npm - dotsec - Versions diffs - 0.1.1 → 0.4.0 - Mend

dotsec 0.1.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/cli.js CHANGED Viewed

@@ -24,11 +24,11 @@ var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
 };
-var __reExport = (target, module2, desc4) => {
+var __reExport = (target, module2, desc8) => {
   if (module2 && typeof module2 === "object" || typeof module2 === "function") {
     for (let key of __getOwnPropNames(module2))
       if (!__hasOwnProp.call(target, key) && key !== "default")
-        __defProp(target, key, { get: () => module2[key], enumerable: !(desc4 = __getOwnPropDesc(module2, key)) || desc4.enumerable });
+        __defProp(target, key, { get: () => module2[key], enumerable: !(desc8 = __getOwnPropDesc(module2, key)) || desc8.enumerable });
   }
   return target;
 };
@@ -40,19 +40,15 @@ var __toModule = (module2) => {
 var import_helpers = __toModule(require("yargs/helpers"));
 var import_yargs = __toModule(require("yargs/yargs"));
-// src/commands/decryptSecCommand.ts
-var decryptSecCommand_exports = {};
-__export(decryptSecCommand_exports, {
+// src/commands/debugCommand.ts
+var debugCommand_exports = {};
+__export(debugCommand_exports, {
   builder: () => builder,
   command: () => command,
   desc: () => desc,
   handler: () => handler
 });
-var import_client_kms = __toModule(require("@aws-sdk/client-kms"));
-var import_chalk2 = __toModule(require("chalk"));
-var import_dotenv = __toModule(require("dotenv"));
-var import_node_fs = __toModule(require("node:fs"));
-var import_node_path = __toModule(require("node:path"));
+var import_client_ssm2 = __toModule(require("@aws-sdk/client-ssm"));
 // src/commonCliOptions.ts
 var commonCliOptions = {
@@ -66,11 +62,30 @@ var commonCliOptions = {
   },
   awsKeyAlias: {
     string: true,
-    describe: "AWS KMS asymmetric key alias"
+    default: "alias/top-secret",
+    describe: "AWS KMS key alias"
+  },
+  awsKeyArn: {
+    string: true,
+    describe: "AWS KMS key id"
   },
   awsKey: {
     string: true,
-    describe: "AWS KMS asymmetric key arn"
+    describe: "AWS KMS key arn"
+  },
+  envFile: {
+    string: true,
+    describe: ".env file",
+    default: ".env"
+  },
+  secFile: {
+    string: true,
+    describe: ".sec file",
+    default: ".sec"
+  },
+  awsAssumeRoleArn: {
+    string: true,
+    describe: "arn or role to assume"
   },
   verbose: {
     boolean: true,
@@ -92,7 +107,14 @@ var import_shared_ini_file_loader = __toModule(require("@aws-sdk/shared-ini-file
 // src/utils/logger.ts
 var import_chalk = __toModule(require("chalk"));
-var bold = (str) => import_chalk.default.yellowBright.bold(str);
+var _logger;
+var getLogger = () => {
+  if (!_logger) {
+    _logger = console;
+  }
+  return _logger;
+};
+var bold = (str) => import_chalk.default.greenBright.bold(str);
 var underline = (str) => import_chalk.default.cyanBright.bold(str);
 // src/utils/getCredentialsProfileRegion.ts
@@ -106,12 +128,25 @@ var getCredentialsProfileRegion = async ({
   let profileAndOrigin = void 0;
   let regionAndOrigin = void 0;
   if (argv.profile) {
-    profileAndOrigin = { value: argv.profile, origin: `command line option: ${bold(argv.profile)}` };
-    credentialsAndOrigin = { value: await (0, import_credential_providers.fromIni)({ profile: argv.profile })(), origin: `${bold(`[${argv.profile}]`)} in credentials file` };
+    profileAndOrigin = {
+      value: argv.profile,
+      origin: `command line option: ${bold(argv.profile)}`
+    };
+    credentialsAndOrigin = {
+      value: await (0, import_credential_providers.fromIni)({
+        profile: argv.profile
+      })(),
+      origin: `${bold(`[${argv.profile}]`)} in credentials file`
+    };
   } else if (env.AWS_PROFILE) {
-    profileAndOrigin = { value: env.AWS_PROFILE, origin: `env variable ${bold("AWS_PROFILE")}: ${underline(env.AWS_PROFILE)}` };
+    profileAndOrigin = {
+      value: env.AWS_PROFILE,
+      origin: `env variable ${bold("AWS_PROFILE")}: ${underline(env.AWS_PROFILE)}`
+    };
     credentialsAndOrigin = {
-      value: await (0, import_credential_providers.fromIni)({ profile: env.AWS_PROFILE })(),
+      value: await (0, import_credential_providers.fromIni)({
