@govuk-pay/cli 0.0.51 → 0.0.53

package/src/commands/secrets/config/secrets/pay_low_pass/test.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TEST_CONFIG = void 0;
+exports.TEST_CONFIG = {
+    alb_and_s3_logging_pipeline: {
+        firehose_hec_token: 'splunk/firehose-hec-token'
+    },
+    codebuild: {
+        'docker-username': 'dockerhub/concourse-username',
+        'docker-access-token': 'dockerhub/concourse-access-token',
+        'github-access-token': 'alphagov-pay-ci-concourse/github.com-concourse-github-personal-access-token'
+    }
+};

package/src/commands/secrets/config/secrets/pay_low_pass.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PAY_LOW_PASS_CONFIG = void 0;
+const deploy_7_1 = require("./pay_low_pass/deploy-7");
+const deploy_1 = require("./pay_low_pass/deploy");
+const deploy_tooling_1 = require("./pay_low_pass/deploy-tooling");
+const dev_1 = require("./pay_low_pass/dev");
+const production_2_1 = require("./pay_low_pass/production-2");
+const production_1 = require("./pay_low_pass/production");
+const staging_2_1 = require("./pay_low_pass/staging-2");
+const staging_1 = require("./pay_low_pass/staging");
+const test_12_1 = require("./pay_low_pass/test-12");
+const test_1 = require("./pay_low_pass/test");
+const test_perf_1_1 = require("./pay_low_pass/test-perf-1");
+exports.PAY_LOW_PASS_CONFIG = {
+    deploy: deploy_1.DEPLOY_CONFIG,
+    'deploy-7': deploy_7_1.DEPLOY_7_CONFIG,
+    'deploy-tooling': deploy_tooling_1.DEPLOY_TOOLING_CONFIG,
+    dev: dev_1.DEV_CONFIG,
+    production: production_1.PRODUCTION_CONFIG,
+    'production-2': production_2_1.PRODUCTION_2_CONFIG,
+    staging: staging_1.STAGING_CONFIG,
+    'staging-2': staging_2_1.STAGING_2_CONFIG,
+    test: test_1.TEST_CONFIG,
+    'test-12': test_12_1.TEST_12_CONFIG,
+    'test-perf-1': test_perf_1_1.TEST_PERF_1_CONFIG
+};

package/src/commands/secrets/config/secrets/ssm.js

@@ -0,0 +1,4 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SSM_CONFIG = void 0;
+exports.SSM_CONFIG = {};

package/src/commands/secrets/config/secrets/value/deploy-tooling.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEPLOY_TOOLING_CONFIG = void 0;
+exports.DEPLOY_TOOLING_CONFIG = {
+    'pact-broker': {
+        DB_SUPPORT_USER_READONLY: 'pact_broker_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'pact_broker_support_readwrite',
+        DB_USER: 'pact_broker'
+    }
+};

package/src/commands/secrets/config/secrets/value/deploy.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEPLOY_CONFIG = void 0;
+exports.DEPLOY_CONFIG = {
+    'cd-pay-dev': {
+        pay_aws_deploy_account_id: '424875624006',
+        pay_aws_dev_account_id: '673337093959',
+        pay_aws_staging_account_id: '888564216586',
+        pay_aws_test_account_id: '223851549868'
+    },
+    'cd-pay-deploy': {
+        'internal-vulnerability-scan/jira-base-url': 'https://payments-platform.atlassian.net',
+        'pay-team-manual/github-username': 'alphagov-pay-ci-concourse',
+        pay_aws_deploy_account_id: '424875624006',
+        pay_aws_prod_account_id: '092359438320',
+        pay_aws_production_account_id: '092359438320',
+        pay_aws_staging_account_id: '888564216586',
+        pay_aws_test_account_id: '223851549868'
+    }
+};

