npm - dotsec - Versions diffs - 0.1.1 → 0.4.0 - Mend

dotsec 0.1.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/esm/cli.js CHANGED Viewed

@@ -25,19 +25,15 @@ var __export = (target, all) => {
 import { hideBin } from "yargs/helpers";
 import yargs from "yargs/yargs";
-// src/commands/decryptSecCommand.ts
-var decryptSecCommand_exports = {};
-__export(decryptSecCommand_exports, {
+// src/commands/debugCommand.ts
+var debugCommand_exports = {};
+__export(debugCommand_exports, {
   builder: () => builder,
   command: () => command,
   desc: () => desc,
   handler: () => handler
 });
-import { KMSClient, DecryptCommand } from "@aws-sdk/client-kms";
-import { redBright } from "chalk";
-import { parse } from "dotenv";
-import fs from "node:fs";
-import path from "node:path";
+import { GetParametersByPathCommand } from "@aws-sdk/client-ssm";
 // src/commonCliOptions.ts
 var commonCliOptions = {
@@ -51,11 +47,30 @@ var commonCliOptions = {
   },
   awsKeyAlias: {
     string: true,
-    describe: "AWS KMS asymmetric key alias"
+    default: "alias/top-secret",
+    describe: "AWS KMS key alias"
+  },
+  awsKeyArn: {
+    string: true,
+    describe: "AWS KMS key id"
   },
   awsKey: {
     string: true,
-    describe: "AWS KMS asymmetric key arn"
+    describe: "AWS KMS key arn"
+  },
+  envFile: {
+    string: true,
+    describe: ".env file",
+    default: ".env"
+  },
+  secFile: {
+    string: true,
+    describe: ".sec file",
+    default: ".sec"
+  },
+  awsAssumeRoleArn: {
+    string: true,
+    describe: "arn or role to assume"
   },
   verbose: {
     boolean: true,
@@ -72,12 +87,23 @@ var commonCliOptions = {
 };
 // src/utils/getCredentialsProfileRegion.ts
-import { fromEnv, fromIni } from "@aws-sdk/credential-providers";
+import {
+  fromEnv,
+  fromIni,
+  fromTemporaryCredentials
+} from "@aws-sdk/credential-providers";
 import { loadSharedConfigFiles } from "@aws-sdk/shared-ini-file-loader";
 // src/utils/logger.ts
 import chalk from "chalk";
-var bold = (str) => chalk.yellowBright.bold(str);
+var _logger;
+var getLogger = () => {
+  if (!_logger) {
+    _logger = console;
+  }
+  return _logger;
+};
+var bold = (str) => chalk.greenBright.bold(str);
 var underline = (str) => chalk.cyanBright.bold(str);
 // src/utils/getCredentialsProfileRegion.ts
@@ -91,12 +117,25 @@ var getCredentialsProfileRegion = async ({
   let profileAndOrigin = void 0;
   let regionAndOrigin = void 0;
   if (argv.profile) {
-    profileAndOrigin = { value: argv.profile, origin: `command line option: ${bold(argv.profile)}` };
-    credentialsAndOrigin = { value: await fromIni({ profile: argv.profile })(), origin: `${bold(`[${argv.profile}]`)} in credentials file` };
+    profileAndOrigin = {
+      value: argv.profile,
+      origin: `command line option: ${bold(argv.profile)}`
+    };
+    credentialsAndOrigin = {
+      value: await fromIni({
+        profile: argv.profile
+      })(),
+      origin: `${bold(`[${argv.profile}]`)} in credentials file`
+    };
   } else if (env.AWS_PROFILE) {
-    profileAndOrigin = { value: env.AWS_PROFILE, origin: `env variable ${bold("AWS_PROFILE")}: ${underline(env.AWS_PROFILE)}` };
+    profileAndOrigin = {
+      value: env.AWS_PROFILE,
+      origin: `env variable ${bold("AWS_PROFILE")}: ${underline(env.AWS_PROFILE)}`
+    };
     credentialsAndOrigin = {
-      value: await fromIni({ profile: env.AWS_PROFILE })(),
+      value: await fromIni({
+        profile: env.AWS_PROFILE
+      })(),
       origin: `env variable ${underline("AWS_PROFILE")}: ${bold(env.AWS_PROFILE)}`
     };
   } else if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) {
@@ -105,13 +144,27 @@ var getCredentialsProfileRegion = async ({
       origin: `env variables ${bold("AWS_ACCESS_KEY_ID")} and ${bold("AWS_SECRET_ACCESS_KEY")}`
     };
   } else if ((_a = sharedConfigFiles.credentialsFile) == null ? void 0 : _a.default) {
