@causa/workspace-google 0.1.0

package/LICENSE.md

@@ -0,0 +1,15 @@
+ISC License
+
+Copyright (c) 2023 Causa
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.

package/README.md

@@ -0,0 +1 @@
+# `@causa/workspace-google` module

package/dist/cli/google-firebase-storage.d.ts

@@ -0,0 +1,5 @@
+import { ParentCliCommandDefinition } from '@causa/cli';
+/**
+ * The parent `google firebaseStorage` command.
+ */
+export declare const firebaseStorageCommandDefinition: ParentCliCommandDefinition;

package/dist/cli/google-firebase-storage.js

@@ -0,0 +1,9 @@
+import { googleCommandDefinition } from './google.js';
+/**
+ * The parent `google firebaseStorage` command.
+ */
+export const firebaseStorageCommandDefinition = {
+    parent: googleCommandDefinition,
+    name: 'firebaseStorage',
+    description: 'Performs Firebase Storage-related operations.',
+};

package/dist/cli/google-firestore.d.ts

@@ -0,0 +1,5 @@
+import { ParentCliCommandDefinition } from '@causa/cli';
+/**
+ * The parent `google firestore` command.
+ */
+export declare const firestoreCommandDefinition: ParentCliCommandDefinition;

package/dist/cli/google-firestore.js

@@ -0,0 +1,9 @@
+import { googleCommandDefinition } from './google.js';
+/**
+ * The parent `google firestore` command.
+ */
+export const firestoreCommandDefinition = {
+    parent: googleCommandDefinition,
+    name: 'firestore',
+    description: 'Performs Firestore database-related operations.',
+};

package/dist/cli/google.d.ts

@@ -0,0 +1,5 @@
+import { ParentCliCommandDefinition } from '@causa/cli';
+/**
+ * The parent `google` command.
+ */
+export declare const googleCommandDefinition: ParentCliCommandDefinition;

package/dist/cli/google.js

@@ -0,0 +1,7 @@
+/**
+ * The parent `google` command.
+ */
+export const googleCommandDefinition = {
+    name: 'google',
+    description: 'Performs GCP-specific operations.',
+};

package/dist/cli/index.d.ts

@@ -0,0 +1,3 @@
+export { firebaseStorageCommandDefinition } from './google-firebase-storage.js';
+export { firestoreCommandDefinition } from './google-firestore.js';
+export { googleCommandDefinition } from './google.js';

package/dist/cli/index.js

@@ -0,0 +1,3 @@
+export { firebaseStorageCommandDefinition } from './google-firebase-storage.js';
+export { firestoreCommandDefinition } from './google-firestore.js';
+export { googleCommandDefinition } from './google.js';