+        profile: env.AWS_PROFILE
+      })(),
       origin: `env variable ${underline("AWS_PROFILE")}: ${bold(env.AWS_PROFILE)}`
     };
   } else if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) {
@@ -120,13 +155,27 @@ var getCredentialsProfileRegion = async ({
       origin: `env variables ${bold("AWS_ACCESS_KEY_ID")} and ${bold("AWS_SECRET_ACCESS_KEY")}`
     };
   } else if ((_a = sharedConfigFiles.credentialsFile) == null ? void 0 : _a.default) {
-    profileAndOrigin = { value: "default", origin: `${bold("[default]")} in credentials file` };
-    credentialsAndOrigin = { value: await (0, import_credential_providers.fromIni)({ profile: "default" })(), origin: `profile ${bold("[default]")}` };
+    profileAndOrigin = {
+      value: "default",
+      origin: `${bold("[default]")} in credentials file`
+    };
+    credentialsAndOrigin = {
+      value: await (0, import_credential_providers.fromIni)({
+        profile: "default"
+      })(),
+      origin: `profile ${bold("[default]")}`
+    };
   }
   if (argv.region) {
-    regionAndOrigin = { value: argv.region, origin: `command line option: ${bold(argv.region)}` };
+    regionAndOrigin = {
+      value: argv.region,
+      origin: `command line option: ${bold(argv.region)}`
+    };
   } else if (env.AWS_REGION) {
-    regionAndOrigin = { value: env.AWS_REGION, origin: `env variable ${bold("AWS_REGION")}: ${underline(env.AWS_REGION)}` };
+    regionAndOrigin = {
+      value: env.AWS_REGION,
+      origin: `env variable ${bold("AWS_REGION")}: ${underline(env.AWS_REGION)}`
+    };
   } else if (env.AWS_DEFAULT_REGION) {
     regionAndOrigin = {
       value: env.AWS_DEFAULT_REGION,
@@ -135,9 +184,27 @@ var getCredentialsProfileRegion = async ({
   } else if (profileAndOrigin) {
     const foundRegion = (_c = (_b = sharedConfigFiles == null ? void 0 : sharedConfigFiles.configFile) == null ? void 0 : _b[profileAndOrigin.value]) == null ? void 0 : _c.region;
     if (foundRegion) {
-      regionAndOrigin = { value: foundRegion, origin: `${bold(`[profile ${profileAndOrigin.value}]`)} in config file` };
+      regionAndOrigin = {
+        value: foundRegion,
+        origin: `${bold(`[profile ${profileAndOrigin.value}]`)} in config file`
+      };
     }
   }
+  if (argv.assumeRoleArn) {
+    console.log("assume this yo");
+    credentialsAndOrigin = {
+      value: await (0, import_credential_providers.fromTemporaryCredentials)({
+        masterCredentials: credentialsAndOrigin == null ? void 0 : credentialsAndOrigin.value,
+        params: {
+          RoleArn: argv.assumeRoleArn
+        },
+        clientConfig: {
+          region: regionAndOrigin == null ? void 0 : regionAndOrigin.value
+        }
+      })(),
+      origin: `assume role ${bold(`[${argv.assumeRoleArn}]`)}`
+    };
+  }
   return { credentialsAndOrigin, regionAndOrigin, profileAndOrigin };
 };
 var printVerboseCredentialsProfileRegion = ({
@@ -163,12 +230,20 @@ var handleCredentialsAndRegion = async ({
   argv,
   env
 }) => {
-  const { credentialsAndOrigin, regionAndOrigin } = await getCredentialsProfileRegion({
-    argv: { region: argv.awsRegion, profile: argv.awsProfile },
+  const { credentialsAndOrigin, regionAndOrigin, profileAndOrigin } = await getCredentialsProfileRegion({
+    argv: {
+      region: argv.awsRegion,
+      profile: argv.awsProfile,
+      assumeRoleArn: argv.awsAssumeRoleArn
+    },
     env: __spreadValues({}, env)
   });
   if (argv.verbose === true) {
-    console.log(printVerboseCredentialsProfileRegion({ credentialsAndOrigin, regionAndOrigin }));
+    console.log(printVerboseCredentialsProfileRegion({
+      credentialsAndOrigin,
+      regionAndOrigin,
+      profileAndOrigin
+    }));
   }
   if (!credentialsAndOrigin || !regionAndOrigin) {
     if (!credentialsAndOrigin) {
@@ -183,8 +258,67 @@ var handleCredentialsAndRegion = async ({
   return { credentialsAndOrigin, regionAndOrigin };
 };
+// src/utils/ssm.ts
+var import_client_ssm = __toModule(require("@aws-sdk/client-ssm"));
+var getSSMClient = ({
+  configuration
+}) => {
+  const ssmClient = new import_client_ssm.SSMClient(configuration);
+  return ssmClient;
+};
+// src/commands/debugCommand.ts
+var command = "debug";