-    profileAndOrigin = { value: "default", origin: `${bold("[default]")} in credentials file` };
-    credentialsAndOrigin = { value: await fromIni({ profile: "default" })(), origin: `profile ${bold("[default]")}` };
+    profileAndOrigin = {
+      value: "default",
+      origin: `${bold("[default]")} in credentials file`
+    };
+    credentialsAndOrigin = {
+      value: await fromIni({
+        profile: "default"
+      })(),
+      origin: `profile ${bold("[default]")}`
+    };
   }
   if (argv.region) {
-    regionAndOrigin = { value: argv.region, origin: `command line option: ${bold(argv.region)}` };
+    regionAndOrigin = {
+      value: argv.region,
+      origin: `command line option: ${bold(argv.region)}`
+    };
   } else if (env.AWS_REGION) {
-    regionAndOrigin = { value: env.AWS_REGION, origin: `env variable ${bold("AWS_REGION")}: ${underline(env.AWS_REGION)}` };
+    regionAndOrigin = {
+      value: env.AWS_REGION,
+      origin: `env variable ${bold("AWS_REGION")}: ${underline(env.AWS_REGION)}`
+    };
   } else if (env.AWS_DEFAULT_REGION) {
     regionAndOrigin = {
       value: env.AWS_DEFAULT_REGION,
@@ -120,9 +173,27 @@ var getCredentialsProfileRegion = async ({
   } else if (profileAndOrigin) {
     const foundRegion = (_c = (_b = sharedConfigFiles == null ? void 0 : sharedConfigFiles.configFile) == null ? void 0 : _b[profileAndOrigin.value]) == null ? void 0 : _c.region;
     if (foundRegion) {
-      regionAndOrigin = { value: foundRegion, origin: `${bold(`[profile ${profileAndOrigin.value}]`)} in config file` };
+      regionAndOrigin = {
+        value: foundRegion,
+        origin: `${bold(`[profile ${profileAndOrigin.value}]`)} in config file`
+      };
     }
   }
+  if (argv.assumeRoleArn) {
+    console.log("assume this yo");
+    credentialsAndOrigin = {
+      value: await fromTemporaryCredentials({
+        masterCredentials: credentialsAndOrigin == null ? void 0 : credentialsAndOrigin.value,
+        params: {
+          RoleArn: argv.assumeRoleArn
+        },
+        clientConfig: {
+          region: regionAndOrigin == null ? void 0 : regionAndOrigin.value
+        }
+      })(),
+      origin: `assume role ${bold(`[${argv.assumeRoleArn}]`)}`
+    };
+  }
   return { credentialsAndOrigin, regionAndOrigin, profileAndOrigin };
 };
 var printVerboseCredentialsProfileRegion = ({
@@ -148,12 +219,20 @@ var handleCredentialsAndRegion = async ({
   argv,
   env
 }) => {
-  const { credentialsAndOrigin, regionAndOrigin } = await getCredentialsProfileRegion({
-    argv: { region: argv.awsRegion, profile: argv.awsProfile },
+  const { credentialsAndOrigin, regionAndOrigin, profileAndOrigin } = await getCredentialsProfileRegion({
+    argv: {
+      region: argv.awsRegion,
+      profile: argv.awsProfile,
+      assumeRoleArn: argv.awsAssumeRoleArn
+    },
     env: __spreadValues({}, env)
   });
   if (argv.verbose === true) {
-    console.log(printVerboseCredentialsProfileRegion({ credentialsAndOrigin, regionAndOrigin }));
+    console.log(printVerboseCredentialsProfileRegion({
+      credentialsAndOrigin,
+      regionAndOrigin,
+      profileAndOrigin
+    }));
   }
   if (!credentialsAndOrigin || !regionAndOrigin) {
     if (!credentialsAndOrigin) {
@@ -168,8 +247,67 @@ var handleCredentialsAndRegion = async ({
   return { credentialsAndOrigin, regionAndOrigin };
 };
+// src/utils/ssm.ts
+import { SSMClient } from "@aws-sdk/client-ssm";
+var getSSMClient = ({
+  configuration
+}) => {
+  const ssmClient = new SSMClient(configuration);
+  return ssmClient;
+};
+// src/commands/debugCommand.ts
+var command = "debug";
+var desc = "Debugs all the things";
+var builder = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  yes: __spreadValues({}, commonCliOptions.yes)
+};
+var handler = async (argv) => {
+  try {
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const ssmClient = getSSMClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    const getParametersByPathCommand = new GetParametersByPathCommand({
