firebase-tools 13.6.0 → 13.6.1

package/lib/apphosting/config.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.store = exports.load = exports.yamlPath = void 0;
+const path = require("path");
+const fs_1 = require("fs");
+const yaml = require("js-yaml");
+const fs = require("../fsutils");
+function yamlPath(cwd) {
+    let dir = cwd;
+    while (!fs.fileExistsSync(path.resolve(dir, "apphosting.yaml"))) {
+        if (fs.fileExistsSync(path.resolve(dir, "firebase.json"))) {
+            return null;
+        }
+        const parent = path.dirname(dir);
+        if (parent === dir) {
+            return null;
+        }
+        dir = parent;
+    }
+    return path.resolve(dir, "apphosting.yaml");
+}
+exports.yamlPath = yamlPath;
+function load(yamlPath) {
+    const raw = fs.readFile(yamlPath);
+    return yaml.load(raw, yaml.DEFAULT_FULL_SCHEMA);
+}
+exports.load = load;
+function store(yamlPath, config) {
+    (0, fs_1.writeFileSync)(yamlPath, yaml.dump(config));
+}
+exports.store = store;

package/lib/apphosting/githubConnections.js

@@ -0,0 +1,261 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchAllRepositories = exports.listAppHostingConnections = exports.getOrCreateRepository = exports.getOrCreateConnection = exports.createConnection = exports.ensureSecretManagerAdminGrant = exports.getOrCreateOauthConnection = exports.linkGitHubRepository = exports.generateRepositoryId = exports.extractRepoSlugFromUri = exports.parseConnectionName = void 0;
+const clc = require("colorette");
+const devConnect = require("../gcp/devConnect");
+const rm = require("../gcp/resourceManager");
+const poller = require("../operation-poller");
+const utils = require("../utils");
+const error_1 = require("../error");
+const prompt_1 = require("../prompt");
+const getProjectNumber_1 = require("../getProjectNumber");
+const api_1 = require("../api");
+const fuzzy = require("fuzzy");
+const inquirer = require("inquirer");
+const APPHOSTING_CONN_PATTERN = /.+\/apphosting-github-conn-.+$/;
+const APPHOSTING_OAUTH_CONN_NAME = "apphosting-github-oauth";
+const CONNECTION_NAME_REGEX = /^projects\/(?<projectId>[^\/]+)\/locations\/(?<location>[^\/]+)\/connections\/(?<id>[^\/]+)$/;
+function parseConnectionName(name) {
+    const match = CONNECTION_NAME_REGEX.exec(name);
+    if (!match || typeof match.groups === undefined) {
+        return;
+    }
+    const { projectId, location, id } = match.groups;
+    return {
+        projectId,
+        location,
+        id,
+    };
+}
+exports.parseConnectionName = parseConnectionName;
+const devConnectPollerOptions = {
+    apiOrigin: (0, api_1.developerConnectOrigin)(),
+    apiVersion: "v1",
+    masterTimeout: 25 * 60 * 1000,
+    maxBackoff: 10000,
+};
+function extractRepoSlugFromUri(cloneUri) {
+    const match = /github.com\/(.+).git/.exec(cloneUri);
+    if (!match) {
+        return undefined;
+    }
+    return match[1];
+}
+exports.extractRepoSlugFromUri = extractRepoSlugFromUri;
+function generateRepositoryId(remoteUri) {
+    var _a;
+    return (_a = extractRepoSlugFromUri(remoteUri)) === null || _a === void 0 ? void 0 : _a.replaceAll("/", "-");
+}
+exports.generateRepositoryId = generateRepositoryId;
+function generateConnectionId() {
+    const randomHash = Math.random().toString(36).slice(6);
+    return `apphosting-github-conn-${randomHash}`;
+}
+const ADD_CONN_CHOICE = "@ADD_CONN";
+async function linkGitHubRepository(projectId, location) {
+    var _a, _b;
+    utils.logBullet(clc.bold(`${clc.yellow("===")} Set up a GitHub connection`));
+    const oauthConn = await getOrCreateOauthConnection(projectId, location);
+    const existingConns = await listAppHostingConnections(projectId);
+    if (existingConns.length === 0) {
+        utils.logBullet("no connections exist");
+        existingConns.push(await createFullyInstalledConnection(projectId, location, generateConnectionId(), oauthConn));
+    }
+    let repoCloneUri;
+    let connection;
+    do {
+        if (repoCloneUri === ADD_CONN_CHOICE) {
