firebase-tools 13.6.0 → 13.7.0

package/lib/apphosting/secrets/index.js

@@ -0,0 +1,98 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.upsertSecret = exports.grantSecretAccess = exports.serviceAccountsForBackend = exports.toMulti = void 0;
+const error_1 = require("../../error");
+const gcsm = require("../../gcp/secretManager");
+const gcb = require("../../gcp/cloudbuild");
+const gce = require("../../gcp/computeEngine");
+const secretManager_1 = require("../../gcp/secretManager");
+const secretManager_2 = require("../../gcp/secretManager");
+const utils = require("../../utils");
+const prompt = require("../../prompt");
+function toMulti(accounts) {
+    const m = {
+        buildServiceAccounts: [accounts.buildServiceAccount],
+        runServiceAccounts: [],
+    };
+    if (accounts.buildServiceAccount !== accounts.runServiceAccount) {
+        m.runServiceAccounts.push(accounts.runServiceAccount);
+    }
+    return m;
+}
+exports.toMulti = toMulti;
+function serviceAccountsForBackend(projectNumber, backend) {
+    if (backend.serviceAccount) {
+        return {
+            buildServiceAccount: backend.serviceAccount,
+            runServiceAccount: backend.serviceAccount,
+        };
+    }
+    return {
+        buildServiceAccount: gcb.getDefaultServiceAccount(projectNumber),
+        runServiceAccount: gce.getDefaultServiceAccount(projectNumber),
+    };
+}
+exports.serviceAccountsForBackend = serviceAccountsForBackend;
+async function grantSecretAccess(projectId, secretName, accounts) {
+    const newBindings = [
+        {
+            role: "roles/secretmanager.secretAccessor",
+            members: [...accounts.buildServiceAccounts, ...accounts.runServiceAccounts].map((sa) => `serviceAccount:${sa}`),
+        },
+        {
+            role: "roles/secretmanager.viewer",
+            members: accounts.buildServiceAccounts.map((sa) => `serviceAccount:${sa}`),
+        },
+    ];
+    let existingBindings;
+    try {
+        existingBindings = (await gcsm.getIamPolicy({ projectId, name: secretName })).bindings || [];
+    }
+    catch (err) {
+        throw new error_1.FirebaseError(`Failed to get IAM bindings on secret: ${secretName}. Ensure you have the permissions to do so and try again.`, { original: err });
+    }
+    try {
+        const updatedBindings = existingBindings.concat(newBindings);
+        await gcsm.setIamPolicy({ projectId, name: secretName }, updatedBindings);
+    }
+    catch (err) {
+        throw new error_1.FirebaseError(`Failed to set IAM bindings ${JSON.stringify(newBindings)} on secret: ${secretName}. Ensure you have the permissions to do so and try again.`, { original: err });
+    }
+    utils.logSuccess(`Successfully set IAM bindings on secret ${secretName}.\n`);
+}
+exports.grantSecretAccess = grantSecretAccess;
+async function upsertSecret(project, secret, location) {
+    var _a, _b, _c, _d;
+    let existing;
+    try {
+        existing = await gcsm.getSecret(project, secret);
+    }
+    catch (err) {
+        if (err.status !== 404) {
+            throw new error_1.FirebaseError("Unexpected error loading secret", { original: err });
+        }
+        await gcsm.createSecret(project, secret, gcsm.labels("apphosting"), location);
+        return true;
+    }
+    const replication = (_a = existing.replication) === null || _a === void 0 ? void 0 : _a.userManaged;
+    if (location &&
+        (((_b = replication === null || replication === void 0 ? void 0 : replication.replicas) === null || _b === void 0 ? void 0 : _b.length) !== 1 || ((_d = (_c = replication === null || replication === void 0 ? void 0 : replication.replicas) === null || _c === void 0 ? void 0 : _c[0]) === null || _d === void 0 ? void 0 : _d.location) !== location)) {
+        utils.logLabeledError("apphosting", "Secret replication policies cannot be changed after creation");
+        return null;
+    }
+    if ((0, secretManager_2.isFunctionsManaged)(existing)) {
+        utils.logLabeledWarning("apphosting", `Cloud Functions for Firebase currently manages versions of ${secret}. Continuing will disable ` +
+            "automatic deletion of old versions.");
+        const stopTracking = await prompt.confirm({
+            message: "Do you wish to continue?",
+            default: false,
+        });
+        if (!stopTracking) {
+            return null;
+        }
+        delete existing.labels[secretManager_1.FIREBASE_MANAGED];
+        await gcsm.patchSecret(project, secret, existing.labels);
+    }
+    return false;
+}
+exports.upsertSecret = upsertSecret;

