env-secrets 0.3.2 → 0.4.0

package/src/index.ts

@@ -1,4 +1,5 @@
 #!/usr/bin/env node
+/* istanbul ignore file */
 
 import { Command, Argument } from 'commander';
 import { spawn } from 'node:child_process';
@@ -7,12 +8,32 @@ import Debug from 'debug';
 
 import { LIB_VERSION } from './version';
 import { secretsmanager } from './vaults/secretsmanager';
+import {
+  createSecret,
+  updateSecret,
+  listSecrets,
+  getSecretMetadata,
+  deleteSecret
+} from './vaults/secretsmanager-admin';
+import {
+  asOutputFormat,
+  printData,
+  parseRecoveryDays,
+  resolveAwsScope,
+  resolveSecretValue
+} from './cli/helpers';
 import { objectToExport } from './vaults/utils';
 
 const debug = Debug('env-secrets');
 
 const program = new Command();
 
+const exitWithError = (error: unknown) => {
+  // eslint-disable-next-line no-console
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exit(1);
+};
+
 // main program
 program
   .name('env-secrets')
@@ -22,11 +43,11 @@ program
   .version(LIB_VERSION);
 
 // aws secretsmanager
-program
+const awsCommand = program
   .command('aws')
   .description('get secrets from AWS secrets manager')
   .addArgument(new Argument('[program...]', 'program to run'))
-  .requiredOption('-s, --secret <secret>', 'secret to get')
+  .option('-s, --secret <secret>', 'secret to get')
   .option('-p, --profile <profile>', 'profile to use')
   .option('-r, --region <region>', 'region to use')
   .option(
@@ -34,6 +55,12 @@ program
     'output secrets to file instead of environment variables'
   )
   .action(async (program, options) => {
+    if (!options.secret) {
+      exitWithError(
+        new Error('Missing required option --secret for this command.')
+      );
+    }
+
     const secrets = await secretsmanager(options);
     debug(secrets);
 
@@ -75,4 +102,262 @@ program
     }
   });
 
