@govuk-pay/cli 0.0.51 → 0.0.53

package/src/commands/secrets/providers/pass_repo.js

@@ -0,0 +1,65 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PassRepoProvider = void 0;
+const node_child_process_1 = __importDefault(require("node:child_process"));
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const providers_types_1 = require("./providers.types");
+const configs_1 = require("../../../util/configs");
+class PassRepoProvider extends providers_types_1.AbstractSecretProvider {
+    passRepoDirectory;
+    constructor(environment, secretSource) {
+        super(environment, secretSource);
+        this.passRepoDirectory = this.getPassDirectory();
+    }
+    async get(secretConfig) {
+        const passCommandResult = node_child_process_1.default.spawnSync('pass', [secretConfig.secretSourceValue], {
+            env: {
+                ...process.env,
+                PASSWORD_STORE_DIR: this.passRepoDirectory
+            },
+            // This sets stdin, to be inherited by the spawned process, this is neccessary so that
+            // the pass command can prompt the user for a PIN.
+            // However we need to capture the stdout and stderr (which pass writes the secret to) so we set
+            // that to be pipe which will store it in the results .output Buffer[], .stdout Buffer, and .stderr Buffer
+            stdio: [
+                'inherit', // stdin
+                'pipe', // stdout
+                'pipe' // stderr
+            ]
+        });
+        if (passCommandResult.status === null) {
+            if (passCommandResult.signal === null) {
+                console.error(`The pass command to load the secret ${secretConfig.secretSourceValue} failed due to an unknown reason. It's output follows:`);
+            }
+            else {
+                console.error(`The pass command to load the secret ${secretConfig.secretSourceValue} was terminated by signal ${passCommandResult.signal}. It's output follows`);
+            }
+            console.error(passCommandResult.output.map((buffer) => { return buffer === null ? '' : buffer.toString('utf-8'); }).join('\n'));
+            process.exit(1);
+        }
+        if (passCommandResult.status !== 0) {
+            const stdErrString = passCommandResult.output.map((buffer) => { return buffer === null ? '' : buffer.toString('utf-8'); }).join('\n');
+            if (stdErrString.includes('is not in the password store')) {
+                return undefined;
+            }
+            console.error(`The pass command to load the secret ${secretConfig.secretSourceValue} failed with exit code ${passCommandResult.status}. It's output follows:`);
+            console.error(stdErrString);
+            process.exit(1);
+        }
+        return passCommandResult.stdout.toString('utf-8').trim();
+    }
+    getPassDirectory() {
+        const worksspaceDir = (0, configs_1.workspaceEnvVar)();
+        const passRepoDirectory = node_path_1.default.resolve(node_path_1.default.join(worksspaceDir, this.secretSource));
+        const pathStat = node_fs_1.default.lstatSync(passRepoDirectory);
+        if (!pathStat.isDirectory()) {
+            throw new Error(`The pass repo directory specified ${passRepoDirectory} is not a directory`);
+        }
+        return passRepoDirectory;
+    }
+}
+exports.PassRepoProvider = PassRepoProvider;

package/src/commands/secrets/providers/providers.types.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AbstractSecretProvider = void 0;
+class AbstractSecretProvider {
+    environment;
+    secretSource;
+    constructor(environment, secretSource) {
+        this.environment = environment;
+        this.secretSource = secretSource;
+    }
+    async get(_secretConfig) {
+        throw new Error('Not implemented');
+    }
+    async set(_secretConfig, _secretValue) {
+        throw new Error('Not implemented');
+    }
+    async list(_serviceName) {
+        throw new Error('Not implemented');
+    }
+}
+exports.AbstractSecretProvider = AbstractSecretProvider;