package/dist/configurations/google.d.ts

@@ -0,0 +1,190 @@
+/**
+ * The schema for Google / GCP configuration.
+ */
+export type GoogleConfiguration = {
+    /**
+     * Configuration for everything Google / GCP-related.
+     */
+    google?: {
+        /**
+         * The ID of the default GCP project used when performing operations.
+         */
+        project?: string;
+        /**
+         * The ID of a local GCP project (which does not exist on GCP).
+         * This is for example used by emulators. It should usually start with `demo-` to be compatible with some emulators.
+         */
+        localProject?: string;
+        /**
+         * The list of GCP services on which the project depends.
+         * This is useful to automatically enable those services in the GCP project.
+         */
+        services?: string[];
+        /**
+         * Configuration for the `gcloud` command.
+         * This applies to Dockerized calls to `gcloud` using the official `gcloud` Docker image.
+         */
+        gcloud?: {
+            /**
+             * The version of the `gcloud` command.
+             */
+            version?: string;
+        };
+        /**
+         * Configuration for the Firebase project.
+         */
+        firebase?: {
+            /**
+             * An existing service account that can be used to sign Identity Platform custom token.
+             * Generating custom tokens by signing them using end-user credentials does not work with Identity Platform.
+             * A good choice is usually the service account automatically created by Firebase:
+             * `firebase-adminsdk-<random ID>@<GCP project>.iam.gserviceaccount.com`
+             * If this is not set and is needed by an operation, an attempt will be made to find this service account in the
+             * current `google.project`.
+             */
+            adminServiceAccount?: string;
+            /**
+             * The Firebase API key used by clients. Used to perform requests to Firebase as an end user.
+             * This can be found in the GCP or Firebase Console.
+             * If this is not set and is needed by an operation, an attempt will be made to find the key automatically using
+             * the API.
+             */
+            apiKey?: string;
+            /**
+             * The domain name for the project.
+             * If not set, this default to `<GCP project>.firebaseapp.com`.
+             */
+            authDomain?: string;
+        };
+        /**
+         * Configuration for Firebase tools (the CLI).
+         * This applies to Dockerized calls to the `firebase` CLI.
+         */
+        firebaseTools?: {
+            /**
+             * The version of the CLI to use.
+             */
+            version?: string;
+        };
+        /**
+         * Configuration for the Secret Manager service.
+         */
+        secretManager?: {
+            /**
+             * The ID of the default GCP project referenced when fetching secrets.
+             */
+            project?: string;
+        };
+        /**
+         * Configuration for the Firebase Storage service.
+         */
+        firebaseStorage?: {
+            /**
+             * Configuration for the emulator.
+             */
+            emulator?: {
+                /**
+                 * The name of the local Docker container running the emulator.
+                 */
+                containerName?: string;
+            };
+            /**
+             * A list of glob patterns to find files in the workspace defining Firebase Storage security rules.
+             */
+            securityRuleFiles?: string[];
+            /**
+             * The file path, relative to the workspace root, where the merged security rules file is written.
+             */
+            securityRuleFile?: string;
+        };
+        /**
+         * Configuration for the Identity Platform (formerly Firebase Auth) service.
+         */
+        identityPlatform?: {
+            /**
+             * Configuration for the emulator.
+             */
+            emulator?: {
+                /**
+                 * The name of the local Docker container running the emulator.
+                 */
+                containerName?: string;
+            };
+        };
+        /**
+         * Configuration for the Firestore service.
+         */
+        firestore?: {
+            /**
+             * Configuration for the emulator.
+             */
+            emulator?: {
+                /**
+                 * The name of the local Docker container running the emulator.
+                 */
+                containerName?: string;
+            };
+            /**
+             * A list of glob patterns to find files in the workspace defining Firestore security rules.
+             */
+            securityRuleFiles?: string[];
+            /**
+             * The file path, relative to the workspace root, where the merged security rules file is written.
+             */
+            securityRuleFile?: string;
+        };
+        /**
+         * Configuration for the Pub/Sub service.
+         */
+        pubSub?: {
+            /**
+             * Configuration for the emulator.
+             */
+            emulator?: {
+                /**
+                 * The name of the local Docker container running the emulator.
+                 */
+                containerName?: string;
+            };
+        };
+        /**
+         * Configuration for the Spanner service.
+         */
+        spanner?: {
+            /**
+             * Configuration for the emulator.
+             */
+            emulator?: {
+                /**
+                 * The name of the local Docker container running the emulator.
+                 */
+                containerName?: string;
+                /**
+                 * The version of the Spanner emulator Docker image to use.
+                 */
+                version?: string;
+                /**
+                 * The name of the Spanner instance that will automatically be created in the emulator.
+                 */
+                instanceName?: string;
+            };
+            /**
+             * Defines how DDLs are found for the Spanner databases in the workspace.
+             */
+            ddls?: {
+                /**
+                 * The format string using groups from the regular expression used to make the database names.
+                 */
+                format?: string;
+                /**
+                 * A list of glob patterns used to find SQL files containing DDL statements for the Spanner databases.
+                 */
+                globs?: string[];
+                /**
+                 * The regular expression used to extract groups from the SQL file paths.
+                 */
+                regularExpression?: string;
+            };
+        };
+    };
+};

package/dist/configurations/google.js

@@ -0,0 +1 @@
+export {};

package/dist/configurations/index.d.ts

@@ -0,0 +1 @@
+export { GoogleConfiguration } from './google.js';

package/dist/configurations/index.js

@@ -0,0 +1 @@
+export {};

package/dist/firebase/index.d.ts

@@ -0,0 +1 @@
+export { mergeFirebaseRulesFiles } from './rules.js';

package/dist/firebase/index.js

@@ -0,0 +1 @@
+export { mergeFirebaseRulesFiles } from './rules.js';