+            existingConns.push(await createFullyInstalledConnection(projectId, location, generateConnectionId(), oauthConn));
+        }
+        const selection = await promptCloneUri(projectId, existingConns);
+        repoCloneUri = selection.cloneUri;
+        connection = selection.connection;
+    } while (repoCloneUri === ADD_CONN_CHOICE);
+    const { id: connectionId } = parseConnectionName(connection.name);
+    await getOrCreateConnection(projectId, location, connectionId, {
+        authorizerCredential: (_a = connection.githubConfig) === null || _a === void 0 ? void 0 : _a.authorizerCredential,
+        appInstallationId: (_b = connection.githubConfig) === null || _b === void 0 ? void 0 : _b.appInstallationId,
+    });
+    const repo = await getOrCreateRepository(projectId, location, connectionId, repoCloneUri);
+    utils.logSuccess(`Successfully linked GitHub repository at remote URI`);
+    utils.logSuccess(`\t${repo.cloneUri}`);
+    return repo;
+}
+exports.linkGitHubRepository = linkGitHubRepository;
+async function createFullyInstalledConnection(projectId, location, connectionId, oauthConn) {
+    var _a, _b;
+    let conn = await createConnection(projectId, location, connectionId, {
+        appInstallationId: (_a = oauthConn.githubConfig) === null || _a === void 0 ? void 0 : _a.appInstallationId,
+        authorizerCredential: (_b = oauthConn.githubConfig) === null || _b === void 0 ? void 0 : _b.authorizerCredential,
+    });
+    while (conn.installationState.stage !== "COMPLETE") {
+        utils.logBullet("Install the Firebase GitHub app to enable access to GitHub repositories");
+        const targetUri = conn.installationState.actionUri.replace("install_v2", "direct_install_v2");
+        utils.logBullet(targetUri);
+        await utils.openInBrowser(targetUri);
+        await (0, prompt_1.promptOnce)({
+            type: "input",
+            message: "Press Enter once you have installed or configured the Firebase GitHub app to access your GitHub repo.",
+        });
+        conn = await devConnect.getConnection(projectId, location, connectionId);
+    }
+    return conn;
+}
+async function getOrCreateOauthConnection(projectId, location) {
+    let conn;
+    try {
+        conn = await devConnect.getConnection(projectId, location, APPHOSTING_OAUTH_CONN_NAME);
+    }
+    catch (err) {
+        if (err.status === 404) {
+            await ensureSecretManagerAdminGrant(projectId);
+            conn = await createConnection(projectId, location, APPHOSTING_OAUTH_CONN_NAME);
+        }
+        else {
+            throw err;
+        }
+    }
+    while (conn.installationState.stage === "PENDING_USER_OAUTH") {
+        utils.logBullet("You must authorize the Firebase GitHub app.");
+        utils.logBullet("Sign in to GitHub and authorize Firebase GitHub app:");
+        const { url, cleanup } = await utils.openInBrowserPopup(conn.installationState.actionUri, "Authorize the GitHub app");
+        utils.logBullet(`\t${url}`);
+        await (0, prompt_1.promptOnce)({
+            type: "input",
+            message: "Press Enter once you have authorized the app",
+        });
+        cleanup();
+        const { projectId, location, id } = parseConnectionName(conn.name);
+        conn = await devConnect.getConnection(projectId, location, id);
+    }
+    return conn;
+}
+exports.getOrCreateOauthConnection = getOrCreateOauthConnection;
+async function promptCloneUri(projectId, connections) {
+    const { cloneUris, cloneUriToConnection } = await fetchAllRepositories(projectId, connections);
+    const cloneUri = await (0, prompt_1.promptOnce)({
+        type: "autocomplete",
+        name: "cloneUri",
+        message: "Which of the following repositories would you like to deploy?",
+        source: (_, input = "") => {
+            return new Promise((resolve) => resolve([
+                new inquirer.Separator(),
+                {
+                    name: "Missing a repo? Select this option to configure your GitHub connection settings",
