feat(wrangler): Add Secrets Store support (#8382)

Author: jvaughan-cloudflare

.changeset/soft-buses-sniff.md

@@ -0,0 +1,5 @@
+---
+"wrangler": minor
+---
+
+Add Secrets Store command support to Wrangler CLI

packages/wrangler/e2e/secrets-store.test.ts

@@ -0,0 +1,153 @@
+import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import { WranglerE2ETestHelper } from "./helpers/e2e-wrangler-test";
+import { generateResourceName } from "./helpers/generate-resource-name";
+import { normalizeOutput } from "./helpers/normalize";
+
+describe("secrets-store", async () => {
+	let cachedStoreId = "";
+	let cachedSecretId = "";
+
+	const storeName = generateResourceName("secrets-store-store");
+	const secretName = generateResourceName("secrets-store-secret");
+	const helper = new WranglerE2ETestHelper();
+
+	const originalColumns = process.stdout.columns;
+	beforeAll(() => {
+		process.stdout.columns = 180;
+	});
+
+	afterAll(() => {
+		process.stdout.columns = originalColumns;
+	});
+
+	const normalize = (str: string) => {
+		return normalizeOutput(str, {
+			[storeName]: "tmp-e2e-secrets-store-store",
+			[secretName]: "tmp-e2e-secrets-store-secret",
+			[process.env.CLOUDFLARE_ACCOUNT_ID as string]: "CLOUDFLARE_ACCOUNT_ID",
+		});
+	};
+
+	it("creates a store", async () => {
+		const output = await helper.run(
+			`wrangler secrets-store store create ${storeName} --remote`
+		);
+
+		const regex = /ID:\s*(\w{32})/;
+		const match = output.stdout.match(regex);
+
+		if (match && match[1]) {
+			cachedStoreId = match[1];
+		} else {
+			throw new Error("No uuid for store found.");
+		}
+
+		expect(normalize(output.stdout)).toMatchInlineSnapshot(`
+			"🔐 Creating store... (Name: tmp-e2e-secrets-store-store-00000000-0000-0000-0000-000000000000)
+✅ Created store! (Name: tmp-e2e-secrets-store-store-00000000-0000-0000-0000-000000000000, ID: 00000000000000000000000000000000)"
+		`);
+	});
+
+	it("lists stores", async () => {
+		const output = await helper.run(
+			`wrangler secrets-store store list --per-page 100 --remote`
+		);
+
+		expect(normalize(output.stdout)).toContain(
+			"tmp-e2e-secrets-store-store-00000000-0000-0000-0000-000000000000"
+		);
+	});
+
+	it("creates a secret", async () => {
+		const output = await helper.run(
+			`wrangler secrets-store secret create ${cachedStoreId} --name ${secretName} --value shh --scopes workers --comment test --remote`
+		);
+
+		const regex = /ID:\s*(\w{32})/;
+		const match = output.stdout.match(regex);
+
+		if (match && match[1]) {
+			cachedSecretId = match[1];
+		}
+
+		expect(normalize(output.stdout)).toContain(
+			"🔐 Creating secret... (Name: tmp-e2e-secrets-store-secret-00000000-0000-0000-0000-000000000000, Value: REDACTED, Scopes: workers, Comment: test"
+		);
+		expect(normalize(output.stdout)).toContain(
+			"✅ Created secret! (ID: 00000000000000000000000000000000)"
+		);
+	});
+
+	it("gets a secret", async () => {
+		const output = await helper.run(
+			`wrangler secrets-store secret get ${cachedStoreId} --secret-id ${cachedSecretId} --remote`
+		);
+
+		expect(normalize(output.stdout)).toContain(
+			"🔐 Getting secret... (ID: 00000000000000000000000000000000)"
+		);
+		expect(normalize(output.stdout)).toContain(
+			"tmp-e2e-secrets-store-secret-00000000-0000-0000-0000-000000000000"
+		);
+	});
+
+	it("updates a secret", async () => {
+		const output = await helper.run(
+			`wrangler secrets-store secret update ${cachedStoreId} --secret-id ${cachedSecretId} --value shh --remote`
+		);
+
+		expect(normalize(output.stdout)).toContain(
+			"🔐 Updating secret... (ID: 00000000000000000000000000000000)"
+		);
+		expect(normalize(output.stdout)).toContain(
+			"✅ Updated secret! (ID: 00000000000000000000000000000000)"
+		);
+		expect(normalize(output.stdout)).toContain(
+			"tmp-e2e-secrets-store-secret-00000000-0000-0000-0000-00000000000"
+		);
+	});
+
+	it("deletes a secret", async () => {
+		const output = await helper.run(
+			`wrangler secrets-store secret delete ${cachedStoreId} --secret-id ${cachedSecretId} --remote`
+		);
+
+		expect(normalize(output.stdout)).toMatchInlineSnapshot(`
+			"🔐 Deleting secret... (ID: 00000000000000000000000000000000)
+✅ Deleted secret! (ID: 00000000000000000000000000000000)"
+		`);
+	});
+
+	it("validates a secret is deleted", async () => {
+		const output = await helper.run(
+			`wrangler secrets-store secret get ${cachedStoreId} --secret-id ${cachedSecretId} --remote`
+		);
+
+		expect(normalize(output.stdout)).toContain(
+			"🔐 Getting secret... (ID: 00000000000000000000000000000000)"
+		);
+		expect(normalize(output.stdout)).toContain("secret_not_found [code: 1001]");
+	});
+
+	it("deletes a store", async () => {
+		const output = await helper.run(
+			`wrangler secrets-store store delete ${cachedStoreId} --remote`
+		);
+
+		expect(normalize(output.stdout)).toMatchInlineSnapshot(`
+			"🔐 Deleting store... (Name: 00000000000000000000000000000000)
+✅ Deleted store! (ID: 00000000000000000000000000000000)"
+		`);
+	});
+
+	it("validates a store is deleted", async () => {
+		const output = await helper.run(
+			`wrangler secrets-store secret get ${cachedStoreId} --secret-id ${cachedSecretId} --remote`
+		);
+
+		expect(normalize(output.stdout)).toContain(
+			"🔐 Getting secret... (ID: 00000000000000000000000000000000)"
+		);
+		expect(normalize(output.stdout)).toContain("store_not_found [code: 1001]");
+	});
+});