package/dist/firebase/rules.d.ts

@@ -0,0 +1,11 @@
+import { WorkspaceContext } from '@causa/workspace';
+/**
+ * Merges all the Firebase security rules files in the repository into a single file.
+ *
+ * @param displayableType The type for Firebase security rules, which can be displayed in log messages.
+ * @param globs The list of patterns used to find rule files from the root of the workspace.
+ * @param template The template that takes the merged rules and wraps them to produce the final rules definition.
+ * @param rulesFilePath The destination path where the rules will be written, relative to the workspace root.
+ * @param context The {@link WorkspaceContext} to use.
+ */
+export declare function mergeFirebaseRulesFiles(displayableType: string, globs: string[], template: (rules: string) => string, rulesFilePath: string, context: WorkspaceContext): Promise<string>;

package/dist/firebase/rules.js

@@ -0,0 +1,55 @@
+import { mkdir, readFile, writeFile } from 'fs/promises';
+import { globby } from 'globby';
+import { dirname, join } from 'path';
+/**
+ * The indent for Firebase security rules once merged in the global file.
+ */
+const DOCUMENTS_RULES_INDENT = '    ';
+/**
+ * Merges the given input Firebase security rules files into a single rules definition.
+ *
+ * @param rootPath The absolute path from which `ruleFiles` should be resolved.
+ * @param rulesFiles The list of (relative) file paths to the rules.
+ * @param template The template function producing the final rules file.
+ * @returns The merged rules.
+ */
+async function mergeRules(rootPath, rulesFiles, template) {
+    const rules = await Promise.all(rulesFiles.map(async (filePath) => {
+        const path = join(rootPath, filePath);
+        const content = await readFile(path);
+        const rules = content
+            .toString()
+            .replaceAll('\n', `\n${DOCUMENTS_RULES_INDENT}`);
+        return `${DOCUMENTS_RULES_INDENT}// ${filePath}\n${DOCUMENTS_RULES_INDENT}${rules}`;
+    }));
+    const mergedDocumentsRules = rules
+        .join('\n')
+        .replaceAll(/\s+\n/g, '\n\n')
+        .trimEnd();
+    return template(mergedDocumentsRules);
+}
+/**
+ * Merges all the Firebase security rules files in the repository into a single file.
+ *
+ * @param displayableType The type for Firebase security rules, which can be displayed in log messages.
+ * @param globs The list of patterns used to find rule files from the root of the workspace.
+ * @param template The template that takes the merged rules and wraps them to produce the final rules definition.
+ * @param rulesFilePath The destination path where the rules will be written, relative to the workspace root.
+ * @param context The {@link WorkspaceContext} to use.
+ */
+export async function mergeFirebaseRulesFiles(displayableType, globs, template, rulesFilePath, context) {
+    context.logger.info(`🛂 Looking for ${displayableType} rules files.`);
+    const rootPath = context.rootPath;
+    rulesFilePath = join(rootPath, rulesFilePath);
+    const files = await globby(globs, { cwd: rootPath, gitignore: true });
+    files.sort();
+    context.logger.debug(`🛂 Found the following rules files: ${files
+        .map((f) => `'${f}'`)
+        .join(', ')}.`);
+    context.logger.info(`🛂 Merging ${files.length} ${displayableType} rules files.`);
+    const mergedRules = await mergeRules(rootPath, files, template);
+    context.logger.debug(`🛂 Writing merged ${displayableType} rules to '${rulesFilePath}'.`);
+    await mkdir(dirname(rulesFilePath), { recursive: true });
+    await writeFile(rulesFilePath, mergedRules);
+    return rulesFilePath;
+}

