dotsec 0.1.1 → 0.2.0

package/dist/esm/cli.js

@@ -25,19 +25,15 @@ var __export = (target, all) => {
 import { hideBin } from "yargs/helpers";
 import yargs from "yargs/yargs";
 
-// src/commands/decryptSecCommand.ts
-var decryptSecCommand_exports = {};
-__export(decryptSecCommand_exports, {
+// src/commands/debugCommand.ts
+var debugCommand_exports = {};
+__export(debugCommand_exports, {
   builder: () => builder,
   command: () => command,
   desc: () => desc,
   handler: () => handler
 });
-import { KMSClient, DecryptCommand } from "@aws-sdk/client-kms";
-import { redBright } from "chalk";
-import { parse } from "dotenv";
-import fs from "node:fs";
-import path from "node:path";
+import { GetParametersByPathCommand } from "@aws-sdk/client-ssm";
 
 // src/commonCliOptions.ts
 var commonCliOptions = {
@@ -51,12 +47,27 @@ var commonCliOptions = {
   },
   awsKeyAlias: {
     string: true,
+    default: "alias/top-secret",
     describe: "AWS KMS asymmetric key alias"
   },
   awsKey: {
     string: true,
     describe: "AWS KMS asymmetric key arn"
   },
+  envFile: {
+    string: true,
+    describe: ".env file",
+    default: ".env"
+  },
+  secFile: {
+    string: true,
+    describe: ".sec file",
+    default: ".sec"
+  },
+  awsAssumeRoleArn: {
+    string: true,
+    describe: "arn or role to assume"
+  },
   verbose: {
     boolean: true,
     describe: "Be verbose"
@@ -72,12 +83,23 @@ var commonCliOptions = {
 };
 
 // src/utils/getCredentialsProfileRegion.ts
-import { fromEnv, fromIni } from "@aws-sdk/credential-providers";
+import {
+  fromEnv,
+  fromIni,
+  fromTemporaryCredentials
+} from "@aws-sdk/credential-providers";
 import { loadSharedConfigFiles } from "@aws-sdk/shared-ini-file-loader";
 
 // src/utils/logger.ts
 import chalk from "chalk";
-var bold = (str) => chalk.yellowBright.bold(str);
+var _logger;
+var getLogger = () => {
+  if (!_logger) {
+    _logger = console;
+  }
+  return _logger;
+};
+var bold = (str) => chalk.greenBright.bold(str);
 var underline = (str) => chalk.cyanBright.bold(str);
 
 // src/utils/getCredentialsProfileRegion.ts
@@ -91,12 +113,25 @@ var getCredentialsProfileRegion = async ({
   let profileAndOrigin = void 0;
   let regionAndOrigin = void 0;
   if (argv.profile) {
-    profileAndOrigin = { value: argv.profile, origin: `command line option: ${bold(argv.profile)}` };
-    credentialsAndOrigin = { value: await fromIni({ profile: argv.profile })(), origin: `${bold(`[${argv.profile}]`)} in credentials file` };
+    profileAndOrigin = {
+      value: argv.profile,
+      origin: `command line option: ${bold(argv.profile)}`
+    };
+    credentialsAndOrigin = {
+      value: await fromIni({
+        profile: argv.profile
+      })(),
+      origin: `${bold(`[${argv.profile}]`)} in credentials file`
+    };
   } else if (env.AWS_PROFILE) {
-    profileAndOrigin = { value: env.AWS_PROFILE, origin: `env variable ${bold("AWS_PROFILE")}: ${underline(env.AWS_PROFILE)}` };
+    profileAndOrigin = {
+      value: env.AWS_PROFILE,
+      origin: `env variable ${bold("AWS_PROFILE")}: ${underline(env.AWS_PROFILE)}`
+    };
     credentialsAndOrigin = {
-      value: await fromIni({ profile: env.AWS_PROFILE })(),
+      value: await fromIni({
+        profile: env.AWS_PROFILE
+      })(),
       origin: `env variable ${underline("AWS_PROFILE")}: ${bold(env.AWS_PROFILE)}`
     };
   } else if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) {
@@ -105,13 +140,27 @@ var getCredentialsProfileRegion = async ({
       origin: `env variables ${bold("AWS_ACCESS_KEY_ID")} and ${bold("AWS_SECRET_ACCESS_KEY")}`
     };
   } else if ((_a = sharedConfigFiles.credentialsFile) == null ? void 0 : _a.default) {
-    profileAndOrigin = { value: "default", origin: `${bold("[default]")} in credentials file` };
-    credentialsAndOrigin = { value: await fromIni({ profile: "default" })(), origin: `profile ${bold("[default]")}` };
+    profileAndOrigin = {
+      value: "default",
+      origin: `${bold("[default]")} in credentials file`
+    };
+    credentialsAndOrigin = {
+      value: await fromIni({
+        profile: "default"
+      })(),
+      origin: `profile ${bold("[default]")}`
+    };
   }
   if (argv.region) {