packages/wrangler/src/__tests__/deploy.test.ts

@@ -560,7 +560,7 @@ describe("deploy", () => {
 
 			expect(std.out).toMatchInlineSnapshot(`
 				"Attempting to login via OAuth...
-				Opening a link in your default browser: https://dash.cloudflare.com/oauth2/auth?response_type=code&client_id=54d11594-84e4-41aa-b438-e81b8fa78ee7&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&scope=account%3Aread%20user%3Aread%20workers%3Awrite%20workers_kv%3Awrite%20workers_routes%3Awrite%20workers_scripts%3Awrite%20workers_tail%3Aread%20d1%3Awrite%20pages%3Awrite%20zone%3Aread%20ssl_certs%3Awrite%20ai%3Awrite%20queues%3Awrite%20pipelines%3Awrite%20offline_access&state=MOCK_STATE_PARAM&code_challenge=MOCK_CODE_CHALLENGE&code_challenge_method=S256
+				Opening a link in your default browser: https://dash.cloudflare.com/oauth2/auth?response_type=code&client_id=54d11594-84e4-41aa-b438-e81b8fa78ee7&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&scope=account%3Aread%20user%3Aread%20workers%3Awrite%20workers_kv%3Awrite%20workers_routes%3Awrite%20workers_scripts%3Awrite%20workers_tail%3Aread%20d1%3Awrite%20pages%3Awrite%20zone%3Aread%20ssl_certs%3Awrite%20ai%3Awrite%20queues%3Awrite%20pipelines%3Awrite%20secrets_store%3Awrite%20offline_access&state=MOCK_STATE_PARAM&code_challenge=MOCK_CODE_CHALLENGE&code_challenge_method=S256
 				Successfully logged in.
 				Total Upload: xx KiB / gzip: xx KiB
 				Worker Startup Time: 100 ms
@@ -602,7 +602,7 @@ describe("deploy", () => {
 