+                    value: ADD_CONN_CHOICE,
+                },
+                new inquirer.Separator(),
+                ...fuzzy
+                    .filter(input, cloneUris, {
+                    extract: (uri) => extractRepoSlugFromUri(uri) || "",
+                })
+                    .map((result) => {
+                    return {
+                        name: extractRepoSlugFromUri(result.original) || "",
+                        value: result.original,
+                    };
+                }),
+            ]));
+        },
+    });
+    return { cloneUri, connection: cloneUriToConnection[cloneUri] };
+}
+async function ensureSecretManagerAdminGrant(projectId) {
+    const projectNumber = await (0, getProjectNumber_1.getProjectNumber)({ projectId });
+    const dcsaEmail = devConnect.serviceAgentEmail(projectNumber);
+    const alreadyGranted = await rm.serviceAccountHasRoles(projectId, dcsaEmail, ["roles/secretmanager.admin"], true);
+    if (alreadyGranted) {
+        utils.logBullet("secret manager admin role already granted");
+        return;
+    }
+    utils.logBullet("To create a new GitHub connection, Secret Manager Admin role (roles/secretmanager.admin) is required on the Developer Connect Service Agent.");
+    const grant = await (0, prompt_1.promptOnce)({
+        type: "confirm",
+        message: "Grant the required role to the Developer Connect Service Agent?",
+    });
+    if (!grant) {
+        utils.logBullet("You, or your project administrator, should run the following command to grant the required role:\n\n" +
+            "You, or your project adminstrator, can run the following command to grant the required role manually:\n\n" +
+            `\tgcloud projects add-iam-policy-binding ${projectId} \\\n` +
+            `\t  --member="serviceAccount:${dcsaEmail} \\\n` +
+            `\t  --role="roles/secretmanager.admin\n`);
+        throw new error_1.FirebaseError("Insufficient IAM permissions to create a new connection to GitHub");
+    }
+    try {
+        await rm.addServiceAccountToRoles(projectId, dcsaEmail, ["roles/secretmanager.admin"], true);
+    }
+    catch (e) {
+        if ((e === null || e === void 0 ? void 0 : e.code) === 400 || (e === null || e === void 0 ? void 0 : e.status) === 400) {
+            await devConnect.generateP4SA(projectNumber);
+            await rm.addServiceAccountToRoles(projectId, dcsaEmail, ["roles/secretmanager.admin"], true);
+        }
+        else {
+            throw e;
+        }
+    }
+    utils.logSuccess("Successfully granted the required role to the Developer Connect Service Agent!");
+}
+exports.ensureSecretManagerAdminGrant = ensureSecretManagerAdminGrant;
+async function createConnection(projectId, location, connectionId, githubConfig) {
+    const op = await devConnect.createConnection(projectId, location, connectionId, githubConfig);
+    const conn = await poller.pollOperation(Object.assign(Object.assign({}, devConnectPollerOptions), { pollerName: `create-${location}-${connectionId}`, operationResourceName: op.name }));
+    return conn;
+}
+exports.createConnection = createConnection;
+async function getOrCreateConnection(projectId, location, connectionId, githubConfig) {
+    let conn;
+    try {
+        conn = await devConnect.getConnection(projectId, location, connectionId);
+    }
+    catch (err) {
+        if (err.status === 404) {
+            utils.logBullet("creating connection");
+            conn = await createConnection(projectId, location, connectionId, githubConfig);
+        }
+        else {
+            throw err;
+        }
+    }
+    return conn;
+}
+exports.getOrCreateConnection = getOrCreateConnection;
+async function getOrCreateRepository(projectId, location, connectionId, cloneUri) {
+    const repositoryId = generateRepositoryId(cloneUri);
+    if (!repositoryId) {
+        throw new error_1.FirebaseError(`Failed to generate repositoryId for URI "${cloneUri}".`);
+    }
+    let repo;
+    try {