+var desc = "Debugs all the things";
+var builder = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  yes: __spreadValues({}, commonCliOptions.yes)
+};
+var handler = async (argv) => {
+  try {
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const ssmClient = getSSMClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    const getParametersByPathCommand = new import_client_ssm2.GetParametersByPathCommand({
+      Path: `arn:aws:ssm:eu-west-1:060014838622:parameter/dotsec/*`,
+      Recursive: true
+    });
+    const commandResult = await ssmClient.send(getParametersByPathCommand);
+    console.log(commandResult);
+  } catch (e) {
+    console.error(e);
+  }
+};
+// src/commands/decryptSecCommand.ts
+var decryptSecCommand_exports = {};
+__export(decryptSecCommand_exports, {
+  builder: () => builder2,
+  command: () => command2,
+  desc: () => desc2,
+  handler: () => handler2
+});
+var import_client_kms = __toModule(require("@aws-sdk/client-kms"));
+var import_chalk2 = __toModule(require("chalk"));
+var import_dotenv = __toModule(require("dotenv"));
+var import_node_fs = __toModule(require("node:fs"));
+var import_node_path = __toModule(require("node:path"));
 // src/utils/io.ts
 var import_promises = __toModule(require("fs/promises"));
+var import_prompts = __toModule(require("prompts"));
 var fileExists = async (source) => {
   try {
     await (0, import_promises.stat)(source);
@@ -193,30 +327,43 @@ var fileExists = async (source) => {
     return false;
   }
 };
+var promptOverwriteIfFileExists = async ({
+  filePath,
+  skip
+}) => {
+  let overwriteResponse;
+  if (await fileExists(filePath) && skip !== true) {
+    overwriteResponse = await (0, import_prompts.default)({
+      type: "confirm",
+      name: "overwrite",
+      message: () => {
+        return `Overwrite '${filePath}' ?`;
+      }
+    });
+  } else {
+    overwriteResponse = void 0;
+  }
+  return overwriteResponse;
+};
 // src/commands/decryptSecCommand.ts
-var command = "decrypt-sec";
-var desc = "Decrypts a dotsec file";
-var builder = {
-  "aws-profile": __spreadValues({}, commonCliOptions.awsProfile),
-  "aws-region": __spreadValues({}, commonCliOptions.awsRegion),
-  "aws-key-alias": { string: true, default: "alias/top-secret" },
-  "env-file": {
-    string: true,
-    describe: ".env file",
-    default: ".env"
-  },
-  "sec-file": {
-    string: true,
-    describe: ".sec file",
-    default: ".sec"
-  },
-  verbose: __spreadValues({}, commonCliOptions.verbose),
-  yes: __spreadValues({}, commonCliOptions.yes)
+var command2 = "decrypt-sec";
+var desc2 = "Decrypts a dotsec file";
+var builder2 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  "env-file": commonCliOptions.envFile,
+  "sec-file": commonCliOptions.secFile,
+  verbose: commonCliOptions.verbose
 };
-var handler = async (argv) => {
+var handler2 = async (argv) => {
   try {
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({ argv: __spreadValues({}, argv), env: __spreadValues({}, process.env) });
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
     const secSource = import_node_path.default.resolve(process.cwd(), argv.secFile);
     if (!await fileExists(secSource)) {
       console.error(`Could not open ${(0, import_chalk2.redBright)(secSource)}`);
@@ -235,7 +382,11 @@ var handler = async (argv) => {
       });
       const decryptionResult = await kmsClient.send(decryptCommand);
       if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
-        throw new Error(`No: ${JSON.stringify({ key, cipherText, decryptCommand })}`);
+        throw new Error(`No: ${JSON.stringify({
+          key,
+          cipherText,
+          decryptCommand
+        })}`);
       }
       const value = Buffer.from(decryptionResult.Plaintext).toString();
       return [key, value];
@@ -246,62 +397,203 @@ var handler = async (argv) => {
   }
 };
-// src/commands/defaultCommand.ts
-var defaultCommand_exports = {};
-__export(defaultCommand_exports, {
-  builder: () => builder2,
-  command: () => command2,
-  desc: () => desc2,
-  handler: () => handler2
+// src/commands/decryptSecretsJson.ts
+var decryptSecretsJson_exports = {};
+__export(decryptSecretsJson_exports, {
+  builder: () => builder3,