package/lib/commands/apphosting-backends-create.js

@@ -4,17 +4,19 @@ exports.command = void 0;
 const command_1 = require("../command");
 const projectUtils_1 = require("../projectUtils");
 const requireInteractive_1 = require("../requireInteractive");
-const apphosting_1 = require("../init/features/apphosting");
+const apphosting_1 = require("../apphosting");
 const apphosting_2 = require("../gcp/apphosting");
 exports.command = new command_1.Command("apphosting:backends:create")
     .description("create a backend in a Firebase project")
     .option("-l, --location <location>", "specify the region of the backend", "")
     .option("-s, --service-account <serviceAccount>", "specify the service account used to run the server", "")
+    .option("-w, --with-dev-connect", "use the Developer Connect flow insetad of Cloud Build Repositories (testing)", false)
     .before(apphosting_2.ensureApiEnabled)
     .before(requireInteractive_1.default)
     .action(async (options) => {
     const projectId = (0, projectUtils_1.needProjectId)(options);
     const location = options.location;
     const serviceAccount = options.serviceAccount;
-    await (0, apphosting_1.doSetup)(projectId, location, serviceAccount);
+    const withDevConnect = options.withDevConnect;
+    await (0, apphosting_1.doSetup)(projectId, location, serviceAccount, withDevConnect);
 });

package/lib/commands/apphosting-backends-delete.js

@@ -5,7 +5,7 @@ const command_1 = require("../command");
 const projectUtils_1 = require("../projectUtils");
 const error_1 = require("../error");
 const prompt_1 = require("../prompt");
-const constants_1 = require("../init/features/apphosting/constants");
+const constants_1 = require("../apphosting/constants");
 const utils = require("../utils");
 const apphosting = require("../gcp/apphosting");
 const apphosting_backends_list_1 = require("./apphosting-backends-list");

package/lib/commands/apphosting-secrets-access.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.command = void 0;
+const command_1 = require("../command");
+const logger_1 = require("../logger");
+const projectUtils_1 = require("../projectUtils");
+const secretManager_1 = require("../gcp/secretManager");
+const requireAuth_1 = require("../requireAuth");
+const secretManager = require("../gcp/secretManager");
+const requirePermissions_1 = require("../requirePermissions");
+exports.command = new command_1.Command("apphosting:secrets:access <secretName>[@version]")
+    .description("Access secret value given secret and its version. Defaults to accessing the latest version.")
+    .before(requireAuth_1.requireAuth)
+    .before(secretManager.ensureApi)
+    .before(requirePermissions_1.requirePermissions, ["secretmanager.versions.access"])
+    .action(async (key, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    let [name, version] = key.split("@");
+    if (!version) {
+        version = "latest";
+    }
+    const value = await (0, secretManager_1.accessSecretVersion)(projectId, name, version);
+    logger_1.logger.info(value);
+});

package/lib/commands/apphosting-secrets-describe.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.command = void 0;
+const command_1 = require("../command");
+const projectUtils_1 = require("../projectUtils");
+const logger_1 = require("../logger");
+const requireAuth_1 = require("../requireAuth");
+const secretManager_1 = require("../gcp/secretManager");
+const secretManager = require("../gcp/secretManager");
+const requirePermissions_1 = require("../requirePermissions");
+const Table = require("cli-table");
+exports.command = new command_1.Command("apphosting:secrets:describe <secretName>")
+    .description("Get metadata for secret and its versions.")
+    .before(requireAuth_1.requireAuth)
+    .before(secretManager.ensureApi)
+    .before(requirePermissions_1.requirePermissions, ["secretmanager.secrets.get"])
+    .action(async (secretName, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const versions = await (0, secretManager_1.listSecretVersions)(projectId, secretName);
+    const table = new Table({
+        head: ["Name", "Version", "Status", "Create Time"],
+        style: { head: ["yellow"] },
+    });
+    for (const version of versions) {
+        table.push([secretName, version.versionId, version.state, version.createTime]);
+    }
+    logger_1.logger.info(table.toString());
+    return { secrets: versions };
+});