+        repo = await devConnect.getGitRepositoryLink(projectId, location, connectionId, repositoryId);
+    }
+    catch (err) {
+        if (err.status === 404) {
+            const op = await devConnect.createGitRepositoryLink(projectId, location, connectionId, repositoryId, cloneUri);
+            repo = await poller.pollOperation(Object.assign(Object.assign({}, devConnectPollerOptions), { pollerName: `create-${location}-${connectionId}-${repositoryId}`, operationResourceName: op.name }));
+        }
+        else {
+            throw err;
+        }
+    }
+    return repo;
+}
+exports.getOrCreateRepository = getOrCreateRepository;
+async function listAppHostingConnections(projectId) {
+    const conns = await devConnect.listAllConnections(projectId, "-");
+    return conns.filter((conn) => APPHOSTING_CONN_PATTERN.test(conn.name) &&
+        conn.installationState.stage === "COMPLETE" &&
+        !conn.disabled);
+}
+exports.listAppHostingConnections = listAppHostingConnections;
+async function fetchAllRepositories(projectId, connections) {
+    const cloneUriToConnection = {};
+    for (const conn of connections) {
+        const { location, id } = parseConnectionName(conn.name);
+        const connectionRepos = await devConnect.listAllLinkableGitRepositories(projectId, location, id);
+        connectionRepos.forEach((repo) => {
+            cloneUriToConnection[repo.cloneUri] = conn;
+        });
+    }
+    return { cloneUris: Object.keys(cloneUriToConnection), cloneUriToConnection };
+}
+exports.fetchAllRepositories = fetchAllRepositories;

package/lib/{init/features/apphosting → apphosting}/index.js

@@ -3,18 +3,19 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.orchestrateRollout = exports.setDefaultTrafficPolicy = exports.createBackend = exports.doSetup = void 0;
 const clc = require("colorette");
 const repo = require("./repo");
-const poller = require("../../../operation-poller");
-const apphosting = require("../../../gcp/apphosting");
-const utils_1 = require("../../../utils");
-const api_1 = require("../../../api");
-const apphosting_1 = require("../../../gcp/apphosting");
-const resourceManager_1 = require("../../../gcp/resourceManager");
-const iam_1 = require("../../../gcp/iam");
-const error_1 = require("../../../error");
-const prompt_1 = require("../../../prompt");
+const poller = require("../operation-poller");
+const apphosting = require("../gcp/apphosting");
+const githubConnections = require("./githubConnections");
+const utils_1 = require("../utils");
+const api_1 = require("../api");
+const apphosting_1 = require("../gcp/apphosting");
+const resourceManager_1 = require("../gcp/resourceManager");
+const iam = require("../gcp/iam");
+const error_1 = require("../error");
+const prompt_1 = require("../prompt");
 const constants_1 = require("./constants");
-const ensureApiEnabled_1 = require("../../../ensureApiEnabled");
-const deploymentTool = require("../../../deploymentTool");
+const ensureApiEnabled_1 = require("../ensureApiEnabled");
+const deploymentTool = require("../deploymentTool");
 const DEFAULT_COMPUTE_SERVICE_ACCOUNT_NAME = "firebase-app-hosting-compute";
 const apphostingPollerOptions = {
     apiOrigin: (0, api_1.apphostingOrigin)(),
@@ -22,8 +23,9 @@ const apphostingPollerOptions = {
     masterTimeout: 25 * 60 * 1000,
     maxBackoff: 10000,
 };
-async function doSetup(projectId, location, serviceAccount) {
+async function doSetup(projectId, location, serviceAccount, withDevConnect) {
     await Promise.all([
+        ...(withDevConnect ? [(0, ensureApiEnabled_1.ensure)(projectId, (0, api_1.developerConnectOrigin)(), "apphosting", true)] : []),
         (0, ensureApiEnabled_1.ensure)(projectId, (0, api_1.cloudbuildOrigin)(), "apphosting", true),
         (0, ensureApiEnabled_1.ensure)(projectId, (0, api_1.secretManagerOrigin)(), "apphosting", true),
         (0, ensureApiEnabled_1.ensure)(projectId, (0, api_1.cloudRunApiOrigin)(), "apphosting", true),
@@ -53,8 +55,10 @@ async function doSetup(projectId, location, serviceAccount) {