 				expect(std.out).toMatchInlineSnapshot(`
 					"Attempting to login via OAuth...
-					Opening a link in your default browser: https://dash.staging.cloudflare.com/oauth2/auth?response_type=code&client_id=54d11594-84e4-41aa-b438-e81b8fa78ee7&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&scope=account%3Aread%20user%3Aread%20workers%3Awrite%20workers_kv%3Awrite%20workers_routes%3Awrite%20workers_scripts%3Awrite%20workers_tail%3Aread%20d1%3Awrite%20pages%3Awrite%20zone%3Aread%20ssl_certs%3Awrite%20ai%3Awrite%20queues%3Awrite%20pipelines%3Awrite%20offline_access&state=MOCK_STATE_PARAM&code_challenge=MOCK_CODE_CHALLENGE&code_challenge_method=S256
+					Opening a link in your default browser: https://dash.staging.cloudflare.com/oauth2/auth?response_type=code&client_id=54d11594-84e4-41aa-b438-e81b8fa78ee7&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&scope=account%3Aread%20user%3Aread%20workers%3Awrite%20workers_kv%3Awrite%20workers_routes%3Awrite%20workers_scripts%3Awrite%20workers_tail%3Aread%20d1%3Awrite%20pages%3Awrite%20zone%3Aread%20ssl_certs%3Awrite%20ai%3Awrite%20queues%3Awrite%20pipelines%3Awrite%20secrets_store%3Awrite%20offline_access&state=MOCK_STATE_PARAM&code_challenge=MOCK_CODE_CHALLENGE&code_challenge_method=S256
 					Successfully logged in.
 					Total Upload: xx KiB / gzip: xx KiB
 					Worker Startup Time: 100 ms

packages/wrangler/src/__tests__/index.test.ts

@@ -66,6 +66,7 @@ describe("wrangler", () => {
 				  wrangler login                  🔓 Login to Cloudflare
 				  wrangler logout                 🚪 Logout from Cloudflare
 				  wrangler whoami                 🕵️  Retrieve your user information
+				  wrangler secrets-store          🔐 Manage the Secrets Store [alpha]
 
 				GLOBAL FLAGS
 				  -c, --config   Path to Wrangler configuration file  [string]
@@ -124,6 +125,7 @@ describe("wrangler", () => {
 				  wrangler login                  🔓 Login to Cloudflare
 				  wrangler logout                 🚪 Logout from Cloudflare
 				  wrangler whoami                 🕵️  Retrieve your user information
+				  wrangler secrets-store          🔐 Manage the Secrets Store [alpha]
 
 				GLOBAL FLAGS
 				  -c, --config   Path to Wrangler configuration file  [string]

packages/wrangler/src/__tests__/secrets-store.test.ts

@@ -68,7 +68,7 @@ describe("User", () => {
 			expect(counter).toBe(1);
 			expect(std.out).toMatchInlineSnapshot(`
 				"Attempting to login via OAuth...
-				Opening a link in your default browser: https://dash.cloudflare.com/oauth2/auth?response_type=code&client_id=54d11594-84e4-41aa-b438-e81b8fa78ee7&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&scope=account%3Aread%20user%3Aread%20workers%3Awrite%20workers_kv%3Awrite%20workers_routes%3Awrite%20workers_scripts%3Awrite%20workers_tail%3Aread%20d1%3Awrite%20pages%3Awrite%20zone%3Aread%20ssl_certs%3Awrite%20ai%3Awrite%20queues%3Awrite%20pipelines%3Awrite%20offline_access&state=MOCK_STATE_PARAM&code_challenge=MOCK_CODE_CHALLENGE&code_challenge_method=S256
+				Opening a link in your default browser: https://dash.cloudflare.com/oauth2/auth?response_type=code&client_id=54d11594-84e4-41aa-b438-e81b8fa78ee7&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&scope=account%3Aread%20user%3Aread%20workers%3Awrite%20workers_kv%3Awrite%20workers_routes%3Awrite%20workers_scripts%3Awrite%20workers_tail%3Aread%20d1%3Awrite%20pages%3Awrite%20zone%3Aread%20ssl_certs%3Awrite%20ai%3Awrite%20queues%3Awrite%20pipelines%3Awrite%20secrets_store%3Awrite%20offline_access&state=MOCK_STATE_PARAM&code_challenge=MOCK_CODE_CHALLENGE&code_challenge_method=S256
 				Successfully logged in."
 			`);
 			expect(readAuthConfigFile()).toEqual<UserAuthConfig>({
@@ -107,7 +107,7 @@ describe("User", () => {
 			expect(counter).toBe(1);
 			expect(std.out).toMatchInlineSnapshot(`
 				"Attempting to login via OAuth...
-				Opening a link in your default browser: https://dash.staging.cloudflare.com/oauth2/auth?response_type=code&client_id=4b2ea6cc-9421-4761-874b-ce550e0e3def&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&scope=account%3Aread%20user%3Aread%20workers%3Awrite%20workers_kv%3Awrite%20workers_routes%3Awrite%20workers_scripts%3Awrite%20workers_tail%3Aread%20d1%3Awrite%20pages%3Awrite%20zone%3Aread%20ssl_certs%3Awrite%20ai%3Awrite%20queues%3Awrite%20pipelines%3Awrite%20offline_access&state=MOCK_STATE_PARAM&code_challenge=MOCK_CODE_CHALLENGE&code_challenge_method=S256
+				Opening a link in your default browser: https://dash.staging.cloudflare.com/oauth2/auth?response_type=code&client_id=4b2ea6cc-9421-4761-874b-ce550e0e3def&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&scope=account%3Aread%20user%3Aread%20workers%3Awrite%20workers_kv%3Awrite%20workers_routes%3Awrite%20workers_scripts%3Awrite%20workers_tail%3Aread%20d1%3Awrite%20pages%3Awrite%20zone%3Aread%20ssl_certs%3Awrite%20ai%3Awrite%20queues%3Awrite%20pipelines%3Awrite%20secrets_store%3Awrite%20offline_access&state=MOCK_STATE_PARAM&code_challenge=MOCK_CODE_CHALLENGE&code_challenge_method=S256
 				Successfully logged in."
 			`);
 