-    regionAndOrigin = { value: argv.region, origin: `command line option: ${bold(argv.region)}` };
+    regionAndOrigin = {
+      value: argv.region,
+      origin: `command line option: ${bold(argv.region)}`
+    };
   } else if (env.AWS_REGION) {
-    regionAndOrigin = { value: env.AWS_REGION, origin: `env variable ${bold("AWS_REGION")}: ${underline(env.AWS_REGION)}` };
+    regionAndOrigin = {
+      value: env.AWS_REGION,
+      origin: `env variable ${bold("AWS_REGION")}: ${underline(env.AWS_REGION)}`
+    };
   } else if (env.AWS_DEFAULT_REGION) {
     regionAndOrigin = {
       value: env.AWS_DEFAULT_REGION,
@@ -120,9 +169,27 @@ var getCredentialsProfileRegion = async ({
   } else if (profileAndOrigin) {
     const foundRegion = (_c = (_b = sharedConfigFiles == null ? void 0 : sharedConfigFiles.configFile) == null ? void 0 : _b[profileAndOrigin.value]) == null ? void 0 : _c.region;
     if (foundRegion) {
-      regionAndOrigin = { value: foundRegion, origin: `${bold(`[profile ${profileAndOrigin.value}]`)} in config file` };
+      regionAndOrigin = {
+        value: foundRegion,
+        origin: `${bold(`[profile ${profileAndOrigin.value}]`)} in config file`
+      };
     }
   }
+  if (argv.assumeRoleArn) {
+    console.log("assume this yo");
+    credentialsAndOrigin = {
+      value: await fromTemporaryCredentials({
+        masterCredentials: credentialsAndOrigin == null ? void 0 : credentialsAndOrigin.value,
+        params: {
+          RoleArn: argv.assumeRoleArn
+        },
+        clientConfig: {
+          region: regionAndOrigin == null ? void 0 : regionAndOrigin.value
+        }
+      })(),
+      origin: `assume role ${bold(`[${argv.assumeRoleArn}]`)}`
+    };
+  }
   return { credentialsAndOrigin, regionAndOrigin, profileAndOrigin };
 };
 var printVerboseCredentialsProfileRegion = ({
@@ -148,12 +215,20 @@ var handleCredentialsAndRegion = async ({
   argv,
   env
 }) => {
-  const { credentialsAndOrigin, regionAndOrigin } = await getCredentialsProfileRegion({
-    argv: { region: argv.awsRegion, profile: argv.awsProfile },
+  const { credentialsAndOrigin, regionAndOrigin, profileAndOrigin } = await getCredentialsProfileRegion({
+    argv: {
+      region: argv.awsRegion,
+      profile: argv.awsProfile,
+      assumeRoleArn: argv.awsAssumeRoleArn
+    },
     env: __spreadValues({}, env)
   });
   if (argv.verbose === true) {
-    console.log(printVerboseCredentialsProfileRegion({ credentialsAndOrigin, regionAndOrigin }));
+    console.log(printVerboseCredentialsProfileRegion({
+      credentialsAndOrigin,
+      regionAndOrigin,
+      profileAndOrigin
+    }));
   }
   if (!credentialsAndOrigin || !regionAndOrigin) {
     if (!credentialsAndOrigin) {
@@ -168,8 +243,67 @@ var handleCredentialsAndRegion = async ({
   return { credentialsAndOrigin, regionAndOrigin };
 };
 
+// src/utils/ssm.ts
+import { SSMClient } from "@aws-sdk/client-ssm";
+var getSSMClient = ({
+  configuration
+}) => {
+  const ssmClient = new SSMClient(configuration);
+  return ssmClient;
+};
+
+// src/commands/debugCommand.ts
+var command = "debug";
+var desc = "Debugs all the things";
+var builder = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  yes: __spreadValues({}, commonCliOptions.yes)
+};
+var handler = async (argv) => {
+  try {
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const ssmClient = getSSMClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    const getParametersByPathCommand = new GetParametersByPathCommand({
+      Path: `arn:aws:ssm:eu-west-1:060014838622:parameter/dotsec/*`,
+      Recursive: true
+    });
+    const commandResult = await ssmClient.send(getParametersByPathCommand);
+    console.log(commandResult);
+  } catch (e) {
+    console.error(e);
+  }
+};
+
+// src/commands/decryptSecCommand.ts
+var decryptSecCommand_exports = {};
+__export(decryptSecCommand_exports, {
+  builder: () => builder2,
+  command: () => command2,
+  desc: () => desc2,
+  handler: () => handler2
+});
+import { KMSClient, DecryptCommand } from "@aws-sdk/client-kms";
+import { redBright } from "chalk";
+import { parse } from "dotenv";
+import fs from "node:fs";
+import path from "node:path";
+
 // src/utils/io.ts
 import { stat } from "fs/promises";
+import prompts from "prompts";