+  command: () => command3,
+  desc: () => desc3,
+  handler: () => handler3
 });
-var import_client_kms2 = __toModule(require("@aws-sdk/client-kms"));
+var import_client_kms3 = __toModule(require("@aws-sdk/client-kms"));
 var import_chalk3 = __toModule(require("chalk"));
-var import_cross_spawn = __toModule(require("cross-spawn"));
-var import_dotenv2 = __toModule(require("dotenv"));
+var import_flat = __toModule(require("flat"));
 var import_node_fs2 = __toModule(require("node:fs"));
 var import_node_path2 = __toModule(require("node:path"));
-var command2 = "$0 <command>";
-var desc2 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
-var builder2 = {
-  "aws-profile": __spreadValues({}, commonCliOptions.awsProfile),
-  "aws-region": __spreadValues({}, commonCliOptions.awsRegion),
-  "aws-key-alias": { string: true, default: "alias/top-secret" },
-  "sec-file": {
+// src/utils/kms.ts
+var import_client_kms2 = __toModule(require("@aws-sdk/client-kms"));
+var getKMSClient = ({
+  configuration
+}) => {
+  const kmsClient = new import_client_kms2.KMSClient(configuration);
+  return kmsClient;
+};
+// src/commands/decryptSecretsJson.ts
+var command3 = "decrypt-secrets-json";
+var desc3 = "Derypts an encrypted file";
+var builder3 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "secrets-file": {
     string: true,
-    describe: ".sec file",
-    default: ".sec"
+    describe: "filename of json file writing secrets",
+    default: "secrets.json"
   },
-  verbose: __spreadValues({}, commonCliOptions.verbose),
-  yes: __spreadValues({}, commonCliOptions.yes),
-  command: { string: true, required: true }
+  "encrypted-secrets-file": {
+    string: true,
+    describe: "filename of json file for reading encrypted secrets",
+    default: "secrets.encrypted.json"
+  },
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  yes: __spreadValues({}, commonCliOptions.yes)
 };
-var handler2 = async (argv) => {
+var handler3 = async (argv) => {
+  const { info, error } = getLogger();
   try {
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({ argv: __spreadValues({}, argv), env: __spreadValues({}, process.env) });
-    const secSource = import_node_path2.default.resolve(process.cwd(), argv.secFile);
-    if (!await fileExists(secSource)) {
-      console.error(`Could not open ${(0, import_chalk3.redBright)(secSource)}`);
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const encryptedSecretsPath = import_node_path2.default.resolve(process.cwd(), argv.encryptedSecretsFile);
+    if (!await fileExists(encryptedSecretsPath)) {
+      error(`Could not open ${(0, import_chalk3.redBright)(encryptedSecretsPath)}`);
       return;
     }
-    const parsedSec = (0, import_dotenv2.parse)(import_node_fs2.default.readFileSync(secSource, { encoding: "utf8" }));
-    const kmsClient = new import_client_kms2.KMSClient({
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value
+    const encryptedSecrets = JSON.parse(import_node_fs2.default.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
+    if (!encryptedSecrets.encryptedParameters) {
+      throw new Error(`Expected 'encryptedParameters' property, but got none`);
+    }
+    const flatEncryptedParameters = (0, import_flat.default)(encryptedSecrets.encryptedParameters, { delimiter: "/" });
+    const kmsClient = getKMSClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
     });
-    const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
-      const decryptCommand = new import_client_kms2.DecryptCommand({
+    if (argv.verbose) {
+      info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
+      const describeKeyCommand = new import_client_kms3.DescribeKeyCommand({
+        KeyId: argv.awsKeyAlias
+      });
+      const describeKeyResult = await kmsClient.send(describeKeyCommand);
+      console.log("describeKeyResult", { describeKeyResult });
+    }
+    const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
+      const decryptCommand = new import_client_kms3.DecryptCommand({
         KeyId: argv.awsKeyAlias,
-        CiphertextBlob: Buffer.from(cipherText, "base64"),
+        CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
         EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
