env-secrets 0.3.3 → 0.5.0

package/dist/cli/helpers.js

@@ -0,0 +1,172 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveAwsScope = exports.parseEnvSecretsFile = exports.parseEnvSecrets = exports.resolveSecretValue = exports.readStdin = exports.parseRecoveryDays = exports.printData = exports.renderTable = exports.asOutputFormat = void 0;
+const promises_1 = require("node:fs/promises");
+const asOutputFormat = (value) => {
+    if (value !== 'json' && value !== 'table') {
+        throw new Error(`Invalid output format "${value}". Use "json" or "table".`);
+    }
+    return value;
+};
+exports.asOutputFormat = asOutputFormat;
+const renderTable = (headers, rows) => {
+    if (rows.length === 0) {
+        return 'No results.';
+    }
+    const widths = headers.map((header) => {
+        return Math.max(header.label.length, ...rows.map((row) => String(row[header.key] || '').length));
+    });
+    const headerLine = headers
+        .map((header, index) => header.label.padEnd(widths[index]))
+        .join('  ');
+    const divider = headers
+        .map((_, index) => '-'.repeat(widths[index]))
+        .join('  ');
+    const lines = rows.map((row) => headers
+        .map((header, index) => String(row[header.key] || '').padEnd(widths[index]))
+        .join('  '));
+    return [headerLine, divider, ...lines].join('\n');
+};
+exports.renderTable = renderTable;
+const printData = (format, headers, rows) => {
+    if (format === 'json') {
+        // eslint-disable-next-line no-console
+        console.log(JSON.stringify(rows, null, 2));
+        return;
+    }
+    // eslint-disable-next-line no-console
+    console.log((0, exports.renderTable)(headers, rows));
+};
+exports.printData = printData;
+const parseRecoveryDays = (value) => {
+    const parsed = Number(value);
+    if (!Number.isInteger(parsed) || parsed < 7 || parsed > 30) {
+        throw new Error('Recovery days must be an integer between 7 and 30.');
+    }
+    return parsed;
+};
+exports.parseRecoveryDays = parseRecoveryDays;
+const readStdin = (stdin = process.stdin) => __awaiter(void 0, void 0, void 0, function* () {
+    const chunks = [];
+    return yield new Promise((resolve, reject) => {
+        const onData = (chunk) => {
+            chunks.push(chunk);
+        };
+        const onEnd = () => {
+            cleanup();
+            resolve(Buffer.concat(chunks)
+                .toString('utf8')
+                .replace(/\r?\n$/, ''));
+        };
+        const onError = (error) => {
+            cleanup();
+            reject(error);
+        };
+        const cleanup = () => {
+            stdin.off('data', onData);
+            stdin.off('end', onEnd);
+            stdin.off('error', onError);
+        };
+        stdin.on('data', onData);
+        stdin.once('end', onEnd);
+        stdin.once('error', onError);
+    });
+});
+exports.readStdin = readStdin;
+const resolveSecretValue = (value, valueStdin, valueFile) => __awaiter(void 0, void 0, void 0, function* () {
+    const providedSources = [
+        value !== undefined,
+        valueStdin === true,
+        valueFile !== undefined
+    ].filter(Boolean).length;
+    if (providedSources > 1) {
+        throw new Error('Use only one secret value source: --value, --value-stdin, or --file.');
+    }
+    if (valueStdin) {
+        if (process.stdin.isTTY) {
+            throw new Error('No stdin detected. Pipe a value when using --value-stdin.');
+        }
+        return yield (0, exports.readStdin)();
+    }
+    if (valueFile) {
+        const content = yield (0, promises_1.readFile)(valueFile, 'utf8');
+        return content.replace(/\r?\n$/, '');
+    }
+    return value;
+});
+exports.resolveSecretValue = resolveSecretValue;
+const parseEnvLine = (line, lineNumber) => {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) {
+        return undefined;
+    }
+    const candidate = trimmed.startsWith('export ')
+        ? trimmed.slice('export '.length).trimStart()
+        : trimmed;
+    const separatorIndex = candidate.indexOf('=');
+    if (separatorIndex <= 0) {
+        throw new Error(`Malformed env line ${lineNumber}. Expected KEY=value or export KEY=value.`);
+    }
+    const key = candidate.slice(0, separatorIndex).trim();
+    const value = candidate.slice(separatorIndex + 1).trim();
+    if (!key) {
+        throw new Error(`Malformed env line ${lineNumber}. Expected KEY=value or export KEY=value.`);
+    }
+    return { key, value };
+};
+const parseEnvSecrets = (content) => {
+    const seenKeys = new Set();
+    const entries = [];
+    const skipped = [];
+    const lines = content.split(/\r?\n/);
+    for (let index = 0; index < lines.length; index += 1) {
+        const parsed = parseEnvLine(lines[index], index + 1);