 var fileExists = async (source) => {
   try {
     await stat(source);
@@ -178,30 +312,43 @@ var fileExists = async (source) => {
     return false;
   }
 };
+var promptOverwriteIfFileExists = async ({
+  filePath,
+  skip
+}) => {
+  let overwriteResponse;
+  if (await fileExists(filePath) && skip !== true) {
+    overwriteResponse = await prompts({
+      type: "confirm",
+      name: "overwrite",
+      message: () => {
+        return `Overwrite '${filePath}' ?`;
+      }
+    });
+  } else {
+    overwriteResponse = void 0;
+  }
+  return overwriteResponse;
+};
 
 // src/commands/decryptSecCommand.ts
-var command = "decrypt-sec";
-var desc = "Decrypts a dotsec file";
-var builder = {
-  "aws-profile": __spreadValues({}, commonCliOptions.awsProfile),
-  "aws-region": __spreadValues({}, commonCliOptions.awsRegion),
-  "aws-key-alias": { string: true, default: "alias/top-secret" },
-  "env-file": {
-    string: true,
-    describe: ".env file",
-    default: ".env"
-  },
-  "sec-file": {
-    string: true,
-    describe: ".sec file",
-    default: ".sec"
-  },
-  verbose: __spreadValues({}, commonCliOptions.verbose),
-  yes: __spreadValues({}, commonCliOptions.yes)
+var command2 = "decrypt-sec";
+var desc2 = "Decrypts a dotsec file";
+var builder2 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  "env-file": commonCliOptions.envFile,
+  "sec-file": commonCliOptions.secFile,
+  verbose: commonCliOptions.verbose
 };
-var handler = async (argv) => {
+var handler2 = async (argv) => {
   try {
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({ argv: __spreadValues({}, argv), env: __spreadValues({}, process.env) });
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
     const secSource = path.resolve(process.cwd(), argv.secFile);
     if (!await fileExists(secSource)) {
       console.error(`Could not open ${redBright(secSource)}`);
@@ -220,7 +367,11 @@ var handler = async (argv) => {
       });
       const decryptionResult = await kmsClient.send(decryptCommand);
       if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
-        throw new Error(`No: ${JSON.stringify({ key, cipherText, decryptCommand })}`);
+        throw new Error(`No: ${JSON.stringify({
+          key,
+          cipherText,
+          decryptCommand
+        })}`);
       }
       const value = Buffer.from(decryptionResult.Plaintext).toString();
       return [key, value];
@@ -231,57 +382,177 @@ var handler = async (argv) => {
   }
 };
 
-// src/commands/defaultCommand.ts
-var defaultCommand_exports = {};
-__export(defaultCommand_exports, {
-  builder: () => builder2,
-  command: () => command2,
-  desc: () => desc2,
-  handler: () => handler2
+// src/commands/decryptSecretsJson.ts
+var decryptSecretsJson_exports = {};
+__export(decryptSecretsJson_exports, {
+  builder: () => builder3,
+  command: () => command3,
+  desc: () => desc3,
+  handler: () => handler3
 });
-import { KMSClient as KMSClient2, DecryptCommand as DecryptCommand2 } from "@aws-sdk/client-kms";
+import { DecryptCommand as DecryptCommand2, DescribeKeyCommand } from "@aws-sdk/client-kms";
 import { redBright as redBright2 } from "chalk";
-import { spawn } from "cross-spawn";
-import { parse as parse2 } from "dotenv";
+import flat from "flat";
 import fs2 from "node:fs";
 import path2 from "node:path";
-var command2 = "$0 <command>";
-var desc2 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
-var builder2 = {
-  "aws-profile": __spreadValues({}, commonCliOptions.awsProfile),
-  "aws-region": __spreadValues({}, commonCliOptions.awsRegion),
-  "aws-key-alias": { string: true, default: "alias/top-secret" },
-  "sec-file": {
+
+// src/utils/kms.ts
+import { KMSClient as KMSClient2 } from "@aws-sdk/client-kms";
+var getKMSClient = ({
+  configuration
+}) => {
+  const kmsClient = new KMSClient2(configuration);
+  return kmsClient;
+};
+
+// src/commands/decryptSecretsJson.ts
+var command3 = "decrypt-secrets-json";
+var desc3 = "Derypts an encrypted file";
+var builder3 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "secrets-file": {
     string: true,
-    describe: ".sec file",
-    default: ".sec"
+    describe: "filename of json file writing secrets",
+    default: "secrets.json"
   },
-  verbose: __spreadValues({}, commonCliOptions.verbose),