+      Path: `arn:aws:ssm:eu-west-1:060014838622:parameter/dotsec/*`,
+      Recursive: true
+    });
+    const commandResult = await ssmClient.send(getParametersByPathCommand);
+    console.log(commandResult);
+  } catch (e) {
+    console.error(e);
+  }
+};
+// src/commands/decryptSecCommand.ts
+var decryptSecCommand_exports = {};
+__export(decryptSecCommand_exports, {
+  builder: () => builder2,
+  command: () => command2,
+  desc: () => desc2,
+  handler: () => handler2
+});
+import { KMSClient, DecryptCommand } from "@aws-sdk/client-kms";
+import { redBright } from "chalk";
+import { parse } from "dotenv";
+import fs from "node:fs";
+import path from "node:path";
 // src/utils/io.ts
 import { stat } from "fs/promises";
+import prompts from "prompts";
 var fileExists = async (source) => {
   try {
     await stat(source);
@@ -178,30 +316,43 @@ var fileExists = async (source) => {
     return false;
   }
 };
+var promptOverwriteIfFileExists = async ({
+  filePath,
+  skip
+}) => {
+  let overwriteResponse;
+  if (await fileExists(filePath) && skip !== true) {
+    overwriteResponse = await prompts({
+      type: "confirm",
+      name: "overwrite",
+      message: () => {
+        return `Overwrite '${filePath}' ?`;
+      }
+    });
+  } else {
+    overwriteResponse = void 0;
+  }
+  return overwriteResponse;
+};
 // src/commands/decryptSecCommand.ts
-var command = "decrypt-sec";
-var desc = "Decrypts a dotsec file";
-var builder = {
-  "aws-profile": __spreadValues({}, commonCliOptions.awsProfile),
-  "aws-region": __spreadValues({}, commonCliOptions.awsRegion),
-  "aws-key-alias": { string: true, default: "alias/top-secret" },
-  "env-file": {
-    string: true,
-    describe: ".env file",
-    default: ".env"
-  },
-  "sec-file": {
-    string: true,
-    describe: ".sec file",
-    default: ".sec"
-  },
-  verbose: __spreadValues({}, commonCliOptions.verbose),
-  yes: __spreadValues({}, commonCliOptions.yes)
+var command2 = "decrypt-sec";
+var desc2 = "Decrypts a dotsec file";
+var builder2 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  "env-file": commonCliOptions.envFile,
+  "sec-file": commonCliOptions.secFile,
+  verbose: commonCliOptions.verbose
 };
-var handler = async (argv) => {
+var handler2 = async (argv) => {
   try {
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({ argv: __spreadValues({}, argv), env: __spreadValues({}, process.env) });
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
     const secSource = path.resolve(process.cwd(), argv.secFile);
     if (!await fileExists(secSource)) {
       console.error(`Could not open ${redBright(secSource)}`);
@@ -220,7 +371,11 @@ var handler = async (argv) => {
       });
       const decryptionResult = await kmsClient.send(decryptCommand);
       if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
-        throw new Error(`No: ${JSON.stringify({ key, cipherText, decryptCommand })}`);
+        throw new Error(`No: ${JSON.stringify({
+          key,
+          cipherText,
+          decryptCommand
+        })}`);
       }
       const value = Buffer.from(decryptionResult.Plaintext).toString();
       return [key, value];
@@ -231,62 +386,203 @@ var handler = async (argv) => {
   }
 };
-// src/commands/defaultCommand.ts
-var defaultCommand_exports = {};
-__export(defaultCommand_exports, {
-  builder: () => builder2,
-  command: () => command2,
-  desc: () => desc2,
-  handler: () => handler2
+// src/commands/decryptSecretsJson.ts
+var decryptSecretsJson_exports = {};
+__export(decryptSecretsJson_exports, {
+  builder: () => builder3,
+  command: () => command3,
+  desc: () => desc3,
+  handler: () => handler3
 });
-import { KMSClient as KMSClient2, DecryptCommand as DecryptCommand2 } from "@aws-sdk/client-kms";
+import { DecryptCommand as DecryptCommand2, DescribeKeyCommand } from "@aws-sdk/client-kms";
