feat: add AWS Secrets Manager Integration

2025-07-13 01:00:39 +08:00 · 2025-05-29 12:42:05 +09:00
parent a17100e512
commit 1955157e9a
13 changed files with 608 additions and 3 deletions
--- a/docs/docs/installation/github.md
+++ b/docs/docs/installation/github.md
@ -203,6 +203,21 @@ For example: `GITHUB.WEBHOOK_SECRET` --> `GITHUB__WEBHOOK_SECRET`
 7. Go back to steps 8-9 of [Method 5](#run-as-a-github-app) with the function url as your Webhook URL.
    The Webhook URL would look like `https://<LAMBDA_FUNCTION_URL>/api/v1/github_webhooks`

+### Using AWS Secrets Manager (Recommended)
+
+For production Lambda deployments, use AWS Secrets Manager instead of environment variables:
+
+1. Create a secret in AWS Secrets Manager with your configuration
+2. Add IAM permissions for `secretsmanager:GetSecretValue`
+3. Set the secret ARN in your Lambda environment:
+
+```bash
+AWS_SECRETS_MANAGER__SECRET_ARN=arn:aws:secretsmanager:region:account:secret:name
+CONFIG__SECRET_PROVIDER=aws_secrets_manager
+```
+
+For detailed setup instructions, see [AWS Secrets Manager Integration](../usage-guide/aws_secrets_manager.md).
+
 ---

 ## AWS CodeCommit Setup
--- a/docs/docs/usage-guide/additional_configurations.md
+++ b/docs/docs/usage-guide/additional_configurations.md
@ -249,4 +249,15 @@ ignore_pr_authors = ["my-special-bot-user", ...]
 Where the `ignore_pr_authors` is a list of usernames that you want to ignore.

 !!! note
-    There is one specific case where bots will receive an automatic response - when they generated a PR with a _failed test_. In that case, the [`ci_feedback`](https://qodo-merge-docs.qodo.ai/tools/ci_feedback/) tool will be invoked.
+    There is one specific case where bots will receive an automatic response - when they generated a PR with a _failed test_. In that case, the [`ci_feedback`](https://qodo-merge-docs.qodo.ai/tools/ci_feedback/) tool will be invoked.
+
+## Secret Management
+
+For production deployments, consider using external secret management:
+
+- **AWS Secrets Manager**: Recommended for AWS Lambda deployments
+- **Google Cloud Storage**: For Google Cloud environments
+
+External secret providers automatically override environment variables at startup, providing enhanced security for sensitive information like API keys and webhook secrets.
+
+See [Configuration Options](configuration_options.md#secret-providers) for setup details.
--- a/docs/docs/usage-guide/aws_secrets_manager.md
+++ b/docs/docs/usage-guide/aws_secrets_manager.md
@ -0,0 +1,111 @@
+# AWS Secrets Manager Integration
+
+Securely manage sensitive information such as API keys and webhook secrets when running PR-Agent in AWS Lambda environments.
+
+## Overview
+
+AWS Secrets Manager integration allows you to:
+
+- Store sensitive configuration in AWS Secrets Manager instead of environment variables
+- Automatically retrieve and apply secrets at application startup
+- Improve security for Lambda deployments
+- Centrally manage secrets across multiple environments
+
+## Prerequisites
+
+- AWS Lambda deployment of PR-Agent
+- AWS Secrets Manager access permissions
+- Boto3 library (already included in PR-Agent dependencies)
+
+## Configuration
+
+### Step 1: Create Secret in AWS Secrets Manager
+
+Create a secret in AWS Secrets Manager with JSON format:
+
+```json
+{
+  "openai.key": "sk-...",
+  "github.webhook_secret": "your-webhook-secret",
+  "github.user_token": "ghp_...",
+  "gitlab.personal_access_token": "glpat-..."
+}
+```
+
+### Step 2: Configure PR-Agent
+
+Add the following to your configuration:
+
+```toml
+# configuration.toml
+[config]
+secret_provider = "aws_secrets_manager"
+
+# .secrets.toml or environment variables
+[aws_secrets_manager]
+secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:pr-agent-secrets-AbCdEf"
+region_name = ""  # Optional: specific region (defaults to Lambda's region)
+```
+
+### Step 3: Set IAM Permissions
+
+Your Lambda execution role needs the following permissions:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": ["secretsmanager:GetSecretValue"],
+      "Resource": "arn:aws:secretsmanager:region:account:secret:pr-agent/*"
+    }
+  ]
+}
+```
+
+## Environment Variable Mapping
+
+Secrets Manager keys should use dot notation that maps to configuration sections:
+
+| Secret Key              | Configuration Section | Environment Variable     |
+| ----------------------- | --------------------- | ------------------------ |
+| `openai.key`            | `[openai]`            | `OPENAI__KEY`            |
+| `github.webhook_secret` | `[github]`            | `GITHUB__WEBHOOK_SECRET` |
+| `github.user_token`     | `[github]`            | `GITHUB__USER_TOKEN`     |
+
+## Fallback Behavior
+
+If AWS Secrets Manager is unavailable or misconfigured:
+
+- PR-Agent will fall back to environment variables
+- A debug log message will be recorded
+- No service interruption occurs
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Permission Denied**: Ensure Lambda execution role has `secretsmanager:GetSecretValue` permission
+2. **Secret Not Found**: Verify the secret ARN is correct and exists in the specified region
+3. **JSON Parse Error**: Ensure the secret value is valid JSON format
+4. **Connection Issues**: Check network connectivity and AWS region settings
+
+### Debug Logging
+
+Enable debug logging to troubleshoot:
+
+```toml
+[config]
+log_level = "DEBUG"
+```
+
+Check CloudWatch logs for warning/error messages related to AWS Secrets Manager access.
+
+## Security Best Practices
+
+1. Use least-privilege IAM policies
+2. Rotate secrets regularly
+3. Use separate secrets for different environments
+4. Monitor CloudTrail for secret access
+5. Enable secret versioning for rollback capability