-  yes: __spreadValues({}, commonCliOptions.yes),
+  "encrypted-secrets-file": {
+    string: true,
+    describe: "filename of json file for reading encrypted secrets",
+    default: "secrets.encrypted.json"
+  },
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  yes: __spreadValues({}, commonCliOptions.yes)
+};
+var handler3 = async (argv) => {
+  const { info, error } = getLogger();
+  try {
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const encryptedSecretsPath = path2.resolve(process.cwd(), argv.encryptedSecretsFile);
+    if (!await fileExists(encryptedSecretsPath)) {
+      error(`Could not open ${redBright2(encryptedSecretsPath)}`);
+      return;
+    }
+    const encryptedSecrets = JSON.parse(fs2.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
+    if (!encryptedSecrets.encryptedParameters) {
+      throw new Error(`Expected 'encryptedParameters' property, but got none`);
+    }
+    const flatEncryptedParameters = flat(encryptedSecrets.encryptedParameters, { delimiter: "/" });
+    const kmsClient = getKMSClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    if (argv.verbose) {
+      info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
+      const describeKeyCommand = new DescribeKeyCommand({
+        KeyId: argv.awsKeyAlias
+      });
+      const describeKeyResult = await kmsClient.send(describeKeyCommand);
+      console.log("describeKeyResult", { describeKeyResult });
+    }
+    const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
+      const decryptCommand = new DecryptCommand2({
+        KeyId: argv.awsKeyAlias,
+        CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
+        EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+      });
+      const decryptionResult = await kmsClient.send(decryptCommand);
+      if (!decryptionResult.Plaintext) {
+        throw new Error(`Something bad happened: ${JSON.stringify({
+          key: parameterName,
+          cipherText: encryptedParameter,
+          decryptCommand
+        })}`);
+      }
+      if (argv.verbose) {
+        info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
+      }
+      const value = Buffer.from(decryptionResult.Plaintext).toString();
+      return [parameterName, value];
+    })));
+    const parameters = flat.unflatten(flatParameters, { delimiter: "/" });
+    const secrets = {
+      config: encryptedSecrets.config,
+      parameters
+    };
+    const secretsPath = path2.resolve(process.cwd(), argv.secretsFile);
+    const overwriteResponse = await promptOverwriteIfFileExists({
+      filePath: secretsPath,
+      skip: argv.yes
+    });
+    if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
+      fs2.writeFileSync(secretsPath, JSON.stringify(secrets, null, 4));
+    }
+  } catch (e) {
+    error(e);
+  }
+};
+
+// src/commands/defaultCommand.ts
+var defaultCommand_exports = {};
+__export(defaultCommand_exports, {
+  builder: () => builder4,
+  command: () => command4,
+  desc: () => desc4,
+  handler: () => handler4
+});
+import { KMSClient as KMSClient3, DecryptCommand as DecryptCommand3 } from "@aws-sdk/client-kms";
+import { redBright as redBright3 } from "chalk";
+import { spawn } from "cross-spawn";
+import { parse as parse2 } from "dotenv";
+import fs3 from "node:fs";
+import path3 from "node:path";
+var command4 = "$0 <command>";
+var desc4 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
+var builder4 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "sec-file": commonCliOptions.secFile,
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
   command: { string: true, required: true }
 };
-var handler2 = async (argv) => {
+var handler4 = async (argv) => {
   try {
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({ argv: __spreadValues({}, argv), env: __spreadValues({}, process.env) });
-    const secSource = path2.resolve(process.cwd(), argv.secFile);
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    if (argv.verbose) {
+      console.log({ credentialsAndOrigin, regionAndOrigin });
+    }
+    const secSource = path3.resolve(process.cwd(), argv.secFile);
     if (!await fileExists(secSource)) {
-      console.error(`Could not open ${redBright2(secSource)}`);
