env-secrets 0.5.0 → 0.5.2

package/__e2e__/aws-secret-mutation-args.test.ts

@@ -0,0 +1,199 @@
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+
+import {
+  cliWithEnv,
+  cleanupTempFile,
+  execAwslocalCommand
+} from './utils/test-utils';
+import { registerAwsE2eContext } from './utils/aws-e2e-context';
+
+describe('AWS Secret Mutation CLI Args', () => {
+  const { getLocalStackEnv } = registerAwsE2eContext();
+
+  test('should append and remove keys on a JSON secret', async () => {
+    const secretName = `managed-secret-append-remove-${Date.now()}`;
+    const tempFile = path.join(
+      os.tmpdir(),
+      `env-secrets-append-remove-${Date.now()}.env`
+    );
+    fs.writeFileSync(tempFile, 'API_KEY=first');
+
+    const createResult = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'upsert',
+        '--file',
+        tempFile,
+        '--name',
+        secretName,
+        '--output',
+        'json'
+      ],
+      getLocalStackEnv()
+    );
+    expect(createResult.code).toBe(0);
+
+    const appendResult = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'append',
+        '-n',
+        secretName,
+        '--key',
+        'JIRA_EMAIL_TOKEN',
+        '-v',
+        'blah',
+        '--output',
+        'json'
+      ],
+      getLocalStackEnv()
+    );
+    expect(appendResult.code).toBe(0);
+
+    const afterAppend = await execAwslocalCommand(
+      `awslocal secretsmanager get-secret-value --secret-id "${secretName}" --region us-east-1 --query SecretString --output text`,
+      getLocalStackEnv()
+    );
+    expect(JSON.parse(afterAppend.stdout.trim())).toEqual({
+      API_KEY: 'first',
+      JIRA_EMAIL_TOKEN: 'blah'
+    });
+
+    const removeResult = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'remove',
+        '-n',
+        secretName,
+        '--key',
+        'API_KEY',
+        '--output',
+        'json'
+      ],
+      getLocalStackEnv()
+    );
+    expect(removeResult.code).toBe(0);
+
+    const afterRemove = await execAwslocalCommand(
+      `awslocal secretsmanager get-secret-value --secret-id "${secretName}" --region us-east-1 --query SecretString --output text`,
+      getLocalStackEnv()
+    );
+    expect(JSON.parse(afterRemove.stdout.trim())).toEqual({
+      JIRA_EMAIL_TOKEN: 'blah'
+    });
+
+    const deleteResult = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'delete',
+        '-n',
+        secretName,
+        '--force-delete-without-recovery',
+        '--yes'
+      ],
+      getLocalStackEnv()
+    );
+    expect(deleteResult.code).toBe(0);
+    cleanupTempFile(tempFile);
+  });
+
+  test('should upsert secrets from env file', async () => {
+    const secretName = `e2e-upsert-${Date.now()}`;
+    const tempFile = path.join(
+      os.tmpdir(),
+      `env-secrets-upsert-${Date.now()}.env`
+    );
+
+    fs.writeFileSync(
+      tempFile,
+      ['# sample', 'export API_KEY=first', 'DB_URL = postgres://one'].join('\n')
+    );
+
+    const firstRun = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'upsert',
+        '--file',
+        tempFile,
+        '--name',
+        secretName,
+        '--output',
+        'json'
+      ],
+      getLocalStackEnv()
+    );
+    expect(firstRun.code).toBe(0);
+    const firstJson = JSON.parse(firstRun.stdout) as {
+      summary: { created: number; updated: number; skipped: number };
+    };
+    expect(firstJson.summary.created).toBe(1);
+    expect(firstJson.summary.updated).toBe(0);
+
+    const firstSecret = await execAwslocalCommand(
+      `awslocal secretsmanager get-secret-value --secret-id "${secretName}" --region us-east-1 --query SecretString --output text`,
+      getLocalStackEnv()
+    );
+    expect(JSON.parse(firstSecret.stdout.trim())).toEqual({
+      API_KEY: 'first',
+      DB_URL: 'postgres://one'
+    });
+
+    fs.writeFileSync(
+      tempFile,
+      ['export API_KEY=second', 'DB_URL=postgres://two'].join('\n')
+    );
+
+    const secondRun = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'import',
+        '--file',
+        tempFile,
+        '--name',
+        secretName,
+        '--output',
+        'json'
+      ],
+      getLocalStackEnv()
+    );
+    expect(secondRun.code).toBe(0);
+    const secondJson = JSON.parse(secondRun.stdout) as {
+      summary: { created: number; updated: number; skipped: number };
+    };
+    expect(secondJson.summary.created).toBe(0);
+    expect(secondJson.summary.updated).toBe(1);
+    expect(secondJson.summary.skipped).toBe(0);
+
+    const secondSecret = await execAwslocalCommand(
+      `awslocal secretsmanager get-secret-value --secret-id "${secretName}" --region us-east-1 --query SecretString --output text`,
+      getLocalStackEnv()
+    );
+    expect(JSON.parse(secondSecret.stdout.trim())).toEqual({
+      API_KEY: 'second',
+      DB_URL: 'postgres://two'
+    });
+
+    const deleteResult = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'delete',
+        '-n',
+        secretName,
+        '--force-delete-without-recovery',
+        '--yes'
+      ],
+      getLocalStackEnv()
+    );
+    expect(deleteResult.code).toBe(0);
+    cleanupTempFile(tempFile);
+  });
+});