package/dist/functions/google-firebase-storage-merge-rules.d.ts

@@ -0,0 +1,31 @@
+import { WorkspaceContext, WorkspaceFunction } from '@causa/workspace';
+import { InfrastructureProcessor } from '@causa/workspace-core';
+import { GoogleConfiguration } from '../configurations/index.js';
+/**
+ * The return value of {@link GoogleFirebaseStorageMergeRules}.
+ */
+type GoogleFirebaseStorageMergeRulesResult = {
+    /**
+     * A configuration with `google.firebaseStorage.securityRuleFile` set to the path to the merged rules file.
+     */
+    configuration: GoogleConfiguration;
+    /**
+     * The path to the merged rules file.
+     */
+    securityRuleFile: string;
+};
+/**
+ * A function that merges all the Firebase Storage security rules found in the workspace into a single file, which can
+ * be used for the emulator and as the configuration of the Firebase Storage service.
+ * The `google.firebaseStorage.securityRuleFiles` configuration can be used to pass a list of glob patterns to find
+ * security rule files in the workspace.
+ * The `google.firebaseStorage.securityRuleFile` configuration can be used to specify the output location of the merged
+ * rules file.
+ * Returns a configuration with `google.firebaseStorage.securityRuleFile` set, such that the function can be used as a
+ * processor.
+ */
+export declare class GoogleFirebaseStorageMergeRules extends WorkspaceFunction<Promise<GoogleFirebaseStorageMergeRulesResult>> implements InfrastructureProcessor {
+    _call(context: WorkspaceContext): Promise<GoogleFirebaseStorageMergeRulesResult>;
+    _supports(): boolean;
+}
+export {};

package/dist/functions/google-firebase-storage-merge-rules.js

@@ -0,0 +1,58 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { CliCommand } from '@causa/cli';
+import { WorkspaceFunction } from '@causa/workspace';
+import { firebaseStorageCommandDefinition } from '../cli/index.js';
+import { mergeFirebaseRulesFiles } from '../firebase/index.js';
+/**
+ * The default location where the security rules file for Firebase Storage will be written.
+ */
+const DEFAULT_FIREBASE_STORAGE_SECURITY_RULE_FILE = 'storage.rules';
+/**
+ * A function that merges all the Firebase Storage security rules found in the workspace into a single file, which can
+ * be used for the emulator and as the configuration of the Firebase Storage service.
+ * The `google.firebaseStorage.securityRuleFiles` configuration can be used to pass a list of glob patterns to find
+ * security rule files in the workspace.
+ * The `google.firebaseStorage.securityRuleFile` configuration can be used to specify the output location of the merged
+ * rules file.
+ * Returns a configuration with `google.firebaseStorage.securityRuleFile` set, such that the function can be used as a
+ * processor.
+ */
+let GoogleFirebaseStorageMergeRules = class GoogleFirebaseStorageMergeRules extends WorkspaceFunction {
+    async _call(context) {
+        const googleConf = context.asConfiguration();
+        let securityRuleFile = googleConf.get('google.firebaseStorage.securityRuleFile') ??
+            DEFAULT_FIREBASE_STORAGE_SECURITY_RULE_FILE;
+        const globs = googleConf.get('google.firebaseStorage.securityRuleFiles') ?? [];
+        securityRuleFile = await mergeFirebaseRulesFiles('Firebase Storage', globs, (rules) => `rules_version = '2';
+
+service firebase.storage {
+  match /b/{bucket}/o {
+${rules}
+  }
+}
+`, securityRuleFile, context);
+        return {
+            configuration: { google: { firebaseStorage: { securityRuleFile } } },
+            securityRuleFile,
+        };
+    }
+    _supports() {
+        return true;
+    }
+};
+GoogleFirebaseStorageMergeRules = __decorate([
+    CliCommand({
+        parent: firebaseStorageCommandDefinition,
+        name: 'mergeRules',
+        description: `Merge Firebase Storage security rules into a single file.
+Input files are looked for in the workspace using the globs defined in google.firebaseStorage.securityRulesFiles.`,
+        summary: 'Merge Firebase Storage security rules into a single file.',
+        outputFn: ({ securityRuleFile }) => console.log(securityRuleFile),
+    })
+], GoogleFirebaseStorageMergeRules);
+export { GoogleFirebaseStorageMergeRules };

