env-secrets 0.3.2 → 0.4.0

package/dist/index.js

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 "use strict";
+/* istanbul ignore file */
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
@@ -19,24 +20,34 @@ const node_fs_1 = require("node:fs");
 const debug_1 = __importDefault(require("debug"));
 const version_1 = require("./version");
 const secretsmanager_1 = require("./vaults/secretsmanager");
+const secretsmanager_admin_1 = require("./vaults/secretsmanager-admin");
+const helpers_1 = require("./cli/helpers");
 const utils_1 = require("./vaults/utils");
 const debug = (0, debug_1.default)('env-secrets');
 const program = new commander_1.Command();
+const exitWithError = (error) => {
+    // eslint-disable-next-line no-console
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+};
 // main program
 program
     .name('env-secrets')
     .description('pull secrets from vaults and inject them into the running environment')
     .version(version_1.LIB_VERSION);
 // aws secretsmanager
-program
+const awsCommand = program
     .command('aws')
     .description('get secrets from AWS secrets manager')
     .addArgument(new commander_1.Argument('[program...]', 'program to run'))
-    .requiredOption('-s, --secret <secret>', 'secret to get')
+    .option('-s, --secret <secret>', 'secret to get')
     .option('-p, --profile <profile>', 'profile to use')
     .option('-r, --region <region>', 'region to use')
     .option('-o, --output <file>', 'output secrets to file instead of environment variables')
     .action((program, options) => __awaiter(void 0, void 0, void 0, function* () {
+    if (!options.secret) {
+        exitWithError(new Error('Missing required option --secret for this command.'));
+    }
     const secrets = yield (0, secretsmanager_1.secretsmanager)(options);
     debug(secrets);
     if (options.output) {
@@ -72,4 +83,212 @@ program
         }
     }
 }));
+const secretCommand = awsCommand
+    .command('secret')
+    .description('manage AWS secrets');
+secretCommand
+    .command('create')
+    .description('create a secret in AWS Secrets Manager')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .option('-v, --value <value>', 'secret value')
+    .option('--value-stdin', 'read secret value from stdin')
+    .option('-d, --description <description>', 'secret description')
+    .option('-k, --kms-key-id <kmsKeyId>', 'kms key id')
+    .option('-t, --tag <tag...>', 'tag in key=value format')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_a = options.output) !== null && _a !== void 0 ? _a : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin);
+        if (!value) {
+            throw new Error('Secret value is required. Provide --value or --value-stdin.');
+        }
+        const result = yield (0, secretsmanager_admin_1.createSecret)({
+            name: options.name,
+            value,
+            description: options.description,
+            kmsKeyId: options.kmsKeyId,
+            tags: options.tag,
+            profile,
+            region
+        });
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'arn', label: 'ARN' },
+            { key: 'versionId', label: 'VersionId' }
+        ], [result]);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('update')
+    .description('update secret value or metadata')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .option('-v, --value <value>', 'new secret value')
+    .option('--value-stdin', 'read secret value from stdin')
+    .option('-d, --description <description>', 'secret description')
+    .option('-k, --kms-key-id <kmsKeyId>', 'kms key id')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _b;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_b = options.output) !== null && _b !== void 0 ? _b : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin);
+        if (!value && !options.description && !options.kmsKeyId) {
+            throw new Error('Nothing to update. Provide --value/--value-stdin, --description, or --kms-key-id.');
+        }
+        const result = yield (0, secretsmanager_admin_1.updateSecret)({
+            name: options.name,
+            value,
+            description: options.description,
+            kmsKeyId: options.kmsKeyId,
+            profile,
+            region
+        });
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'arn', label: 'ARN' },
+            { key: 'versionId', label: 'VersionId' }
+        ], [result]);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('list')
+    .description('list secrets in AWS Secrets Manager')
+    .option('--prefix <prefix>', 'filter secrets by name prefix')
+    .option('-t, --tag <tag...>', 'filter tags in key=value format')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _c;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_c = options.output) !== null && _c !== void 0 ? _c : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const result = yield (0, secretsmanager_admin_1.listSecrets)({
+            prefix: options.prefix,
+            tags: options.tag,
+            profile,
+            region
+        });
+        const rows = result.map((secret) => ({
+            name: secret.name,
+            description: secret.description,
+            lastChangedDate: secret.lastChangedDate
+        }));
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'description', label: 'Description' },
+            { key: 'lastChangedDate', label: 'LastChanged' }
+        ], rows);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('get')
+    .description('get secret metadata and version information')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _d;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_d = options.output) !== null && _d !== void 0 ? _d : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const result = yield (0, secretsmanager_admin_1.getSecretMetadata)({
+            name: options.name,
+            profile,
+            region
+        });
+        const row = {
+            name: result.name,
+            arn: result.arn,
+            description: result.description,
+            kmsKeyId: result.kmsKeyId,
+            createdDate: result.createdDate,
+            lastChangedDate: result.lastChangedDate,
+            deletedDate: result.deletedDate
+        };
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'arn', label: 'ARN' },
+            { key: 'description', label: 'Description' },
+            { key: 'kmsKeyId', label: 'KmsKeyId' },
+            { key: 'createdDate', label: 'Created' },
+            { key: 'lastChangedDate', label: 'LastChanged' },
+            { key: 'deletedDate', label: 'Deleted' }
+        ], [row]);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('delete')
+    .description('delete a secret in AWS Secrets Manager')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .option('--recovery-days <days>', 'recovery window in days (7-30)', helpers_1.parseRecoveryDays)
+    .option('--force-delete-without-recovery', 'permanently delete secret without recovery window', false)
+    .option('-y, --yes', 'confirm delete action', false)
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _e;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_e = options.output) !== null && _e !== void 0 ? _e : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        if (!options.yes) {
+            throw new Error('Delete requires --yes confirmation.');
+        }
+        if (options.recoveryDays && options.forceDeleteWithoutRecovery) {
+            throw new Error('Use either --recovery-days or --force-delete-without-recovery, not both.');
+        }
+        const result = yield (0, secretsmanager_admin_1.deleteSecret)({
+            name: options.name,
+            recoveryDays: options.recoveryDays,
+            forceDeleteWithoutRecovery: options.forceDeleteWithoutRecovery,
+            profile,
+            region
+        });
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'arn', label: 'ARN' },
+            { key: 'deletedDate', label: 'DeletedDate' }
+        ], [result]);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
 program.parse();