       });
       const decryptionResult = await kmsClient.send(decryptCommand);
-      if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
-        throw new Error(`No: ${JSON.stringify({ key, cipherText, decryptCommand })}`);
+      if (!decryptionResult.Plaintext) {
+        throw new Error(`Something bad happened: ${JSON.stringify({
+          key: parameterName,
+          cipherText: encryptedParameter,
+          decryptCommand
+        })}`);
+      }
+      if (argv.verbose) {
+        info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
       }
       const value = Buffer.from(decryptionResult.Plaintext).toString();
-      return [key, value];
-    }));
-    const env = Object.fromEntries(envEntries);
+      return [parameterName, value];
+    })));
+    const parameters = import_flat.default.unflatten(flatParameters, { delimiter: "/" });
+    const secrets = {
+      config: encryptedSecrets.config,
+      parameters
+    };
+    const secretsPath = import_node_path2.default.resolve(process.cwd(), argv.secretsFile);
+    const overwriteResponse = await promptOverwriteIfFileExists({
+      filePath: secretsPath,
+      skip: argv.yes
+    });
+    if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
+      import_node_fs2.default.writeFileSync(secretsPath, JSON.stringify(secrets, null, 4));
+    }
+  } catch (e) {
+    error(e);
+  }
+};
+// src/commands/defaultCommand.ts
+var defaultCommand_exports = {};
+__export(defaultCommand_exports, {
+  builder: () => builder4,
+  command: () => command4,
+  desc: () => desc4,
+  handler: () => handler4
+});
+var import_node_fs3 = __toModule(require("node:fs"));
+var import_node_path3 = __toModule(require("node:path"));
+var import_client_kms4 = __toModule(require("@aws-sdk/client-kms"));
+var import_chalk4 = __toModule(require("chalk"));
+var import_cross_spawn = __toModule(require("cross-spawn"));
+var import_dotenv2 = __toModule(require("dotenv"));
+var command4 = "$0 <command>";
+var desc4 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
+var builder4 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "sec-file": commonCliOptions.secFile,
+  "env-file": commonCliOptions.envFile,
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  command: { string: true, required: true }
+};
+var handleSec = async ({
+  secFile,
+  credentialsAndOrigin,
+  regionAndOrigin,
+  awsKeyAlias
+}) => {
+  const secSource = import_node_path3.default.resolve(process.cwd(), secFile);
+  if (!await fileExists(secSource)) {
+    console.error(`Could not open ${(0, import_chalk4.redBright)(secSource)}`);
+    return;
+  }
+  const parsedSec = (0, import_dotenv2.parse)(import_node_fs3.default.readFileSync(secSource, { encoding: "utf8" }));
+  const kmsClient = new import_client_kms4.KMSClient({
+    credentials: credentialsAndOrigin.value,
+    region: regionAndOrigin.value
+  });
+  const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
+    const decryptCommand = new import_client_kms4.DecryptCommand({
+      KeyId: awsKeyAlias,
+      CiphertextBlob: Buffer.from(cipherText, "base64"),
+      EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+    });
+    const decryptionResult = await kmsClient.send(decryptCommand);
+    if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
+      throw new Error(`No: ${JSON.stringify({
+        key,
+        cipherText,
+        decryptCommand
+      })}`);
+    }
+    const value = Buffer.from(decryptionResult.Plaintext).toString();
+    return [key, value];
+  }));
+  const env = Object.fromEntries(envEntries);
+  return env;
+};
+var handler4 = async (argv) => {
+  try {
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    if (argv.verbose) {
+      console.log({ credentialsAndOrigin, regionAndOrigin });
+    }
+    let env;
+    if (argv.envFile) {
+      console.log("OK");
+      env = (0, import_dotenv2.parse)(import_node_fs3.default.readFileSync(argv.envFile, { encoding: "utf8" }));
+    } else if (argv.secFile) {
+      env = await handleSec({
+        secFile: argv.secFile,
+        credentialsAndOrigin,
+        regionAndOrigin,
+        awsKeyAlias: argv.awsKeyAlias
+      });
+    }