@@ -210,7 +210,7 @@ describe("User", () => {
 		expect(counter).toBe(1);
 		expect(std.out).toMatchInlineSnapshot(`
 			"Attempting to login via OAuth...
-			Opening a link in your default browser: https://dash.cloudflare.com/oauth2/auth?response_type=code&client_id=54d11594-84e4-41aa-b438-e81b8fa78ee7&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&scope=account%3Aread%20user%3Aread%20workers%3Awrite%20workers_kv%3Awrite%20workers_routes%3Awrite%20workers_scripts%3Awrite%20workers_tail%3Aread%20d1%3Awrite%20pages%3Awrite%20zone%3Aread%20ssl_certs%3Awrite%20ai%3Awrite%20queues%3Awrite%20pipelines%3Awrite%20offline_access&state=MOCK_STATE_PARAM&code_challenge=MOCK_CODE_CHALLENGE&code_challenge_method=S256
+			Opening a link in your default browser: https://dash.cloudflare.com/oauth2/auth?response_type=code&client_id=54d11594-84e4-41aa-b438-e81b8fa78ee7&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&scope=account%3Aread%20user%3Aread%20workers%3Awrite%20workers_kv%3Awrite%20workers_routes%3Awrite%20workers_scripts%3Awrite%20workers_tail%3Aread%20d1%3Awrite%20pages%3Awrite%20zone%3Aread%20ssl_certs%3Awrite%20ai%3Awrite%20queues%3Awrite%20pipelines%3Awrite%20secrets_store%3Awrite%20offline_access&state=MOCK_STATE_PARAM&code_challenge=MOCK_CODE_CHALLENGE&code_challenge_method=S256
 			Successfully logged in."
 		`);
 		expect(std.warn).toMatchInlineSnapshot(`""`);

packages/wrangler/src/__tests__/user.test.ts

@@ -140,6 +140,22 @@ import {
 	secretNamespace,
 	secretPutCommand,
 } from "./secret";
+import {
+	secretsStoreNamespace,
+	secretsStoreSecretNamespace,
+	secretsStoreStoreNamespace,
+} from "./secrets-store";
+import {
+	secretsStoreSecretCreateCommand,
+	secretsStoreSecretDeleteCommand,
+	secretsStoreSecretDuplicateCommand,
+	secretsStoreSecretGetCommand,
+	secretsStoreSecretListCommand,
+	secretsStoreSecretUpdateCommand,
+	secretsStoreStoreCreateCommand,
+	secretsStoreStoreDeleteCommand,
+	secretsStoreStoreListCommand,
+} from "./secrets-store/commands";
 import {
 	addBreadcrumb,
 	captureGlobalException,
@@ -811,6 +827,56 @@ export function createCLIParser(argv: string[]) {
 		return ai(aiYargs.command(subHelp));
 	});
 