package/src/commands/secrets/providers/ssm.js

@@ -0,0 +1,155 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SSMProvider = void 0;
+const client_ssm_1 = require("@aws-sdk/client-ssm");
+const providers_types_1 = require("./providers.types");
+const service_secrets_1 = require("../config/service_secrets");
+const CONCOURSE_SECRETS = [
+    'cd-pay-dev',
+    'cd-pay-deploy',
+    'cd-main'
+];
+const CONCOURSE_PARAMETER_NAME_PREFIX = '/pay-cd/concourse/pipelines/';
+const LOWERCASE_SECRET_NAMES_TO_SECRET_NAMES = service_secrets_1.SECRET_NAMES.reduce((result, secretName) => {
+    return { ...result, [secretName.toLowerCase()]: secretName };
+}, {});
+class SSMProvider extends providers_types_1.AbstractSecretProvider {
+    ssmClient;
+    constructor(env, secretSource) {
+        super(env, secretSource);
+        this.ssmClient = new client_ssm_1.SSMClient({ region: 'eu-west-1' });
+    }
+    async get(secretConfig) {
+        const ssmParameterName = ssmParameterNameForSecret(secretConfig);
+        const getParameterCommand = new client_ssm_1.GetParameterCommand({
+            Name: ssmParameterName,
+            WithDecryption: true
+        });
+        let response;
+        try {
+            response = await this.ssmClient.send(getParameterCommand);
+        }
+        catch (e) {
+            if (e instanceof client_ssm_1.ParameterNotFound) {
+                return undefined;
+            }
+            else if (e instanceof Error && e.name === 'CredentialsProviderError') {
+                console.error('AWS Could not load any credentials, perhaps you need to run this with aws-vault: `aws-vault exec <account> -- pay secrets ...`?');
+                process.exit(1);
+            }
+            console.error(`An error occured while trying to get the parameter ${ssmParameterName}.`);
+            throw e;
+        }
+        if (response.Parameter?.Value === undefined) {
+            let errorMessage = `When calling SSM to get the parameter ${ssmParameterName} there was no parameter or value returned, and no error raised! `;
+            if (response.$metadata.httpStatusCode === undefined) {
+                errorMessage += 'There was also no http status code in the response metadata!';
+            }
+            else {
+                errorMessage += `The last http status code of the request to get the parameter was ${response.$metadata.httpStatusCode}`;
+            }
+            throw new Error(errorMessage);
+        }
+        return response.Parameter.Value;
+    }
+    async set(secretConfig, value) {
+        const ssmParameterName = ssmParameterNameForSecret(secretConfig);
+        const putParameterCommand = new client_ssm_1.PutParameterCommand({
+            Name: ssmParameterName,
+            Type: 'SecureString',
+            Value: value,
+            Overwrite: true
+        });
+        try {
+            await this.ssmClient.send(putParameterCommand);
+        }
+        catch (e) {
+            if (e instanceof client_ssm_1.InvalidAllowedPatternException || e instanceof client_ssm_1.ParameterPatternMismatchException) {
+                console.error(`When trying to set secret ${secretConfig.name} in environment ${secretConfig.environment} for service ${secretConfig.service}`);
+                console.error(`AWS returned an error that the parameter ${ssmParameterName} is not a valid parameter name.`);
+                console.error('See https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-su-create.html#sysman-parameter-name-constraints for constraints on parameter names');
+                process.exit(1);
+            }
+            else if (e instanceof Error && e.name === 'CredentialsProviderError') {
+                console.error('AWS Could not load any credentials, perhaps you need to run this with aws-vault: `aws-vault exec <account> -- pay secrets ...`?');