package/lib/commands/apphosting-secrets-grantaccess.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.command = void 0;
+const command_1 = require("../command");
+const projectUtils_1 = require("../projectUtils");
+const error_1 = require("../error");
+const requireAuth_1 = require("../requireAuth");
+const secretManager = require("../gcp/secretManager");
+const requirePermissions_1 = require("../requirePermissions");
+const apphosting = require("../gcp/apphosting");
+const secrets = require("../apphosting/secrets");
+exports.command = new command_1.Command("apphosting:secrets:grantaccess <secretName>")
+    .description("grant service accounts permissions to the provided secret")
+    .option("-l, --location <location>", "app backend location")
+    .option("-b, --backend <backend>", "app backend name")
+    .before(requireAuth_1.requireAuth)
+    .before(secretManager.ensureApi)
+    .before(apphosting.ensureApiEnabled)
+    .before(requirePermissions_1.requirePermissions, [
+    "secretmanager.secrets.create",
+    "secretmanager.secrets.get",
+    "secretmanager.secrets.update",
+    "secretmanager.versions.add",
+    "secretmanager.secrets.getIamPolicy",
+    "secretmanager.secrets.setIamPolicy",
+])
+    .action(async (secretName, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
+    if (!options.location) {
+        throw new error_1.FirebaseError("Missing required flag --location. See firebase apphosting:secrets:grantaccess --help for more info");
+    }
+    const location = options.location;
+    if (!options.backend) {
+        throw new error_1.FirebaseError("Missing required flag --backend. See firebase apphosting:secrets:grantaccess --help for more info");
+    }
+    const exists = await secretManager.secretExists(projectId, secretName);
+    if (!exists) {
+        throw new error_1.FirebaseError(`Cannot find secret ${secretName}`);
+    }
+    const backendId = options.backend;
+    const backend = await apphosting.getBackend(projectId, location, backendId);
+    const accounts = secrets.toMulti(secrets.serviceAccountsForBackend(projectNumber, backend));
+    await secrets.grantSecretAccess(projectId, secretName, accounts);
+});

package/lib/commands/apphosting-secrets-set.js

@@ -0,0 +1,105 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.command = void 0;
+const tty = require("tty");
+const clc = require("colorette");
+const path_1 = require("path");
+const command_1 = require("../command");
+const projectUtils_1 = require("../projectUtils");
+const requireAuth_1 = require("../requireAuth");
+const fs = require("fs");
+const gcsm = require("../gcp/secretManager");
+const apphosting = require("../gcp/apphosting");
+const requirePermissions_1 = require("../requirePermissions");
+const prompt_1 = require("../prompt");
+const secrets = require("../apphosting/secrets");
+const dialogs = require("../apphosting/secrets/dialogs");
+const config = require("../apphosting/config");
+const utils_1 = require("../utils");
+exports.command = new command_1.Command("apphosting:secrets:set <secretName>")
+    .description("grant service accounts permissions to the provided secret")
+    .option("-l, --location <location>", "optional location to retrict secret replication")
+    .withForce("Automatically create a secret, grant permissions, and add to YAML.")
+    .before(requireAuth_1.requireAuth)
+    .before(gcsm.ensureApi)
+    .before(apphosting.ensureApiEnabled)
+    .before(requirePermissions_1.requirePermissions, [
+    "secretmanager.secrets.create",
+    "secretmanager.secrets.get",
+    "secretmanager.secrets.update",
+    "secretmanager.versions.add",
+    "secretmanager.secrets.getIamPolicy",
+    "secretmanager.secrets.setIamPolicy",
+])
+    .option("--data-file <dataFile>", 'File path from which to read secret data. Set to "-" to read the secret data from stdin.')
+    .action(async (secretName, options) => {
+    var _a;
+    const howToAccess = `You can access the contents of the secret's latest value with ${clc.bold(`firebase apphosting:secrets:access ${secretName}`)}`;
+    const grantAccess = `To use this secret in your backend, you must grant access. You can do so in the future with ${clc.bold("firebase apphosting:secrets:grantAccess")}`;
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
+    const created = await secrets.upsertSecret(projectId, secretName, options.location);
+    if (created === null) {
+        return;
+    }
+    let secretValue;
+    if ((!options.dataFile || options.dataFile === "-") && tty.isatty(0)) {
+        secretValue = await (0, prompt_1.promptOnce)({
+            type: "password",
+            message: `Enter a value for ${secretName}`,
+        });
+    }
+    else {
+        let dataFile = 0;
+        if (options.dataFile && options.dataFile !== "-") {
+            dataFile = options.dataFile;
+        }
+        secretValue = fs.readFileSync(dataFile, "utf-8");
+    }
+    if (created) {
+        (0, utils_1.logSuccess)(`Created new secret projects/${projectId}/secrets/${secretName}`);
+    }
+    const version = await gcsm.addVersion(projectId, secretName, secretValue);
+    (0, utils_1.logSuccess)(`Created new secret version ${gcsm.toSecretVersionResourceName(version)}`);
+    (0, utils_1.logSuccess)(howToAccess);
+    if (!created) {
+        (0, utils_1.logWarning)(grantAccess);
+        return;
+    }
+    const accounts = await dialogs.selectBackendServiceAccounts(projectNumber, projectId, options);
+    if (!accounts.buildServiceAccounts.length && !accounts.runServiceAccounts.length) {
+        (0, utils_1.logWarning)(grantAccess);
+    }
+    else {
+        await secrets.grantSecretAccess(projectId, secretName, accounts);
+    }
+    let path = config.yamlPath(process.cwd());
+    let yaml = {};
+    if (path) {
+        yaml = config.load(path);
+        if ((_a = yaml.env) === null || _a === void 0 ? void 0 : _a.find((env) => env.variable === secretName)) {
+            return;
+        }
+    }
+    const addToYaml = await (0, prompt_1.confirm)({
+        message: "Would you like to add this secret to apphosting.yaml?",
+        default: true,
+    });
+    if (!addToYaml) {
+        return;
+    }
+    if (!path) {
+        path = await (0, prompt_1.promptOnce)({
+            message: "It looks like you don't have an apphosting.yaml yet. Where would you like to store it?",
+            default: process.cwd(),
+        });
+        path = (0, path_1.join)(path, "apphosting.yaml");
+    }
+    const envName = await dialogs.envVarForSecret(secretName);
+    yaml.env = yaml.env || [];
+    yaml.env.push({
+        variable: envName,
+        secret: secretName,
+    });
+    config.store(path, yaml);
+});

