feat(thermos): bootstrap env from AWS Secrets Manager at startup

@zen-agentchecks n/achecks…zen/thermos-secrets-manager-bootstrap-tuacpg → master7 files · +396 −22updated 3w ago

▸Description· 1 comment · 4 noise

Description

Adds support for loading all of Thermos's environment variables from a single AWS Secrets Manager secret at startup, gated by a new optional env var AWS_SECRETS_MANAGER_SECRET_ID.

Why

Today, every Thermos required env var (THERMOS_DATABASE_URL, LAMBDA_FUNCTION_NAME, COMPOSIO_ENV, …) has to be plumbed individually through container env / pod spec. For deployments that already manage secrets in AWS Secrets Manager — particularly self-hosted / on-prem installs — that means duplicating credentials across two systems.

This PR lets operators put one Secrets Manager secret of the form

{
  "THERMOS_DATABASE_URL": "postgres://…",
  "LAMBDA_FUNCTION_NAME": "mercury-prod",
  "COMPOSIO_ENV": "production",
  "TEMPORAL_API_KEY": "…",
  …
}

and point Thermos at it with AWS_SECRETS_MANAGER_SECRET_ID=thermos/prod.

What changed

lib/awsutils/secrets.go (new)
- BootstrapSecretsFromEnv(ctx, logger) — reads AWS_SECRETS_MANAGER_SECRET_ID from the env. No-op when unset (fully backward-compatible).
- LoadSecretsIntoEnv(ctx, secretID, region, awsConfig, logger) — fetches the secret, parses it as {string: string} JSON, and writes each pair via os.Setenv. The secret is authoritative — values overwrite any pre-existing env value.
- Supports both SecretString and SecretBinary storage modes.
- Hard-fails on any error (fetch / empty / malformed JSON / non-string value / empty key) so misconfiguration surfaces at startup rather than as a confusing downstream error.
main.go — moves ProvideLogger ahead of the env sanity check, calls awsutils.BootstrapSecretsFromEnv between godotenv.Load() and env.SanityCheck(). This ordering lets required env vars live inside the secret without breaking the sanity check.
lib/env/env.go — registers AWS_SECRETS_MANAGER_SECRET_ID_VAR and AWS_SECRETS_MANAGER_REGION_VAR (both Optional) in the EnvRegistry.
go.mod / go.sum — adds github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.7 (pulls in minor patch bumps of transitive AWS SDK modules).
apps/thermos/CLAUDE.md — documents the two new env vars and the IRSA fallback behavior.

Design notes

IAM role support is preserved. The fetch reuses awsutils.AWSUtilsConfig.Load(region), which only injects static credentials when both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are non-empty (see lib/awsutils/config.go:21-36). When unset, the SDK default credential chain takes over — IRSA via AWS_WEB_IDENTITY_TOKEN_FILE, ECS task role, EC2 instance metadata, etc. No static credentials are introduced.
Region resolution: AWS_SECRETS_MANAGER_REGION if set, otherwise falls back to AWS_LAMBDA_REGION (default us-east-2) so a typical deployment needs zero extra config.
Precedence: Secrets Manager values overwrite existing env vars — the secret is the source of truth. (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY must NOT be placed inside the secret, since they are needed to fetch it; this is documented in the CLAUDE.md note.)
Bootstrap ordering: Loaded before env.SanityCheck so the secret can satisfy required env vars (COMPOSIO_ENV, LAMBDA_FUNCTION_NAME).
Testability: the secrets-manager client is constructed through an overridable factory (newSecretsManagerClient), so unit tests can inject a fake without hitting AWS.

Backward compatibility

Fully backward-compatible. When AWS_SECRETS_MANAGER_SECRET_ID is unset (the default), BootstrapSecretsFromEnv logs at debug level and returns nil — no AWS call is made and behavior is identical to today.

