use aws secret

Gemfile

@@ -6,6 +6,7 @@ ruby '3.3.3'
 
 gem 'arabic-letter-connector', require: 'arabic-letter-connector/logic'
 gem 'aws-sdk-s3', require: false
+gem 'aws-sdk-secretsmanager', require: false
 gem 'azure-storage-blob', require: false
 gem 'bootsnap', require: false
 gem 'cancancan'

Gemfile.lock

@@ -96,6 +96,9 @@ GEM
       aws-sdk-core (~> 3, >= 3.191.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.8)
+    aws-sdk-secretsmanager (1.91.0)
+      aws-sdk-core (~> 3, >= 3.191.0)
+      aws-sigv4 (~> 1.1)
     aws-sigv4 (1.8.0)
       aws-eventstream (~> 1, >= 1.0.2)
     azure-storage-blob (2.0.3)
@@ -563,6 +566,7 @@ DEPENDENCIES
   annotate
   arabic-letter-connector
   aws-sdk-s3
+  aws-sdk-secretsmanager
   azure-storage-blob
   better_html
   bootsnap

config/dotenv.rb

@@ -1,6 +1,21 @@
 # frozen_string_literal: true
 
-if ENV['RAILS_ENV'] == 'production' && ENV['SECRET_KEY_BASE'].to_s.empty?
+if ENV['RAILS_ENV'] == 'production'
+  if !ENV['AWS_SECRET_MANAGER_ID'].to_s.empty?
+    require 'aws-sdk-secretsmanager'
+
+    client = Aws::SecretsManager::Client.new
+
+    secret_id = ENV.fetch('AWS_SECRET_MANAGER_ID', '')
+
+    client.get_secret_value(secret_id:).secret_string.split("\n").each do |line|
+      key, value = line.split('=', 2)
+
+      ENV[key] = value if !key.to_s.empty? && !value.to_s.empty?
+    end
+
+    RubyVM::YJIT.enable if ENV['RUBY_YJIT_ENABLE'] == 'true'
+  elsif ENV['SECRET_KEY_BASE'].to_s.empty?
     require 'dotenv'
     require 'securerandom'
 
@@ -21,6 +36,7 @@ if ENV['RAILS_ENV'] == 'production' && ENV['SECRET_KEY_BASE'].to_s.empty?
 
     ENV['DATABASE_URL'] = ENV['DATABASE_URL'].to_s.empty? ? database_url : ENV.fetch('DATABASE_URL', nil)
   end
+end
 
 if ENV['DATABASE_URL'].to_s.split('@').last.to_s.split('/').first.to_s.include?('_')
   require 'addressable'