+const secretCommand = awsCommand
+  .command('secret')
+  .description('manage AWS secrets');
+
+secretCommand
+  .command('create')
+  .description('create a secret in AWS Secrets Manager')
+  .requiredOption('-n, --name <name>', 'secret name')
+  .option('-v, --value <value>', 'secret value')
+  .option('--value-stdin', 'read secret value from stdin')
+  .option('-d, --description <description>', 'secret description')
+  .option('-k, --kms-key-id <kmsKeyId>', 'kms key id')
+  .option('-t, --tag <tag...>', 'tag in key=value format')
+  .option('-p, --profile <profile>', 'profile to use')
+  .option('-r, --region <region>', 'region to use')
+  .option('--output <format>', 'output format: json|table')
+  .action(async (options, command) => {
+    try {
+      const { profile, region } = resolveAwsScope(options, command);
+      const globalOptions = command.optsWithGlobals();
+      const output =
+        options.output ??
+        (typeof globalOptions.output === 'string'
+          ? globalOptions.output
+          : 'table');
+      const value = await resolveSecretValue(options.value, options.valueStdin);
+      if (!value) {
+        throw new Error(
+          'Secret value is required. Provide --value or --value-stdin.'
+        );
+      }
+
+      const result = await createSecret({
+        name: options.name,
+        value,
+        description: options.description,
+        kmsKeyId: options.kmsKeyId,
+        tags: options.tag,
+        profile,
+        region
+      });
+
+      printData(
+        asOutputFormat(output),
+        [
+          { key: 'name', label: 'Name' },
+          { key: 'arn', label: 'ARN' },
+          { key: 'versionId', label: 'VersionId' }
+        ],
+        [result]
+      );
+    } catch (error: unknown) {
+      exitWithError(error);
+    }
+  });
+
+secretCommand
+  .command('update')
+  .description('update secret value or metadata')
+  .requiredOption('-n, --name <name>', 'secret name')
+  .option('-v, --value <value>', 'new secret value')
+  .option('--value-stdin', 'read secret value from stdin')
+  .option('-d, --description <description>', 'secret description')
+  .option('-k, --kms-key-id <kmsKeyId>', 'kms key id')
+  .option('-p, --profile <profile>', 'profile to use')
+  .option('-r, --region <region>', 'region to use')
+  .option('--output <format>', 'output format: json|table')
+  .action(async (options, command) => {
+    try {
+      const { profile, region } = resolveAwsScope(options, command);
+      const globalOptions = command.optsWithGlobals();
+      const output =
+        options.output ??
+        (typeof globalOptions.output === 'string'
+          ? globalOptions.output
+          : 'table');
+      const value = await resolveSecretValue(options.value, options.valueStdin);
+      if (!value && !options.description && !options.kmsKeyId) {
+        throw new Error(
+          'Nothing to update. Provide --value/--value-stdin, --description, or --kms-key-id.'
+        );
+      }
+
+      const result = await updateSecret({
+        name: options.name,
+        value,
+        description: options.description,
+        kmsKeyId: options.kmsKeyId,
+        profile,
+        region
+      });
+
+      printData(
+        asOutputFormat(output),
+        [
+          { key: 'name', label: 'Name' },
+          { key: 'arn', label: 'ARN' },
+          { key: 'versionId', label: 'VersionId' }
+        ],
+        [result]
+      );
+    } catch (error: unknown) {
+      exitWithError(error);
+    }
+  });
+
+secretCommand
+  .command('list')
+  .description('list secrets in AWS Secrets Manager')
+  .option('--prefix <prefix>', 'filter secrets by name prefix')
+  .option('-t, --tag <tag...>', 'filter tags in key=value format')
+  .option('-p, --profile <profile>', 'profile to use')
+  .option('-r, --region <region>', 'region to use')
+  .option('--output <format>', 'output format: json|table')
+  .action(async (options, command) => {
+    try {
+      const { profile, region } = resolveAwsScope(options, command);
+      const globalOptions = command.optsWithGlobals();
+      const output =
+        options.output ??
+        (typeof globalOptions.output === 'string'
+          ? globalOptions.output
+          : 'table');
+      const result = await listSecrets({
+        prefix: options.prefix,
+        tags: options.tag,
+        profile,
+        region
+      });
+      const rows = result.map((secret) => ({
+        name: secret.name,
+        description: secret.description,
+        lastChangedDate: secret.lastChangedDate
+      }));
+
+      printData(
+        asOutputFormat(output),
+        [
+          { key: 'name', label: 'Name' },
+          { key: 'description', label: 'Description' },
+          { key: 'lastChangedDate', label: 'LastChanged' }
+        ],
+        rows
+      );
+    } catch (error: unknown) {
+      exitWithError(error);
+    }
+  });
+
+secretCommand
+  .command('get')
+  .description('get secret metadata and version information')
+  .requiredOption('-n, --name <name>', 'secret name')
+  .option('-p, --profile <profile>', 'profile to use')
+  .option('-r, --region <region>', 'region to use')
+  .option('--output <format>', 'output format: json|table')
+  .action(async (options, command) => {
+    try {
+      const { profile, region } = resolveAwsScope(options, command);
+      const globalOptions = command.optsWithGlobals();
+      const output =
+        options.output ??
+        (typeof globalOptions.output === 'string'
+          ? globalOptions.output
+          : 'table');
+      const result = await getSecretMetadata({
+        name: options.name,
+        profile,
+        region
+      });
+
+      const row = {
+        name: result.name,
+        arn: result.arn,
+        description: result.description,
+        kmsKeyId: result.kmsKeyId,
+        createdDate: result.createdDate,
+        lastChangedDate: result.lastChangedDate,
+        deletedDate: result.deletedDate
+      };
+
+      printData(
+        asOutputFormat(output),
+        [
+          { key: 'name', label: 'Name' },
+          { key: 'arn', label: 'ARN' },
+          { key: 'description', label: 'Description' },
+          { key: 'kmsKeyId', label: 'KmsKeyId' },
+          { key: 'createdDate', label: 'Created' },
+          { key: 'lastChangedDate', label: 'LastChanged' },
+          { key: 'deletedDate', label: 'Deleted' }
+        ],
+        [row]
+      );
+    } catch (error: unknown) {
+      exitWithError(error);
+    }
+  });
+
+secretCommand
+  .command('delete')
+  .description('delete a secret in AWS Secrets Manager')
+  .requiredOption('-n, --name <name>', 'secret name')
+  .option(
+    '--recovery-days <days>',
+    'recovery window in days (7-30)',
+    parseRecoveryDays
+  )
+  .option(
+    '--force-delete-without-recovery',
+    'permanently delete secret without recovery window',
+    false
+  )
+  .option('-y, --yes', 'confirm delete action', false)
+  .option('-p, --profile <profile>', 'profile to use')
+  .option('-r, --region <region>', 'region to use')
+  .option('--output <format>', 'output format: json|table')
+  .action(async (options, command) => {
+    try {
+      const { profile, region } = resolveAwsScope(options, command);
+      const globalOptions = command.optsWithGlobals();
+      const output =
+        options.output ??
+        (typeof globalOptions.output === 'string'
+          ? globalOptions.output
+          : 'table');
+      if (!options.yes) {
+        throw new Error('Delete requires --yes confirmation.');
+      }
+
+      if (options.recoveryDays && options.forceDeleteWithoutRecovery) {
+        throw new Error(
+          'Use either --recovery-days or --force-delete-without-recovery, not both.'
+        );
+      }
+
+      const result = await deleteSecret({
+        name: options.name,
+        recoveryDays: options.recoveryDays,
+        forceDeleteWithoutRecovery: options.forceDeleteWithoutRecovery,
+        profile,
+        region
+      });
+
+      printData(
+        asOutputFormat(output),
+        [
+          { key: 'name', label: 'Name' },
+          { key: 'arn', label: 'ARN' },
+          { key: 'deletedDate', label: 'DeletedDate' }
+        ],
+        [result]
+      );
+    } catch (error: unknown) {
+      exitWithError(error);
+    }
+  });
+
 program.parse();