package/src/commands/secrets/config/secrets/value/production-2.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PRODUCTION_2_CONFIG = void 0;
+exports.PRODUCTION_2_CONFIG = {
+    adminusers: {
+        DB_SUPPORT_USER_READONLY: 'adminusers_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'adminusers_support_readwrite',
+        DB_USER: 'adminusers1',
+        NOTIFY_SECRET: ''
+    },
+    connector: {
+        DB_SUPPORT_USER_READONLY: 'connector_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'connector_support_readwrite',
+        DB_USER: 'connector2',
+        NOTIFY_SECRET: ''
+    },
+    frontend: {
+        AB_TEST_THRESHOLD: '50'
+    },
+    ledger: {
+        DB_SUPPORT_USER_READONLY: 'ledger_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'ledger_support_readwrite',
+        DB_USER: 'ledger'
+    },
+    publicauth: {
+        DB_SUPPORT_USER_READONLY: 'publicauth_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'publicauth_support_readwrite',
+        DB_USER: 'publicauth1'
+    },
+    products: {
+        DB_SUPPORT_USER_READONLY: 'products_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'products_support_readwrite',
+        DB_USER: 'products'
+    },
+    toolbox: {
+        AUTH_GITHUB_ADMIN_TEAM_ID: '3320243',
+        AUTH_GITHUB_USER_SUPPORT_TEAM_ID: '3304532',
+        AUTH_GITHUB_VIEW_ONLY_TEAM_ID: '7196958'
+    },
+    webhooks: {
+        DB_SUPPORT_USER_READONLY: 'webhooks_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'webhooks_support_readwrite',
+        DB_USER: 'webhooks'
+    }
+};

package/src/commands/secrets/config/secrets/value/staging-2.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.STAGING_2_CONFIG = void 0;
+exports.STAGING_2_CONFIG = {
+    adminusers: {
+        DB_SUPPORT_USER_READONLY: 'adminusers_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'adminusers_support_readwrite',
+        DB_USER: 'adminusers1',
+        NOTIFY_SECRET: ''
+    },
+    connector: {
+        DB_SUPPORT_USER_READONLY: 'connector_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'connector_support_readwrite',
+        DB_USER: 'connector1',
+        NOTIFY_SECRET: ''
+    },
+    frontend: {
+        AB_TEST_THRESHOLD: '50',
+        GOOGLE_PAY_MERCHANT_ID: 'value-not-set',
+        GOOGLE_PAY_MERCHANT_ID_2: 'value-not-set'
+    },
+    ledger: {
+        DB_SUPPORT_USER_READONLY: 'ledger_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'ledger_support_readwrite',
+        DB_USER: 'ledger'
+    },
+    publicauth: {
+        DB_SUPPORT_USER_READONLY: 'publicauth_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'publicauth_support_readwrite',
+        DB_USER: 'publicauth1'
+    },
+    products: {
+        DB_SUPPORT_USER_READONLY: 'products_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'products_support_readwrite',
+        DB_USER: 'products'
+    },
+    toolbox: {
+        AUTH_GITHUB_ADMIN_TEAM_ID: '3304500',
+        AUTH_GITHUB_USER_SUPPORT_TEAM_ID: '3304500',
+        AUTH_GITHUB_VIEW_ONLY_TEAM_ID: '3304500'
+    },
+    webhooks: {
+        DB_SUPPORT_USER_READONLY: 'webhooks_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'webhooks_support_readwrite',
+        DB_USER: 'webhooks'
+    }
+};