package/lib/commands/functions-secrets-access.js

@@ -6,11 +6,11 @@ const logger_1 = require("../logger");
 const projectUtils_1 = require("../projectUtils");
 const secretManager_1 = require("../gcp/secretManager");
 const requireAuth_1 = require("../requireAuth");
-const secrets = require("../functions/secrets");
+const secretManager = require("../gcp/secretManager");
 exports.command = new command_1.Command("functions:secrets:access <KEY>[@version]")
     .description("Access secret value given secret and its version. Defaults to accessing the latest version.")
     .before(requireAuth_1.requireAuth)
-    .before(secrets.ensureApi)
+    .before(secretManager.ensureApi)
     .action(async (key, options) => {
     const projectId = (0, projectUtils_1.needProjectId)(options);
     let [name, version] = key.split("@");

package/lib/commands/functions-secrets-describe.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.command = void 0;
+const requireAuth_1 = require("../requireAuth");
+const command_1 = require("../command");
+const requirePermissions_1 = require("../requirePermissions");
+const secretManager = require("../gcp/secretManager");
+const secrets = require("../functions/secrets");
+exports.command = new command_1.Command("functions:secrets:describe <KEY>")
+    .description("Get metadata for secret and its versions. Alias for functions:secrets:get to align with gcloud")
+    .before(requireAuth_1.requireAuth)
+    .before(secretManager.ensureApi)
+    .before(requirePermissions_1.requirePermissions, ["secretmanager.secrets.get"])
+    .action(secrets.describeSecret);

