Add AWS KMS decryption support for environment variables #55
Conversation
This commit adds support for decrypting KMS-encrypted environment variables with the format '!kms base64EncodedValue'. The implementation follows these key aspects:

- KMS encrypted values are identified by the '!kms ' prefix
- Quoted base64-encoded values are properly decoded
- KMS decryption is performed using the AWS SDK
- Existing SSM parameter functionality is preserved
- Comprehensive test suite added for KMS decryption
- README updated with KMS usage documentation

The implementation is based on requirements detailed in the CHANGES file and follows the project patterns, including lazy initialization of AWS services and respect for the -no-fail flag. The CHANGES file will be removed in a future commit once the functionality is merged.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

This commit adds detailed comments to the KMS-related tests, making the test suite more readable and easier to review. Each test now has a header comment explaining:

- What the test is checking
- How it relates to existing SSM tests (when applicable)
- Specific behaviors being tested with bullet points

These comments help reviewers understand the test coverage for the new KMS decryption functionality without having to analyze each test in detail.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Pull Request Overview
This PR adds support for decrypting AWS KMS–encrypted environment variables. Key changes include:
- Introducing a lazy-initializing KMS client and corresponding decryption function.
- Extending the environment expansion logic and tests to properly handle KMS-encrypted values.
- Updating documentation in the README to include the new KMS parameter format.
Reviewed Changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| main_test.go | Added tests for KMS value extraction, decryption, and error handling |
| main.go | Added lazyKMSClient, decryptKmsValue implementation, and KMS processing logic |
| README.md | Updated parameter format instructions to include KMS-encrypted values |
Files not reviewed (1)
- CHANGES: Language not supported
Comments suppressed due to low confidence (1)
main.go:206
- [nitpick] Consider renaming the field 'envvar' to 'envVar' to maintain consistency with common camelCase naming conventions.
```go
type kmsVar struct {
```

main.go (excerpt shown with the inline comment below):

```go
func (c *lazyKMSClient) Decrypt(input *kms.DecryptInput) (*kms.DecryptOutput, error) {
	// Initialize the KMS client (and AWS session) if it hasn't been already.
	if c.kms == nil {
```
The lazy initialization of the KMS client in lazyKMSClient is not thread-safe. Consider adding synchronization (e.g., a mutex) if expandEnviron might be called concurrently.
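An added example (not the PR's own code) of the two things the review comment above and the PR description touch on: a lazily built KMS client whose initialization is guarded by `sync.Once` rather than a bare nil check, and the `!kms <base64>` value handling with quoted values and error paths. `Decrypter`, `lazyDecrypter`, `expandKmsValue` and the offline `fakeKMS` are assumed stand-ins for the AWS SDK types so the code runs without AWS access.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
	"sync"
)

const kmsPrefix = "!kms "

// Decrypter is the KMS subset used here; an AWS SDK client would satisfy it
// in the real tool (assumption, not the PR's own type).
type Decrypter interface {
	Decrypt(ciphertext []byte) ([]byte, error)
}
// lazyDecrypter builds its client on first use. sync.Once makes that safe
// under concurrent callers, which a bare "if c.kms == nil" check is not.
type lazyDecrypter struct {
	once   sync.Once
	build  func() Decrypter
	client Decrypter
	builds int // times build ran; once.Do guarantees it stays at 1
}
func (l *lazyDecrypter) Decrypt(ct []byte) ([]byte, error) {
	l.once.Do(func() { l.client = l.build(); l.builds++ })
	return l.client.Decrypt(ct)
}
// expandKmsValue decrypts a "!kms <base64>" value and returns any other value
// unchanged; quotes around the base64 text are stripped before decoding.
func expandKmsValue(d Decrypter, v string) (string, error) {
	if !strings.HasPrefix(v, kmsPrefix) {
		return v, nil
	}
	enc := strings.Trim(strings.TrimPrefix(v, kmsPrefix), `"'`)
	ct, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", fmt.Errorf("kms value is not valid base64: %w", err)
	}
	pt, err := d.Decrypt(ct) // a decrypt failure is returned to the caller
	return string(pt), err
}
// fakeKMS is a constructed offline stand-in: a valid "ciphertext" is the
// plaintext behind an "ENC:" marker; anything else fails like a bad KMS blob.
type fakeKMS struct{}
func (fakeKMS) Decrypt(ct []byte) ([]byte, error) {
	if !strings.HasPrefix(string(ct), "ENC:") {
		return nil, fmt.Errorf("InvalidCiphertextException")
	}
	return ct[len("ENC:"):], nil
}
```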
This is quite different from how SSM params work, using
This commit adds support for decrypting KMS-encrypted environment variables with the format '!kms base64EncodedValue'. The implementation follows these key aspects:
The implementation is based on requirements detailed in the CHANGES file and follows the project patterns, including lazy initialization of AWS services and respect for the -no-fail flag. The CHANGES file will be removed in a future commit once the functionality is ready to be merged.
🤖 Generated with Claude Code