package/src/commands/secrets/config/secrets/value/test-12.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TEST_12_CONFIG = void 0;
+exports.TEST_12_CONFIG = {
+    adminusers: {
+        DB_SUPPORT_USER_READONLY: 'adminusers_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'adminusers_support_readwrite',
+        DB_USER: 'adminusers1',
+        NOTIFY_SECRET: ''
+    },
+    connector: {
+        DB_SUPPORT_USER_READONLY: 'connector_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'connector_support_readwrite',
+        DB_USER: 'connector2',
+        NOTIFY_SECRET: ''
+    },
+    frontend: {
+        AB_TEST_THRESHOLD: '50',
+        GOOGLE_PAY_MERCHANT_ID: 'value-not-set',
+        GOOGLE_PAY_MERCHANT_ID_2: 'value-not-set'
+    },
+    ledger: {
+        DB_SUPPORT_USER_READONLY: 'ledger_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'ledger_support_readwrite',
+        DB_USER: 'ledger'
+    },
+    products: {
+        DB_SUPPORT_USER_READONLY: 'products_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'products_support_readwrite',
+        DB_USER: 'products'
+    },
+    publicauth: {
+        DB_SUPPORT_USER_READONLY: 'publicauth_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'publicauth_support_readwrite',
+        DB_USER: 'publicauth1'
+    },
+    toolbox: {
+        AUTH_GITHUB_ADMIN_TEAM_ID: '3304536',
+        AUTH_GITHUB_USER_SUPPORT_TEAM_ID: '3304536',
+        AUTH_GITHUB_VIEW_ONLY_TEAM_ID: '3304536'
+    },
+    webhooks: {
+        DB_SUPPORT_USER_READONLY: 'webhooks_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'webhooks_support_readwrite',
+        DB_USER: 'webhooks'
+    }
+};

package/src/commands/secrets/config/secrets/value/test-perf-1.js

@@ -0,0 +1,49 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TEST_PERF_1_CONFIG = void 0;
+exports.TEST_PERF_1_CONFIG = {
+    adminusers: {
+        DB_SUPPORT_USER_READONLY: 'adminusers_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'adminusers_support_readwrite',
+        DB_USER: 'adminusers',
+        NOTIFY_SECRET: ''
+    },
+    connector: {
+        DB_SUPPORT_USER_READONLY: 'connector_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'connector_support_readwrite',
+        DB_USER: 'connector',
+        NOTIFY_SECRET: ''
+    },
+    frontend: {
+        AB_TEST_THRESHOLD: '50',
+        GOOGLE_PAY_MERCHANT_ID: 'value-not-set',
+        GOOGLE_PAY_MERCHANT_ID_2: 'value-not-set'
+    },
+    ledger: {
+        DB_SUPPORT_USER_READONLY: 'ledger_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'ledger_support_readwrite',
+        DB_USER: 'ledger'
+    },
+    publicauth: {
+        DB_SUPPORT_USER_READONLY: 'publicauth_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'publicauth_support_readwrite',
+        DB_USER: 'publicauth'
+    },
+    products: {
+        DB_SUPPORT_USER_READONLY: 'products_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'products_support_readwrite',
+        DB_USER: 'products'
+    },
+    toolbox: {
+        AUTH_GITHUB_ADMIN_TEAM_ID: '3304536',
+        AUTH_GITHUB_CLIENT_ID: '',
+        AUTH_GITHUB_CLIENT_SECRET: '',
+        AUTH_GITHUB_USER_SUPPORT_TEAM_ID: '3304536',
+        AUTH_GITHUB_VIEW_ONLY_TEAM_ID: '3304536'
+    },
+    webhooks: {
+        DB_SUPPORT_USER_READONLY: 'webhooks_support_readonly',
+        DB_SUPPORT_USER_READWRITE: 'webhooks_support_readwrite',
+        DB_USER: 'webhooks'
+    }
+};

package/src/commands/secrets/config/secrets/value.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VALUE_CONFIG = void 0;
+const deploy_1 = require("./value/deploy");
+const deploy_tooling_1 = require("./value/deploy-tooling");
+const production_2_1 = require("./value/production-2");
+const staging_2_1 = require("./value/staging-2");
+const test_12_1 = require("./value/test-12");
+const test_perf_1_1 = require("./value/test-perf-1");
+exports.VALUE_CONFIG = {
+    deploy: deploy_1.DEPLOY_CONFIG,
+    'deploy-tooling': deploy_tooling_1.DEPLOY_TOOLING_CONFIG,
+    'production-2': production_2_1.PRODUCTION_2_CONFIG,
+    'staging-2': staging_2_1.STAGING_2_CONFIG,
+    'test-12': test_12_1.TEST_12_CONFIG,
+    'test-perf-1': test_perf_1_1.TEST_PERF_1_CONFIG
+};

