env-secrets 0.3.2 → 0.4.0

package/docs/AWS.md

@@ -10,7 +10,7 @@ The `env-secrets` tool supports AWS Secrets Manager as a secret vault. It can re
 
 - [AWS CLI](https://docs.aws.amazon.com/cli/index.html) installed and configured
 - AWS credentials with appropriate permissions to access Secrets Manager
-- Node.js 18.0.0 or higher
+- Node.js 20.0.0 or higher
 
 ## Authentication Methods
 
@@ -120,7 +120,7 @@ env-secrets aws -s my-secret-name -r us-east-1 -- node app.js
 
 ## Required Permissions
 
-Your AWS credentials must have the following permissions to use Secrets Manager:
+Your AWS credentials must have the following permissions to use secret injection and secret management commands:
 
 ```json
 {
@@ -128,7 +128,14 @@ Your AWS credentials must have the following permissions to use Secrets Manager:
   "Statement": [
     {
       "Effect": "Allow",
-      "Action": ["secretsmanager:GetSecretValue"],
+      "Action": [
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:CreateSecret",
+        "secretsmanager:UpdateSecret",
+        "secretsmanager:ListSecrets",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:DeleteSecret"
+      ],
       "Resource": "arn:aws:secretsmanager:*:*:secret:*"
     },
     {
@@ -140,6 +147,74 @@ Your AWS credentials must have the following permissions to use Secrets Manager:
 }
 ```
 
+## Secret Management Commands
+
+In addition to injecting variables into a process, `env-secrets` can manage AWS secrets directly:
+
+- `env-secrets aws secret create`
+- `env-secrets aws secret update`
+- `env-secrets aws secret list`
+- `env-secrets aws secret get`
+- `env-secrets aws secret delete`
+
+`aws secret` subcommands consistently honor `--region`, `--profile`, and `--output`.
+Use these options directly with each subcommand.
+
+### Secret Management Examples
+
+1. **Create a secret with inline value:**
+
+   ```bash
+   env-secrets aws secret create \
+     -n my-app/dev/api \
+     -v '{"API_KEY":"abc123"}' \
+     -r us-east-1 \
+     --output json
+   ```
+
+2. **Create from stdin (recommended for sensitive values):**
+
+   ```bash
+   echo -n 'super-secret-value' | env-secrets aws secret create -n my-app/dev/raw --value-stdin -r us-east-1
+   ```
+
+3. **Update an existing secret value:**
+
+   ```bash
+   env-secrets aws secret update -n my-app/dev/api -v '{"API_KEY":"rotated"}' -r us-east-1
+   ```
+
+4. **List secrets by prefix:**
+
+   ```bash
+   env-secrets aws secret list --prefix my-app/dev -r us-east-1 --output table
+   ```
+
+   Multi-region validation example:
+
+   ```bash
+   env-secrets aws secret list --prefix my-app/dev -r us-west-2 --output json
+   env-secrets aws secret list --prefix my-app/dev -r us-east-1 --output json
+   ```
+
+5. **Get metadata and version info (without printing secret value):**
+
+   ```bash
+   env-secrets aws secret get -n my-app/dev/api -r us-east-1 --output json
+   ```
+
+6. **Delete with explicit confirmation:**
+
+   ```bash
+   env-secrets aws secret delete -n my-app/dev/raw --recovery-days 7 --yes -r us-east-1
+   ```
+
+### Secret Management Safety Notes
+
+- `delete` requires `--yes`.
+- Use `--value-stdin` to avoid shell history leakage for sensitive values.
+- Use either `--recovery-days` or `--force-delete-without-recovery` for delete operations.
+
 ## Examples
 