package/src/vaults/aws-config.ts

@@ -0,0 +1,51 @@
+import { fromIni } from '@aws-sdk/credential-providers';
+
+interface AwsConfigOptions {
+  profile?: string;
+  region?: string;
+}
+
+interface AwsClientConfig {
+  region?: string;
+  credentials?: ReturnType<typeof fromIni>;
+  endpoint?: string;
+}
+
+const getCredentialsProvider = (options: AwsConfigOptions) => {
+  const {
+    AWS_ACCESS_KEY_ID: awsAccessKeyId,
+    AWS_SECRET_ACCESS_KEY: awsSecretAccessKey
+  } = process.env;
+
+  if (options.profile) {
+    return fromIni({ profile: options.profile });
+  }
+
+  if (awsAccessKeyId && awsSecretAccessKey) {
+    return undefined;
+  }
+
+  return fromIni({ profile: 'default' });
+};
+
+const getEndpoint = () => {
+  return (
+    process.env.AWS_ENDPOINT_URL || process.env.AWS_SECRETS_MANAGER_ENDPOINT
+  );
+};
+
+export const buildAwsClientConfig = (
+  options: AwsConfigOptions
+): AwsClientConfig => {
+  const endpoint = getEndpoint();
+  const config: AwsClientConfig = {
+    region: options.region,
+    credentials: getCredentialsProvider(options)
+  };
+
+  if (endpoint) {
+    config.endpoint = endpoint;
+  }
+
+  return config;
+};