package/src/commands/secrets/config/secrets.js

@@ -0,0 +1,83 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSecretConfig = exports.configuredSecretsForServiceInEnv = exports.SECRET_SOURCE_PRECEDENCE = exports.SECRETS = void 0;
+const pay_low_pass_1 = require("./secrets/pay_low_pass");
+const config_types_1 = require("./config.types");
+const service_secrets_1 = require("./service_secrets");
+const ssm_1 = require("./secrets/ssm");
+const value_1 = require("./secrets/value");
+exports.SECRETS = {
+    ssm: ssm_1.SSM_CONFIG,
+    'pay-low-pass': pay_low_pass_1.PAY_LOW_PASS_CONFIG,
+    value: value_1.VALUE_CONFIG
+};
+/* This precedence will define the order which secrets should be loaded
+ * The earlier in the array the higher precendence. This allows easy
+ * overridding using a value temporarily while developing or testing
+ */
+exports.SECRET_SOURCE_PRECEDENCE = [
+    'value',
+    'pay-low-pass',
+    'ssm'
+];
+if (exports.SECRET_SOURCE_PRECEDENCE.length !== Object.keys(exports.SECRETS).length) {
+    console.error(`There are a different number of secrets sources in ${__filename} than there are sources contained in the SECRET_SOURCE_PRECEDENCE list`);
+    process.exit(1);
+}
+for (const secretSource of config_types_1.SECRET_SOURCES) {
+    if (!exports.SECRET_SOURCE_PRECEDENCE.includes(secretSource)) {
+        console.error(`The secret source ${secretSource} is not configured in the SECRET_SOURCE_PRECEDENCE in ${__filename}`);
+        process.exit(1);
+    }
+}
+function configuredSecretsForServiceInEnv(env, service) {
+    const serviceSecrets = service_secrets_1.SERVICE_SECRETS[service];
+    return serviceSecrets.map((secretName) => {
+        return getSecretConfig(env, service, secretName);
+    });
+}
+exports.configuredSecretsForServiceInEnv = configuredSecretsForServiceInEnv;
+function getSecretConfig(env, service, secretName) {
+    if (!service_secrets_1.SERVICE_SECRETS[service].includes(secretName)) {
+        console.error(`The secret ${secretName} is not configured for the service ${service} in service_secrets.ts`);
+        process.exit(1);
+    }
+    const providersWithValidConfigs = [];
+    for (const [secretSource, environmentConfig] of Object.entries(exports.SECRETS)) {
+        if (environmentConfig[env]?.[service]?.[secretName] !== undefined) {
+            providersWithValidConfigs.push(secretSource);
+        }
+    }
+    if (providersWithValidConfigs.length === 0) {
+        console.error(`The secret ${secretName} was not found for the environment ${env} in any secret source within secrets.ts`);
+        process.exit(1);
+    }
+    if (providersWithValidConfigs.length > 1) {
+        console.warn(`The secret ${secretName} is configured in multiple secrets sources for the environment ${env} in secrets.ts. It was found for ${providersWithValidConfigs.join(',')}`);
+        console.warn(`Continuing and selecting the secret from providers with this precendence (earlier is higher precendence): ${exports.SECRET_SOURCE_PRECEDENCE.join(',')}`);
+    }
+    const selectedSource = highestPrecedenceSecretSourceOf(providersWithValidConfigs);
+    if (selectedSource === undefined) {
+        throw new Error(`Resolution of source provider for secret ${secretName} for ${service} in ${env} failed in an unexpected way`);
+    }
+    const secretSourceValue = exports.SECRETS[selectedSource]?.[env]?.[service]?.[secretName];
+    if (secretSourceValue === undefined) {
+        throw new Error(`After a secret secret ${secretName} was determined to exist in ${selectedSource} for ${service} in ${env} it failed to be loaded.`);
+    }
+    return {
+        environment: env,
+        name: secretName,
+        secretSourceValue,
+        service,
+        source: selectedSource
+    };
+}
+exports.getSecretConfig = getSecretConfig;
+function highestPrecedenceSecretSourceOf(sources) {
+    for (const source of exports.SECRET_SOURCE_PRECEDENCE) {
+        if (sources.includes(source)) {
+            return source;
+        }
+    }
+    return undefined;
+}