How did I test this PR

Unit tests for the new package — 13 cases covering:
- empty secretID is a no-op (no API call)
- happy path: JSON SecretString → os.Setenv (and verifies overwrite of a pre-existing env value)
- SecretBinary storage path
- fetch error propagates with secret ID + cause
- empty payload (no SecretString and no SecretBinary)
- invalid JSON → clear error
- non-string value ({"PORT": 8080}) → clear error
- top-level array rejected
- empty key in JSON → clear error
- empty JSON object is a valid no-op
- bootstrap is a no-op when env var unset
- region fallback to AWS_LAMBDA_REGION when AWS_SECRETS_MANAGER_REGION is empty
- explicit AWS_SECRETS_MANAGER_REGION overrides
```
cd apps/thermos && go test ./lib/awsutils/... -count=1 -v
```
→ all 24 tests pass (13 new + 11 pre-existing).
Full thermos test suite — cd apps/thermos && go test ./... → all packages green.
Static checks — go build ./..., go vet ./..., gofmt -l on touched files, and pnpm lint:ent-client-usage all clean. (pnpm lint not runnable in this sandbox: the installed golangci-lint is built against Go 1.23 while the repo targets 1.26.2 — CI will run the real lint.)
Backward-compat verification — confirmed the loader returns nil and emits a debug log when AWS_SECRETS_MANAGER_SECRET_ID is empty (TestLoadSecretsIntoEnv_EmptySecretIDIsNoOp / TestBootstrapSecretsFromEnv_UnsetSecretIDIsNoOp), so existing deployments are unaffected.

🤖 Generated with Claude Code

@zen-agent1mo ago

Post-PR status update

Build checks (/build-checks → thermos profile): doppler run -- go vet ./... PASS (2.0s) · doppler run -- go build ./... PASS (8.9s).
Codex review (/codex-review-loop, base origin/master): 1 iteration, 0 actionable findings. Verbatim: "I did not identify any discrete correctness, security, or maintainability issues introduced by these changes. The Secrets Manager bootstrap is wired before the environment sanity check and the new env vars are registered."
CI: ✅ all 28 checks green at commit 346c8e38 (66s elapsed after first poll).
Tests:
- Unit — 13 new tests in lib/awsutils/secrets_test.go covering no-op when env unset, happy path with overwrite, SecretBinary mode, fetch error, empty payload, invalid JSON, non-string values, top-level array, empty key, empty object no-op, bootstrap no-op, region fallback to AWS_LAMBDA_REGION, explicit region override. go test ./lib/awsutils/... -count=1 → 24/24 pass. go test ./... across all thermos packages → green.
- Runtime / E2E against locally-built binary:
  - With AWS_SECRETS_MANAGER_SECRET_ID unset (backward-compat path): Thermos boots through the new ordering — log shows main.go:357 "Sanity checking environment variables" then main.go:365 "Starting thermos" {"mode":"http"}, no fetch attempt. (The startup then fails on an unrelated, pre-existing local workerdb gap — sandbox has no Postgres on 5432; reproducible on master.)
  - With AWS_SECRETS_MANAGER_SECRET_ID=thermos/no-such-secret-zen-test (fail-fast path): real AWS call issued, AccessDeniedException returned, Thermos hard-fatals with a clear wrapped error including secret ID, region, and the AWS error. Log:
    
    info awsutils/secrets.go:90 Fetching secrets from AWS Secrets Manager {"secret_id":"thermos/no-such-secret-zen-test","region":"us-east-2"} fatal thermos/main.go:353 Failed to load secrets from AWS Secrets Manager {"error":"failed to fetch secret \"thermos/no-such-secret-zen-test\" from Secrets Manager: ... api error AccessDeniedException: User: arn:aws:iam::008971668139:user/thermos is not authorized..."}

▸ 4 bot/status comments hidden

@vercel[bot]1mo ago

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
apollo	Ready	Preview, Comment	May 13, 2026 6:54am

Project	Deployment	Actions	Updated (UTC)
debby	Ignored		May 13, 2026 6:54am

@github-actions[bot]1mo ago

🔍 Suggested Reviewers

Based on git blame analysis of 7 file(s):

Contributor	Contribution	Files
Zen	37%	7
Sarthak Agrawal

loading diff…

Why

This PR lets operators put one Secrets Manager secret of the form

{ "THERMOS_DATABASE_URL": "postgres://…", "LAMBDA_FUNCTION_NAME": "mercury-prod", "COMPOSIO_ENV": "production", "TEMPORAL_API_KEY": "…", … }

and point Thermos at it with AWS_SECRETS_MANAGER_SECRET_ID=thermos/prod.