 import { redBright as redBright2 } from "chalk";
-import { spawn } from "cross-spawn";
-import { parse as parse2 } from "dotenv";
+import flat from "flat";
 import fs2 from "node:fs";
 import path2 from "node:path";
-var command2 = "$0 <command>";
-var desc2 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
-var builder2 = {
-  "aws-profile": __spreadValues({}, commonCliOptions.awsProfile),
-  "aws-region": __spreadValues({}, commonCliOptions.awsRegion),
-  "aws-key-alias": { string: true, default: "alias/top-secret" },
-  "sec-file": {
+// src/utils/kms.ts
+import { KMSClient as KMSClient2 } from "@aws-sdk/client-kms";
+var getKMSClient = ({
+  configuration
+}) => {
+  const kmsClient = new KMSClient2(configuration);
+  return kmsClient;
+};
+// src/commands/decryptSecretsJson.ts
+var command3 = "decrypt-secrets-json";
+var desc3 = "Derypts an encrypted file";
+var builder3 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "secrets-file": {
     string: true,
-    describe: ".sec file",
-    default: ".sec"
+    describe: "filename of json file writing secrets",
+    default: "secrets.json"
   },
-  verbose: __spreadValues({}, commonCliOptions.verbose),
-  yes: __spreadValues({}, commonCliOptions.yes),
-  command: { string: true, required: true }
+  "encrypted-secrets-file": {
+    string: true,
+    describe: "filename of json file for reading encrypted secrets",
+    default: "secrets.encrypted.json"
+  },
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  yes: __spreadValues({}, commonCliOptions.yes)
 };
-var handler2 = async (argv) => {
+var handler3 = async (argv) => {
+  const { info, error } = getLogger();
   try {
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({ argv: __spreadValues({}, argv), env: __spreadValues({}, process.env) });
-    const secSource = path2.resolve(process.cwd(), argv.secFile);
-    if (!await fileExists(secSource)) {
-      console.error(`Could not open ${redBright2(secSource)}`);
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const encryptedSecretsPath = path2.resolve(process.cwd(), argv.encryptedSecretsFile);
+    if (!await fileExists(encryptedSecretsPath)) {
+      error(`Could not open ${redBright2(encryptedSecretsPath)}`);
       return;
     }
-    const parsedSec = parse2(fs2.readFileSync(secSource, { encoding: "utf8" }));
-    const kmsClient = new KMSClient2({
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value
+    const encryptedSecrets = JSON.parse(fs2.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
+    if (!encryptedSecrets.encryptedParameters) {
+      throw new Error(`Expected 'encryptedParameters' property, but got none`);
+    }
+    const flatEncryptedParameters = flat(encryptedSecrets.encryptedParameters, { delimiter: "/" });
+    const kmsClient = getKMSClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
     });
-    const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
+    if (argv.verbose) {
+      info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
+      const describeKeyCommand = new DescribeKeyCommand({
+        KeyId: argv.awsKeyAlias
+      });
+      const describeKeyResult = await kmsClient.send(describeKeyCommand);
+      console.log("describeKeyResult", { describeKeyResult });
+    }
+    const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
       const decryptCommand = new DecryptCommand2({
         KeyId: argv.awsKeyAlias,
-        CiphertextBlob: Buffer.from(cipherText, "base64"),
+        CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
         EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
       });
       const decryptionResult = await kmsClient.send(decryptCommand);
-      if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
-        throw new Error(`No: ${JSON.stringify({ key, cipherText, decryptCommand })}`);
+      if (!decryptionResult.Plaintext) {