package/src/commands/secrets/config/service_secrets.js

@@ -0,0 +1,238 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SECRET_NAMES = exports.SERVICE_SECRETS = void 0;
+exports.SERVICE_SECRETS = {
+    adminusers: [
+        'DB_PASSWORD',
+        'DB_SUPPORT_PASSWORD_READONLY',
+        'DB_SUPPORT_PASSWORD_READWRITE',
+        'DB_SUPPORT_USER_READONLY',
+        'DB_SUPPORT_USER_READWRITE',
+        'DB_USER',
+        'NOTIFY_API_KEY',
+        'NOTIFY_SECRET',
+        'SENTRY_DSN'
+    ],
+    alb_and_s3_logging_pipeline: [
+        'firehose_hec_token'
+    ],
+    'amazon-managed-prometheus': [
+        'pager_duty_cloudwatch_integration_url_24_7_p1',
+        'pager_duty_cloudwatch_integration_url_in_hours_only'
+    ],
+    cardid: [
+        'SENTRY_DSN'
+    ],
+    'cd-main': [
+        'docker-access-token',
+        'docker-email',
+        'docker-password',
+        'docker-username',
+        'slack-notification-secret'
+    ],
+    'cd-pay-deploy': [
+        'docker-access-token',
+        'docker-email',
+        'docker-password',
+        'docker-username',
+        'end-to-end/docker-access-token',
+        'end-to-end/docker-email',
+        'end-to-end/docker-password',
+        'end-to-end/docker-username',
+        'github-access-token',
+        'grafana-annotations-password',
+        'internal-vulnerability-scan/jira-api-token',
+        'internal-vulnerability-scan/jira-api-username',
+        'internal-vulnerability-scan/jira-base-url',
+        'pact-broker-password',
+        'pact-broker-username',
+        'pact-broker/pact-broker-password',
+        'pact-broker/pact-broker-username',
+        'pay_aws_deploy_account_id',
+        'pay_aws_prod_account_id',
+        'pay_aws_production_account_id',
+        'pay_aws_staging_account_id',
+        'pay_aws_test_account_id',
+        'slack-notification-secret'
+    ],
+    'cd-pay-dev': [
+        'docker-access-token',
+        'docker-email',
+        'docker-password',
+        'docker-username',
+        'github-access-token',
+        'grafana-annotations-password',
+        'pact-broker-password',
+        'pact-broker-username',
+        'pay-js-commons/github-access-token',
+        'pay_aws_deploy_account_id',
+        'pay_aws_dev_account_id',
+        'pay_aws_staging_account_id',
+        'pay_aws_test_account_id',
+        'pr-ci/github-access-token',
+        'slack-notification-secret',
+        'smartpay-expected-password',
+        'smartpay-expected-user',
+        'worldpay-expected-password',
+        'worldpay-expected-user'
+    ],
+    codebuild: [
+        'docker-access-token',
+        'docker-username',
+        'github-access-token'
+    ],
+    connector: [
+        'DB_PASSWORD',
+        'DB_SUPPORT_PASSWORD_READONLY',
+        'DB_SUPPORT_PASSWORD_READWRITE',
+        'DB_SUPPORT_USER_READONLY',
+        'DB_SUPPORT_USER_READWRITE',
+        'DB_USER',
+        'GDS_CONNECTOR_STRIPE_AUTH_LIVE_TOKEN',
+        'GDS_CONNECTOR_STRIPE_AUTH_TOKEN',
+        'GDS_CONNECTOR_STRIPE_CONNECT_APPLICATION_WEBHOOK_LIVE_SIGN_SECRET',
+        'GDS_CONNECTOR_STRIPE_CONNECT_APPLICATION_WEBHOOK_TEST_SIGN_SECRET',
+        'GDS_CONNECTOR_STRIPE_WEBHOOK_LIVE_SIGN_SECRET',
+        'GDS_CONNECTOR_STRIPE_WEBHOOK_SIGN_SECRET',
+        'NOTIFY_API_KEY',
+        'NOTIFY_SECRET',
+        'SANDBOX_AUTH_TOKEN',
+        'SENTRY_DSN',
+        'WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_CERTIFICATE',
+        'WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_CERTIFICATE_SECONDARY',
+        'WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_PRIVATE_KEY',
+        'WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_PRIVATE_KEY_SECONDARY'
+    ],
+    deploy: [
+        'PAGER_DUTY_CLOUDWATCH_INTEGRATION_URL',
+        'PAGER_DUTY_CLOUDWATCH_INTEGRATION_URL_STAGING'
+    ],
+    frontend: [
+        'AB_TEST_THRESHOLD',
+        'GOOGLE_PAY_MERCHANT_ID',
+        'GOOGLE_PAY_MERCHANT_ID_2',
+        'SENTRY_CSP_REPORT_URI',
+        'SENTRY_DSN',