What changed

lib/awsutils/secrets.go (new)

BootstrapSecretsFromEnv(ctx, logger) — reads AWS_SECRETS_MANAGER_SECRET_ID from the env. No-op when unset (fully backward-compatible).
LoadSecretsIntoEnv(ctx, secretID, region, awsConfig, logger) — fetches the secret, parses it as {string: string} JSON, and writes each pair via os.Setenv. The secret is authoritative — values overwrite any pre-existing env value.
Supports both SecretString and SecretBinary storage modes.
Hard-fails on any error (fetch / empty / malformed JSON / non-string value / empty key) so misconfiguration surfaces at startup rather than as a confusing downstream error.

main.go — moves ProvideLogger ahead of the env sanity check, calls awsutils.BootstrapSecretsFromEnv between godotenv.Load() and env.SanityCheck(). This ordering lets required env vars live inside the secret without breaking the sanity check.

lib/env/env.go — registers AWS_SECRETS_MANAGER_SECRET_ID_VAR and AWS_SECRETS_MANAGER_REGION_VAR (both Optional) in the EnvRegistry.

go.mod / go.sum — adds github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.7 (pulls in minor patch bumps of transitive AWS SDK modules).

apps/thermos/CLAUDE.md — documents the two new env vars and the IRSA fallback behavior.

Design notes

IAM role support is preserved. The fetch reuses awsutils.AWSUtilsConfig.Load(region), which only injects static credentials when both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are non-empty (see lib/awsutils/config.go:21-36). When unset, the SDK default credential chain takes over — IRSA via AWS_WEB_IDENTITY_TOKEN_FILE, ECS task role, EC2 instance metadata, etc. No static credentials are introduced.

Region resolution: AWS_SECRETS_MANAGER_REGION if set, otherwise falls back to AWS_LAMBDA_REGION (default us-east-2) so a typical deployment needs zero extra config.

Precedence: Secrets Manager values overwrite existing env vars — the secret is the source of truth. (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY must NOT be placed inside the secret, since they are needed to fetch it; this is documented in the CLAUDE.md note.)

Bootstrap ordering: Loaded before env.SanityCheck so the secret can satisfy required env vars (COMPOSIO_ENV, LAMBDA_FUNCTION_NAME).

Testability: the secrets-manager client is constructed through an overridable factory (newSecretsManagerClient), so unit tests can inject a fake without hitting AWS.

How did I test this PR

Unit tests for the new package — 13 cases covering:

empty secretID is a no-op (no API call)
happy path: JSON SecretString → os.Setenv (and verifies overwrite of a pre-existing env value)
SecretBinary storage path
fetch error propagates with secret ID + cause
empty payload (no SecretString and no SecretBinary)
invalid JSON → clear error
non-string value ({"PORT": 8080}) → clear error
top-level array rejected
empty key in JSON → clear error
empty JSON object is a valid no-op
bootstrap is a no-op when env var unset
region fallback to AWS_LAMBDA_REGION when AWS_SECRETS_MANAGER_REGION is empty
explicit AWS_SECRETS_MANAGER_REGION overrides

cd apps/thermos && go test ./lib/awsutils/... -count=1 -v

→ all 24 tests pass (13 new + 11 pre-existing).

Full thermos test suite — cd apps/thermos && go test ./... → all packages green.

Static checks — go build ./..., go vet ./..., gofmt -l on touched files, and pnpm lint:ent-client-usage all clean. (pnpm lint not runnable in this sandbox: the installed golangci-lint is built against Go 1.23 while the repo targets 1.26.2 — CI will run the real lint.)