package/__e2e__/utils/aws-e2e-context.ts

@@ -0,0 +1,50 @@
+import {
+  LocalStackHelper,
+  createTestProfile,
+  restoreTestProfile,
+  TestProfileContext,
+  TestSecret,
+  CreatedSecret
+} from './test-utils';
+
+export interface AwsE2eContext {
+  createTestSecret: (
+    secret: TestSecret,
+    region?: string
+  ) => Promise<CreatedSecret>;
+  getLocalStackEnv: (
+    overrides?: Record<string, string>
+  ) => Record<string, string>;
+}
+
+export function registerAwsE2eContext(): AwsE2eContext {
+  let localStack: LocalStackHelper;
+  let profileContext: TestProfileContext | undefined;
+
+  beforeAll(async () => {
+    localStack = new LocalStackHelper();
+    await localStack.waitForLocalStack();
+    profileContext = createTestProfile();
+  });
+
+  afterAll(async () => {
+    await localStack.cleanupRunSecrets();
+    restoreTestProfile(profileContext);
+  });
+
+  return {
+    createTestSecret: async (
+      secret: TestSecret,
+      region?: string
+    ): Promise<CreatedSecret> => {
+      return await localStack.createSecret(secret, region);
+    },
+    getLocalStackEnv: (overrides: Record<string, string> = {}) => ({
+      AWS_ENDPOINT_URL: process.env.LOCALSTACK_URL || 'http://localhost:4566',
+      AWS_ACCESS_KEY_ID: 'test',
+      AWS_SECRET_ACCESS_KEY: 'test',
+      AWS_DEFAULT_REGION: 'us-east-1',
+      ...overrides
+    })
+  };
+}

package/__e2e__/utils/test-utils.ts

@@ -584,26 +584,11 @@ export function cleanupTempFile(filePath: string): void {
 }
 
 export function createTestProfile() {
-  const homeDir = os.homedir();
-  const awsDir = path.join(homeDir, '.aws');
-  const credentialsFile = path.join(awsDir, 'credentials');
-  const configFile = path.join(awsDir, 'config');
-
-  // Create .aws directory if it doesn't exist
-  if (!fs.existsSync(awsDir)) {
-    fs.mkdirSync(awsDir, { mode: 0o700 });
-  }
-
-  // Backup existing files if they exist
-  const backupCredentials = credentialsFile + '.backup';
-  const backupConfig = configFile + '.backup';
-
-  if (fs.existsSync(credentialsFile)) {
-    fs.copyFileSync(credentialsFile, backupCredentials);
-  }
-  if (fs.existsSync(configFile)) {
-    fs.copyFileSync(configFile, backupConfig);
-  }
+  const tempAwsDir = fs.mkdtempSync(path.join(os.tmpdir(), 'env-secrets-aws-'));
+  const credentialsFile = path.join(tempAwsDir, 'credentials');
+  const configFile = path.join(tempAwsDir, 'config');
+  const previousCredentialsFile = process.env.AWS_SHARED_CREDENTIALS_FILE;
+  const previousConfigFile = process.env.AWS_CONFIG_FILE;
 