package/dist/functions/google-firestore-merge-rules.d.ts

@@ -0,0 +1,31 @@
+import { WorkspaceContext, WorkspaceFunction } from '@causa/workspace';
+import { InfrastructureProcessor } from '@causa/workspace-core';
+import { GoogleConfiguration } from '../configurations/index.js';
+/**
+ * The return value of {@link GoogleFirestoreMergeRules}.
+ */
+type GoogleFirestoreMergeRulesResult = {
+    /**
+     * A configuration with `google.firestore.securityRuleFile` set to the path to the merged rules file.
+     */
+    configuration: GoogleConfiguration;
+    /**
+     * The path to the merged rules file.
+     */
+    securityRuleFile: string;
+};
+/**
+ * A function that merges all the Firestore security rules found in the workspace into a single file, which can be used
+ * for the emulator and as the configuration of the Firestore service.
+ * The `google.firestore.securityRuleFiles` configuration can be used to pass a list of glob patterns to find security
+ * rule files in the workspace.
+ * The `google.firestore.securityRuleFile` configuration can be used to specify the output location of the merged rules
+ * file.
+ * Returns a configuration with `google.firestore.securityRuleFile` set, such that the function can be used as a
+ * processor.
+ */
+export declare class GoogleFirestoreMergeRules extends WorkspaceFunction<Promise<GoogleFirestoreMergeRulesResult>> implements InfrastructureProcessor {
+    _call(context: WorkspaceContext): Promise<GoogleFirestoreMergeRulesResult>;
+    _supports(): boolean;
+}
+export {};

package/dist/functions/google-firestore-merge-rules.js

@@ -0,0 +1,58 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { CliCommand } from '@causa/cli';
+import { WorkspaceFunction } from '@causa/workspace';
+import { firestoreCommandDefinition } from '../cli/index.js';
+import { mergeFirebaseRulesFiles } from '../firebase/index.js';
+/**
+ * The default location where the security rules file for Firestore will be written.
+ */
+const DEFAULT_FIRESTORE_SECURITY_RULE_FILE = 'firestore.rules';
+/**
+ * A function that merges all the Firestore security rules found in the workspace into a single file, which can be used
+ * for the emulator and as the configuration of the Firestore service.
+ * The `google.firestore.securityRuleFiles` configuration can be used to pass a list of glob patterns to find security
+ * rule files in the workspace.
+ * The `google.firestore.securityRuleFile` configuration can be used to specify the output location of the merged rules
+ * file.
+ * Returns a configuration with `google.firestore.securityRuleFile` set, such that the function can be used as a
+ * processor.
+ */
+let GoogleFirestoreMergeRules = class GoogleFirestoreMergeRules extends WorkspaceFunction {
+    async _call(context) {
+        const googleConf = context.asConfiguration();
+        let securityRuleFile = googleConf.get('google.firestore.securityRuleFile') ??
+            DEFAULT_FIRESTORE_SECURITY_RULE_FILE;
+        const globs = googleConf.get('google.firestore.securityRuleFiles') ?? [];
+        securityRuleFile = await mergeFirebaseRulesFiles('Firestore', globs, (rules) => `rules_version = '2';
+
+service cloud.firestore {
+  match /databases/{database}/documents {
+${rules}
+  }
+}
+`, securityRuleFile, context);
+        return {
+            configuration: { google: { firestore: { securityRuleFile } } },
+            securityRuleFile,
+        };
+    }
+    _supports() {
+        return true;
+    }
+};
+GoogleFirestoreMergeRules = __decorate([
+    CliCommand({
+        parent: firestoreCommandDefinition,
+        name: 'mergeRules',
+        description: `Merge Firestore security rules into a single file.
+Input files are looked for in the workspace using the globs defined in google.firestore.securityRulesFiles.`,
+        summary: 'Merge Firestore security rules into a single file.',
+        outputFn: ({ securityRuleFile }) => console.log(securityRuleFile),
+    })
+], GoogleFirestoreMergeRules);
+export { GoogleFirestoreMergeRules };

package/dist/functions/google-services-enable.d.ts

@@ -0,0 +1,27 @@
+import { WorkspaceContext, WorkspaceFunction } from '@causa/workspace';
+import { InfrastructureProcessor } from '@causa/workspace-core';
+import { GoogleConfiguration } from '../configurations/index.js';
+/**
+ * The return value of {@link GoogleServicesEnable}.
+ */
+type GoogleServicesEnableResult = {
+    /**
+     * The configuration that should be merged into the workspace configuration.
+     * In case `google.services` was already set, this will be an empty object to avoid duplicates due to the merging
+     * strategy.
+     */
+    configuration: GoogleConfiguration;
+    /**
+     * The list of services that were enabled.
+     */
+    services: string[];
+};
+/**
+ * Enables GCP services defined in `google.services` for the GCP project defined in `google.project`.
+ */
+export declare class GoogleServicesEnable extends WorkspaceFunction<Promise<GoogleServicesEnableResult>> implements InfrastructureProcessor {
+    readonly tearDown?: boolean;
+    _call(context: WorkspaceContext): Promise<GoogleServicesEnableResult>;
+    _supports(): boolean;
+}
+export {};