package/lib/commands/functions-secrets-destroy.js

@@ -13,7 +13,7 @@ exports.command = new command_1.Command("functions:secrets:destroy <KEY>[@versio
     .description("Destroy a secret. Defaults to destroying the latest version.")
     .withForce("Destroys a secret without confirmation.")
     .before(requireAuth_1.requireAuth)
-    .before(secrets.ensureApi)
+    .before(secretManager_1.ensureApi)
     .action(async (key, options) => {
     const projectId = (0, projectUtils_1.needProjectId)(options);
     const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
@@ -54,7 +54,7 @@ exports.command = new command_1.Command("functions:secrets:destroy <KEY>[@versio
     await (0, secretManager_1.destroySecretVersion)(projectId, name, version);
     (0, utils_1.logBullet)(`Destroyed secret version ${name}@${sv.versionId}`);
     const secret = await (0, secretManager_1.getSecret)(projectId, name);
-    if (secrets.isFirebaseManaged(secret)) {
+    if ((0, secretManager_1.isFunctionsManaged)(secret)) {
         const versions = await (0, secretManager_1.listSecretVersions)(projectId, name);
         if (versions.filter((v) => v.state === "ENABLED").length === 0) {
             (0, utils_1.logBullet)(`No active secret versions left. Destroying secret ${name}`);

package/lib/commands/functions-secrets-get.js

@@ -1,28 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.command = void 0;
-const Table = require("cli-table");
 const requireAuth_1 = require("../requireAuth");
 const command_1 = require("../command");
-const logger_1 = require("../logger");
-const projectUtils_1 = require("../projectUtils");
-const secretManager_1 = require("../gcp/secretManager");
 const requirePermissions_1 = require("../requirePermissions");
+const secretManager = require("../gcp/secretManager");
 const secrets = require("../functions/secrets");
 exports.command = new command_1.Command("functions:secrets:get <KEY>")
     .description("Get metadata for secret and its versions")
     .before(requireAuth_1.requireAuth)
-    .before(secrets.ensureApi)
+    .before(secretManager.ensureApi)
     .before(requirePermissions_1.requirePermissions, ["secretmanager.secrets.get"])
-    .action(async (key, options) => {
-    const projectId = (0, projectUtils_1.needProjectId)(options);
-    const versions = await (0, secretManager_1.listSecretVersions)(projectId, key);
-    const table = new Table({
-        head: ["Version", "State"],
-        style: { head: ["yellow"] },
-    });
-    for (const version of versions) {
-        table.push([version.versionId, version.state]);
-    }
-    logger_1.logger.info(table.toString());
-});
+    .action(secrets.describeSecret);

package/lib/commands/functions-secrets-prune.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.command = void 0;
 const backend = require("../deploy/functions/backend");
 const secrets = require("../functions/secrets");
+const secretManager = require("../gcp/secretManager");
 const command_1 = require("../command");
 const projectUtils_1 = require("../projectUtils");
 const requirePermissions_1 = require("../requirePermissions");
@@ -15,7 +16,7 @@ exports.command = new command_1.Command("functions:secrets:prune")
     .withForce("Destroys unused secrets without prompt")
     .description("Destroys unused secrets")
     .before(requireAuth_1.requireAuth)
-    .before(secrets.ensureApi)
+    .before(secretManager.ensureApi)
     .before(requirePermissions_1.requirePermissions, [
     "cloudfunctions.functions.list",
     "secretmanager.secrets.list",

package/lib/commands/functions-secrets-set.js

@@ -20,7 +20,7 @@ exports.command = new command_1.Command("functions:secrets:set <KEY>")
     .description("Create or update a secret for use in Cloud Functions for Firebase.")
     .withForce("Automatically updates functions to use the new secret.")
     .before(requireAuth_1.requireAuth)
-    .before(secrets.ensureApi)
+    .before(secretManager_1.ensureApi)
     .before(requirePermissions_1.requirePermissions, [
     "secretmanager.secrets.create",
     "secretmanager.secrets.get",
@@ -50,7 +50,7 @@ exports.command = new command_1.Command("functions:secrets:set <KEY>")
     }
     const secretVersion = await (0, secretManager_1.addVersion)(projectId, key, secretValue);
     (0, utils_1.logSuccess)(`Created a new secret version ${(0, secretManager_1.toSecretVersionResourceName)(secretVersion)}`);
-    if (!secrets.isFirebaseManaged(secret)) {
+    if (!(0, secretManager_1.isFunctionsManaged)(secret)) {
         (0, utils_1.logBullet)("Please deploy your functions for the change to take effect by running:\n\t" +
             clc.bold("firebase deploy --only functions"));
         return;