+      console.error(`Could not open ${redBright3(secSource)}`);
       return;
     }
-    const parsedSec = parse2(fs2.readFileSync(secSource, { encoding: "utf8" }));
-    const kmsClient = new KMSClient2({
+    const parsedSec = parse2(fs3.readFileSync(secSource, { encoding: "utf8" }));
+    const kmsClient = new KMSClient3({
       credentials: credentialsAndOrigin.value,
       region: regionAndOrigin.value
     });
     const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
-      const decryptCommand = new DecryptCommand2({
+      const decryptCommand = new DecryptCommand3({
         KeyId: argv.awsKeyAlias,
         CiphertextBlob: Buffer.from(cipherText, "base64"),
         EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
       });
       const decryptionResult = await kmsClient.send(decryptCommand);
       if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
-        throw new Error(`No: ${JSON.stringify({ key, cipherText, decryptCommand })}`);
+        throw new Error(`No: ${JSON.stringify({
+          key,
+          cipherText,
+          decryptCommand
+        })}`);
       }
       const value = Buffer.from(decryptionResult.Plaintext).toString();
       return [key, value];
@@ -303,48 +574,55 @@ var handler2 = async (argv) => {
 // src/commands/encryptEnvCommand.ts
 var encryptEnvCommand_exports = {};
 __export(encryptEnvCommand_exports, {
-  builder: () => builder3,
-  command: () => command3,
-  desc: () => desc3,
-  handler: () => handler3
+  builder: () => builder5,
+  command: () => command5,
+  desc: () => desc5,
+  handler: () => handler5
 });
-import { KMSClient as KMSClient3, EncryptCommand } from "@aws-sdk/client-kms";
-import { redBright as redBright3 } from "chalk";
+import { DescribeKeyCommand as DescribeKeyCommand2, EncryptCommand } from "@aws-sdk/client-kms";
+import { redBright as redBright4 } from "chalk";
 import { parse as parse3 } from "dotenv";
-import fs3 from "node:fs";
-import path3 from "node:path";
-var command3 = "encrypt-env";
-var desc3 = "Encrypts a dotenv file";
-var builder3 = {
-  "aws-profile": __spreadValues({}, commonCliOptions.awsProfile),
-  "aws-region": __spreadValues({}, commonCliOptions.awsRegion),
-  "aws-key-alias": { string: true, default: "alias/top-secret" },
-  "env-file": {
-    string: true,
-    describe: ".env file",
-    default: ".env"
-  },
-  "sec-file": {
-    string: true,
-    describe: ".sec file",
-    default: ".sec"
-  },
-  verbose: __spreadValues({}, commonCliOptions.verbose),
-  yes: __spreadValues({}, commonCliOptions.yes)
+import fs4 from "node:fs";
+import path4 from "node:path";
+var command5 = "encrypt-env";
+var desc5 = "Encrypts a dotenv file";
+var builder5 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "env-file": commonCliOptions.envFile,
+  "sec-file": commonCliOptions.secFile,
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose
 };
-var handler3 = async (argv) => {
+var handler5 = async (argv) => {
+  const { info, error } = getLogger();
   try {
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({ argv: __spreadValues({}, argv), env: __spreadValues({}, process.env) });
-    const envSource = path3.resolve(process.cwd(), argv.envFile);
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const envSource = path4.resolve(process.cwd(), argv.envFile);
     if (!await fileExists(envSource)) {
-      console.error(`Could not open ${redBright3(envSource)}`);
+      error(`Could not open ${redBright4(envSource)}`);
       return;
     }
-    const parsedEnv = parse3(fs3.readFileSync(envSource, { encoding: "utf8" }));
-    const kmsClient = new KMSClient3({
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value
+    const parsedEnv = parse3(fs4.readFileSync(envSource, { encoding: "utf8" }));
+    const kmsClient = getKMSClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
     });
+    if (argv.verbose) {
+      info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
+      const describeKeyCommand = new DescribeKeyCommand2({
+        KeyId: argv.awsKeyAlias
+      });
+      const describeKeyResult = await kmsClient.send(describeKeyCommand);
+      console.log("describeKeyResult", { describeKeyResult });
+    }
     const sec = (await Promise.all(Object.entries(parsedEnv).map(async ([key, value]) => {