+        throw new Error(`Something bad happened: ${JSON.stringify({
+          key: parameterName,
+          cipherText: encryptedParameter,
+          decryptCommand
+        })}`);
+      }
+      if (argv.verbose) {
+        info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
       }
       const value = Buffer.from(decryptionResult.Plaintext).toString();
-      return [key, value];
-    }));
-    const env = Object.fromEntries(envEntries);
+      return [parameterName, value];
+    })));
+    const parameters = flat.unflatten(flatParameters, { delimiter: "/" });
+    const secrets = {
+      config: encryptedSecrets.config,
+      parameters
+    };
+    const secretsPath = path2.resolve(process.cwd(), argv.secretsFile);
+    const overwriteResponse = await promptOverwriteIfFileExists({
+      filePath: secretsPath,
+      skip: argv.yes
+    });
+    if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
+      fs2.writeFileSync(secretsPath, JSON.stringify(secrets, null, 4));
+    }
+  } catch (e) {
+    error(e);
+  }
+};
+// src/commands/defaultCommand.ts
+var defaultCommand_exports = {};
+__export(defaultCommand_exports, {
+  builder: () => builder4,
+  command: () => command4,
+  desc: () => desc4,
+  handler: () => handler4
+});
+import fs3 from "node:fs";
+import path3 from "node:path";
+import { KMSClient as KMSClient3, DecryptCommand as DecryptCommand3 } from "@aws-sdk/client-kms";
+import { redBright as redBright3 } from "chalk";
+import { spawn } from "cross-spawn";
+import { parse as parse2 } from "dotenv";
+var command4 = "$0 <command>";
+var desc4 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
+var builder4 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "sec-file": commonCliOptions.secFile,
+  "env-file": commonCliOptions.envFile,
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  command: { string: true, required: true }
+};
+var handleSec = async ({
+  secFile,
+  credentialsAndOrigin,
+  regionAndOrigin,
+  awsKeyAlias
+}) => {
+  const secSource = path3.resolve(process.cwd(), secFile);
+  if (!await fileExists(secSource)) {
+    console.error(`Could not open ${redBright3(secSource)}`);
+    return;
+  }
+  const parsedSec = parse2(fs3.readFileSync(secSource, { encoding: "utf8" }));
+  const kmsClient = new KMSClient3({
+    credentials: credentialsAndOrigin.value,
+    region: regionAndOrigin.value
+  });
+  const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
+    const decryptCommand = new DecryptCommand3({
+      KeyId: awsKeyAlias,
+      CiphertextBlob: Buffer.from(cipherText, "base64"),
+      EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+    });
+    const decryptionResult = await kmsClient.send(decryptCommand);
+    if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
+      throw new Error(`No: ${JSON.stringify({
+        key,
+        cipherText,
+        decryptCommand
+      })}`);
+    }
+    const value = Buffer.from(decryptionResult.Plaintext).toString();
+    return [key, value];
+  }));
+  const env = Object.fromEntries(envEntries);
+  return env;
+};
+var handler4 = async (argv) => {
+  try {
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    if (argv.verbose) {
+      console.log({ credentialsAndOrigin, regionAndOrigin });
+    }
+    let env;
+    if (argv.envFile) {
+      console.log("OK");
+      env = parse2(fs3.readFileSync(argv.envFile, { encoding: "utf8" }));
+    } else if (argv.secFile) {
+      env = await handleSec({
+        secFile: argv.secFile,
+        credentialsAndOrigin,
+        regionAndOrigin,
+        awsKeyAlias: argv.awsKeyAlias
+      });
+    }
     const userCommandArgs = process.argv.slice(process.argv.indexOf(argv.command) + 1);
     if (argv.command) {
       spawn(argv.command, [...userCommandArgs], {
@@ -303,48 +599,55 @@ var handler2 = async (argv) => {
 // src/commands/encryptEnvCommand.ts
 var encryptEnvCommand_exports = {};