     const userCommandArgs = process.argv.slice(process.argv.indexOf(argv.command) + 1);
     if (argv.command) {
       (0, import_cross_spawn.spawn)(argv.command, [...userCommandArgs], {
@@ -318,67 +610,289 @@ var handler2 = async (argv) => {
 // src/commands/encryptEnvCommand.ts
 var encryptEnvCommand_exports = {};
 __export(encryptEnvCommand_exports, {
-  builder: () => builder3,
-  command: () => command3,
-  desc: () => desc3,
-  handler: () => handler3
+  builder: () => builder5,
+  command: () => command5,
+  desc: () => desc5,
+  handler: () => handler5
 });
-var import_client_kms3 = __toModule(require("@aws-sdk/client-kms"));
-var import_chalk4 = __toModule(require("chalk"));
+var import_client_kms5 = __toModule(require("@aws-sdk/client-kms"));
+var import_chalk5 = __toModule(require("chalk"));
 var import_dotenv3 = __toModule(require("dotenv"));
-var import_node_fs3 = __toModule(require("node:fs"));
-var import_node_path3 = __toModule(require("node:path"));
-var command3 = "encrypt-env";
-var desc3 = "Encrypts a dotenv file";
-var builder3 = {
-  "aws-profile": __spreadValues({}, commonCliOptions.awsProfile),
-  "aws-region": __spreadValues({}, commonCliOptions.awsRegion),
-  "aws-key-alias": { string: true, default: "alias/top-secret" },
-  "env-file": {
-    string: true,
-    describe: ".env file",
-    default: ".env"
-  },
-  "sec-file": {
-    string: true,
-    describe: ".sec file",
-    default: ".sec"
-  },
-  verbose: __spreadValues({}, commonCliOptions.verbose),
-  yes: __spreadValues({}, commonCliOptions.yes)
+var import_node_fs4 = __toModule(require("node:fs"));
+var import_node_path4 = __toModule(require("node:path"));
+var command5 = "encrypt-env";
+var desc5 = "Encrypts a dotenv file";
+var builder5 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "env-file": commonCliOptions.envFile,
+  "sec-file": commonCliOptions.secFile,
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose
 };
-var handler3 = async (argv) => {
+var handler5 = async (argv) => {
+  const { info, error } = getLogger();
   try {
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({ argv: __spreadValues({}, argv), env: __spreadValues({}, process.env) });
-    const envSource = import_node_path3.default.resolve(process.cwd(), argv.envFile);
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const envSource = import_node_path4.default.resolve(process.cwd(), argv.envFile);
     if (!await fileExists(envSource)) {
-      console.error(`Could not open ${(0, import_chalk4.redBright)(envSource)}`);
+      error(`Could not open ${(0, import_chalk5.redBright)(envSource)}`);
       return;
     }
-    const parsedEnv = (0, import_dotenv3.parse)(import_node_fs3.default.readFileSync(envSource, { encoding: "utf8" }));
-    const kmsClient = new import_client_kms3.KMSClient({
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value
+    const parsedEnv = (0, import_dotenv3.parse)(import_node_fs4.default.readFileSync(envSource, { encoding: "utf8" }));
+    const kmsClient = getKMSClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
     });
+    if (argv.verbose) {
+      info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
+      const describeKeyCommand = new import_client_kms5.DescribeKeyCommand({
+        KeyId: argv.awsKeyAlias
+      });
+      const describeKeyResult = await kmsClient.send(describeKeyCommand);
+      console.log("describeKeyResult", { describeKeyResult });
+    }
     const sec = (await Promise.all(Object.entries(parsedEnv).map(async ([key, value]) => {
-      const encryptCommand = new import_client_kms3.EncryptCommand({
+      const encryptCommand = new import_client_kms5.EncryptCommand({
         KeyId: argv.awsKeyAlias,
         Plaintext: Buffer.from(value),
         EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
       });
       const encryptionResult = await kmsClient.send(encryptCommand);
       if (!encryptionResult.CiphertextBlob) {
-        throw new Error(`No: ${JSON.stringify({ key, value, encryptCommand })}`);
+        throw new Error(`Something bad happened: ${JSON.stringify({
+          key,
+          value,
+          encryptCommand
+        })}`);
+      }
+      if (argv.verbose) {