package/dist/vaults/aws-config.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildAwsClientConfig = void 0;
+const credential_providers_1 = require("@aws-sdk/credential-providers");
+const getCredentialsProvider = (options) => {
+    const { AWS_ACCESS_KEY_ID: awsAccessKeyId, AWS_SECRET_ACCESS_KEY: awsSecretAccessKey } = process.env;
+    if (options.profile) {
+        return (0, credential_providers_1.fromIni)({ profile: options.profile });
+    }
+    if (awsAccessKeyId && awsSecretAccessKey) {
+        return undefined;
+    }
+    return (0, credential_providers_1.fromIni)({ profile: 'default' });
+};
+const getEndpoint = () => {
+    return (process.env.AWS_ENDPOINT_URL || process.env.AWS_SECRETS_MANAGER_ENDPOINT);
+};
+const buildAwsClientConfig = (options) => {
+    const endpoint = getEndpoint();
+    const config = {
+        region: options.region,
+        credentials: getCredentialsProvider(options)
+    };
+    if (endpoint) {
+        config.endpoint = endpoint;
+    }
+    return config;
+};
+exports.buildAwsClientConfig = buildAwsClientConfig;

package/dist/vaults/secretsmanager-admin.js

@@ -0,0 +1,240 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deleteSecret = exports.getSecretMetadata = exports.listSecrets = exports.updateSecret = exports.createSecret = exports.validateSecretName = void 0;
+const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
+const client_sts_1 = require("@aws-sdk/client-sts");
+const debug_1 = __importDefault(require("debug"));
+const aws_config_1 = require("./aws-config");
+const debug = (0, debug_1.default)('env-secrets:secretsmanager-admin');
+// Allowed characters are documented by AWS Secrets Manager naming rules.
+// See: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
+const SECRET_NAME_PATTERN = /^[A-Za-z0-9/_+=.@-]+$/;
+const formatDate = (value) => {
+    if (!value) {
+        return undefined;
+    }
+    return value.toISOString();
+};
+const parseTags = (tags) => {
+    if (!tags || tags.length === 0) {
+        return undefined;
+    }
+    return tags.map((tag) => {
+        const parts = tag.split('=');
+        if (parts.length < 2) {
+            throw new Error(`Invalid tag format: ${tag}. Use key=value.`);
+        }
+        const key = parts[0].trim();
+        const value = parts.slice(1).join('=').trim();
+        if (!key || !value) {
+            throw new Error(`Invalid tag format: ${tag}. Use key=value.`);
+        }
+        return { Key: key, Value: value };
+    });
+};
+const tagsToRecord = (tags) => {
+    if (!tags || tags.length === 0) {
+        return undefined;
+    }
+    const result = {};
+    for (const tag of tags) {
+        if (tag.Key && tag.Value) {
+            result[tag.Key] = tag.Value;
+        }
+    }
+    return Object.keys(result).length > 0 ? result : undefined;
+};
+const mapAwsError = (error, secretName) => {
+    const awsError = error;
+    const secretLabel = secretName ? ` for "${secretName}"` : '';
+    if ((awsError === null || awsError === void 0 ? void 0 : awsError.name) === 'AlreadyExistsException') {
+        throw new Error(`Secret${secretLabel} already exists.`);
+    }
+    if ((awsError === null || awsError === void 0 ? void 0 : awsError.name) === 'ResourceNotFoundException') {
+        throw new Error(`Secret${secretLabel} was not found.`);
+    }
+    if ((awsError === null || awsError === void 0 ? void 0 : awsError.name) === 'InvalidRequestException') {
+        throw new Error(awsError.message || 'Invalid request to AWS Secrets Manager.');
+    }
+    if ((awsError === null || awsError === void 0 ? void 0 : awsError.name) === 'AccessDeniedException') {
+        throw new Error(awsError.message ||
+            'Access denied while calling AWS Secrets Manager. Verify IAM permissions.');
+    }
+    if (awsError === null || awsError === void 0 ? void 0 : awsError.message) {
+        throw new Error(awsError.message);
+    }
+    throw new Error(String(error));
+};
+const ensureConnected = (clientConfig) => __awaiter(void 0, void 0, void 0, function* () {
+    const stsClient = new client_sts_1.STSClient(clientConfig);
+    yield stsClient.send(new client_sts_1.GetCallerIdentityCommand({}));
+});
+const createClient = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    const config = (0, aws_config_1.buildAwsClientConfig)(options);
+    debug('Creating AWS clients', {
+        hasProfile: Boolean(options.profile),
+        region: options.region,
+        hasEndpoint: Boolean(config.endpoint)
+    });
+    yield ensureConnected(config);
+    return new client_secrets_manager_1.SecretsManagerClient(config);
+});
+const validateSecretName = (name) => {
+    if (!SECRET_NAME_PATTERN.test(name)) {
+        throw new Error(`Invalid secret name "${name}". Use only letters, numbers, and /_+=.@- characters.`);
+    }
+};
+exports.validateSecretName = validateSecretName;
+const createSecret = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    (0, exports.validateSecretName)(options.name);
+    debug('createSecret called', {
+        name: options.name,
+        hasTags: !!((_a = options.tags) === null || _a === void 0 ? void 0 : _a.length)
