Merge pull request #6 from systeminit/push-llwvquzmlyvu

deploy secrets

Author: adamhjk

package-lock.json

@@ -15,6 +15,7 @@
   "license": "Apache-2.0",
   "description": "API for Tony's World of Chips",
   "dependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.907.0",
     "@prisma/client": "^6.17.0",
     "cors": "^2.8.5",
     "dotenv": "^17.2.3",

packages/api/package.json

@@ -3,7 +3,7 @@ import express from 'express';
 import cors from 'cors';
 import cartRoutes from '../routes/cart';
 import { errorHandler } from '../middleware/errorHandler';
-import prisma from '../config/database';
+import { prisma } from './setup';
 
 // Create test app
 const app = express();

packages/api/prisma/dev.db

@@ -4,7 +4,7 @@ import cors from 'cors';
 import orderRoutes from '../routes/orders';
 import cartRoutes from '../routes/cart';
 import { errorHandler } from '../middleware/errorHandler';
-import prisma from '../config/database';
+import { prisma } from './setup';
 
 // Create test app with both cart and order routes
 const app = express();

packages/api/src/__tests__/cart.test.ts

@@ -3,7 +3,7 @@ import express from 'express';
 import cors from 'cors';
 import productRoutes from '../routes/products';
 import { errorHandler } from '../middleware/errorHandler';
-import prisma from '../config/database';
+import { prisma } from './setup';
 
 // Create test app
 const app = express();

packages/api/src/__tests__/orders.test.ts

@@ -21,3 +21,6 @@ beforeEach(async () => {
   await prisma.cartItem.deleteMany();
   await prisma.order.deleteMany();
 });
+
+// Export for use in tests
+export { prisma };

packages/api/src/__tests__/products.test.ts

@@ -1,7 +1,50 @@
 import { PrismaClient } from '@prisma/client';
+import { buildDatabaseUrl } from './secrets';
 
-const prisma = new PrismaClient({
-  log: process.env.NODE_ENV === 'test' ? ['error'] : ['warn', 'error'],
-});
+let prismaInstance: PrismaClient | null = null;
 
-export default prisma;
+export async function getPrismaClient(): Promise<PrismaClient> {
+  if (prismaInstance) {
+    return prismaInstance;
+  }
+
+  // If DATABASE_URL is already set (local dev, tests), use it directly
+  if (process.env.DATABASE_URL) {
+    prismaInstance = new PrismaClient({
+      log: process.env.NODE_ENV === 'test' ? ['error'] : ['warn', 'error'],
+    });
+    return prismaInstance;
+  }
+
+  // In production, build DATABASE_URL from secrets
+  const databaseUrl = await buildDatabaseUrl();
+  process.env.DATABASE_URL = databaseUrl;
+
+  prismaInstance = new PrismaClient({
+    log: process.env.NODE_ENV === 'test' ? ['error'] : ['warn', 'error'],
+  });
+
+  return prismaInstance;
+}
+
+// For synchronous access (local dev and tests where DATABASE_URL is set)
+// In production with Secrets Manager, use getPrismaClient() instead
+function createPrismaClient(): PrismaClient {
+  if (prismaInstance) {
+    return prismaInstance;
+  }
+
+  if (!process.env.DATABASE_URL) {
+    throw new Error(
+      'DATABASE_URL is not set. For production with AWS Secrets Manager, initialize with getPrismaClient() first.'
+    );
+  }
+
+  prismaInstance = new PrismaClient({
+    log: process.env.NODE_ENV === 'test' ? ['error'] : ['warn', 'error'],
+  });
+
+  return prismaInstance;
+}
+
+export default createPrismaClient();

packages/api/src/__tests__/setup.ts

@@ -0,0 +1,59 @@
+import { SecretsManagerClient, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';
+
+interface DatabaseSecret {
+  password: string;
+  username?: string;
+  engine?: string;
+  host?: string;
+  port?: number;
+  dbname?: string;
+}
+
+let cachedSecret: string | null = null;
+
+export async function getDatabasePassword(): Promise<string> {
+  // If we already fetched the secret, return it
+  if (cachedSecret) {
+    return cachedSecret;
+  }
+
+  const secretArn = process.env.DB_SECRET_ARN;
+
+  if (!secretArn) {
+    throw new Error('DB_SECRET_ARN environment variable not set');
+  }
+
+  const client = new SecretsManagerClient({ region: process.env.AWS_REGION || 'us-west-1' });
+
+  try {
+    const command = new GetSecretValueCommand({ SecretId: secretArn });
+    const response = await client.send(command);
+
+    if (!response.SecretString) {
+      throw new Error('Secret value is empty');
+    }
+
+    const secret: DatabaseSecret = JSON.parse(response.SecretString);
+    cachedSecret = secret.password;
+
+    return cachedSecret;
+  } catch (error) {
+    console.error('Error fetching database password from Secrets Manager:', error);
+    throw error;
+  }
+}
+
+export async function buildDatabaseUrl(): Promise<string> {
+  const user = process.env.DB_USER || 'postgres';
+  const host = process.env.DB_HOST;
+  const port = process.env.DB_PORT || '5432';
+  const database = process.env.DB_NAME || 'postgres';
+
+  if (!host) {
+    throw new Error('DB_HOST environment variable not set');
+  }
+
+  const password = await getDatabasePassword();
+
+  return `postgresql://${user}:${password}@${host}:${port}/${database}?schema=public`;
+}

packages/api/src/config/database.ts

@@ -5,6 +5,7 @@ import { errorHandler } from './middleware/errorHandler';
 import productRoutes from './routes/products';
 import cartRoutes from './routes/cart';
 import orderRoutes from './routes/orders';
+import { getPrismaClient } from './config/database';
 
 dotenv.config();
 
@@ -28,7 +29,21 @@ app.use('/api/orders', orderRoutes);
 // Error handler (must be last)
 app.use(errorHandler);
 
-// Start server
-app.listen(PORT, () => {
-  console.log(`Server listening on port ${PORT}`);
-});
+// Initialize database and start server
+async function start() {
+  try {
+    // Initialize Prisma client (this will fetch secrets if needed)
+    await getPrismaClient();
+    console.log('Database connection initialized');
+
+    // Start server
+    app.listen(PORT, () => {
+      console.log(`Server listening on port ${PORT}`);
+    });
+  } catch (error) {
+    console.error('Failed to start server:', error);
+    process.exit(1);
+  }
+}
+
+start();