+        if (!parsed) {
+            continue;
+        }
+        if (seenKeys.has(parsed.key)) {
+            skipped.push({
+                key: parsed.key,
+                line: index + 1,
+                reason: 'duplicate key'
+            });
+            continue;
+        }
+        seenKeys.add(parsed.key);
+        entries.push({
+            key: parsed.key,
+            value: parsed.value,
+            line: index + 1
+        });
+    }
+    return { entries, skipped };
+};
+exports.parseEnvSecrets = parseEnvSecrets;
+const parseEnvSecretsFile = (path) => __awaiter(void 0, void 0, void 0, function* () {
+    const content = yield (0, promises_1.readFile)(path, 'utf8');
+    return (0, exports.parseEnvSecrets)(content);
+});
+exports.parseEnvSecretsFile = parseEnvSecretsFile;
+const resolveAwsScope = (options, command) => {
+    var _a;
+    const globalOptions = ((_a = command === null || command === void 0 ? void 0 : command.optsWithGlobals) === null || _a === void 0 ? void 0 : _a.call(command)) || {};
+    const profile = options.profile ||
+        (typeof globalOptions.profile === 'string'
+            ? globalOptions.profile
+            : undefined);
+    const region = options.region ||
+        (typeof globalOptions.region === 'string'
+            ? globalOptions.region
+            : undefined);
+    return { profile, region };
+};
+exports.resolveAwsScope = resolveAwsScope;

package/dist/index.js

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 "use strict";
+/* istanbul ignore file */
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
@@ -19,24 +20,47 @@ const node_fs_1 = require("node:fs");
 const debug_1 = __importDefault(require("debug"));
 const version_1 = require("./version");
 const secretsmanager_1 = require("./vaults/secretsmanager");
+const secretsmanager_admin_1 = require("./vaults/secretsmanager-admin");
+const helpers_1 = require("./cli/helpers");
 const utils_1 = require("./vaults/utils");
 const debug = (0, debug_1.default)('env-secrets');
 const program = new commander_1.Command();
+const exitWithError = (error) => {
+    // eslint-disable-next-line no-console
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+};
+const parseSecretJsonObject = (secretName, value) => {
+    let parsed;
+    try {
+        parsed = JSON.parse(value);
+    }
+    catch (_a) {
+        throw new Error(`Secret "${secretName}" is not valid JSON. append/remove requires a JSON object secret.`);
+    }
+    if (!parsed || Array.isArray(parsed) || typeof parsed !== 'object') {
+        throw new Error(`Secret "${secretName}" must be a JSON object. append/remove does not support arrays or scalar values.`);
+    }
+    return parsed;
+};
 // main program
 program
     .name('env-secrets')
     .description('pull secrets from vaults and inject them into the running environment')
     .version(version_1.LIB_VERSION);
 // aws secretsmanager
-program
+const awsCommand = program
     .command('aws')
     .description('get secrets from AWS secrets manager')
     .addArgument(new commander_1.Argument('[program...]', 'program to run'))
-    .requiredOption('-s, --secret <secret>', 'secret to get')
+    .option('-s, --secret <secret>', 'secret to get')
     .option('-p, --profile <profile>', 'profile to use')
     .option('-r, --region <region>', 'region to use')
     .option('-o, --output <file>', 'output secrets to file instead of environment variables')
     .action((program, options) => __awaiter(void 0, void 0, void 0, function* () {
+    if (!options.secret) {
+        exitWithError(new Error('Missing required option --secret for this command.'));
+    }
     const secrets = yield (0, secretsmanager_1.secretsmanager)(options);
     debug(secrets);
     if (options.output) {
@@ -72,4 +96,434 @@ program
         }
     }
 }));
+const secretCommand = awsCommand
+    .command('secret')
+    .description('manage AWS secrets');
+secretCommand
+    .command('create')
+    .description('create a secret in AWS Secrets Manager')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .option('-v, --value <value>', 'secret value')
+    .option('--value-stdin', 'read secret value from stdin')
+    .option('-f, --file <path>', 'read secret value from local file')
+    .option('-d, --description <description>', 'secret description')
+    .option('-k, --kms-key-id <kmsKeyId>', 'kms key id')
+    .option('-t, --tag <tag...>', 'tag in key=value format')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_a = options.output) !== null && _a !== void 0 ? _a : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin, options.file);
+        if (!value) {
+            throw new Error('Secret value is required. Provide --value, --value-stdin, or --file.');