+                process.exit(1);
+            }
+            else {
+                console.error(`When trying to set secret ${secretConfig.name} in environment ${secretConfig.environment} for service ${secretConfig.service} AWS returned an unhandled (by us) excpetion, re-throwing error`);
+                throw e;
+            }
+        }
+        return true;
+    }
+    async list(serviceName) {
+        const filters = [
+            {
+                Key: 'Name',
+                Option: 'BeginsWith',
+                Values: [
+                    ssmParameterNamePrefix(this.environment, serviceName)
+                ]
+            }
+        ];
+        const paginator = (0, client_ssm_1.paginateDescribeParameters)({ client: this.ssmClient }, { ParameterFilters: filters });
+        const parameters = [];
+        for await (const page of paginator) {
+            if (page.Parameters === undefined) {
+                continue;
+            }
+            parameters.push(...page.Parameters);
+        }
+        const secretConfigs = [];
+        for (const parameter of parameters) {
+            if (parameter.Name === undefined) {
+                continue;
+            }
+            const secretConfig = this.ssmParameterNameToLowercaseSecret(parameter.Name, serviceName);
+            secretConfigs.push(secretConfig);
+        }
+        return secretConfigs;
+    }
+    ssmParameterNameToLowercaseSecret(parameterName, serviceName) {
+        if (parameterName.startsWith(CONCOURSE_PARAMETER_NAME_PREFIX)) {
+            return this.concourseParameterNameToLowercaseSecret(parameterName, serviceName);
+        }
+        const lowercaseSecretName = parameterName.substring(parameterName.indexOf('.') + 1);
+        return {
+            environment: this.environment,
+            name: lowercaseSecretName in LOWERCASE_SECRET_NAMES_TO_SECRET_NAMES ? LOWERCASE_SECRET_NAMES_TO_SECRET_NAMES[lowercaseSecretName] : lowercaseSecretName,
+            secretSourceValue: parameterName,
+            service: serviceName,
+            source: 'ssm'
+        };
+    }
+    concourseParameterNameToLowercaseSecret(parameterName, serviceName) {
+        const paramNameWithoutPrefix = parameterName.substring(CONCOURSE_PARAMETER_NAME_PREFIX.length);
+        const lowercaseSecretName = paramNameWithoutPrefix.substring(paramNameWithoutPrefix.indexOf('/') + 1);
+        return {
+            environment: this.environment,
+            name: lowercaseSecretName in LOWERCASE_SECRET_NAMES_TO_SECRET_NAMES ? LOWERCASE_SECRET_NAMES_TO_SECRET_NAMES[lowercaseSecretName] : lowercaseSecretName,
+            secretSourceValue: parameterName,
+            service: serviceName,
+            source: 'ssm'
+        };
+    }
+}
+exports.SSMProvider = SSMProvider;
+function ssmParameterNameForSecret(secretConfig) {
+    if (CONCOURSE_SECRETS.includes(secretConfig.service)) {
+        return concourseSecretName(secretConfig);
+    }
+    return `${secretConfig.environment}_${secretConfig.service}.${secretConfig.name}`.toLowerCase();
+}
+function concourseSecretName(secretConfig) {
+    // Service name is `cd-pay-dev` but the ssm name is only `pay-dev` so remove the cd-
+    const serviceName = secretConfig.service.substring(3);
+    return `${CONCOURSE_PARAMETER_NAME_PREFIX}${serviceName.toLowerCase()}/${secretConfig.name.toLowerCase()}`;
+}
+function ssmParameterNamePrefix(environment, serviceName) {
+    if (CONCOURSE_SECRETS.includes(serviceName)) {
+        // Service name is `cd-pay-dev` but the ssm name is only `pay-dev` so remove the cd-
+        return `${CONCOURSE_PARAMETER_NAME_PREFIX}${serviceName.toLowerCase().substring(3)}/`;
+    }
+    return `${environment}_${serviceName}.`;
+}