 __export(encryptEnvCommand_exports, {
-  builder: () => builder3,
-  command: () => command3,
-  desc: () => desc3,
-  handler: () => handler3
+  builder: () => builder5,
+  command: () => command5,
+  desc: () => desc5,
+  handler: () => handler5
 });
-import { KMSClient as KMSClient3, EncryptCommand } from "@aws-sdk/client-kms";
-import { redBright as redBright3 } from "chalk";
+import { DescribeKeyCommand as DescribeKeyCommand2, EncryptCommand } from "@aws-sdk/client-kms";
+import { redBright as redBright4 } from "chalk";
 import { parse as parse3 } from "dotenv";
-import fs3 from "node:fs";
-import path3 from "node:path";
-var command3 = "encrypt-env";
-var desc3 = "Encrypts a dotenv file";
-var builder3 = {
-  "aws-profile": __spreadValues({}, commonCliOptions.awsProfile),
-  "aws-region": __spreadValues({}, commonCliOptions.awsRegion),
-  "aws-key-alias": { string: true, default: "alias/top-secret" },
-  "env-file": {
-    string: true,
-    describe: ".env file",
-    default: ".env"
-  },
-  "sec-file": {
-    string: true,
-    describe: ".sec file",
-    default: ".sec"
-  },
-  verbose: __spreadValues({}, commonCliOptions.verbose),
-  yes: __spreadValues({}, commonCliOptions.yes)
+import fs4 from "node:fs";
+import path4 from "node:path";
+var command5 = "encrypt-env";
+var desc5 = "Encrypts a dotenv file";
+var builder5 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "env-file": commonCliOptions.envFile,
+  "sec-file": commonCliOptions.secFile,
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose
 };
-var handler3 = async (argv) => {
+var handler5 = async (argv) => {
+  const { info, error } = getLogger();
   try {
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({ argv: __spreadValues({}, argv), env: __spreadValues({}, process.env) });
-    const envSource = path3.resolve(process.cwd(), argv.envFile);
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const envSource = path4.resolve(process.cwd(), argv.envFile);
     if (!await fileExists(envSource)) {
-      console.error(`Could not open ${redBright3(envSource)}`);
+      error(`Could not open ${redBright4(envSource)}`);
       return;
     }
-    const parsedEnv = parse3(fs3.readFileSync(envSource, { encoding: "utf8" }));
-    const kmsClient = new KMSClient3({
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value
+    const parsedEnv = parse3(fs4.readFileSync(envSource, { encoding: "utf8" }));
+    const kmsClient = getKMSClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
     });
+    if (argv.verbose) {
+      info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
+      const describeKeyCommand = new DescribeKeyCommand2({
+        KeyId: argv.awsKeyAlias
+      });
+      const describeKeyResult = await kmsClient.send(describeKeyCommand);
+      console.log("describeKeyResult", { describeKeyResult });
+    }
     const sec = (await Promise.all(Object.entries(parsedEnv).map(async ([key, value]) => {
       const encryptCommand = new EncryptCommand({
         KeyId: argv.awsKeyAlias,
@@ -353,17 +656,232 @@ var handler3 = async (argv) => {
       });
       const encryptionResult = await kmsClient.send(encryptCommand);
       if (!encryptionResult.CiphertextBlob) {
-        throw new Error(`No: ${JSON.stringify({ key, value, encryptCommand })}`);
+        throw new Error(`Something bad happened: ${JSON.stringify({
+          key,
+          value,
+          encryptCommand
+        })}`);
+      }
+      if (argv.verbose) {
+        info(`Encrypting key ${bold(key)} ${underline("ok")}`);
       }
       const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
       return `${key}="${cipherText}"`;
     }))).join("\n");
-    fs3.writeFileSync(path3.resolve(process.cwd(), argv.secFile), sec);
+    fs4.writeFileSync(path4.resolve(process.cwd(), argv.secFile), sec);
   } catch (e) {
-    console.error(e);
+    error(e);
+  }
+};
+// src/commands/encryptSecretsJson.ts
