Infrastructure.Secrets.psm1

<#
.SYNOPSIS
    Shared PowerShell module for infrastructure secret management.
 
.DESCRIPTION
    Provides two groups of functions:
 
    Vault setup (one-time, per machine):
      Initialize-MicrosoftPowerShellSecretStoreVault - configures
      SecretStore, registers a local vault, and stores a JSON config
      secret. Calls Use-MicrosoftPowerShellSecretStoreProvider internally
      so module installation is not duplicated.
 
    Runtime read/write (provider-based):
      Get-InfrastructureSecret / Set-InfrastructureSecret - thin dispatch
      layer that routes to whichever provider was registered by a
      Use-*Provider call. Swapping secret backends requires only changing
      which Use-*Provider is called; no other code changes.
 
      Use-MicrosoftPowerShellSecretStoreProvider - registers the
      Microsoft.PowerShell.SecretStore backend (an encrypted local file
      that, on Windows, is DPAPI-scoped to the user account).
 
    Each public function lives in its own file under Public\ and is
    dot-sourced below, so diffs stay focused on a single function per commit.
#>


# Fail fast on uninitialised variables, invalid property references and
# similar latent mistakes. Set here, in the module's root script, so it
# governs every function dot-sourced below.
Set-StrictMode -Version Latest
# Promote non-terminating cmdlet errors to terminating ones so a failed vault
# or provider operation stops the caller instead of being silently skipped.
$ErrorActionPreference = 'Stop'

# Module-level provider state. Holds the hashtable registered by the most
# recent Use-*Provider call. $null until a provider is registered.
# Get-InfrastructureSecret and Set-InfrastructureSecret read this variable;
# Use-*Provider functions write it.
$Script:SecretProvider = $null

. "$PSScriptRoot\Private\Assert-SafeSecretIdentifier.ps1"
. "$PSScriptRoot\Private\Assert-SecretProviderValid.ps1"
. "$PSScriptRoot\Private\Assert-DispatchPreconditions.ps1"
. "$PSScriptRoot\Private\Register-SecretProvider.ps1"

. "$PSScriptRoot\Public\Initialize-MicrosoftPowerShellSecretStoreVault.ps1"
. "$PSScriptRoot\Public\Get-InfrastructureSecret.ps1"
. "$PSScriptRoot\Public\Set-InfrastructureSecret.ps1"
. "$PSScriptRoot\Public\Use-MicrosoftPowerShellSecretStoreProvider.ps1"

# Export-ModuleMember is the authoritative list of what Import-Module exposes;
# at runtime it overrides FunctionsToExport in the psd1. FunctionsToExport is
# still required for discovery without loading the module (Get-Module
# -ListAvailable, Find-Module, PSGallery), so the two lists must match. The
# shared Module.Tests.ps1 in the run-unit-tests action checks that every
# Public\*.ps1 file is present in both. Private helpers are deliberately
# absent here and so stay internal to the module.
Export-ModuleMember -Function 'Initialize-MicrosoftPowerShellSecretStoreVault',
    'Get-InfrastructureSecret',
    'Set-InfrastructureSecret',
    'Use-MicrosoftPowerShellSecretStoreProvider'