package/src/commands/secrets/providers/value.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ValueProvider = void 0;
+const providers_types_1 = require("../providers/providers.types");
+class ValueProvider extends providers_types_1.AbstractSecretProvider {
+    async get(secretConfig) {
+        return secretConfig.secretSourceValue;
+    }
+}
+exports.ValueProvider = ValueProvider;

package/src/commands/secrets/subcommands/audit.js

@@ -4,27 +4,59 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.handler = exports.builder = exports.desc = exports.command = void 0;
-const node_child_process_1 = require("node:child_process");
-const preflight_js_1 = __importDefault(require("../utils/preflight.js"));
-exports.command = 'audit <service> <env..>';
-exports.desc = 'Audits secrets for <service> for the given <envs..>';
+const cli_table3_1 = __importDefault(require("cli-table3"));
+const config_types_1 = require("../config/config.types");
+const service_secrets_js_1 = require("../config/service_secrets.js");
+const ssm_1 = require("../providers/ssm");
+const configs_1 = require("../../../util/configs");
+const standardContent_js_1 = require("../../../core/standardContent.js");
+exports.command = 'audit <service> <env>';
+exports.desc = 'Check whether the configured secrets for <service> in <env> are provisioned. Also lists secrets which are provisioned but which we do not have config for. Note: Does not check the value of the secret, only existance';
 const builder = (yargs) => {
     return yargs
         .positional('service', {
         type: 'string',
-        description: 'The service (e.g. connector) to audit the secret for'
+        description: 'The service (e.g. connector) to audit the secret for',
+        choices: config_types_1.SERVICE_NAMES
     })
         .positional('env', {
         type: 'string',
-        description: 'The environment (e.g. test-12) to audit the secret for'
+        description: 'The environment (e.g. test-12) to audit the secret for',
+        choices: config_types_1.ENVIRONMENT_NAMES
     });
 };
 exports.builder = builder;
 exports.handler = auditHandler;
 async function auditHandler(argv) {
     const service = argv.service;
-    const envs = argv.env;
-    const preflightInfo = (0, preflight_js_1.default)();
-    (0, node_child_process_1.spawnSync)(preflightInfo.rbenvCommand, ['exec', 'bundle', 'exec', 'bin/pay', 'secrets', 'audit', service, ...envs], { shell: true, stdio: 'inherit', cwd: preflightInfo.pathToLegacyRubyCli });
+    const env = argv.env;
+    await (0, standardContent_js_1.showHeader)();
+    await (0, configs_1.checkAwsCredentials)((0, configs_1.payEnvironmentToAWSAccountName)(env));
+    const secretsToAudit = service_secrets_js_1.SERVICE_SECRETS[service].sort();
+    const ssmProvider = new ssm_1.SSMProvider(env, 'ssm');
+    const secretsInSSM = await ssmProvider.list(service);
+    const checkedSecretsInSSM = new Map();
+    for (const secretInSSM of secretsInSSM) {
+        checkedSecretsInSSM.set(secretInSSM.name, secretInSSM);
+    }
+    const table = new cli_table3_1.default({
+        head: [`Secrets for ${service}`, env]
+    });
+    for (const secretToAudit of secretsToAudit) {
+        if (checkedSecretsInSSM.has(secretToAudit)) {
+            table.push([secretToAudit, '✅']);
+            checkedSecretsInSSM.delete(secretToAudit);
+        }
+        else {
+            table.push([secretToAudit, '❌']);
+        }
+    }
+    if (checkedSecretsInSSM.size > 0) {
+        table.push([
+            'Provisioned Secrets which are not configured in pay secrets',
+            Array.from(checkedSecretsInSSM.keys()).sort().join('\n')
+        ]);
+    }
+    console.log(table.toString());
 }
 exports.default = auditHandler;