Backward-compat verification — confirmed the loader returns nil and emits a debug log when AWS_SECRETS_MANAGER_SECRET_ID is empty (TestLoadSecretsIntoEnv_EmptySecretIDIsNoOp / TestBootstrapSecretsFromEnv_UnsetSecretIDIsNoOp), so existing deployments are unaffected.

🤖 Generated with Claude Code

Post-PR status update

Build checks (/build-checks → thermos profile): doppler run -- go vet ./... PASS (2.0s) · doppler run -- go build ./... PASS (8.9s).

Codex review (/codex-review-loop, base origin/master): 1 iteration, 0 actionable findings. Verbatim: "I did not identify any discrete correctness, security, or maintainability issues introduced by these changes. The Secrets Manager bootstrap is wired before the environment sanity check and the new env vars are registered."

CI: ✅ all 28 checks green at commit 346c8e38 (66s elapsed after first poll).

Tests:

Unit — 13 new tests in lib/awsutils/secrets_test.go covering no-op when env unset, happy path with overwrite, SecretBinary mode, fetch error, empty payload, invalid JSON, non-string values, top-level array, empty key, empty object no-op, bootstrap no-op, region fallback to AWS_LAMBDA_REGION, explicit region override. go test ./lib/awsutils/... -count=1 → 24/24 pass. go test ./... across all thermos packages → green.
Runtime / E2E against locally-built binary:
- With AWS_SECRETS_MANAGER_SECRET_ID unset (backward-compat path): Thermos boots through the new ordering — log shows main.go:357 "Sanity checking environment variables" then main.go:365 "Starting thermos" {"mode":"http"}, no fetch attempt. (The startup then fails on an unrelated, pre-existing local workerdb gap — sandbox has no Postgres on 5432; reproducible on master.)
- With AWS_SECRETS_MANAGER_SECRET_ID=thermos/no-such-secret-zen-test (fail-fast path): real AWS call issued, AccessDeniedException returned, Thermos hard-fatals with a clear wrapped error including secret ID, region, and the AWS error. Log:
  
  info awsutils/secrets.go:90 Fetching secrets from AWS Secrets Manager {"secret_id":"thermos/no-such-secret-zen-test","region":"us-east-2"} fatal thermos/main.go:353 Failed to load secrets from AWS Secrets Manager {"error":"failed to fetch secret \"thermos/no-such-secret-zen-test\" from Secrets Manager: ... api error AccessDeniedException: User: arn:aws:iam::008971668139:user/thermos is not authorized..."}

Project

Deployment

Actions

Updated (UTC)

apollo

Ready

Preview, Comment

May 13, 2026 6:54am

Project

Deployment

Actions

Updated (UTC)

debby

Ignored

May 13, 2026 6:54am

Contributor

Contribution

Files

Zen

37%

Sarthak Agrawal

Files with missing lines	Patch %	Lines
apps/thermos/lib/awsutils/secrets.go	82.81%	9 Missing and 2 partials :warning:
apps/thermos/main.go	0.00%	7 Missing :warning:
apps/thermos/lib/env/env.go	0.00%	2 Missing :warning:

Flag	Coverage Δ
e2e-tests	`?`
self-hosted-tests	`5.64% <ø> (ø)`
thermos-service-isolation-tests	`65.62% <ø> (ø)`
thermos-unit-tests	`7.36% <72.60%> (+0.11%)`	:arrow_up:
unit-tests	`?`

Files with missing lines	Coverage Δ
apps/thermos/lib/env/env.go	`0.00% <0.00%> (ø)`
apps/thermos/main.go	`0.00% <0.00%> (ø)`
apps/thermos/lib/awsutils/secrets.go	`82.81% <82.81%> (ø)`

feat(thermos): bootstrap env from AWS Secrets Manager at startup

Description

Why

What changed

Design notes

Backward compatibility

How did I test this PR

Post-PR status update

🔍 Suggested Reviewers

Description

Why

What changed

Design notes

Backward compatibility

How did I test this PR

Post-PR status update

🔍 Suggested Reviewers

💡 Recommendation

Codecov Report

🧪 Test Results Summary (Self-Hosted Tests)