package/dist/functions/google-services-enable.js

@@ -0,0 +1,75 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { CliCommand } from '@causa/cli';
+import { WorkspaceFunction } from '@causa/workspace';
+import { AllowMissing } from '@causa/workspace/validation';
+import { ServiceUsageClient } from '@google-cloud/service-usage';
+import { IsBoolean } from 'class-validator';
+import { googleCommandDefinition } from '../cli/index.js';
+/**
+ * The maximum number of GCP services that can be enabled at the same time.
+ */
+const MAX_SERVICE_BATCH = 20;
+/**
+ * Enables GCP services defined in `google.services` for the GCP project defined in `google.project`.
+ */
+let GoogleServicesEnable = class GoogleServicesEnable extends WorkspaceFunction {
+    tearDown;
+    async _call(context) {
+        if (this.tearDown) {
+            return { configuration: {}, services: [] };
+        }
+        const googleConf = context.asConfiguration();
+        const gcpProject = googleConf.getOrThrow('google.project');
+        const services = googleConf.get('google.services');
+        if (!services) {
+            // Although not very useful, this ensures the services configuration is set after the processor has run.
+            return { configuration: { google: { services: [] } }, services: [] };
+        }
+        // There is little chance the client would be reused, so it is not cached or exposed as a service.
+        const serviceUsageClient = new ServiceUsageClient();
+        const servicesToEnable = [...services];
+        const parent = `projects/${gcpProject}`;
+        while (servicesToEnable.length > 0) {
+            const serviceIds = servicesToEnable.splice(0, MAX_SERVICE_BATCH);
+            context.logger.info(`➕ Enabling GCP service(s) ${serviceIds
+                .map((s) => `'${s}'`)
+                .join(', ')} in project '${gcpProject}'.`);
+            const [operation] = await serviceUsageClient.batchEnableServices({
+                parent,
+                serviceIds,
+            });
+            await operation.promise();
+        }
+        // If `google.services` was already set, returning it would duplicate the list due to the configuration merging
+        // strategy (concatenating arrays).
+        return { configuration: {}, services };
+    }
+    _supports() {
+        return true;
+    }
+};
+__decorate([
+    IsBoolean(),
+    AllowMissing(),
+    __metadata("design:type", Boolean)
+], GoogleServicesEnable.prototype, "tearDown", void 0);
+GoogleServicesEnable = __decorate([
+    CliCommand({
+        parent: googleCommandDefinition,
+        name: 'enableServices',
+        description: `Enables the GCP services used by the current project.
+Required GCP services should be defined in the 'google.services' configuration.
+They will be enabled in the 'google.project' GCP project.`,
+        summary: 'Enables the GCP services used by the current project.',
+        outputFn: ({ services }) => console.log(services.join('\n')),
+    })
+], GoogleServicesEnable);
+export { GoogleServicesEnable };

package/dist/functions/index.d.ts

@@ -0,0 +1,2 @@
+import { ModuleRegistrationContext } from '@causa/workspace';
+export declare function registerFunctions(context: ModuleRegistrationContext): void;

package/dist/functions/index.js

@@ -0,0 +1,7 @@
+import { GoogleFirebaseStorageMergeRules } from './google-firebase-storage-merge-rules.js';
+import { GoogleFirestoreMergeRules } from './google-firestore-merge-rules.js';
+import { GoogleServicesEnable } from './google-services-enable.js';
+import { SecretFetchForGoogleSecretManager } from './secret-fetch-secret-manager.js';
+export function registerFunctions(context) {
+    context.registerFunctionImplementations(GoogleFirebaseStorageMergeRules, GoogleFirestoreMergeRules, GoogleServicesEnable, SecretFetchForGoogleSecretManager);
+}