package/src/commands/secrets/subcommands/fetch.js

@@ -1,26 +1,30 @@
 "use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.handler = exports.builder = exports.desc = exports.command = void 0;
-const node_child_process_1 = require("node:child_process");
-const preflight_js_1 = __importDefault(require("../utils/preflight.js"));
+const config_types_1 = require("../config/config.types");
+const service_secrets_1 = require("../config/service_secrets");
+const secrets_1 = require("../config/secrets");
+const configs_1 = require("../../../util/configs");
+const factory_1 = require("../providers/factory");
+const standardContent_1 = require("../../../core/standardContent");
 exports.command = 'fetch <env> <service> <secret_name> [--use-ssm]';
 exports.desc = 'Fetches a <named secret> for <service> for <env>, if use-ssm is set then get the secret from ssm';
 const builder = (yargs) => {
     return yargs
         .positional('env', {
         type: 'string',
-        description: 'The environment (e.g. test-12) to fetch the secret for'
+        description: 'The environment (e.g. test-12) to fetch the secret for',
+        choices: config_types_1.ENVIRONMENT_NAMES
     })
         .positional('service', {
         type: 'string',
-        description: 'The service (e.g. connector) to fetch the secret for'
+        description: 'The service (e.g. connector) to fetch the secret for',
+        choices: config_types_1.SERVICE_NAMES
     })
         .positional('secret_name', {
         type: 'string',
-        description: 'The name of the secret to get'
+        description: 'The name of the secret to get',
+        choices: service_secrets_1.SECRET_NAMES
     })
         .option('use-ssm', {
         type: 'boolean',
@@ -31,17 +35,34 @@ const builder = (yargs) => {
 exports.builder = builder;
 exports.handler = fetchHandler;
 async function fetchHandler(argv) {
-    const service = argv.service;
     const env = argv.env;
+    const service = argv.service;
     const secretName = argv.secret_name;
     const useSSM = argv.useSsm;
-    const preflightInfo = (0, preflight_js_1.default)();
-    const rbenvArgs = ['exec', 'bundle', 'exec', 'bin/pay', 'secrets', 'fetch', env, service, secretName];
+    // Printing the header to stdout so you can use this command piped to another process
+    // and the other process will only recevie the printed secret. E.g | pbcopy to copy the secret
+    // to your copy paste buffer without the header etc
+    await (0, standardContent_1.showHeaderStdErr)();
+    const secretConfig = (0, secrets_1.getSecretConfig)(env, service, secretName);
     if (useSSM) {
-        rbenvArgs.push('--use-ssm');
+        secretConfig.source = 'ssm';
+    }
+    if (secretConfig.source === 'ssm') {
+        await (0, configs_1.checkAwsCredentials)((0, configs_1.payEnvironmentToAWSAccountName)(env));
+    }
+    const secretProvider = (0, factory_1.providerFor)(secretConfig);
+    const secretValue = await secretProvider.get(secretConfig);
+    if (secretValue === undefined) {
+        console.error(`The secret ${secretName} was not found in ${secretConfig.source}`);
+        process.exit(1);
+    }
+    if (!process.stdout.isTTY) {
+        // If stdout of the process isn't connected to a terminal (e.g. if it's piped to another process, like pbcopy for instance)
+        // Print to stderr a message to make it clear to the user the value is being hidden from display, but has been printed to stdout
+        process.stderr.write('HIDDEN - Actual Value written to stdout');
     }
-    (0, node_child_process_1.spawnSync)(preflightInfo.rbenvCommand, rbenvArgs, { shell: true, stdio: 'inherit', cwd: preflightInfo.pathToLegacyRubyCli });
-    // The fetch command doesn't output a newline which is really annoying, so add one
-    console.log();
+    process.stdout.write(secretValue);
+    // Since the secret is written with no trailing newline we should print one (to stderr) to improve the UX
+    console.warn();
 }
 exports.default = fetchHandler;