+        }
+        const result = yield (0, secretsmanager_admin_1.createSecret)({
+            name: options.name,
+            value,
+            description: options.description,
+            kmsKeyId: options.kmsKeyId,
+            tags: options.tag,
+            profile,
+            region
+        });
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'arn', label: 'ARN' },
+            { key: 'versionId', label: 'VersionId' }
+        ], [result]);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('update')
+    .description('update secret value or metadata')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .option('-v, --value <value>', 'new secret value')
+    .option('--value-stdin', 'read secret value from stdin')
+    .option('-f, --file <path>', 'read secret value from local file')
+    .option('-d, --description <description>', 'secret description')
+    .option('-k, --kms-key-id <kmsKeyId>', 'kms key id')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _b;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_b = options.output) !== null && _b !== void 0 ? _b : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin, options.file);
+        if (!value && !options.description && !options.kmsKeyId) {
+            throw new Error('Nothing to update. Provide --value/--value-stdin/--file, --description, or --kms-key-id.');
+        }
+        const result = yield (0, secretsmanager_admin_1.updateSecret)({
+            name: options.name,
+            value,
+            description: options.description,
+            kmsKeyId: options.kmsKeyId,
+            profile,
+            region
+        });
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'arn', label: 'ARN' },
+            { key: 'versionId', label: 'VersionId' }
+        ], [result]);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('upsert')
+    .alias('import')
+    .description('create or update a secret from a local env file')
+    .requiredOption('-f, --file <path>', 'path to env file')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .option('-d, --description <description>', 'secret description')
+    .option('-k, --kms-key-id <kmsKeyId>', 'kms key id')
+    .option('-t, --tag <tag...>', 'tag in key=value format (applies on create)')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _c;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_c = options.output) !== null && _c !== void 0 ? _c : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const parsed = yield (0, helpers_1.parseEnvSecretsFile)(options.file);
+        if (parsed.entries.length === 0) {
+            throw new Error('No env entries found. Include lines like KEY=value or export KEY=value.');
+        }
+        const payload = Object.fromEntries(parsed.entries.map((entry) => [entry.key, entry.value]));
+        const value = JSON.stringify(payload);
+        const rows = [];
+        let created = 0;
+        let updated = 0;
+        let failed = 0;
+        const skipped = parsed.skipped.length;
+        for (const skip of parsed.skipped) {
+            rows.push({
+                name: options.name,
+                status: 'skipped',
+                line: String(skip.line),
+                message: `${skip.reason}: ${skip.key}`
+            });
+        }
+        try {
+            try {
+                yield (0, secretsmanager_admin_1.createSecret)({
+                    name: options.name,
+                    value,
+                    description: options.description,
+                    kmsKeyId: options.kmsKeyId,
+                    tags: options.tag,
+                    profile,
+                    region
+                });
+                created += 1;
+                rows.push({
+                    name: options.name,
+                    status: 'created',
+                    message: `imported ${parsed.entries.length} keys`
+                });
+            }
+            catch (createError) {
+                const message = createError instanceof Error
+                    ? createError.message
+                    : String(createError);
+                if (!/already exists/i.test(message)) {
+                    throw createError;
+                }
+                yield (0, secretsmanager_admin_1.updateSecret)({
+                    name: options.name,
+                    value,
+                    description: options.description,
+                    kmsKeyId: options.kmsKeyId,
+                    profile,
+                    region
+                });
+                updated += 1;
+                rows.push({
+                    name: options.name,
+                    status: 'updated',
+                    message: `imported ${parsed.entries.length} keys`