   // Create test profile
   const credentialsContent = `[default]
@@ -625,34 +610,45 @@ region = us-east-1
   fs.writeFileSync(credentialsFile, credentialsContent, { mode: 0o600 });
   fs.writeFileSync(configFile, configContent, { mode: 0o600 });
 
-  return awsDir;
+  process.env.AWS_SHARED_CREDENTIALS_FILE = credentialsFile;
+  process.env.AWS_CONFIG_FILE = configFile;
+
+  return {
+    tempAwsDir,
+    previousCredentialsFile,
+    previousConfigFile
+  };
 }
 
-export function restoreTestProfile(awsDir: string | undefined): void {
-  if (!awsDir) {
-    debugWarn('No AWS directory provided for profile restoration');
+export interface TestProfileContext {
+  tempAwsDir: string;
+  previousCredentialsFile?: string;
+  previousConfigFile?: string;
+}
+
+export function restoreTestProfile(
+  profileContext: TestProfileContext | undefined
+): void {
+  if (!profileContext) {
+    debugWarn('No test profile context provided for profile restoration');
     return;
   }
 
-  const credentialsFile = path.join(awsDir, 'credentials');
-  const configFile = path.join(awsDir, 'config');
-  const backupCredentials = credentialsFile + '.backup';
-  const backupConfig = configFile + '.backup';
-
   try {
-    if (fs.existsSync(backupCredentials)) {
-      fs.copyFileSync(backupCredentials, credentialsFile);
-      fs.unlinkSync(backupCredentials);
-    } else if (fs.existsSync(credentialsFile)) {
-      fs.unlinkSync(credentialsFile);
+    if (profileContext.previousCredentialsFile) {
+      process.env.AWS_SHARED_CREDENTIALS_FILE =
+        profileContext.previousCredentialsFile;
+    } else {
+      delete process.env.AWS_SHARED_CREDENTIALS_FILE;
     }
 
-    if (fs.existsSync(backupConfig)) {
-      fs.copyFileSync(backupConfig, configFile);
-      fs.unlinkSync(backupConfig);
-    } else if (fs.existsSync(configFile)) {
-      fs.unlinkSync(configFile);
+    if (profileContext.previousConfigFile) {
+      process.env.AWS_CONFIG_FILE = profileContext.previousConfigFile;
+    } else {
+      delete process.env.AWS_CONFIG_FILE;
     }
+
+    fs.rmSync(profileContext.tempAwsDir, { recursive: true, force: true });
   } catch (error) {
     debugWarn('Failed to restore AWS profile:', error);
   }

package/__tests__/index.test.ts

@@ -30,9 +30,11 @@ const mockWriteFileSync = writeFileSync as jest.MockedFunction<
 >;
 const mockExistsSync = existsSync as jest.MockedFunction<typeof existsSync>;
 const mockDebug = Debug as jest.MockedFunction<typeof Debug>;
-const mockSecretsmanager = secretsmanager as jest.MockedFunction<
-  typeof secretsmanager
->;
+interface SecretsmanagerMockFn {
+  (options: Record<string, unknown>): Promise<Record<string, string>>;
+}
+const mockSecretsmanager =
+  secretsmanager as unknown as jest.MockedFunction<SecretsmanagerMockFn>;
 const mockObjectToExport = objectToExport as jest.MockedFunction<
   typeof objectToExport
 >;

package/__tests__/vaults/secretsmanager.test.ts

@@ -247,6 +247,40 @@ describe('secretsmanager', () => {
       expect(result).toEqual({});
     });
 
+    it('should parse dotenv style secret values', async () => {
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString:
+          'GITHUB_PAT=github_pat_123\nexport API_URL=https://example.com'
+      });
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({
+        GITHUB_PAT: 'github_pat_123',
+        API_URL: 'https://example.com'
+      });
+    });
+
+    it('should parse JSON-encoded dotenv style secret values', async () => {
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString:
+          '"GITHUB_PAT=github_pat_123\\nexport API_URL=https://example.com"'
+      });
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({
+        GITHUB_PAT: 'github_pat_123',
+        API_URL: 'https://example.com'
+      });
+    });
+
     it('should handle empty secret values', async () => {
       mockSecretsManagerSend.mockResolvedValueOnce({
         SecretString: ''
@@ -286,6 +320,19 @@ describe('secretsmanager', () => {
       expect(result).toEqual({});
     });
 