package/src/commands/secrets/subcommands/provision.js

@@ -4,19 +4,36 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.handler = exports.builder = exports.desc = exports.command = void 0;
-const node_child_process_1 = require("node:child_process");
-const preflight_js_1 = __importDefault(require("../utils/preflight.js"));
-exports.command = 'provision <service> <env>';
+const cli_table3_1 = __importDefault(require("cli-table3"));
+const promises_1 = __importDefault(require("node:readline/promises"));
+const config_types_1 = require("../config/config.types");
+const secrets_1 = require("../config/secrets");
+const configs_1 = require("../../../util/configs");
+const factory_1 = require("../providers/factory");
+const standardContent_js_1 = require("../../../core/standardContent.js");
+exports.command = 'provision <service> <env> [--redact] [--dry-run]';
 exports.desc = 'Provisions secrets from config for <service> in <env>';
 const builder = (yargs) => {
     return yargs
         .positional('service', {
         type: 'string',
-        description: 'The service (e.g. connector) to provision secrets for'
+        description: 'The service (e.g. connector) to provision secrets for',
+        choices: config_types_1.SERVICE_NAMES
     })
         .positional('env', {
         type: 'string',
-        description: 'The environment (e.g. test-12) to provision the secrets in'
+        description: 'The environment (e.g. test-12) to provision the secrets in',
+        choices: config_types_1.ENVIRONMENT_NAMES
+    })
+        .option('redact', {
+        type: 'boolean',
+        default: false,
+        description: 'During a dry-run redact all printed secret values except for an empty string (which makes it suitable to paste into a PR)'
+    })
+        .option('dry-run', {
+        type: 'boolean',
+        default: false,
+        description: 'Perform a dry run, will not set any secrets, but will show all changes'
     });
 };
 exports.builder = builder;
@@ -24,7 +41,82 @@ exports.handler = provisionHandler;
 async function provisionHandler(argv) {
     const service = argv.service;
     const env = argv.env;
-    const preflightInfo = (0, preflight_js_1.default)();
-    (0, node_child_process_1.spawnSync)(preflightInfo.rbenvCommand, ['exec', 'bundle', 'exec', 'bin/pay', 'secrets', 'provision', service, env], { shell: true, stdio: 'inherit', cwd: preflightInfo.pathToLegacyRubyCli });
+    const redact = argv.redact;
+    const dryRun = argv.dryRun;
+    await (0, standardContent_js_1.showHeader)();
+    if (redact && !dryRun) {
+        console.error('The --redact option is only valid with the --dry-run option also specified');
+        process.exit(1);
+    }
+    await (0, configs_1.checkAwsCredentials)((0, configs_1.payEnvironmentToAWSAccountName)(env));
+    const rl = promises_1.default.createInterface({ input: process.stdin, output: process.stdout });
+    const secretsToProvision = [];
+    for (const sourceSecret of (0, secrets_1.configuredSecretsForServiceInEnv)(env, service)) {
+        secretsToProvision.push({
+            source: sourceSecret,
+            destination: {
+                ...sourceSecret,
+                source: 'ssm' // Currently all secrets are provisioned to ssm, but that could change in the future
+            }
+        });
+    }
+    for (const secretToProvision of secretsToProvision) {
+        const sourceProvider = (0, factory_1.providerFor)(secretToProvision.source);
+        const destinationProvider = (0, factory_1.providerFor)(secretToProvision.destination);
+        const sourceValue = await sourceProvider.get(secretToProvision.source);
+        if (sourceValue === undefined) {
+            console.error(`Secret ${secretToProvision.source.name} does not exist in ${secretToProvision.source.source}`);
+            process.exit(1);
+        }
+        const destinationValue = await destinationProvider.get(secretToProvision.destination);
+        if (sourceValue === destinationValue) {
+            console.log(`✅ Provisioning ${secretToProvision.source.name} in ${secretToProvision.destination.source} in environment ${secretToProvision.source.environment} for ${secretToProvision.source.service} would apply no change`);
+            continue;
+        }
+        if (destinationValue === undefined) {
+            console.log(`❓ Secret ${secretToProvision.source.name} does not exist in ${secretToProvision.destination.source} in environment ${secretToProvision.source.environment} for ${secretToProvision.source.service}, provision?`);
+        }
+        else {
+            console.log(`❓ Update ${secretToProvision.source.name} in ${secretToProvision.destination.source} in environment ${secretToProvision.source.environment} for ${secretToProvision.source.service}?`);
+        }
+        const table = new cli_table3_1.default({
+            head: ['Old value', 'New Value']
+        });
+        table.push([
+            secretForDisplay(destinationValue, redact),
+            secretForDisplay(sourceValue, redact)
+        ]);
+        console.log(table.toString());
+        if (dryRun) {
+            console.log('Dry run only....not provisioning');
+            continue;
+        }
+        const confirmResponse = await rl.question('    Type "yes" exactly > ');
+        if (confirmResponse.trim() !== 'yes') {
+            console.log('User rejected confirmation, secret NOT provisioned');
+            continue;
+        }
+        if (await destinationProvider.set(secretToProvision.destination, sourceValue)) {
+            console.log('✅ Secret successfully provisioned');
+        }
+        else {
+            console.error('❌ Saving the secret failed for an unknown reason');
+        }
+    }
+    console.log('\nProvision finished');
+    rl.close();
 }
 exports.default = provisionHandler;
+function secretForDisplay(secretValue, redact) {
+    if (secretValue === undefined) {
+        return '👻 NOT CURRENTLY SET 👻';
+    }
+    // Purposefully not redacting if the secret is an empty string
+    if (secretValue.trim() === '') {
+        return '"" (❗EMPTY STRING❗)';
+    }
+    if (redact) {
+        return '🤫 REDACTED 🤫';
+    }
+    return secretValue;
+}