+var encryptSecretsJson_exports = {};
+__export(encryptSecretsJson_exports, {
+  builder: () => builder6,
+  command: () => command6,
+  desc: () => desc6,
+  handler: () => handler6
+});
+import fs5 from "node:fs";
+import path5 from "node:path";
+import { DescribeKeyCommand as DescribeKeyCommand3, EncryptCommand as EncryptCommand2 } from "@aws-sdk/client-kms";
+import { redBright as redBright5 } from "chalk";
+import flat2 from "flat";
+var command6 = "encrypt-secrets-json";
+var desc6 = "Encrypts an unencrypted file";
+var builder6 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "secrets-file": {
+    string: true,
+    describe: "filename of json file reading secrets",
+    default: "secrets.json"
+  },
+  "encrypted-secrets-file": {
+    string: true,
+    describe: "filename of json file for writing encrypted secrets",
+    default: "secrets.encrypted.json"
+  },
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  yes: __spreadValues({}, commonCliOptions.yes)
+};
+var handler6 = async (argv) => {
+  const { info, error } = getLogger();
+  try {
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const secretsPath = path5.resolve(process.cwd(), argv.secretsFile);
+    if (!await fileExists(secretsPath)) {
+      error(`Could not open ${redBright5(secretsPath)}`);
+      return;
+    }
+    const secrets = JSON.parse(fs5.readFileSync(secretsPath, { encoding: "utf8" }));
+    if (!secrets.parameters) {
+      throw new Error(`Expected 'parameters' property, but got none`);
+    }
+    const flatParameters = flat2(secrets.parameters, { delimiter: "/" });
+    if (argv.verbose) {
+      console.log(flatParameters);
+    }
+    const kmsClient = getKMSClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    if (argv.verbose) {
+      info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
+      const describeKeyCommand = new DescribeKeyCommand3({
+        KeyId: argv.awsKeyAlias
+      });
+      const describeKeyResult = await kmsClient.send(describeKeyCommand);
+      console.log("describeKeyResult", { describeKeyResult });
+    }
+    const encryptedFlatParameters = Object.fromEntries(await Promise.all(Object.entries(flatParameters).map(async ([parameterName, parameter]) => {
+      const encryptCommand = new EncryptCommand2({
+        KeyId: argv.awsKeyAlias,
+        Plaintext: Buffer.from(parameter),
+        EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+      });
+      const encryptionResult = await kmsClient.send(encryptCommand);
+      if (!encryptionResult.CiphertextBlob) {
+        throw new Error(`Something bad happened: ${JSON.stringify({
+          key: parameterName,
+          value: parameter,
+          encryptCommand
+        })}`);
+      }
+      if (argv.verbose) {
+        info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
+      }
+      const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
+      return [parameterName, cipherText];
+    })));
+    const encryptedParameters = flat2.unflatten(encryptedFlatParameters, { delimiter: "/" });
+    const encryptedSecrets = {
+      config: secrets.config,
+      encryptedParameters
+    };
+    const encryptedSecretsPath = path5.resolve(process.cwd(), argv.encryptedSecretsFile);
+    const overwriteResponse = await promptOverwriteIfFileExists({
+      filePath: encryptedSecretsPath,
+      skip: argv.yes
+    });
+    if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
+      fs5.writeFileSync(encryptedSecretsPath, JSON.stringify(encryptedSecrets, null, 4));
+    }
+  } catch (e) {
+    error(e);
+  }
+};
+// src/commands/offloadToSSMCommand.ts
+var offloadToSSMCommand_exports = {};
+__export(offloadToSSMCommand_exports, {
+  builder: () => builder7,
+  command: () => command7,
+  desc: () => desc7,
+  handler: () => handler7
+});
+import { DecryptCommand as DecryptCommand4, DescribeKeyCommand as DescribeKeyCommand4 } from "@aws-sdk/client-kms";
