify(cloudFormationTemplate.Parameters, null, 2));
+
+        // Add Secrets Manager Resources
+        // Note: Here need to enhancement to check if same name of other resource or secret manager exist in stack or not
+        cloudFormationTemplate.Resources = {
+            ...(cloudFormationTemplate.Resources || {}),
+            ...this.generateSecrets(secretsData)
+        };
+
+        // console.log("Generated Secrets Manager Resources:", JSON.stringify(cloudFormationTemplate.Resources, null, 2));
+    }
+
+    generateParameters(secretsData) {
+        const parameters = {};
+
+        for (const [key] of Object.entries(secretsData)) {
+            parameters[key] = {
+                Type: 'String',
+                NoEcho: true
+            };
+        }
+
+        return parameters;
+    }
+
+    generateSecrets(secretsData) {
+        const resources = {};
+
+        for (const [key] of Object.entries(secretsData)) {
+            resources[`SecretFor${key}`] = {
+                Type: 'AWS::SecretsManager::Secret',
+                Properties: {
+                    Name: key,
+                    Description: `Secret dynamically created for ${key}`,
+                    SecretString: {
+                        Ref: key
+                    }
+                }
+            };
+        }
+
+        return resources;
+    }
+    getProvider() {
+        if (!this.provider) {
+            this.provider = this.serverless.getProvider('aws');
+            if (!this.provider) {
+                throw new Error("AWS provider not found. Ensure this plugin is used with the AWS provider.");
+            }
+        }
+        return this.provider;
+    }
+    injectParameterOverrides() {
+    
+        this.provider.request = async (...args) => {
+            let [service, method, params] = args;
+    
+    
+            const compiledParametersTemplate =
+                this.serverless.service.provider.compiledCloudFormationTemplate.Parameters || {};
+            // console.log("compiledParametersTemplate:", compiledParametersTemplate);
+    
+            if (service === 'CloudFormation' && (method === 'updateStack' || method === 'createChangeSet')) {
+                // Fetch current parameters from the deployed template
+                const response = await this.providerRequest('CloudFormation', 'getTemplate', {
+                    StackName: params.StackName
+                });
+                const currentParameters = JSON.parse(response.TemplateBody).Parameters || {};
+                // console.log("currentParameters:", JSON.stringify(currentParameters));
+    
+                // Build the list of parameters
+                const overrides = this.getOverrides();
+                // console.log("overrides:", JSON.stringify(overrides));
+    
+                params.Parameters = Object.keys(compiledParametersTemplate)
+                    .map((paramKey) => {
+                        if (overrides[paramKey] !== undefined) {
+                            return {
+                                ParameterKey: paramKey,
+                                ParameterValue: overrides[paramKey]
+                            };
+                        } else if (currentParameters[paramKey]) {
+                            return {
+                                ParameterKey: paramKey,
+                                UsePreviousValue: true
+                            };
+                        }
+                    })
+                    .filter(Boolean);
+    
+                // console.log("Final Parameters:", JSON.stringify(params.Parameters));
+            }
+    
+            return this.providerRequest(...args);
+        };
+    }
+    
+    
+    
+
+    getOverrides() {
+        let parameterOverrides = this.options[OPTION_PARAMETER_OVERRIDES] || [];
+        if (!Array.isArray(parameterOverrides)) {
+            parameterOverrides = [parameterOverrides];
+        }
+
+        const cliOverrides = parseArgs(
+            parameterOverrides.map((param) => `--${param}`).join(' '),
+            { configuration: { 'parse-numbers': false } }
+        );
+        // console.log("Parameter Overrides from CLI:", JSON.stringify(cliOverrides));
+
+        const fileOverrides = this.options[OPTION_PARAMETER_FILE]
+            ? JSON.parse(fs.readFileSync(this.options[OPTION_PARAMETER_FILE], 'utf-8'))
+            : {};
+
+        // console.log("Parameter Overrides from File:", JSON.stringify(fileOverrides));
+
+        return { ...fileOverrides, ...cliOverrides };
+    }
+};

package.json

@@ -0,0 +1,42 @@
+{
+  "name": "serverless-dynamic-secrets",
+  "version": "1.0.0",
+  "main": "index.js",
+  "description": "A Serverless Framework plugin for dynamic parameter and secret creation",
+  "scripts": {
+    "test": "jest",
+    "lint": "eslint .",
+    "semantic-release": "semantic-release"
+  },
+  "files": [
+    "index.js",
+    "package.json",
+    "README.md"
+  ],
+  "keywords": [
+    "serverless",
+    "plugin",
+    "aws",
+    "secrets-manager"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/distinction-dev/serverless-dynamic-secrets.git"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "author": "Sid2601",
+  "license": "MIT",
+  "dependencies": {
+    "yargs-parser": "^21.1.1"
+  },
+  "devDependencies": {
+    "@semantic-release/changelog": "^6.0.0",
+    "@semantic-release/git": "^10.0.0",
+    "@semantic-release/github": "^10.0.0",
+    "@semantic-release/npm": "^10.0.0",
+    "jest": "^29.0.0",
+    "semantic-release": "^20.0.0"
+  }
+}