+    it('should return empty object for malformed dotenv lines', async () => {
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: 'NOT_VALID_LINE'
+      });
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({});
+    });
+
     it('should handle secrets with special characters', async () => {
       mockSecretsManagerSend.mockResolvedValueOnce({
         SecretString: '{"SPECIAL_KEY": "value with spaces & symbols!@#$%"}'

package/dist/index.js

@@ -43,6 +43,40 @@ const parseSecretJsonObject = (secretName, value) => {
     }
     return parsed;
 };
+const parseEnvToObject = (value) => {
+    try {
+        const parsed = (0, helpers_1.parseEnvSecrets)(value);
+        if (parsed.entries.length === 0) {
+            return undefined;
+        }
+        return Object.fromEntries(parsed.entries.map((entry) => [entry.key, entry.value]));
+    }
+    catch (_a) {
+        return undefined;
+    }
+};
+const toSecretJsonObject = (value) => {
+    try {
+        const parsed = JSON.parse(value);
+        if (parsed && !Array.isArray(parsed) && typeof parsed === 'object') {
+            return parsed;
+        }
+        if (typeof parsed === 'string') {
+            const envPayload = parseEnvToObject(parsed);
+            if (envPayload) {
+                return envPayload;
+            }
+        }
+        return { value: parsed };
+    }
+    catch (_a) {
+        const envPayload = parseEnvToObject(value);
+        if (envPayload) {
+            return envPayload;
+        }
+    }
+    return { value };
+};
 // main program
 program
     .name('env-secrets')
@@ -63,6 +97,7 @@ const awsCommand = program
     }
     const secrets = yield (0, secretsmanager_1.secretsmanager)(options);
     debug(secrets);
+    const envSecrets = Object.fromEntries(Object.entries(secrets).map(([key, value]) => [key, String(value)]));
     if (options.output) {
         // Check if file already exists
         if ((0, node_fs_1.existsSync)(options.output)) {
@@ -71,14 +106,14 @@ const awsCommand = program
             process.exit(1);
         }
         // Write secrets to file with 0400 permissions
-        const envContent = (0, utils_1.objectToExport)(secrets);
+        const envContent = (0, utils_1.objectToExport)(envSecrets);
         (0, node_fs_1.writeFileSync)(options.output, envContent, { mode: 0o400 });
         // eslint-disable-next-line no-console
         console.log(`Secrets written to ${options.output}`);
     }
     else {
         // Original behavior: merge secrets into environment and run program
-        const env = Object.assign({}, process.env, secrets);
+        const env = Object.assign({}, process.env, envSecrets);
         debug(env);
         if (program && program.length > 0) {
             debug(`${program[0]} ${program.slice(1)}`);
@@ -124,9 +159,10 @@ secretCommand
         if (!value) {
             throw new Error('Secret value is required. Provide --value, --value-stdin, or --file.');
         }
+        const payload = toSecretJsonObject(value);
         const result = yield (0, secretsmanager_admin_1.createSecret)({
             name: options.name,
-            value,
+            value: JSON.stringify(payload),
             description: options.description,
             kmsKeyId: options.kmsKeyId,
             tags: options.tag,