package/dist/functions/secret-fetch-secret-manager.d.ts

@@ -0,0 +1,33 @@
+import { SecretFetch, WorkspaceContext } from '@causa/workspace';
+/**
+ * An error thrown when the default GCP project is needed to look up a secret but it has not been defined.
+ */
+export declare class UndefinedDefaultGcpProjectError extends Error {
+    constructor();
+}
+/**
+ * An error thrown when the value returned by the Google Secret Manager client cannot be read as a string.
+ */
+export declare class UnexpectedSecretValueError extends Error {
+    constructor();
+}
+/**
+ * Implements {@link SecretFetch} for secrets using the Google Secret Manager backend (`google.secretManager`).
+ *
+ * ```yaml
+ * secrets:
+ *   simpleSecret:
+ *     id: simple-secret
+ *   secretWithProject:
+ *     id: projects/gcp-project/secrets/my-secret
+ *   secretWithVersion:
+ *     id: projects/gcp-project/secrets/my-secret/versions/12
+ * ```
+ *
+ * If not specified, the GCP project ID will be obtained from `google.secretManager.project`, or will fallback to
+ * `google.project`.
+ */
+export declare class SecretFetchForGoogleSecretManager extends SecretFetch {
+    _call(context: WorkspaceContext): Promise<string>;
+    _supports(): boolean;
+}

package/dist/functions/secret-fetch-secret-manager.js

@@ -0,0 +1,68 @@
+import { InvalidSecretDefinitionError, SecretFetch, } from '@causa/workspace';
+import { GoogleSecretManagerService } from '../services/index.js';
+/**
+ * The regular expression used to match the (Secret Manager) secret ID/name, and possibly its version and project.
+ * [projects/<projectId>/secrets]<secretName>[/versions/<version>]
+ */
+const SECRET_ID_REGEX = /^(?:projects\/(?<projectId>[\w-]+)\/secrets\/)?(?<secretName>[\w-]+)(?:\/versions\/(?<version>(\d+|latest)))?$/;
+/**
+ * An error thrown when the default GCP project is needed to look up a secret but it has not been defined.
+ */
+export class UndefinedDefaultGcpProjectError extends Error {
+    constructor() {
+        super('The default GCP project for the Google Secret Manager could not be found in the configuration.');
+    }
+}
+/**
+ * An error thrown when the value returned by the Google Secret Manager client cannot be read as a string.
+ */
+export class UnexpectedSecretValueError extends Error {
+    constructor() {
+        super('The secret value from the Google Secret Manager could not be parsed.');
+    }
+}
+/**
+ * Implements {@link SecretFetch} for secrets using the Google Secret Manager backend (`google.secretManager`).
+ *
+ * ```yaml
+ * secrets:
+ *   simpleSecret:
+ *     id: simple-secret
+ *   secretWithProject:
+ *     id: projects/gcp-project/secrets/my-secret
+ *   secretWithVersion:
+ *     id: projects/gcp-project/secrets/my-secret/versions/12
+ * ```
+ *
+ * If not specified, the GCP project ID will be obtained from `google.secretManager.project`, or will fallback to
+ * `google.project`.
+ */
+export class SecretFetchForGoogleSecretManager extends SecretFetch {
+    async _call(context) {
+        const id = this.configuration.id;
+        if (!id) {
+            throw new InvalidSecretDefinitionError(`Missing 'id' field that should reference the secret.`);
+        }
+        const match = id.match(SECRET_ID_REGEX);
+        const secretName = match?.groups?.secretName;
+        if (!secretName) {
+            throw new InvalidSecretDefinitionError(`Failed to parse secret reference '${id}'.`);
+        }
+        const { client, defaultProject } = context.service(GoogleSecretManagerService);
+        const project = match?.groups?.projectId ?? defaultProject;
+        const version = match?.groups?.version ?? 'latest';
+        if (!project) {
+            throw new UndefinedDefaultGcpProjectError();
+        }
+        const name = client.secretVersionPath(project, secretName, version);
+        const [value] = await client.accessSecretVersion({ name });
+        const bufferData = value.payload?.data;
+        if (!bufferData || typeof bufferData !== 'object') {
+            throw new UnexpectedSecretValueError();
+        }
+        return bufferData.toString();
+    }
+    _supports() {
+        return this.backend === 'google.secretManager';
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+import { ModuleRegistrationFunction } from '@causa/workspace';
+export * from './configurations/index.js';
+export * from './services/index.js';
+declare const registerModule: ModuleRegistrationFunction;
+export default registerModule;

