From e5b0a2355f90459377948d27b5ceb6dbcef312f1 Mon Sep 17 00:00:00 2001
From: Pete Matsyburka
Date: Thu, 8 Aug 2024 21:43:24 +0300
Subject: [PATCH] use aws secret

---
 Gemfile          |  1 +
 Gemfile.lock     |  4 ++++
 config/dotenv.rb | 44 ++++++++++++++++++++++++++++++--------------
 3 files changed, 35 insertions(+), 14 deletions(-)

diff --git a/Gemfile b/Gemfile
index 5600e361..6e0d422e 100644
--- a/Gemfile
+++ b/Gemfile
@@ -6,6 +6,7 @@ ruby '3.3.3'
 gem 'arabic-letter-connector', require: 'arabic-letter-connector/logic'
 gem 'aws-sdk-s3', require: false
+gem 'aws-sdk-secretsmanager', require: false
 gem 'azure-storage-blob', require: false
 gem 'bootsnap', require: false
 gem 'cancancan'
diff --git a/Gemfile.lock b/Gemfile.lock
index 10dc6621..6e1b2c8e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -96,6 +96,9 @@ GEM
       aws-sdk-core (~> 3, >= 3.191.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.8)
+    aws-sdk-secretsmanager (1.91.0)
+      aws-sdk-core (~> 3, >= 3.191.0)
+      aws-sigv4 (~> 1.1)
     aws-sigv4 (1.8.0)
       aws-eventstream (~> 1, >= 1.0.2)
     azure-storage-blob (2.0.3)
@@ -563,6 +566,7 @@ DEPENDENCIES
   annotate
   arabic-letter-connector
   aws-sdk-s3
+  aws-sdk-secretsmanager
   azure-storage-blob
   better_html
   bootsnap
diff --git a/config/dotenv.rb b/config/dotenv.rb
index 70ffa328..319785e7 100644
--- a/config/dotenv.rb
+++ b/config/dotenv.rb
@@ -1,25 +1,41 @@
 # frozen_string_literal: true
 
-if ENV['RAILS_ENV'] == 'production' && ENV['SECRET_KEY_BASE'].to_s.empty?
-  require 'dotenv'
-  require 'securerandom'
+if ENV['RAILS_ENV'] == 'production'
+  if !ENV['AWS_SECRET_MANAGER_ID'].to_s.empty?
+    require 'aws-sdk-secretsmanager'
 
-  dotenv_path = "#{ENV.fetch('WORKDIR', '.')}/docuseal.env"
+    client = Aws::SecretsManager::Client.new
 
-  unless File.exist?(dotenv_path)
-    default_env = <<~TEXT
-      DATABASE_URL= # keep empty to use sqlite or specify postgresql database URL
-      SECRET_KEY_BASE=#{SecureRandom.hex(64)}
-    TEXT
+    secret_id = ENV.fetch('AWS_SECRET_MANAGER_ID', '')
 
-    File.write(dotenv_path, default_env)
-  end
+    client.get_secret_value(secret_id:).secret_string.split("\n").each do |line|
+      key, value = line.split('=', 2)
+
+      ENV[key] = value if !key.to_s.empty? && !value.to_s.empty?
+    end
+
+    RubyVM::YJIT.enable if ENV['RUBY_YJIT_ENABLE'] == 'true'
+  elsif ENV['SECRET_KEY_BASE'].to_s.empty?
+    require 'dotenv'
+    require 'securerandom'
+
+    dotenv_path = "#{ENV.fetch('WORKDIR', '.')}/docuseal.env"
 
-  database_url = ENV.fetch('DATABASE_URL', nil)
+    unless File.exist?(dotenv_path)
+      default_env = <<~TEXT
+        DATABASE_URL= # keep empty to use sqlite or specify postgresql database URL
+        SECRET_KEY_BASE=#{SecureRandom.hex(64)}
+      TEXT
 
-  Dotenv.load(dotenv_path)
+      File.write(dotenv_path, default_env)
+    end
 
-  ENV['DATABASE_URL'] = ENV['DATABASE_URL'].to_s.empty? ? database_url : ENV.fetch('DATABASE_URL', nil)
+    database_url = ENV.fetch('DATABASE_URL', nil)
+
+    Dotenv.load(dotenv_path)
+
+    ENV['DATABASE_URL'] = ENV['DATABASE_URL'].to_s.empty? ? database_url : ENV.fetch('DATABASE_URL', nil)
+  end
 end
 
 if ENV['DATABASE_URL'].to_s.split('@').last.to_s.split('/').first.to_s.include?('_')
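Review bot: The `.split("\n").each do |line|` loop in the new `AWS_SECRET_MANAGER_ID` branch is a hand-rolled parser for what is effectively a dotenv-format secret, but unlike the `Dotenv.load` path it does not handle quoted values, trailing `# comments` (the very `DATABASE_URL= # keep empty …` line this file writes as a template would land in `ENV['DATABASE_URL']` with the comment attached), or a `\r` left on CRLF lines, and `secret_string` is `nil` for a binary secret, so the `.split` raises `NoMethodError` with no hint of the cause. Since dotenv is already a dependency of this file, the loop could be replaced by `require 'dotenv'` / `secret = client.get_secret_value(secret_id:).secret_string.to_s` / `Dotenv::Parser.call(secret).each { |key, value| ENV[key] = value unless value.to_s.empty? }`, which keeps the overwrite-ENV semantics the loop has. Note also that this branch, unlike the `elsif`, never guarantees `SECRET_KEY_BASE` ends up set; if the secret omits it the process presumably fails later in Rails boot rather than here, so a `raise "SECRET_KEY_BASE missing from secret #{secret_id}" if ENV['SECRET_KEY_BASE'].to_s.empty?` after the loop would fail fast with a clear message. Minor: `secret_id = ENV.fetch('AWS_SECRET_MANAGER_ID', '')` re-reads a variable the enclosing `if` has just proven non-empty, so `ENV.fetch('AWS_SECRET_MANAGER_ID')` states the intent more directly.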