       const encryptCommand = new EncryptCommand({
         KeyId: argv.awsKeyAlias,
@@ -353,17 +631,232 @@ var handler3 = async (argv) => {
       });
       const encryptionResult = await kmsClient.send(encryptCommand);
       if (!encryptionResult.CiphertextBlob) {
-        throw new Error(`No: ${JSON.stringify({ key, value, encryptCommand })}`);
+        throw new Error(`Something bad happened: ${JSON.stringify({
+          key,
+          value,
+          encryptCommand
+        })}`);
+      }
+      if (argv.verbose) {
+        info(`Encrypting key ${bold(key)} ${underline("ok")}`);
       }
       const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
       return `${key}="${cipherText}"`;
     }))).join("\n");
-    fs3.writeFileSync(path3.resolve(process.cwd(), argv.secFile), sec);
+    fs4.writeFileSync(path4.resolve(process.cwd(), argv.secFile), sec);
   } catch (e) {
-    console.error(e);
+    error(e);
+  }
+};
+
+// src/commands/encryptSecretsJson.ts
+var encryptSecretsJson_exports = {};
+__export(encryptSecretsJson_exports, {
+  builder: () => builder6,
+  command: () => command6,
+  desc: () => desc6,
+  handler: () => handler6
+});
+import { DescribeKeyCommand as DescribeKeyCommand3, EncryptCommand as EncryptCommand2 } from "@aws-sdk/client-kms";
+import { redBright as redBright5 } from "chalk";
+import flat2 from "flat";
+import fs5 from "node:fs";
+import path5 from "node:path";
+var command6 = "encrypt-secrets-json";
+var desc6 = "Encrypts an unencrypted file";
+var builder6 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "secrets-file": {
+    string: true,
+    describe: "filename of json file reading secrets",
+    default: "secrets.json"
+  },
+  "encrypted-secrets-file": {
+    string: true,
+    describe: "filename of json file for writing encrypted secrets",
+    default: "secrets.encrypted.json"
+  },
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  yes: __spreadValues({}, commonCliOptions.yes)
+};
+var handler6 = async (argv) => {
+  const { info, error } = getLogger();
+  try {
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const secretsPath = path5.resolve(process.cwd(), argv.secretsFile);
+    if (!await fileExists(secretsPath)) {
+      error(`Could not open ${redBright5(secretsPath)}`);
+      return;
+    }
+    const secrets = JSON.parse(fs5.readFileSync(secretsPath, { encoding: "utf8" }));
+    if (!secrets.parameters) {
+      throw new Error(`Expected 'parameters' property, but got none`);
+    }
+    const flatParameters = flat2(secrets.parameters, { delimiter: "/" });
+    if (argv.verbose) {
+      console.log(flatParameters);
+    }
+    const kmsClient = getKMSClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    if (argv.verbose) {
+      info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
+      const describeKeyCommand = new DescribeKeyCommand3({
+        KeyId: argv.awsKeyAlias
+      });
+      const describeKeyResult = await kmsClient.send(describeKeyCommand);
+      console.log("describeKeyResult", { describeKeyResult });
+    }
+    const encryptedFlatParameters = Object.fromEntries(await Promise.all(Object.entries(flatParameters).map(async ([parameterName, parameter]) => {
+      const encryptCommand = new EncryptCommand2({
+        KeyId: argv.awsKeyAlias,
+        Plaintext: Buffer.from(parameter),
+        EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+      });
+      const encryptionResult = await kmsClient.send(encryptCommand);
+      if (!encryptionResult.CiphertextBlob) {
+        throw new Error(`Something bad happened: ${JSON.stringify({
+          key: parameterName,
+          value: parameter,
+          encryptCommand
+        })}`);
+      }
+      if (argv.verbose) {
+        info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
+      }
+      const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
+      return [parameterName, cipherText];
+    })));
+    const encryptedParameters = flat2.unflatten(encryptedFlatParameters, { delimiter: "/" });
+    const encryptedSecrets = {
+      config: secrets.config,
+      encryptedParameters
+    };
+    const encryptedSecretsPath = path5.resolve(process.cwd(), argv.encryptedSecretsFile);