 ### Basic Usage

package/eslint.config.js

@@ -0,0 +1,67 @@
+const globals = require('globals');
+const js = require('@eslint/js');
+const tsParser = require('@typescript-eslint/parser');
+const tsPlugin = require('@typescript-eslint/eslint-plugin');
+const prettierPlugin = require('eslint-plugin-prettier');
+const prettierConfig = require('eslint-config-prettier');
+
+const tsEslintRecommendedRules =
+  tsPlugin.configs['eslint-recommended']?.overrides?.[0]?.rules ?? {};
+
+module.exports = [
+  {
+    ignores: [
+      'node_modules/**',
+      'dist/**',
+      'website/build/**',
+      'website/node_modules/**',
+      'website/.docusaurus/**',
+      'coverage/**',
+      'coverage-e2e/**'
+    ]
+  },
+  {
+    ...js.configs.recommended,
+    files: ['**/*.{js,mjs,cjs}'],
+    languageOptions: {
+      ...(js.configs.recommended.languageOptions ?? {}),
+      globals: globals.node
+    },
+    rules: {
+      ...(js.configs.recommended.rules ?? {}),
+      'no-console': 'warn'
+    }
+  },
+  {
+    files: ['**/*.ts'],
+    languageOptions: {
+      parser: tsParser,
+      parserOptions: {
+        ecmaVersion: 'latest',
+        sourceType: 'module'
+      },
+      globals: {
+        ...globals.node,
+        ...globals.jest
+      }
+    },
+    plugins: {
+      '@typescript-eslint': tsPlugin
+    },
+    rules: {
+      ...(js.configs.recommended.rules ?? {}),
+      ...tsEslintRecommendedRules,
+      ...(tsPlugin.configs.recommended.rules ?? {}),
+      'no-console': 'warn'
+    }
+  },
+  {
+    plugins: {
+      prettier: prettierPlugin
+    },
+    rules: {
+      'prettier/prettier': 'error'
+    }
+  },
+  prettierConfig
+];

package/jest.e2e.config.js

@@ -4,5 +4,6 @@ module.exports = {
   preset: 'ts-jest',
   testEnvironment: 'node',
   setupFilesAfterEnv: ['<rootDir>/__e2e__/setup.ts'],
+  testMatch: ['<rootDir>/__e2e__/**/*.test.ts'],
   testTimeout: 30000 // 30 seconds timeout for e2e tests
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "env-secrets",
-  "version": "0.3.2",
+  "version": "0.4.0",
   "description": "get secrets from a secrets vault and inject them into the running environment",
   "main": "index.js",
   "author": "Mark C Allen (@markcallen)",
@@ -16,10 +16,12 @@
     "build": "rimraf ./dist && tsc -b src",
     "start": "node dist/index.js",
     "postbuild": "chmod 755 ./dist/index.js",
-    "lint": "eslint . --ext .ts,.js",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
     "release": "release-it",
-    "prettier:fix": "npx prettier --write .",
-    "prettier:check": "npx prettier --check .",
+    "prettier": "prettier . --check",
+    "prettier:fix": "prettier . --write",
+    "prettier:check": "prettier . --check",
     "test": "npm run test:unit && npm run test:e2e",
     "test:unit": "jest __tests__",
     "test:unit:coverage": "jest __tests__ --coverage",
@@ -27,6 +29,7 @@
     "test:e2e:debug": "npm run build && DEBUG=true jest --config jest.e2e.config.js"
   },
   "devDependencies": {
+    "@everydaydevopsio/ballast": "^3.2.1",
     "@types/debug": "^4.1.12",
     "@types/jest": "^29.5.14",
     "@types/node": "^18.19.130",
@@ -36,30 +39,37 @@
     "eslint": "^8.57.1",
     "eslint-config-prettier": "^8.10.2",
     "eslint-plugin-prettier": "^4.2.5",
+    "globals": "^16.0.0",
     "husky": "^8.0.3",
     "jest": "^29.7.0",
     "lint-staged": "13.3.0",
     "prettier": "^2.8.8",
     "release-it": "^15.11.0",
     "rimraf": "^3.0.2",
+    "tsc-files": "^1.1.4",
     "ts-jest": "^29.4.6",
     "ts-node": "^10.9.2",
     "typescript": "^4.9.5"
   },
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.899.0",
-    "@aws-sdk/client-sts": "^3.899.0",
-    "@aws-sdk/credential-providers": "^3.899.0",
+    "@aws-sdk/client-secrets-manager": "^3.990.0",
+    "@aws-sdk/client-sts": "^3.990.0",
+    "@aws-sdk/credential-providers": "^3.990.0",
     "commander": "^9.5.0",
     "debug": "^4.4.3"
   },
   "lint-staged": {
-    "*.{ts,js}": [
-      "prettier --write .",
-      "eslint --fix ."
+    "**/*.js": [
+      "prettier --write",
+      "eslint --fix"
     ],
-    "*.{json,md,mdx,yaml,yml}": [
-      "prettier --write ."
+    "**/*.ts": [
+      "bash -lc 'tsc --noEmit --project src/tsconfig.json'",
+      "prettier --write",
+      "eslint --fix"
+    ],
+    "**/*.{json,md,mdx,yaml,yml}": [
+      "prettier --write"
     ]
   },
   "publishConfig": {
@@ -70,6 +80,6 @@
     "env-secrets": "dist/index.js"
   },
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.0.0"
   }
 }

