AWS Secrets Bundle Laravel Package

constup/aws-secrets-bundle

Symfony bundle that loads parameters from AWS Secrets Manager into the service container. Supports Symfony 5/6 (v1/v2) and requires aws/aws-sdk-php. Configure region/credentials and reference secrets in config for environment-specific setups.


Technical Evaluation

Architecture Fit

The constup/aws-secrets-bundle is Symfony-centric but can be leveraged in Laravel due to Laravel’s reliance on Symfony components (e.g., Dependency Injection, HttpClient). Key fit considerations:

  • Symfony 5/6 Compatibility: Laravel 9.x (Symfony 5.4+) aligns with v1.x, while Laravel 10.x+ (Symfony 6.0+) aligns with v2.x. Laravel 8.x or older is unsupported.
  • AWS Secrets Manager Integration: The bundle abstracts AWS SDK interactions, making it plug-and-play for Laravel apps already using AWS services (e.g., RDS, S3).
  • Dynamic Parameter Injection: The %env(aws:...)% syntax integrates with Laravel’s container via Symfony’s parameter bag, enabling zero-code changes for basic use cases (e.g., replacing .env variables).
  • Laravel-Specific Gaps:
    • No Native Laravel Config Support: The bundle targets Symfony’s config/packages/, requiring Laravel to adapt (e.g., via config/aws_secrets.php).
    • Laravel’s env() Helper: The bundle doesn’t natively extend Laravel’s env() function, necessitating custom logic (e.g., a service provider) to bridge %env(aws:...)% with Laravel’s environment system.
    • Artisan/Console Commands: The bundle lacks Laravel-specific CLI tools (e.g., php artisan aws:secrets:list), requiring manual AWS CLI usage or custom commands.

Integration Feasibility

  • Stack Fit:
    • Laravel 9.x+: Feasible with v1.x (Symfony 5.3+) or v2.x (Symfony 6.0+), assuming PHP 7.4+ or 8.0+ respectively.
    • Legacy Laravel: Infeasible without major refactoring (e.g., upgrading Symfony components).
    • AWS SDK: Laravel’s default AWS SDK (if used) must be aligned with the bundle’s aws/aws-sdk-php to avoid conflicts. Use composer require aws/aws-sdk-php:^3.0 and configure the bundle to reuse the existing SDK instance.
  • Migration Path:
    1. Assess Compatibility: Verify Laravel’s Symfony version matches the bundle’s requirements (e.g., symfony/dependency-injection:^5.3 for v1.x).
    2. Configure AWS Credentials: Set up IAM roles/policies for Laravel’s execution environment (e.g., EC2, Lambda, ECS) to access Secrets Manager.
    3. Adapt Configuration:
      • Create config/aws_secrets.php to mirror Symfony’s YAML config:
        return [
            'client_config' => [
                'region' => env('AWS_REGION'),
                'credentials' => [
                    'key' => env('AWS_ACCESS_KEY_ID'),
                    'secret' => env('AWS_SECRET_ACCESS_KEY'),
                ],
            ],
            'cache' => env('AWS_SECRETS_CACHE', 'array'),
            'ignore' => env('AWS_SECRETS_IGNORE', false),
        ];
        
    4. Extend Laravel’s Environment System:
      • Register a service provider to parse %env(aws:...)% in Laravel’s container:
        use Constup\AwsSecretsBundle\DependencyInjection\AwsSecretsExtension;
        use Illuminate\Support\ServiceProvider;
        use Symfony\Component\DependencyInjection\ContainerBuilder;
        
        class AwsSecretsServiceProvider extends ServiceProvider {
            public function register() {
                $this->app->singleton('aws.secrets', function () {
                    // Build a standalone Symfony container for the bundle's services.
                    $container = new ContainerBuilder();
                    // config/aws_secrets.php returns a plain array, so pass it to the
                    // extension directly; a YAML loader cannot read a PHP file.
                    $extension = new AwsSecretsExtension();
                    $extension->load([config('aws_secrets')], $container);
                    return $container->get('aws_secrets.client');
                });
            }
        }
        
    5. Update .env: Replace hardcoded secrets with AWS references (e.g., DB_PASSWORD=%env(aws:RDS_PASSWORD)%).
  • Compatibility:
    • Doctrine: The provided Doctrine example works with Laravel’s Doctrine Bridge, but connection parameters may need adjustment for Laravel’s DATABASE_URL format.
    • Queues/APIs: Secrets for queues (e.g., SQS) or APIs (e.g., Stripe) can be injected via container parameters, but Laravel’s queue workers may require additional configuration to resolve %env(aws:...)%.
    • Local Development: Use ignore: true in config to bypass AWS calls locally, but ensure secrets are still available via .env or another fallback.
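
The caching, ignore-mode and fallback behaviour discussed above for `%env(aws:...)%` references, as an added example that is not code from the bundle or from this page. `AwsEnvResolver`, its constructor parameters and the stub fetcher are hypothetical; in production the fetcher would wrap the AWS SDK's Secrets Manager `getSecretValue` call.

```php
<?php
// Hypothetical helper, not part of constup/aws-secrets-bundle: resolves the
// "%env(aws:NAME)%" form with an in-process cache and a fail-closed fallback.
final class AwsEnvResolver
{
    private $fetch;            // callable(string $secretId): string
    private array $fallback;   // local values keyed by secret name
    private bool $ignore;      // same role as the 'ignore' option in the config above
    private int $ttl;          // seconds a fetched value is reused
    private array $cache = [];

    public function __construct(callable $fetch, array $fallback = [], bool $ignore = false, int $ttl = 300)
    {
        [$this->fetch, $this->fallback, $this->ignore, $this->ttl] = [$fetch, $fallback, $ignore, $ttl];
    }

    public function resolve(string $value): string
    {
        // Plain values pass through; only a whole-value reference is looked up.
        if (!preg_match('/^%env\(aws:([A-Za-z0-9\/_+=.@-]+)\)%$/', $value, $m)) {
            return $value;
        }
        $id = $m[1];
        if (!$this->ignore) {
            if (isset($this->cache[$id]) && $this->cache[$id][1] > time()) {
                return $this->cache[$id][0];
            }
            try {
                $this->cache[$id] = [($this->fetch)($id), time() + $this->ttl];
                return $this->cache[$id][0];
            } catch (\Throwable $e) {
                // Log the secret name and error class only, never a secret value.
                error_log(sprintf('aws secret "%s" unavailable (%s)', $id, get_class($e)));
            }
        }
        if (!array_key_exists($id, $this->fallback)) {
            throw new \RuntimeException("no value for secret reference {$id}"); // fail closed
        }
        return $this->fallback[$id];
    }
}

// Constructed demo: a stub fetcher stands in for Secrets Manager, so nothing calls AWS.
$stub = function (string $id): string {
    if ($id === 'STRIPE_KEY') { throw new \RuntimeException('throttled'); }
    return "aws-value-of-{$id}";
};
$r = new AwsEnvResolver($stub, ['STRIPE_KEY' => 'local-placeholder']);
echo $r->resolve('%env(aws:RDS_PASSWORD)%'), "\n", $r->resolve('%env(aws:STRIPE_KEY)%'), "\n";
```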

Key Questions

  1. Symfony Version Alignment:
    • What versions of Symfony components does Laravel bundle? Do they conflict with the bundle’s requirements?
    • Example: Laravel 9.x uses Symfony 5.4+, but the bundle’s v1.x requires Symfony 5.3+. Are there breaking changes?
  2. AWS SDK Conflict:
    • Does Laravel already include aws/aws-sdk-php? If so, how can the bundle reuse it to avoid duplication?
  3. Laravel-Specific Extensions:
    • How will %env(aws:...)% be resolved in Laravel’s env() helper or Blade templates? Will a custom resolver be needed?
  4. Performance Impact:
    • What is the overhead of AWS Secrets Manager API calls during runtime? Can caching (e.g., filesystem) mitigate this?
  5. Testing Strategy:
    • How will AWS Secrets Manager be mocked in unit/integration tests? The bundle supports array caching for local testing, but CI/CD may need a different approach.
  6. IAM Permissions:
    • What IAM policies are required for Laravel’s execution environment (e.g., EC2 role, Lambda permissions) to access Secrets Manager?
  7. Secret Rotation:
    • How will Laravel handle automated secret rotation (e.g., RDS passwords)? Will the app need to restart, or can it dynamically reload secrets?
  8. Multi-Environment Secrets:
    • How will secrets be scoped to environments (e.g., dev-db-password, prod-db-password)? Will AWS Secret names include environment prefixes?
  9. Fallback Mechanism:
    • What happens if AWS Secrets Manager is unavailable? Can the app fall back to .env or a default value?
  10. Monitoring/Alerts:
    • How will failed AWS API calls (e.g., throttling, permission errors) be logged or alerted? The bundle lacks built-in monitoring.

Integration Approach

Stack Fit

  • Laravel 9.x+ with Symfony 5.4+:
    • Bundle Version: Use v1.x (constup/aws-secrets-bundle:^1) for Symfony 5.3+ compatibility.
    • PHP Version: Requires PHP 7.4+ (Laravel 9.x meets this).
    • AWS SDK: Ensure aws/aws-sdk-php:^3.0 is installed and configured to avoid conflicts with Laravel’s dependencies.
  • Laravel 10.x+ with Symfony 6.0+:
    • Bundle Version: Use v2.x (constup/aws-secrets-bundle:^2) for Symfony 6.0+ compatibility.
    • PHP Version: Requires PHP 8.0.2+ (Laravel 10.x meets this).
    • HttpClient: The bundle uses Symfony’s HttpClient; ensure Laravel’s symfony/http-client is aligned with the bundle’s version.
  • Legacy Laravel:
    • Not Recommended: Upgrade to Laravel 9.x+ or use a custom solution (e.g., wrap AWS SDK directly).

Migration Path

  1. Pre-Migration:

    • Audit current secret usage: Identify all hardcoded secrets in .env, config files, or code.
    • Set up IAM roles/policies for Laravel’s execution environment (e.g., EC2 instance profile, Lambda execution role) with secretsmanager:GetSecretValue permissions.
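    • Configure AWS credentials in Laravel’s .env (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION). Static keys are only needed where no IAM role is available (e.g., local development); on EC2, ECS or Lambda the AWS SDK’s default credential provider chain uses the role’s temporary credentials.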
  2. Bundle Installation:

    • Install the bundle via Composer:
      composer require constup/aws-secrets-bundle:^1  # For Laravel 9.x
      composer require constup/aws-secrets-bundle:^2  # For Laravel 10.x
      
    • Install the AWS SDK:
      composer require aws/aws-sdk-php:^3.0
      
  3. Configuration:

    • Create config/aws_secrets.php:
      return [
          'client_config' => [
              'region' => env('AWS_REGION'),
              'credentials' => [
                  'key' => env('AWS_ACCESS_KEY_ID'),
                  'secret' => env('AWS_SECRET_ACCESS_KEY'),
              ],
              'version' => 'latest',
          ],
          'cache' => env('AWS_SECRETS_CACHE', 'array'), // Use 'filesystem' for local dev
          'delimiter' => ',',
          'ignore
      