+    });
+    const client = yield createClient(options);
+    const tags = parseTags(options.tags);
+    try {
+        const result = yield client.send(new client_secrets_manager_1.CreateSecretCommand({
+            Name: options.name,
+            Description: options.description,
+            SecretString: options.value,
+            KmsKeyId: options.kmsKeyId,
+            Tags: tags
+        }));
+        return {
+            arn: result.ARN,
+            name: result.Name,
+            versionId: result.VersionId
+        };
+    }
+    catch (error) {
+        return mapAwsError(error, options.name);
+    }
+});
+exports.createSecret = createSecret;
+const updateSecret = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    (0, exports.validateSecretName)(options.name);
+    debug('updateSecret called', { name: options.name });
+    const client = yield createClient(options);
+    try {
+        const result = yield client.send(new client_secrets_manager_1.UpdateSecretCommand({
+            SecretId: options.name,
+            Description: options.description,
+            SecretString: options.value,
+            KmsKeyId: options.kmsKeyId
+        }));
+        return {
+            arn: result.ARN,
+            name: result.Name,
+            versionId: result.VersionId
+        };
+    }
+    catch (error) {
+        return mapAwsError(error, options.name);
+    }
+});
+exports.updateSecret = updateSecret;
+const listSecrets = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    var _b;
+    debug('listSecrets called', {
+        prefix: options.prefix,
+        hasTags: !!((_b = options.tags) === null || _b === void 0 ? void 0 : _b.length)
+    });
+    const client = yield createClient(options);
+    const requiredTags = parseTags(options.tags);
+    const secrets = [];
+    try {
+        let nextToken;
+        do {
+            const result = yield client.send(new client_secrets_manager_1.ListSecretsCommand({ NextToken: nextToken }));
+            for (const secret of result.SecretList || []) {
+                if (options.prefix &&
+                    secret.Name &&
+                    !secret.Name.startsWith(options.prefix)) {
+                    continue;
+                }
+                if (requiredTags && requiredTags.length > 0) {
+                    const available = tagsToRecord(secret.Tags);
+                    const matchesAll = requiredTags.every((tag) => tag.Key && tag.Value && (available === null || available === void 0 ? void 0 : available[tag.Key]) === tag.Value);
+                    if (!matchesAll) {
+                        continue;
+                    }
+                }
+                secrets.push({
+                    name: secret.Name || '',
+                    arn: secret.ARN,
+                    description: secret.Description,
+                    lastChangedDate: formatDate(secret.LastChangedDate)
+                });
+            }
+            nextToken = result.NextToken;
+        } while (nextToken);
+    }
+    catch (error) {
+        return mapAwsError(error);
+    }
+    return secrets;
+});
+exports.listSecrets = listSecrets;
+const getSecretMetadata = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    (0, exports.validateSecretName)(options.name);
+    debug('getSecretMetadata called', { name: options.name });
+    const client = yield createClient(options);
+    try {
+        const result = yield client.send(new client_secrets_manager_1.DescribeSecretCommand({ SecretId: options.name }));
+        return {
+            name: result.Name,
+            arn: result.ARN,
+            description: result.Description,
+            kmsKeyId: result.KmsKeyId,
+            deletedDate: formatDate(result.DeletedDate),
+            lastChangedDate: formatDate(result.LastChangedDate),
+            lastAccessedDate: formatDate(result.LastAccessedDate),
+            createdDate: formatDate(result.CreatedDate),
+            versionIdsToStages: result.VersionIdsToStages,
+            tags: tagsToRecord(result.Tags)
+        };
+    }
+    catch (error) {
+        return mapAwsError(error, options.name);
+    }
+});
+exports.getSecretMetadata = getSecretMetadata;
+const deleteSecret = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    (0, exports.validateSecretName)(options.name);
+    debug('deleteSecret called', {
+        name: options.name,
+        recoveryDays: options.recoveryDays,
+        forceDeleteWithoutRecovery: options.forceDeleteWithoutRecovery
+    });
+    const client = yield createClient(options);
+    try {
+        const result = yield client.send(new client_secrets_manager_1.DeleteSecretCommand({
+            SecretId: options.name,
+            RecoveryWindowInDays: options.recoveryDays,
+            ForceDeleteWithoutRecovery: options.forceDeleteWithoutRecovery
+        }));
+        return {
+            arn: result.ARN,
+            name: result.Name,
+            deletedDate: formatDate(result.DeletionDate)
+        };
+    }
+    catch (error) {
+        return mapAwsError(error, options.name);
+    }
+});
+exports.deleteSecret = deleteSecret;