package/dist/index.js

@@ -0,0 +1,7 @@
+import { registerFunctions } from './functions/index.js';
+export * from './configurations/index.js';
+export * from './services/index.js';
+const registerModule = async (context) => {
+    registerFunctions(context);
+};
+export default registerModule;

package/dist/services/index.d.ts

@@ -0,0 +1 @@
+export { GoogleSecretManagerService } from './secret-manager.js';

package/dist/services/index.js

@@ -0,0 +1 @@
+export { GoogleSecretManagerService } from './secret-manager.js';

package/dist/services/secret-manager.d.ts

@@ -0,0 +1,17 @@
+import { WorkspaceContext } from '@causa/workspace';
+import { SecretManagerServiceClient } from '@google-cloud/secret-manager';
+/**
+ * A service exposing a client to the Google Secret Manager.
+ */
+export declare class GoogleSecretManagerService {
+    /**
+     * The default project to use when fetching secrets.
+     * Can be `undefined`, in which case the project should be set in the secret itself.
+     */
+    readonly defaultProject: string | undefined;
+    /**
+     * The client to the Google Secret Manager.
+     */
+    readonly client: SecretManagerServiceClient;
+    constructor(context: WorkspaceContext);
+}

package/dist/services/secret-manager.js

@@ -0,0 +1,21 @@
+import { SecretManagerServiceClient } from '@google-cloud/secret-manager';
+/**
+ * A service exposing a client to the Google Secret Manager.
+ */
+export class GoogleSecretManagerService {
+    /**
+     * The default project to use when fetching secrets.
+     * Can be `undefined`, in which case the project should be set in the secret itself.
+     */
+    defaultProject;
+    /**
+     * The client to the Google Secret Manager.
+     */
+    client;
+    constructor(context) {
+        this.defaultProject =
+            context.get('google.secretManager.project') ??
+                context.get('google.project');
+        this.client = new SecretManagerServiceClient();
+    }
+}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@causa/workspace-google",
+  "version": "0.1.0",
+  "description": "The Causa workspace module providing many functionalities related to GCP and its services.",
+  "repository": "github:causa-io/workspace-module-google",
+  "license": "ISC",
+  "type": "module",
+  "engines": {
+    "node": ">=16"
+  },
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": "./dist/index.js"
+  },
+  "files": [
+    "dist/",
+    "LICENSE.md",
+    "package.json",
+    "README.md"
+  ],
+  "scripts": {
+    "prebuild": "rimraf ./dist",
+    "build": "tsc -p tsconfig.build.json",
+    "format": "prettier --write \"src/**/*.ts\"",
+    "lint": "eslint \"src/**/*.ts\"",
+    "test": "NODE_OPTIONS=\"--experimental-vm-modules --no-warnings=ExperimentalWarning\" jest",
+    "test:cov": "npm run test -- --coverage"
+  },
+  "dependencies": {
+    "@causa/cli": ">= 0.2.1 < 1.0.0",
+    "@causa/workspace": ">= 0.5.0 < 1.0.0",
+    "@causa/workspace-core": ">= 0.2.0 < 1.0.0",
+    "@google-cloud/secret-manager": "^4.2.2",
+    "@google-cloud/service-usage": "^2.2.2",
+    "class-validator": "^0.14.0",
+    "globby": "^13.1.4"
+  },
+  "devDependencies": {
+    "@tsconfig/node18": "^2.0.1",
+    "@types/jest": "^29.5.1",
+    "eslint": "^8.40.0",
+    "eslint-config-prettier": "^8.8.0",
+    "eslint-plugin-prettier": "^4.2.1",
+    "jest": "^29.5.0",
+    "jest-extended": "^3.2.4",
+    "rimraf": "^5.0.1",
+    "ts-jest": "^29.1.0",
+    "ts-node": "^10.9.1",
+    "typescript": "^5.0.4"
+  }
+}