package/src/cli/helpers.ts

@@ -0,0 +1,144 @@
+export type OutputFormat = 'json' | 'table';
+export interface AwsScopeOptions {
+  profile?: string;
+  region?: string;
+}
+
+interface CommandLikeWithGlobalOpts {
+  optsWithGlobals?: () => Record<string, unknown>;
+}
+
+export const asOutputFormat = (value: string): OutputFormat => {
+  if (value !== 'json' && value !== 'table') {
+    throw new Error(`Invalid output format "${value}". Use "json" or "table".`);
+  }
+
+  return value;
+};
+
+export const renderTable = (
+  headers: Array<{ key: string; label: string }>,
+  rows: Array<Record<string, string | undefined>>
+) => {
+  if (rows.length === 0) {
+    return 'No results.';
+  }
+
+  const widths = headers.map((header) => {
+    return Math.max(
+      header.label.length,
+      ...rows.map((row) => String(row[header.key] || '').length)
+    );
+  });
+
+  const headerLine = headers
+    .map((header, index) => header.label.padEnd(widths[index]))
+    .join('  ');
+  const divider = headers
+    .map((_, index) => '-'.repeat(widths[index]))
+    .join('  ');
+  const lines = rows.map((row) =>
+    headers
+      .map((header, index) =>
+        String(row[header.key] || '').padEnd(widths[index])
+      )
+      .join('  ')
+  );
+
+  return [headerLine, divider, ...lines].join('\n');
+};
+
+export const printData = (
+  format: OutputFormat,
+  headers: Array<{ key: string; label: string }>,
+  rows: Array<Record<string, string | undefined>>
+) => {
+  if (format === 'json') {
+    // eslint-disable-next-line no-console
+    console.log(JSON.stringify(rows, null, 2));
+    return;
+  }
+
+  // eslint-disable-next-line no-console
+  console.log(renderTable(headers, rows));
+};
+
+export const parseRecoveryDays = (value: string) => {
+  const parsed = Number(value);
+  if (!Number.isInteger(parsed) || parsed < 7 || parsed > 30) {
+    throw new Error('Recovery days must be an integer between 7 and 30.');
+  }
+
+  return parsed;
+};
+
+export const readStdin = async (stdin: NodeJS.ReadStream = process.stdin) => {
+  const chunks: Buffer[] = [];
+
+  return await new Promise<string>((resolve, reject) => {
+    const onData = (chunk: Buffer) => {
+      chunks.push(chunk);
+    };
+    const onEnd = () => {
+      cleanup();
+      resolve(
+        Buffer.concat(chunks)
+          .toString('utf8')
+          .replace(/\r?\n$/, '')
+      );
+    };
+    const onError = (error: Error) => {
+      cleanup();
+      reject(error);
+    };
+    const cleanup = () => {
+      stdin.off('data', onData);
+      stdin.off('end', onEnd);
+      stdin.off('error', onError);
+    };
+
+    stdin.on('data', onData);
+    stdin.once('end', onEnd);
+    stdin.once('error', onError);
+  });
+};
+
+export const resolveSecretValue = async (
+  value?: string,
+  valueStdin?: boolean
+): Promise<string | undefined> => {
+  if (value && valueStdin) {
+    throw new Error('Use either --value or --value-stdin, not both.');
+  }
+
+  if (valueStdin) {
+    if (process.stdin.isTTY) {
+      throw new Error(
+        'No stdin detected. Pipe a value when using --value-stdin.'
+      );
+    }
+    return await readStdin();
+  }
+
+  return value;
+};
+
+export const resolveAwsScope = (
+  options: AwsScopeOptions,
+  command?: CommandLikeWithGlobalOpts
+): AwsScopeOptions => {
+  const globalOptions = command?.optsWithGlobals?.() || {};
+
+  const profile =
+    options.profile ||
+    (typeof globalOptions.profile === 'string'
+      ? globalOptions.profile
+      : undefined);
+  const region =
+    options.region ||
+    (typeof globalOptions.region === 'string'
+      ? globalOptions.region
+      : undefined);
+
+  return { profile, region };
+};