+                });
+            }
+        }
+        catch (error) {
+            failed += 1;
+            rows.push({
+                name: options.name,
+                status: 'failed',
+                message: error instanceof Error ? error.message : String(error)
+            });
+        }
+        const summary = { created, updated, skipped, failed };
+        if (output === 'json') {
+            // eslint-disable-next-line no-console
+            console.log(JSON.stringify({ summary, results: rows }, null, 2));
+            if (failed > 0) {
+                process.exitCode = 1;
+            }
+            return;
+        }
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'status', label: 'Status' },
+            { key: 'line', label: 'Line' },
+            { key: 'message', label: 'Message' }
+        ], rows);
+        // eslint-disable-next-line no-console
+        console.log(`Summary: created=${created}, updated=${updated}, skipped=${skipped}, failed=${failed}`);
+        if (failed > 0) {
+            process.exitCode = 1;
+        }
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('append')
+    .description('append or overwrite one key in an existing JSON secret')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .requiredOption('--key <key>', 'key to append/update')
+    .option('-v, --value <value>', 'value for the key')
+    .option('--value-stdin', 'read value from stdin')
+    .option('-f, --file <path>', 'read value from local file')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _d;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_d = options.output) !== null && _d !== void 0 ? _d : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin, options.file);
+        if (!value) {
+            throw new Error('Append value is required. Provide --value, --value-stdin, or --file.');
+        }
+        const current = yield (0, secretsmanager_admin_1.getSecretString)({
+            name: options.name,
+            profile,
+            region
+        });
+        const payload = parseSecretJsonObject(options.name, current);
+        payload[options.key] = value;
+        const result = yield (0, secretsmanager_admin_1.updateSecret)({
+            name: options.name,
+            value: JSON.stringify(payload),
+            profile,
+            region
+        });
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'arn', label: 'ARN' },
+            { key: 'versionId', label: 'VersionId' },
+            { key: 'key', label: 'Key' },
+            { key: 'action', label: 'Action' }
+        ], [
+            Object.assign(Object.assign({}, result), { key: options.key, action: 'appended' })
+        ]);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('remove')
+    .description('remove one or more keys from an existing JSON secret')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .requiredOption('--key <key...>', 'one or more keys to remove')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _e;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_e = options.output) !== null && _e !== void 0 ? _e : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const keys = options.key;
+        const current = yield (0, secretsmanager_admin_1.getSecretString)({
+            name: options.name,
+            profile,
+            region
+        });
+        const payload = parseSecretJsonObject(options.name, current);
+        const removed = [];
+        const missing = [];
+        for (const key of keys) {
+            if (Object.prototype.hasOwnProperty.call(payload, key)) {
+                delete payload[key];
+                removed.push(key);
+            }
+            else {
+                missing.push(key);
+            }
+        }
+        if (removed.length === 0) {
+            throw new Error(`None of the requested keys exist in secret "${options.name}".`);
+        }
+        const result = yield (0, secretsmanager_admin_1.updateSecret)({
+            name: options.name,
+            value: JSON.stringify(payload),
+            profile,
+            region
+        });
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'arn', label: 'ARN' },
+            { key: 'versionId', label: 'VersionId' },
+            { key: 'removed', label: 'RemovedKeys' },
+            { key: 'missing', label: 'MissingKeys' }
+        ], [
+            Object.assign(Object.assign({}, result), { removed: removed.join(','), missing: missing.join(',') })
+        ]);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('list')
+    .description('list secrets in AWS Secrets Manager')
+    .option('--prefix <prefix>', 'filter secrets by name prefix')