package/dist/vaults/secretsmanager.js

@@ -17,7 +17,52 @@ const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
 const client_sts_1 = require("@aws-sdk/client-sts");
 const debug_1 = __importDefault(require("debug"));
 const aws_config_1 = require("./aws-config");
+const helpers_1 = require("../cli/helpers");
 const debug = (0, debug_1.default)('env-secrets:secretsmanager');
+const isSecretValue = (value) => {
+    return (typeof value === 'string' ||
+        typeof value === 'number' ||
+        typeof value === 'boolean');
+};
+const asSecretRecord = (value) => {
+    if (!value || Array.isArray(value) || typeof value !== 'object') {
+        return {};
+    }
+    return Object.entries(value).reduce((result, [key, entryValue]) => {
+        if (isSecretValue(entryValue)) {
+            result[key] = entryValue;
+        }
+        return result;
+    }, {});
+};
+const parseSecretString = (secretvalue) => {
+    const parseAsEnvRecord = (envSource) => {
+        try {
+            const parsedEnv = (0, helpers_1.parseEnvSecrets)(envSource);
+            if (parsedEnv.entries.length === 0) {
+                return {};
+            }
+            return Object.fromEntries(parsedEnv.entries.map((entry) => [entry.key, entry.value]));
+        }
+        catch (_a) {
+            return {};
+        }
+    };
+    try {
+        const parsedJson = JSON.parse(secretvalue);
+        const parsedRecord = asSecretRecord(parsedJson);
+        if (Object.keys(parsedRecord).length > 0) {
+            return parsedRecord;
+        }
+        if (typeof parsedJson === 'string') {
+            return parseAsEnvRecord(parsedJson);
+        }
+        return {};
+    }
+    catch (_a) {
+        return parseAsEnvRecord(secretvalue);
+    }
+};
 const isCredentialsError = (error) => {
     if (!error || typeof error !== 'object') {
         return false;
@@ -68,14 +113,8 @@ const secretsmanager = (options) => __awaiter(void 0, void 0, void 0, function*
             });
             const response = yield client.send(command);
             const secretvalue = response.SecretString;
-            try {
-                if (secretvalue) {
-                    return JSON.parse(secretvalue);
-                }
-            }
-            catch (err) {
-                // eslint-disable-next-line no-console
-                console.error(err);
+            if (secretvalue) {
+                return parseSecretString(secretvalue);
             }
         }
         catch (err) {

package/docs/AWS.md

@@ -200,6 +200,12 @@ source secrets.env
      --output json
    ```
 
+   `create` always writes a JSON object:
+
+   - object JSON input is preserved semantically as an object (formatting and key order may change) (`{"API_KEY":"abc123"}`)
+   - dotenv-style input is converted (`KEY=value` -> `{"KEY":"value"}`)
+   - non-object/scalar input is wrapped (`super-secret-value` -> `{"value":"super-secret-value"}`)
+
 2. **Create from stdin (recommended for sensitive values):**
 
    ```bash
@@ -262,6 +268,7 @@ source secrets.env
 
 - `delete` requires `--yes`.
 - `create`/`update` accept `--value`, `--value-stdin`, or `--file` (use only one).
+- `create` always stores `SecretString` as a JSON object.
 - `append` and `remove` require the secret value to be a JSON object.
 - `upsert/import --file --name` parses `export KEY=value` and `KEY=value`, stores them as one JSON secret object, ignores blank lines/comments, and reports `created`, `updated`, `skipped`, and `failed`.
 - Use `--value-stdin` to avoid shell history leakage for sensitive values.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "env-secrets",
-  "version": "0.5.0",
+  "version": "0.5.2",
   "description": "get secrets from a secrets vault and inject them into the running environment",
   "main": "index.js",
   "author": "Mark C Allen (@markcallen)",
@@ -26,6 +26,7 @@
     "test:unit": "jest __tests__",
     "test:unit:coverage": "jest __tests__ --coverage",
     "test:e2e": "npm run build && jest --config jest.e2e.config.js",
+    "test:e2e:coverage": "npm run build && jest --config jest.e2e.config.js --coverage --coverageDirectory=coverage-e2e",
     "test:e2e:debug": "npm run build && DEBUG=true jest --config jest.e2e.config.js"
   },
   "devDependencies": {
@@ -52,9 +53,9 @@
     "typescript": "^4.9.5"
   },
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.996.0",
-    "@aws-sdk/client-sts": "^3.996.0",
-    "@aws-sdk/credential-providers": "^3.996.0",
+    "@aws-sdk/client-secrets-manager": "^3.1004.0",
+    "@aws-sdk/client-sts": "^3.1004.0",
+    "@aws-sdk/credential-providers": "^3.1004.0",
     "commander": "^9.5.0",
     "debug": "^4.4.3"
   },