+        info(`Encrypting key ${bold(key)} ${underline("ok")}`);
       }
       const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
       return `${key}="${cipherText}"`;
     }))).join("\n");
-    import_node_fs3.default.writeFileSync(import_node_path3.default.resolve(process.cwd(), argv.secFile), sec);
+    import_node_fs4.default.writeFileSync(import_node_path4.default.resolve(process.cwd(), argv.secFile), sec);
   } catch (e) {
-    console.error(e);
+    error(e);
+  }
+};
+// src/commands/encryptSecretsJson.ts
+var encryptSecretsJson_exports = {};
+__export(encryptSecretsJson_exports, {
+  builder: () => builder6,
+  command: () => command6,
+  desc: () => desc6,
+  handler: () => handler6
+});
+var import_node_fs5 = __toModule(require("node:fs"));
+var import_node_path5 = __toModule(require("node:path"));
+var import_client_kms6 = __toModule(require("@aws-sdk/client-kms"));
+var import_chalk6 = __toModule(require("chalk"));
+var import_flat2 = __toModule(require("flat"));
+var command6 = "encrypt-secrets-json";
+var desc6 = "Encrypts an unencrypted file";
+var builder6 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "secrets-file": {
+    string: true,
+    describe: "filename of json file reading secrets",
+    default: "secrets.json"
+  },
+  "encrypted-secrets-file": {
+    string: true,
+    describe: "filename of json file for writing encrypted secrets",
+    default: "secrets.encrypted.json"
+  },
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  yes: __spreadValues({}, commonCliOptions.yes)
+};
+var handler6 = async (argv) => {
+  const { info, error } = getLogger();
+  try {
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const secretsPath = import_node_path5.default.resolve(process.cwd(), argv.secretsFile);
+    if (!await fileExists(secretsPath)) {
+      error(`Could not open ${(0, import_chalk6.redBright)(secretsPath)}`);
+      return;
+    }
+    const secrets = JSON.parse(import_node_fs5.default.readFileSync(secretsPath, { encoding: "utf8" }));
+    if (!secrets.parameters) {
+      throw new Error(`Expected 'parameters' property, but got none`);
+    }
+    const flatParameters = (0, import_flat2.default)(secrets.parameters, { delimiter: "/" });
+    if (argv.verbose) {
+      console.log(flatParameters);
+    }
+    const kmsClient = getKMSClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    if (argv.verbose) {
+      info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
+      const describeKeyCommand = new import_client_kms6.DescribeKeyCommand({
+        KeyId: argv.awsKeyAlias
+      });
+      const describeKeyResult = await kmsClient.send(describeKeyCommand);
+      console.log("describeKeyResult", { describeKeyResult });
+    }
+    const encryptedFlatParameters = Object.fromEntries(await Promise.all(Object.entries(flatParameters).map(async ([parameterName, parameter]) => {
+      const encryptCommand = new import_client_kms6.EncryptCommand({
+        KeyId: argv.awsKeyAlias,
+        Plaintext: Buffer.from(parameter),
+        EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+      });
+      const encryptionResult = await kmsClient.send(encryptCommand);
+      if (!encryptionResult.CiphertextBlob) {
+        throw new Error(`Something bad happened: ${JSON.stringify({
+          key: parameterName,
+          value: parameter,
+          encryptCommand
+        })}`);
+      }
+      if (argv.verbose) {
+        info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
+      }
+      const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
+      return [parameterName, cipherText];
+    })));
+    const encryptedParameters = import_flat2.default.unflatten(encryptedFlatParameters, { delimiter: "/" });
+    const encryptedSecrets = {
+      config: secrets.config,
+      encryptedParameters
+    };
+    const encryptedSecretsPath = import_node_path5.default.resolve(process.cwd(), argv.encryptedSecretsFile);
+    const overwriteResponse = await promptOverwriteIfFileExists({
+      filePath: encryptedSecretsPath,
+      skip: argv.yes
+    });
+    if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
+      import_node_fs5.default.writeFileSync(encryptedSecretsPath, JSON.stringify(encryptedSecrets, null, 4));