+import { PutParameterCommand } from "@aws-sdk/client-ssm";
+import { redBright as redBright6 } from "chalk";
+import flat3 from "flat";
+import fs6 from "node:fs";
+import path6 from "node:path";
+var command7 = "offload-secrets-json-to-ssm";
+var desc7 = "Sends decrypted values of secrets.encrypted.json file to SSM parameter store";
+var builder7 = {
+  "aws-profile": commonCliOptions.awsProfile,
+  "aws-region": commonCliOptions.awsRegion,
+  "aws-key-alias": commonCliOptions.awsKeyAlias,
+  "encrypted-secrets-file": {
+    string: true,
+    describe: "filename of json file for reading encrypted secrets",
+    default: "secrets.encrypted.json"
+  },
+  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
+  verbose: commonCliOptions.verbose,
+  yes: __spreadValues({}, commonCliOptions.yes)
+};
+var handler7 = async (argv) => {
+  const { info, error } = getLogger();
+  try {
+    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
+      argv: __spreadValues({}, argv),
+      env: __spreadValues({}, process.env)
+    });
+    const encryptedSecretsPath = path6.resolve(process.cwd(), argv.encryptedSecretsFile);
+    if (!await fileExists(encryptedSecretsPath)) {
+      error(`Could not open ${redBright6(encryptedSecretsPath)}`);
+      return;
+    }
+    const encryptedSecrets = JSON.parse(fs6.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
+    if (!encryptedSecrets.encryptedParameters) {
+      throw new Error(`Expected 'encryptedParameters' property, but got none`);
+    }
+    const flatEncryptedParameters = flat3(encryptedSecrets.encryptedParameters, { delimiter: "/" });
+    const kmsClient = getKMSClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    if (argv.verbose) {
+      info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
+      const describeKeyCommand = new DescribeKeyCommand4({
+        KeyId: argv.awsKeyAlias
+      });
+      const describeKeyResult = await kmsClient.send(describeKeyCommand);
+      console.log("describeKeyResult", { describeKeyResult });
+    }
+    const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
+      const decryptCommand = new DecryptCommand4({
+        KeyId: argv.awsKeyAlias,
+        CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
+        EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
+      });
+      const decryptionResult = await kmsClient.send(decryptCommand);
+      if (!decryptionResult.Plaintext) {
+        throw new Error(`Something bad happened: ${JSON.stringify({
+          key: parameterName,
+          cipherText: encryptedParameter,
+          decryptCommand
+        })}`);
+      }
+      if (argv.verbose) {
+        info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
+      }
+      const value = Buffer.from(decryptionResult.Plaintext).toString();
+      return [parameterName, value];
+    })));
+    const ssmClient = getSSMClient({
+      configuration: {
+        credentials: credentialsAndOrigin.value,
+        region: regionAndOrigin.value
+      },
+      verbose: argv.verbose
+    });
+    await Promise.all(Object.entries(flatParameters).map(([parameterName, value]) => {
+      const putParameterCommand = new PutParameterCommand({
+        Name: `/${parameterName}`,
+        Value: value,
+        Type: "String",
+        Overwrite: true
+      });
+      return ssmClient.send(putParameterCommand);
+    }));
+  } catch (e) {
+    error(e);
   }
 };
 // src/cli.ts
-void yargs(hideBin(process.argv)).command(defaultCommand_exports).command(encryptEnvCommand_exports).command(decryptSecCommand_exports).parse();
+void yargs(hideBin(process.argv)).command(defaultCommand_exports).command(offloadToSSMCommand_exports).command(debugCommand_exports).command(encryptEnvCommand_exports).command(decryptSecCommand_exports).command(encryptSecretsJson_exports).command(decryptSecretsJson_exports).parse();
 //# sourceMappingURL=cli.js.map