+        'SESSION_ENCRYPTION_KEY',
+        'SESSION_ENCRYPTION_KEY_2',
+        'STRIPE_APPLE_PAY_MERCHANT_ID',
+        'STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE',
+        'STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY',
+        'STRIPE_LIVE_PUBLISHABLE_API_KEY',
+        'STRIPE_TEST_PUBLISHABLE_API_KEY',
+        'WORLDPAY_APPLE_PAY_MERCHANT_ID',
+        'WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE',
+        'WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY'
+    ],
+    ledger: [
+        'DB_PASSWORD',
+        'DB_SUPPORT_PASSWORD_READONLY',
+        'DB_SUPPORT_PASSWORD_READWRITE',
+        'DB_SUPPORT_USER_READONLY',
+        'DB_SUPPORT_USER_READWRITE',
+        'DB_USER',
+        'SENTRY_DSN'
+    ],
+    network: [
+        'PAGER_DUTY_CLOUDWATCH_ALB_INTEGRATION_URL'
+    ],
+    'pact-broker': [
+        'DB_PASSWORD',
+        'DB_SUPPORT_PASSWORD_READONLY',
+        'DB_SUPPORT_PASSWORD_READWRITE',
+        'DB_SUPPORT_USER_READONLY',
+        'DB_SUPPORT_USER_READWRITE',
+        'DB_USER',
+        'master_db_password',
+        'master_db_user'
+    ],
+    'pact-broker-auth': [
+        'pact-broker-basic-auth-password',
+        'pact-broker-basic-auth-username'
+    ],
+    'product-page': [
+        'pager_duty_cloudwatch_integration_url'
+    ],
+    products: [
+        'DB_PASSWORD',
+        'DB_SUPPORT_PASSWORD_READONLY',
+        'DB_SUPPORT_PASSWORD_READWRITE',
+        'DB_SUPPORT_USER_READONLY',
+        'DB_SUPPORT_USER_READWRITE',
+        'DB_USER',
+        'SENTRY_DSN'
+    ],
+    'products-ui': [
+        'GOOGLE_RECAPTCHA_ENTERPRISE_PROJECT_ID',
+        'GOOGLE_RECAPTCHA_SECRET_KEY',
+        'GOOGLE_RECAPTCHA_SITE_KEY',
+        'SENTRY_DSN',
+        'SESSION_ENCRYPTION_KEY'
+    ],
+    publicapi: [
+        'SENTRY_DSN'
+        /*
+          These secrets are used by the app, but having them set to an empty string tries to overwrite working secrets with
+          the words 'Password Store'. They are not in pay-low-pass, so for now to stop them being overwritten I'm commenting them out
+          'TOKEN_API_HMAC_SECRET',
+        */
+    ],
+    publicauth: [
+        'DB_PASSWORD',
+        'DB_SUPPORT_PASSWORD_READONLY',
+        'DB_SUPPORT_PASSWORD_READWRITE',
+        'DB_SUPPORT_USER_READONLY',
+        'DB_SUPPORT_USER_READWRITE',
+        'DB_USER',
+        'SENTRY_DSN'
+        /*
+          These secrets are used by the app, but having them set to an empty string tries to overwrite working secrets with
+          the words 'Password Store'. They are not in pay-low-pass, so for now to stop them being overwritten I'm commenting them out
+          'TOKEN_API_HMAC_SECRET',
+          'TOKEN_DB_BCRYPT_SALT',
+        */
+    ],
+    selfservice: [
+        'SENTRY_DSN',
+        'SESSION_ENCRYPTION_KEY',
+        'STRIPE_ACCOUNT_API_KEY',
+        'ZENDESK_API_KEY',
+        'ZENDESK_USER'
+    ],
+    stubs: [
+        'smartpay-expected-password',
+        'smartpay-expected-user',
+        'worldpay-expected-password',
+        'worldpay-expected-user'
+    ],
+    toolbox: [
+        'AUTH_GITHUB_ADMIN_TEAM_ID',
+        'AUTH_GITHUB_CLIENT_ID',
+        'AUTH_GITHUB_CLIENT_SECRET',
+        'AUTH_GITHUB_USER_SUPPORT_TEAM_ID',
+        'AUTH_GITHUB_VIEW_ONLY_TEAM_ID',
+        'SENTRY_DSN',
+        'STRIPE_ACCOUNT_API_KEY',
+        'STRIPE_ACCOUNT_TEST_API_KEY',
+        'ZENDESK_API_KEY',
+        'ZENDESK_USER'
+    ],
+    webhooks: [
+        'DB_PASSWORD',
+        'DB_SUPPORT_PASSWORD_READONLY',
+        'DB_SUPPORT_PASSWORD_READWRITE',
+        'DB_SUPPORT_USER_READONLY',
+        'DB_SUPPORT_USER_READWRITE',
+        'DB_USER',
+        'SENTRY_DSN'
+    ],
+    webhooks_intrusion_monitoring: [
+        'pager_duty_cloudwatch_integration_url'
+    ],
+    worldpay_secure_file_gateway: [
+        'passphrase',
+        'private-key',
+        'public-key'
+    ]
+};
+exports.SECRET_NAMES = Object.values(exports.SERVICE_SECRETS).flat();