+    const overwriteResponse = await promptOverwriteIfFileExists({
+      filePath: encryptedSecretsPath,
+      skip: argv.yes
+    });
+    if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
+      fs5.writeFileSync(encryptedSecretsPath, JSON.stringify(encryptedSecrets, null, 4));
+    }
+  } catch (e) {
+    error(e);
+  }
+};
+
+// src/commands/offloadToSSMCommand.ts
+var offloadToSSMCommand_exports = {};
+__export(offloadToSSMCommand_exports, {
+  builder: () => builder7,
+  command: () => command7,
+  desc: () => desc7,
+  handler: () => handler7
+});
+import { DecryptCommand as DecryptCommand4, DescribeKeyCommand as DescribeKeyCommand4 } from "@aws-sdk/client-kms";
+import { PutParameterCommand } from "@aws-sdk/client-ssm";
+import { redBright as redBright6 } from "chalk";
+import flat3 from "flat";
+import fs6 from "node:fs";
+import path6 from "node:path";
+var command7 = "offload-secrets-json-to-ssm";
+var desc7 = "Sends decrypted values of secrets.encrypted.json file to SSM parameter store";
+var builder7 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "encrypted-secrets-file": {
+    string: true,
+    describe: "filename of json file for reading encrypted secrets",
+    default: "secrets.encrypted.json"
+  },
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  yes: __spreadValues({}, commonCliOptions.yes)
+};
+var handler7 = async (argv) => {
+  const { info, error } = getLogger();
+  try {
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const encryptedSecretsPath = path6.resolve(process.cwd(), argv.encryptedSecretsFile);
+    if (!await fileExists(encryptedSecretsPath)) {
+      error(`Could not open ${redBright6(encryptedSecretsPath)}`);
+      return;
+    }
+    const encryptedSecrets = JSON.parse(fs6.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
+    if (!encryptedSecrets.encryptedParameters) {
+      throw new Error(`Expected 'encryptedParameters' property, but got none`);
+    }
+    const flatEncryptedParameters = flat3(encryptedSecrets.encryptedParameters, { delimiter: "/" });
+    const kmsClient = getKMSClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    if (argv.verbose) {
+      info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
+      const describeKeyCommand = new DescribeKeyCommand4({
+        KeyId: argv.awsKeyAlias
+      });
+      const describeKeyResult = await kmsClient.send(describeKeyCommand);
+      console.log("describeKeyResult", { describeKeyResult });
+    }
+    const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
+      const decryptCommand = new DecryptCommand4({
+        KeyId: argv.awsKeyAlias,
+        CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
+        EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+      });
+      const decryptionResult = await kmsClient.send(decryptCommand);
+      if (!decryptionResult.Plaintext) {
+        throw new Error(`Something bad happened: ${JSON.stringify({
+          key: parameterName,
+          cipherText: encryptedParameter,
+          decryptCommand
+        })}`);
+      }
+      if (argv.verbose) {
+        info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
+      }
+      const value = Buffer.from(decryptionResult.Plaintext).toString();
+      return [parameterName, value];
+    })));
+    const ssmClient = getSSMClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    await Promise.all(Object.entries(flatParameters).map(([parameterName, value]) => {
+      const putParameterCommand = new PutParameterCommand({
+        Name: `/${parameterName}`,
+        Value: value,
+        Type: "String",
+        Overwrite: true
+      });
+      return ssmClient.send(putParameterCommand);
+    }));
+  } catch (e) {
+    error(e);
   }
 };
 
 // src/cli.ts
-void yargs(hideBin(process.argv)).command(defaultCommand_exports).command(encryptEnvCommand_exports).command(decryptSecCommand_exports).parse();
+void yargs(hideBin(process.argv)).command(defaultCommand_exports).command(offloadToSSMCommand_exports).command(debugCommand_exports).command(encryptEnvCommand_exports).command(decryptSecCommand_exports).command(encryptSecretsJson_exports).command(decryptSecretsJson_exports).parse();
 //# sourceMappingURL=cli.js.map