package/dist/vaults/secretsmanager.js

@@ -15,11 +15,18 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.secretsmanager = void 0;
 const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
 const client_sts_1 = require("@aws-sdk/client-sts");
-const credential_providers_1 = require("@aws-sdk/credential-providers");
 const debug_1 = __importDefault(require("debug"));
+const aws_config_1 = require("./aws-config");
 const debug = (0, debug_1.default)('env-secrets:secretsmanager');
-const checkConnection = (region) => __awaiter(void 0, void 0, void 0, function* () {
-    const stsClient = new client_sts_1.STSClient({ region });
+const isCredentialsError = (error) => {
+    if (!error || typeof error !== 'object') {
+        return false;
+    }
+    const errorName = 'name' in error ? error.name : undefined;
+    return (errorName === 'CredentialsError' || errorName === 'CredentialsProviderError');
+};
+const checkConnection = (config) => __awaiter(void 0, void 0, void 0, function* () {
+    const stsClient = new client_sts_1.STSClient(config);
     const command = new client_sts_1.GetCallerIdentityCommand({});
     try {
         const data = yield stsClient.send(command);
@@ -27,6 +34,11 @@ const checkConnection = (region) => __awaiter(void 0, void 0, void 0, function*
         return true;
     }
     catch (err) {
+        if (isCredentialsError(err) && err.message) {
+            // eslint-disable-next-line no-console
+            console.error(err.message);
+            return false;
+        }
         // eslint-disable-next-line no-console
         console.error(err);
         return false;
@@ -34,28 +46,20 @@ const checkConnection = (region) => __awaiter(void 0, void 0, void 0, function*
 });
 const secretsmanager = (options) => __awaiter(void 0, void 0, void 0, function* () {
     const { secret, profile, region } = options;
-    const { AWS_ACCESS_KEY_ID: awsAccessKeyId, AWS_SECRET_ACCESS_KEY: awsSecretAccessKey } = process.env;
-    let credentials;
+    const config = (0, aws_config_1.buildAwsClientConfig)({ profile, region });
     if (profile) {
         debug(`Using profile: ${profile}`);
-        credentials = (0, credential_providers_1.fromIni)({ profile });
     }
-    else if (awsAccessKeyId && awsSecretAccessKey) {
-        debug('Using environment variables');
-        credentials = undefined; // Will use environment variables automatically
+    else if (config.credentials) {
+        debug('Using profile: default');
     }
     else {
-        debug('Using profile: default');
-        credentials = (0, credential_providers_1.fromIni)({ profile: 'default' });
+        debug('Using environment variables');
     }
-    const config = {
-        region,
-        credentials
-    };
     if (!config.region) {
         debug('no region set');
     }
-    const connected = yield checkConnection(region);
+    const connected = yield checkConnection(config);
     if (connected) {
         const client = new client_secrets_manager_1.SecretsManagerClient(config);
         try {