package/lib/commands/index.js

@@ -129,6 +129,7 @@ function load(client) {
     client.functions.secrets.access = loadCommand("functions-secrets-access");
     client.functions.secrets.destroy = loadCommand("functions-secrets-destroy");
     client.functions.secrets.get = loadCommand("functions-secrets-get");
+    client.functions.secrets.describe = loadCommand("functions-secrets-describe");
     client.functions.secrets.prune = loadCommand("functions-secrets-prune");
     client.functions.secrets.set = loadCommand("functions-secrets-set");
     client.help = loadCommand("help");
@@ -164,6 +165,11 @@ function load(client) {
         client.apphosting.builds = {};
         client.apphosting.builds.get = loadCommand("apphosting-builds-get");
         client.apphosting.builds.create = loadCommand("apphosting-builds-create");
+        client.apphosting.secrets = {};
+        client.apphosting.secrets.set = loadCommand("apphosting-secrets-set");
+        client.apphosting.secrets.grantaccess = loadCommand("apphosting-secrets-grantaccess");
+        client.apphosting.secrets.describe = loadCommand("apphosting-secrets-describe");
+        client.apphosting.secrets.access = loadCommand("apphosting-secrets-access");
         client.apphosting.rollouts = {};
         client.apphosting.rollouts.create = loadCommand("apphosting-rollouts-create");
         client.apphosting.rollouts.list = loadCommand("apphosting-rollouts-list");

package/lib/deploy/functions/checkIam.js

@@ -1,12 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ensureServiceAgentRoles = exports.mergeBindings = exports.obtainDefaultComputeServiceAgentBindings = exports.obtainPubSubServiceAgentBindings = exports.getDefaultComputeServiceAgent = exports.checkHttpIam = exports.checkServiceAccountIam = exports.EVENTARC_EVENT_RECEIVER_ROLE = exports.RUN_INVOKER_ROLE = exports.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE = void 0;
+exports.ensureServiceAgentRoles = exports.mergeBindings = exports.obtainDefaultComputeServiceAgentBindings = exports.obtainPubSubServiceAgentBindings = exports.checkHttpIam = exports.checkServiceAccountIam = exports.EVENTARC_EVENT_RECEIVER_ROLE = exports.RUN_INVOKER_ROLE = exports.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE = void 0;
 const colorette_1 = require("colorette");
 const logger_1 = require("../../logger");
 const functionsDeployHelper_1 = require("./functionsDeployHelper");
 const error_1 = require("../../error");
 const functional_1 = require("../../functional");
 const iam = require("../../gcp/iam");
+const gce = require("../../gcp/computeEngine");
 const backend = require("./backend");
 const track_1 = require("../../track");
 const utils = require("../../utils");
@@ -73,10 +74,6 @@ exports.checkHttpIam = checkHttpIam;
 function getPubsubServiceAgent(projectNumber) {
     return `service-${projectNumber}@gcp-sa-pubsub.iam.gserviceaccount.com`;
 }
-function getDefaultComputeServiceAgent(projectNumber) {
-    return `${projectNumber}-compute@developer.gserviceaccount.com`;
-}
-exports.getDefaultComputeServiceAgent = getDefaultComputeServiceAgent;
 function reduceEventsToServices(services, endpoint) {
     const service = (0, services_1.serviceForEndpoint)(endpoint);
     if (service.requiredProjectBindings && !services.find((s) => s.name === service.name)) {
@@ -93,7 +90,7 @@ function obtainPubSubServiceAgentBindings(projectNumber) {
 }
 exports.obtainPubSubServiceAgentBindings = obtainPubSubServiceAgentBindings;
 function obtainDefaultComputeServiceAgentBindings(projectNumber) {
-    const defaultComputeServiceAgent = `serviceAccount:${getDefaultComputeServiceAgent(projectNumber)}`;
+    const defaultComputeServiceAgent = `serviceAccount:${gce.getDefaultServiceAccount(projectNumber)}`;
     const runInvokerBinding = {
         role: exports.RUN_INVOKER_ROLE,
         members: [defaultComputeServiceAgent],