         default: "my-web-app",
         message: "Create a name for your backend [1-30 characters]",
     });
-    const cloudBuildConnRepo = await repo.linkGitHubRepository(projectId, location);
-    const backend = await createBackend(projectId, location, backendId, cloudBuildConnRepo, serviceAccount);
+    const gitRepositoryConnection = withDevConnect
+        ? await githubConnections.linkGitHubRepository(projectId, location)
+        : await repo.linkGitHubRepository(projectId, location);
+    const backend = await createBackend(projectId, location, backendId, gitRepositoryConnection, serviceAccount);
     const branch = await (0, prompt_1.promptOnce)({
         name: "branch",
         type: "input",
@@ -111,9 +115,9 @@ async function createBackend(projectId, location, backendId, repository, service
             rootDirectory: "/",
         },
         labels: deploymentTool.labels(),
-        computeServiceAccount: serviceAccount || defaultServiceAccount,
+        serviceAccount: serviceAccount || defaultServiceAccount,
     };
-    delete backendReqBody.computeServiceAccount;
+    delete backendReqBody.serviceAccount;
     async function createBackendAndPoll() {
         const op = await apphosting.createBackend(projectId, location, backendReqBody, backendId);
         return await poller.pollOperation(Object.assign(Object.assign({}, apphostingPollerOptions), { pollerName: `create-${projectId}-${location}-${backendId}`, operationResourceName: op.name }));
@@ -137,7 +141,7 @@ async function createBackend(projectId, location, backendId, repository, service
 exports.createBackend = createBackend;
 async function provisionDefaultComputeServiceAccount(projectId) {
     try {
-        await (0, iam_1.createServiceAccount)(projectId, DEFAULT_COMPUTE_SERVICE_ACCOUNT_NAME, "Firebase App Hosting compute service account", "Default service account used to run builds and deploys for Firebase App Hosting");
+        await iam.createServiceAccount(projectId, DEFAULT_COMPUTE_SERVICE_ACCOUNT_NAME, "Firebase App Hosting compute service account", "Default service account used to run builds and deploys for Firebase App Hosting");
     }
     catch (err) {
         if (err.status !== 409) {

package/lib/{init/features/apphosting → apphosting}/repo.js

@@ -2,14 +2,14 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.fetchAllRepositories = exports.listAppHostingConnections = exports.getOrCreateRepository = exports.getOrCreateConnection = exports.createConnection = exports.getOrCreateOauthConnection = exports.linkGitHubRepository = exports.parseConnectionName = void 0;
 const clc = require("colorette");
-const gcb = require("../../../gcp/cloudbuild");
-const rm = require("../../../gcp/resourceManager");
-const poller = require("../../../operation-poller");
-const utils = require("../../../utils");
-const api_1 = require("../../../api");
-const error_1 = require("../../../error");
-const prompt_1 = require("../../../prompt");
-const getProjectNumber_1 = require("../../../getProjectNumber");
+const gcb = require("../gcp/cloudbuild");
+const rm = require("../gcp/resourceManager");
+const poller = require("../operation-poller");
+const utils = require("../utils");
+const api_1 = require("../api");
+const error_1 = require("../error");
+const prompt_1 = require("../prompt");
+const getProjectNumber_1 = require("../getProjectNumber");
 const fuzzy = require("fuzzy");
 const inquirer = require("inquirer");
 const APPHOSTING_CONN_PATTERN = /.+\/apphosting-github-conn-.+$/;
@@ -158,7 +158,7 @@ async function promptRepositoryUri(projectId, connections) {
 }
 async function ensureSecretManagerAdminGrant(projectId) {
     const projectNumber = await (0, getProjectNumber_1.getProjectNumber)({ projectId });
-    const cbsaEmail = gcb.serviceAgentEmail(projectNumber);
+    const cbsaEmail = gcb.getDefaultServiceAgent(projectNumber);
     const alreadyGranted = await rm.serviceAccountHasRoles(projectId, cbsaEmail, ["roles/secretmanager.admin"], true);