package/src/commands/secrets.js

@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.builder = exports.desc = exports.command = void 0;
 exports.command = 'secrets';
-exports.desc = 'Provision secrets (uses the legacy ruby CLI)';
+exports.desc = 'Provision secrets';
 const builder = (yargs) => {
     return yargs
         .commandDir('secrets/subcommands')

package/src/core/commandRouter.js

@@ -18,6 +18,7 @@ async function runCommand() {
         .strict()
         .help()
         .wrap(yargsInstance.terminalWidth())
+        .completion('completion', 'Generate shell (bash/zsh only) auto-completion script. Put the script at the end of your .bashrc or .zshrc')
         .parse();
 }
 exports.default = runCommand;

package/src/core/standardContent.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.showHeader = void 0;
+exports.showHeaderStdErr = exports.showHeader = void 0;
 const fsp = __importStar(require("fs/promises"));
 const path = __importStar(require("path"));
 const constants_js_1 = require("./constants.js");
@@ -31,3 +31,7 @@ async function showHeader() {
     console.log(await fsp.readFile(path.join(constants_js_1.rootDir, 'resources/header.txt'), 'utf8'));
 }
 exports.showHeader = showHeader;
+async function showHeaderStdErr() {
+    console.warn(await fsp.readFile(path.join(constants_js_1.rootDir, 'resources/header.txt'), 'utf8'));
+}
+exports.showHeaderStdErr = showHeaderStdErr;

package/src/util/configs.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.checkAwsCredentials = exports.workspaceEnvVar = exports.ensureConfigDirectory = exports.PAY_CLI_CONFIG_PATH = void 0;
+exports.payEnvironmentToAWSAccountName = exports.checkAwsCredentials = exports.workspaceEnvVar = exports.ensureConfigDirectory = exports.PAY_CLI_CONFIG_PATH = void 0;
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_os_1 = require("node:os");
 const node_path_1 = __importDefault(require("node:path"));
@@ -106,3 +106,9 @@ async function checkAwsCredentialsAreForAccount(accountName) {
         process.exit(1);
     }
 }
+/* This function will turn a Pay environment name into an AWS account name
+ */
+function payEnvironmentToAWSAccountName(environmentName) {
+    return environmentName.split('-')[0];
+}
+exports.payEnvironmentToAWSAccountName = payEnvironmentToAWSAccountName;

package/src/commands/secrets/subcommands/copy.js

@@ -1,35 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.handler = exports.builder = exports.desc = exports.command = void 0;
-const node_child_process_1 = require("node:child_process");
-const preflight_js_1 = __importDefault(require("../utils/preflight.js"));
-exports.command = 'copy <service> <src_env> <dest_env>';
-exports.desc = 'Copies secrets for <service> from <src_env> to <dest_env>';
-const builder = (yargs) => {
-    return yargs
-        .positional('service', {
-        type: 'string',
-        description: 'The service (e.g. connector) to copy the secrets for'
-    })
-        .positional('src_env', {
-        type: 'string',
-        description: 'The environment (e.g. test-12) to copy the secrets from'
-    })
-        .positional('dest_env', {
-        type: 'string',
-        description: 'The environment (e.g. test-perf-1) to copy the secrets to'
-    });
-};
-exports.builder = builder;
-exports.handler = copyHandler;
-async function copyHandler(argv) {
-    const service = argv.service;
-    const srcEnv = argv.src_env;
-    const destEnv = argv.dest_env;
-    const preflightInfo = (0, preflight_js_1.default)();
-    (0, node_child_process_1.spawnSync)(preflightInfo.rbenvCommand, ['exec', 'bundle', 'exec', 'bin/pay', 'secrets', 'copy', service, srcEnv, destEnv], { shell: true, stdio: 'inherit', cwd: preflightInfo.pathToLegacyRubyCli });
-}
-exports.default = copyHandler;