package/lib/deploy/functions/containerCleaner.js

@@ -49,7 +49,7 @@ async function cleanupBuildImages(haveFunctions, deletedFunctions, cleaners = {}
     }));
     cleanup.push(...deletedFunctions.map(async (func) => {
         try {
-            await Promise.all([arCleaner.cleanupFunction(func), arCleaner.cleanupFunctionCache(func)]);
+            await arCleaner.cleanupFunction(func);
         }
         catch (err) {
             const path = `${func.project}/${func.region}/gcf-artifacts`;
@@ -106,13 +106,6 @@ class ArtifactRegistryCleaner {
         }
         await poller.pollOperation(Object.assign(Object.assign({}, ArtifactRegistryCleaner.POLLER_OPTIONS), { pollerName: `cleanup-${func.region}-${func.id}`, operationResourceName: op.name }));
     }
-    async cleanupFunctionCache(func) {
-        const op = await artifactregistry.deletePackage(`${ArtifactRegistryCleaner.packagePath(func)}%2Fcache`);
-        if (op.done) {
-            return;
-        }
-        await poller.pollOperation(Object.assign(Object.assign({}, ArtifactRegistryCleaner.POLLER_OPTIONS), { pollerName: `cleanup-cache-${func.region}-${func.id}`, operationResourceName: op.name }));
-    }
 }
 exports.ArtifactRegistryCleaner = ArtifactRegistryCleaner;
 ArtifactRegistryCleaner.POLLER_OPTIONS = {
@@ -124,9 +117,6 @@ class NoopArtifactRegistryCleaner extends ArtifactRegistryCleaner {
     cleanupFunction() {
         return Promise.resolve();
     }
-    cleanupFunctionCache() {
-        return Promise.resolve();
-    }
 }
 exports.NoopArtifactRegistryCleaner = NoopArtifactRegistryCleaner;
 class ContainerRegistryCleaner {

package/lib/deploy/functions/params.js

@@ -8,7 +8,7 @@ const functional_1 = require("../../functional");
 const secretManager = require("../../gcp/secretManager");
 const storage_1 = require("../../gcp/storage");
 const cel_1 = require("./cel");
-const secrets_1 = require("../../functions/secrets");
+const secretManager_1 = require("../../gcp/secretManager");
 function dependenciesCEL(expr) {
     const deps = [];
     const paramCapture = /{{ params\.(\w+) }}/g;
@@ -222,7 +222,7 @@ async function handleSecret(secretParam, projectId) {
             type: "password",
             message: `This secret will be stored in Cloud Secret Manager (https://cloud.google.com/secret-manager/pricing) as ${secretParam.name}. Enter a value for ${secretParam.label || secretParam.name}:`,
         });
-        await secretManager.createSecret(projectId, secretParam.name, (0, secrets_1.labels)());
+        await secretManager.createSecret(projectId, secretParam.name, (0, secretManager_1.labels)());
         await secretManager.addVersion(projectId, secretParam.name, secretValue);
         return secretValue;
     }

package/lib/deploy/functions/prepare.js

@@ -8,6 +8,7 @@ const ensureApiEnabled = require("../../ensureApiEnabled");
 const functionsConfig = require("../../functionsConfig");
 const functionsEnv = require("../../functions/env");
 const runtimes = require("./runtimes");
+const supported = require("./runtimes/supported");
 const validate = require("./validate");
 const ensure = require("./ensure");
 const api_1 = require("../../api");
@@ -284,12 +285,20 @@ async function loadCodebases(config, options, firebaseConfig, runtimeConfig, fil
             projectId,
             sourceDir,
             projectDir: options.config.projectDir,
-            runtime: codebaseConfig.runtime || "",
         };
+        const firebaseJsonRuntime = codebaseConfig.runtime;
+        if (firebaseJsonRuntime && !supported.isRuntime(firebaseJsonRuntime)) {
+            throw new error_1.FirebaseError(`Functions codebase ${codebase} has invalid runtime ` +
+                `${firebaseJsonRuntime} specified in firebase.json. Valid values are: ` +
+                Object.keys(supported.RUNTIMES)
+                    .map((s) => `- ${s}`)
+                    .join("\n"));
+        }
         const runtimeDelegate = await runtimes.getRuntimeDelegate(delegateContext);
-        logger_1.logger.debug(`Validating ${runtimeDelegate.name} source`);
+        logger_1.logger.debug(`Validating ${runtimeDelegate.language} source`);
+        supported.guardVersionSupport(runtimeDelegate.runtime);
         await runtimeDelegate.validate();
-        logger_1.logger.debug(`Building ${runtimeDelegate.name} source`);
+        logger_1.logger.debug(`Building ${runtimeDelegate.language} source`);
         await runtimeDelegate.build();
         const firebaseEnvs = functionsEnv.loadFirebaseEnvs(firebaseConfig, projectId);
         (0, utils_1.logLabeledBullet)("functions", `Loading and analyzing source code for codebase ${codebase} to determine what to deploy`);