     if (alreadyGranted) {
         return;

package/lib/apphosting/secrets/dialogs.js

@@ -0,0 +1,169 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.envVarForSecret = exports.selectBackendServiceAccounts = exports.GRANT_ACCESS_IN_FUTURE = exports.WARN_NO_BACKENDS = exports.selectFromMetadata = exports.tableForBackends = exports.serviceAccountDisplay = exports.toMetadata = void 0;
+const clc = require("colorette");
+const Table = require("cli-table");
+const _1 = require(".");
+const apphosting = require("../../gcp/apphosting");
+const prompt = require("../../prompt");
+const utils = require("../../utils");
+const logger_1 = require("../../logger");
+const env = require("../../functions/env");
+function toMetadata(projectNumber, backends) {
+    const metadata = [];
+    for (const backend of backends) {
+        const [, , , location, , id] = backend.name.split("/");
+        metadata.push(Object.assign({ location, id }, (0, _1.serviceAccountsForBackend)(projectNumber, backend)));
+    }
+    return metadata.sort((left, right) => {
+        const cmplocation = left.location.localeCompare(right.location);
+        if (cmplocation) {
+            return cmplocation;
+        }
+        return left.id.localeCompare(right.id);
+    });
+}
+exports.toMetadata = toMetadata;
+function serviceAccountDisplay(metadata) {
+    if (sameServiceAccount(metadata)) {
+        return metadata.runServiceAccount;
+    }
+    return `${metadata.buildServiceAccount}, ${metadata.runServiceAccount}`;
+}
+exports.serviceAccountDisplay = serviceAccountDisplay;
+function sameServiceAccount(metadata) {
+    return metadata.buildServiceAccount === metadata.runServiceAccount;
+}
+const matchesServiceAccounts = (target) => (test) => {
+    return (target.buildServiceAccount === test.buildServiceAccount &&
+        target.runServiceAccount === test.runServiceAccount);
+};
+function tableForBackends(metadata) {
+    const headers = [
+        "location",
+        "backend",
+        metadata.every(sameServiceAccount) ? "service account" : "service accounts",
+    ];
+    const rows = metadata.map((m) => [m.location, m.id, serviceAccountDisplay(m)]);
+    return [headers, rows];
+}
+exports.tableForBackends = tableForBackends;
+function selectFromMetadata(input, selected) {
+    const buildAccounts = new Set();
+    const runAccounts = new Set();
+    for (const sa of selected) {
+        if (input.find((m) => m.buildServiceAccount === sa)) {
+            buildAccounts.add(sa);
+        }
+        else {
+            runAccounts.add(sa);
+        }
+    }
+    return {
+        buildServiceAccounts: [...buildAccounts],
+        runServiceAccounts: [...runAccounts],
+    };
+}
+exports.selectFromMetadata = selectFromMetadata;
+exports.WARN_NO_BACKENDS = "To use this secret, your backend's service account must have secret accessor permission. " +
+    "It does not look like you have a backend yet. After creating a backend, grant access with " +
+    clc.bold("firebase apphosting:secrets:grantAccess");
+exports.GRANT_ACCESS_IN_FUTURE = `To grant access in the future, run ${clc.bold("firebase apphosting:secrets:grantaccess")}`;
+async function selectBackendServiceAccounts(projectNumber, projectId, options) {
+    const listBackends = await apphosting.listBackends(projectId, "-");
+    if (listBackends.unreachable.length) {
+        utils.logLabeledWarning("apphosting", `Could not reach location(s) ${listBackends.unreachable.join(", ")}. You may need to run ` +
+            `${clc.bold("firebase apphosting:secrets:grantAccess")} at a later time if you have backends in these locations`);
+    }
+    if (!listBackends.backends.length) {
+        utils.logLabeledWarning("apphosting", exports.WARN_NO_BACKENDS);
+        return { buildServiceAccounts: [], runServiceAccounts: [] };
+    }
+    if (listBackends.backends.length === 1) {
+        const grant = await prompt.confirm({
+            nonInteractive: options.nonInteractive,
+            default: true,