+    .option('-t, --tag <tag...>', 'filter tags in key=value format')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _f;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_f = options.output) !== null && _f !== void 0 ? _f : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const result = yield (0, secretsmanager_admin_1.listSecrets)({
+            prefix: options.prefix,
+            tags: options.tag,
+            profile,
+            region
+        });
+        const rows = result.map((secret) => ({
+            name: secret.name,
+            description: secret.description,
+            lastChangedDate: secret.lastChangedDate
+        }));
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'description', label: 'Description' },
+            { key: 'lastChangedDate', label: 'LastChanged' }
+        ], rows);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('get')
+    .description('get secret metadata and version information')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _g;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_g = options.output) !== null && _g !== void 0 ? _g : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        const result = yield (0, secretsmanager_admin_1.getSecretMetadata)({
+            name: options.name,
+            profile,
+            region
+        });
+        const row = {
+            name: result.name,
+            arn: result.arn,
+            description: result.description,
+            kmsKeyId: result.kmsKeyId,
+            createdDate: result.createdDate,
+            lastChangedDate: result.lastChangedDate,
+            deletedDate: result.deletedDate
+        };
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'arn', label: 'ARN' },
+            { key: 'description', label: 'Description' },
+            { key: 'kmsKeyId', label: 'KmsKeyId' },
+            { key: 'createdDate', label: 'Created' },
+            { key: 'lastChangedDate', label: 'LastChanged' },
+            { key: 'deletedDate', label: 'Deleted' }
+        ], [row]);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
+secretCommand
+    .command('delete')
+    .description('delete a secret in AWS Secrets Manager')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .option('--recovery-days <days>', 'recovery window in days (7-30)', helpers_1.parseRecoveryDays)
+    .option('--force-delete-without-recovery', 'permanently delete secret without recovery window', false)
+    .option('-y, --yes', 'confirm delete action', false)
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    var _h;
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const globalOptions = command.optsWithGlobals();
+        const output = (_h = options.output) !== null && _h !== void 0 ? _h : (typeof globalOptions.output === 'string'
+            ? globalOptions.output
+            : 'table');
+        if (!options.yes) {
+            throw new Error('Delete requires --yes confirmation.');
+        }
+        if (options.recoveryDays && options.forceDeleteWithoutRecovery) {
+            throw new Error('Use either --recovery-days or --force-delete-without-recovery, not both.');
+        }
+        const result = yield (0, secretsmanager_admin_1.deleteSecret)({
+            name: options.name,
+            recoveryDays: options.recoveryDays,
+            forceDeleteWithoutRecovery: options.forceDeleteWithoutRecovery,
+            profile,
+            region
+        });
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'name', label: 'Name' },
+            { key: 'arn', label: 'ARN' },
+            { key: 'deletedDate', label: 'DeletedDate' }
+        ], [result]);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
 program.parse();

package/dist/vaults/aws-config.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildAwsClientConfig = void 0;
+const credential_providers_1 = require("@aws-sdk/credential-providers");
+const getCredentialsProvider = (options) => {
+    const { AWS_ACCESS_KEY_ID: awsAccessKeyId, AWS_SECRET_ACCESS_KEY: awsSecretAccessKey } = process.env;
+    if (options.profile) {
+        return (0, credential_providers_1.fromIni)({ profile: options.profile });
+    }
+    if (awsAccessKeyId && awsSecretAccessKey) {
+        return undefined;
+    }
+    return (0, credential_providers_1.fromIni)({ profile: 'default' });
+};
+const getEndpoint = () => {
+    return (process.env.AWS_ENDPOINT_URL || process.env.AWS_SECRETS_MANAGER_ENDPOINT);
+};
+const buildAwsClientConfig = (options) => {
+    const endpoint = getEndpoint();
+    const config = {
+        region: options.region,
+        credentials: getCredentialsProvider(options)
+    };
+    if (endpoint) {
+        config.endpoint = endpoint;
+    }
+    return config;
+};
+exports.buildAwsClientConfig = buildAwsClientConfig;