package/src/commands/secrets/providers/factory.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.providerFor = void 0;
+const pass_repo_1 = require("./pass_repo");
+const ssm_1 = require("./ssm");
+const value_1 = require("./value");
+const providers = {
+    ssm: {},
+    'pay-low-pass': {},
+    value: {}
+};
+function providerFor(secretConfig) {
+    let memoisedProvider = providers[secretConfig.source][secretConfig.environment];
+    if (memoisedProvider === undefined) {
+        switch (secretConfig.source) {
+            case 'pay-low-pass': {
+                memoisedProvider = new pass_repo_1.PassRepoProvider(secretConfig.environment, secretConfig.source);
+                break;
+            }
+            case 'value': {
+                memoisedProvider = new value_1.ValueProvider(secretConfig.environment, secretConfig.source);
+                break;
+            }
+            case 'ssm': {
+                memoisedProvider = new ssm_1.SSMProvider(secretConfig.environment, secretConfig.source);
+                break;
+            }
+        }
+        providers[secretConfig.source][secretConfig.environment] = memoisedProvider;
+    }
+    if (memoisedProvider === undefined) {
+        throw new Error(`Failed to retrieve, or create a provider for the secret ${secretConfig.secretSourceValue} in ${secretConfig.environment} from the ${secretConfig.source} provider`);
+    }
+    return memoisedProvider;
+}
+exports.providerFor = providerFor;