+            message: "To use this secret, your backend's service account must have secret accessor permission. Would you like to grant it now?",
+        });
+        if (grant) {
+            return (0, _1.toMulti)((0, _1.serviceAccountsForBackend)(projectNumber, listBackends.backends[0]));
+        }
+        utils.logLabeledBullet("apphosting", exports.GRANT_ACCESS_IN_FUTURE);
+        return { buildServiceAccounts: [], runServiceAccounts: [] };
+    }
+    const metadata = toMetadata(projectNumber, listBackends.backends);
+    if (metadata.every(matchesServiceAccounts(metadata[0]))) {
+        utils.logLabeledBullet("apphosting", "To use this secret, your backend's service account must have secret accessor permission. All of your backends use " +
+            (sameServiceAccount(metadata[0]) ? "service account " : "service accounts ") +
+            serviceAccountDisplay(metadata[0]) +
+            ". Granting access to one backend will grant access to all backends.");
+        const grant = await prompt.confirm({
+            nonInteractive: options.nonInteractive,
+            default: true,
+            message: "Would you like to grant it now?",
+        });
+        if (grant) {
+            return selectFromMetadata(metadata, [
+                metadata[0].buildServiceAccount,
+                metadata[0].runServiceAccount,
+            ]);
+        }
+        utils.logLabeledBullet("apphosting", exports.GRANT_ACCESS_IN_FUTURE);
+        return { buildServiceAccounts: [], runServiceAccounts: [] };
+    }
+    utils.logLabeledBullet("apphosting", "To use this secret, your backend's service account must have secret accessor permission. Your backends use the following service accounts:");
+    const tableData = tableForBackends(metadata);
+    const table = new Table({
+        head: tableData[0],
+        style: { head: ["green"] },
+        rows: tableData[1],
+    });
+    logger_1.logger.info(table.toString());
+    const allAccounts = metadata.reduce((accum, row) => {
+        accum.add(row.buildServiceAccount);
+        accum.add(row.runServiceAccount);
+        return accum;
+    }, new Set());
+    const chosen = await prompt.promptOnce({
+        type: "checkbox",
+        message: "Which service accounts would you like to grant access? " +
+            "Press Space to select accounts, then Enter to confirm your choices.",
+        choices: [...allAccounts.values()].sort(),
+    });
+    if (!chosen.length) {
+        utils.logLabeledBullet("apphosting", exports.GRANT_ACCESS_IN_FUTURE);
+    }
+    return selectFromMetadata(metadata, chosen);
+}
+exports.selectBackendServiceAccounts = selectBackendServiceAccounts;
+function toUpperSnakeCase(key) {
+    return key
+        .replace(/[.-]/g, "_")
+        .replace(/([a-z])([A-Z])/g, "$1_$2")
+        .toUpperCase();
+}
+async function envVarForSecret(secret) {
+    const upper = toUpperSnakeCase(secret);
+    if (upper === secret) {
+        try {
+            env.validateKey(secret);
+            return secret;
+        }
+        catch (_a) {
+        }
+    }
+    do {
+        const test = await prompt.promptOnce({
+            message: "What environment variable name would you like to use?",
+            default: upper,
+        });
+        try {
+            env.validateKey(test);
+            return test;
+        }
+        catch (err) {
+            utils.logLabeledError("apphosting", err.message);
+        }
+    } while (true);
+}
+exports.envVarForSecret = envVarForSecret;

package/lib/apphosting/secrets/index.js

@@ -0,0 +1,98 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.upsertSecret = exports.grantSecretAccess = exports.serviceAccountsForBackend = exports.toMulti = void 0;
+const error_1 = require("../../error");
+const gcsm = require("../../gcp/secretManager");
+const gcb = require("../../gcp/cloudbuild");
+const gce = require("../../gcp/computeEngine");
+const secretManager_1 = require("../../gcp/secretManager");
+const secretManager_2 = require("../../gcp/secretManager");