+    }
+  } catch (e) {
+    error(e);
+  }
+};
+// src/commands/offloadToSSMCommand.ts
+var offloadToSSMCommand_exports = {};
+__export(offloadToSSMCommand_exports, {
+  builder: () => builder7,
+  command: () => command7,
+  desc: () => desc7,
+  handler: () => handler7
+});
+var import_client_kms7 = __toModule(require("@aws-sdk/client-kms"));
+var import_client_ssm3 = __toModule(require("@aws-sdk/client-ssm"));
+var import_chalk7 = __toModule(require("chalk"));
+var import_flat3 = __toModule(require("flat"));
+var import_node_fs6 = __toModule(require("node:fs"));
+var import_node_path6 = __toModule(require("node:path"));
+var command7 = "offload-secrets-json-to-ssm";
+var desc7 = "Sends decrypted values of secrets.encrypted.json file to SSM parameter store";
+var builder7 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "encrypted-secrets-file": {
+    string: true,
+    describe: "filename of json file for reading encrypted secrets",
+    default: "secrets.encrypted.json"
+  },
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  yes: __spreadValues({}, commonCliOptions.yes)
+};
+var handler7 = async (argv) => {
+  const { info, error } = getLogger();
+  try {
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const encryptedSecretsPath = import_node_path6.default.resolve(process.cwd(), argv.encryptedSecretsFile);
+    if (!await fileExists(encryptedSecretsPath)) {
+      error(`Could not open ${(0, import_chalk7.redBright)(encryptedSecretsPath)}`);
+      return;
+    }
+    const encryptedSecrets = JSON.parse(import_node_fs6.default.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
+    if (!encryptedSecrets.encryptedParameters) {
+      throw new Error(`Expected 'encryptedParameters' property, but got none`);
+    }
+    const flatEncryptedParameters = (0, import_flat3.default)(encryptedSecrets.encryptedParameters, { delimiter: "/" });
+    const kmsClient = getKMSClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    if (argv.verbose) {
+      info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
+      const describeKeyCommand = new import_client_kms7.DescribeKeyCommand({
+        KeyId: argv.awsKeyAlias
+      });
+      const describeKeyResult = await kmsClient.send(describeKeyCommand);
+      console.log("describeKeyResult", { describeKeyResult });
+    }
+    const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
+      const decryptCommand = new import_client_kms7.DecryptCommand({
+        KeyId: argv.awsKeyAlias,
+        CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
+        EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+      });
+      const decryptionResult = await kmsClient.send(decryptCommand);
+      if (!decryptionResult.Plaintext) {
+        throw new Error(`Something bad happened: ${JSON.stringify({
+          key: parameterName,
+          cipherText: encryptedParameter,
+          decryptCommand
+        })}`);
+      }
+      if (argv.verbose) {
+        info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
+      }
+      const value = Buffer.from(decryptionResult.Plaintext).toString();
+      return [parameterName, value];
+    })));
+    const ssmClient = getSSMClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    await Promise.all(Object.entries(flatParameters).map(([parameterName, value]) => {
+      const putParameterCommand = new import_client_ssm3.PutParameterCommand({
+        Name: `/${parameterName}`,
+        Value: value,
+        Type: "String",
+        Overwrite: true
+      });
+      return ssmClient.send(putParameterCommand);
+    }));
+  } catch (e) {
+    error(e);
   }
 };
 // src/cli.ts
-void (0, import_yargs.default)((0, import_helpers.hideBin)(process.argv)).command(defaultCommand_exports).command(encryptEnvCommand_exports).command(decryptSecCommand_exports).parse();
+void (0, import_yargs.default)((0, import_helpers.hideBin)(process.argv)).command(defaultCommand_exports).command(offloadToSSMCommand_exports).command(debugCommand_exports).command(encryptEnvCommand_exports).command(decryptSecCommand_exports).command(encryptSecretsJson_exports).command(decryptSecretsJson_exports).parse();
 //# sourceMappingURL=cli.js.map