+const utils = require("../../utils");
+const prompt = require("../../prompt");
+function toMulti(accounts) {
+    const m = {
+        buildServiceAccounts: [accounts.buildServiceAccount],
+        runServiceAccounts: [],
+    };
+    if (accounts.buildServiceAccount !== accounts.runServiceAccount) {
+        m.runServiceAccounts.push(accounts.runServiceAccount);
+    }
+    return m;
+}
+exports.toMulti = toMulti;
+function serviceAccountsForBackend(projectNumber, backend) {
+    if (backend.serviceAccount) {
+        return {
+            buildServiceAccount: backend.serviceAccount,
+            runServiceAccount: backend.serviceAccount,
+        };
+    }
+    return {
+        buildServiceAccount: gcb.getDefaultServiceAccount(projectNumber),
+        runServiceAccount: gce.getDefaultServiceAccount(projectNumber),
+    };
+}
+exports.serviceAccountsForBackend = serviceAccountsForBackend;
+async function grantSecretAccess(projectId, secretName, accounts) {
+    const newBindings = [
+        {
+            role: "roles/secretmanager.secretAccessor",
+            members: [...accounts.buildServiceAccounts, ...accounts.runServiceAccounts].map((sa) => `serviceAccount:${sa}`),
+        },
+        {
+            role: "roles/secretmanager.viewer",
+            members: accounts.buildServiceAccounts.map((sa) => `serviceAccount:${sa}`),
+        },
+    ];
+    let existingBindings;
+    try {
+        existingBindings = (await gcsm.getIamPolicy({ projectId, name: secretName })).bindings || [];
+    }
+    catch (err) {
+        throw new error_1.FirebaseError(`Failed to get IAM bindings on secret: ${secretName}. Ensure you have the permissions to do so and try again.`, { original: err });
+    }
+    try {
+        const updatedBindings = existingBindings.concat(newBindings);
+        await gcsm.setIamPolicy({ projectId, name: secretName }, updatedBindings);
+    }
+    catch (err) {
+        throw new error_1.FirebaseError(`Failed to set IAM bindings ${JSON.stringify(newBindings)} on secret: ${secretName}. Ensure you have the permissions to do so and try again.`, { original: err });
+    }
+    utils.logSuccess(`Successfully set IAM bindings on secret ${secretName}.\n`);
+}
+exports.grantSecretAccess = grantSecretAccess;
+async function upsertSecret(project, secret, location) {
+    var _a, _b, _c, _d;
+    let existing;
+    try {
+        existing = await gcsm.getSecret(project, secret);
+    }
+    catch (err) {
+        if (err.status !== 404) {
+            throw new error_1.FirebaseError("Unexpected error loading secret", { original: err });
+        }
+        await gcsm.createSecret(project, secret, gcsm.labels("apphosting"), location);
+        return true;
+    }
+    const replication = (_a = existing.replication) === null || _a === void 0 ? void 0 : _a.userManaged;
+    if (location &&
+        (((_b = replication === null || replication === void 0 ? void 0 : replication.replicas) === null || _b === void 0 ? void 0 : _b.length) !== 1 || ((_d = (_c = replication === null || replication === void 0 ? void 0 : replication.replicas) === null || _c === void 0 ? void 0 : _c[0]) === null || _d === void 0 ? void 0 : _d.location) !== location)) {
+        utils.logLabeledError("apphosting", "Secret replication policies cannot be changed after creation");
+        return null;
+    }
+    if ((0, secretManager_2.isFunctionsManaged)(existing)) {
+        utils.logLabeledWarning("apphosting", `Cloud Functions for Firebase currently manages versions of ${secret}. Continuing will disable ` +
+            "automatic deletion of old versions.");
+        const stopTracking = await prompt.confirm({
+            message: "Do you wish to continue?",
+            default: false,
+        });
+        if (!stopTracking) {
+            return null;
+        }
+        delete existing.labels[secretManager_1.FIREBASE_MANAGED];
+        await gcsm.patchSecret(project, secret, existing.labels);
+    }
+    return false;
+}
+exports.upsertSecret = upsertSecret;