+	// secrets store
+	registry.define([
+		{ command: "wrangler secrets-store", definition: secretsStoreNamespace },
+		{
+			command: "wrangler secrets-store store",
+			definition: secretsStoreStoreNamespace,
+		},
+		{
+			command: "wrangler secrets-store store create",
+			definition: secretsStoreStoreCreateCommand,
+		},
+		{
+			command: "wrangler secrets-store store delete",
+			definition: secretsStoreStoreDeleteCommand,
+		},
+		{
+			command: "wrangler secrets-store store list",
+			definition: secretsStoreStoreListCommand,
+		},
+		{
+			command: "wrangler secrets-store secret",
+			definition: secretsStoreSecretNamespace,
+		},
+		{
+			command: "wrangler secrets-store secret create",
+			definition: secretsStoreSecretCreateCommand,
+		},
+		{
+			command: "wrangler secrets-store secret list",
+			definition: secretsStoreSecretListCommand,
+		},
+		{
+			command: "wrangler secrets-store secret get",
+			definition: secretsStoreSecretGetCommand,
+		},
+		{
+			command: "wrangler secrets-store secret update",
+			definition: secretsStoreSecretUpdateCommand,
+		},
+		{
+			command: "wrangler secrets-store secret delete",
+			definition: secretsStoreSecretDeleteCommand,
+		},
+		{
+			command: "wrangler secrets-store secret duplicate",
+			definition: secretsStoreSecretDuplicateCommand,
+		},
+	]);
+	registry.registerNamespace("cert");
+
 	// workflows
 	registry.define([
 		{

packages/wrangler/src/index.ts

@@ -0,0 +1,166 @@
+import { fetchResult } from "../cfetch";
+
+// Stores API
+
+export type Store = {
+	id: string;
+	account_id: string;
+	name: string;
+	created: string;
+	modified: string;
+};
+
+export type CreateStore = {
+	name: string;
+};
+
+export async function createStore(
+	accountId: string,
+	body: CreateStore
+): Promise<Store> {
+	return await fetchResult(`/accounts/${accountId}/secrets_store/stores`, {
+		method: "POST",
+		body: JSON.stringify(body),
+	});
+}
+
+export async function deleteStore(
+	accountId: string,
+	storeId: string
+): Promise<Store> {
+	return await fetchResult(
+		`/accounts/${accountId}/secrets_store/stores/${storeId}`,
+		{
+			method: "DELETE",
+		}
+	);
+}
+
+export async function listStores(
+	accountId: string,
+	urlParams: URLSearchParams
+): Promise<Store[]> {
+	return await fetchResult(
+		`/accounts/${accountId}/secrets_store/stores`,
+		{
+			method: "GET",
+		},
+		urlParams
+	);
+}
+
+// Secrets API
+
+export type Secret = {
+	id: string;
+	store_id: string;
+	name: string;
+	comment: string;
+	scopes: string[];
+	created: string;
+	modified: string;
+	status: string;
+};
+
+export async function listSecrets(
+	accountId: string,
+	storeId: string,
+	urlParams: URLSearchParams
+): Promise<Secret[]> {
+	return await fetchResult(
+		`/accounts/${accountId}/secrets_store/stores/${storeId}/secrets`,
+		{
+			method: "GET",
+		},
+		urlParams
+	);
+}
+
+export async function getSecret(
+	accountId: string,
+	storeId: string,
+	secretId: string
+): Promise<Secret> {
+	return await fetchResult(
+		`/accounts/${accountId}/secrets_store/stores/${storeId}/secrets/${secretId}`,
+		{
+			method: "GET",
+		}
+	);
+}
+
+export type CreateSecret = {
+	name: string;
+	value: string;
+	scopes: string[];
+	comment?: string;
+};
+
+export async function createSecret(
+	accountId: string,
+	storeId: string,
+	body: CreateSecret
+): Promise<Secret[]> {
+	return await fetchResult(
+		`/accounts/${accountId}/secrets_store/stores/${storeId}/secrets`,
+		{
+			method: "POST",
+			body: JSON.stringify([body]),
+		}
+	);
+}
+
+export type UpdateSecret = {
+	value?: string;
+	scopes?: string[];
+	comment?: string;
+};
+
+export async function updateSecret(
+	accountId: string,
+	storeId: string,
+	secretId: string,
+	body: UpdateSecret
+): Promise<Secret> {
+	return await fetchResult(
+		`/accounts/${accountId}/secrets_store/stores/${storeId}/secrets/${secretId}`,
+		{
+			method: "PATCH",
+			body: JSON.stringify(body),
+		}
+	);
+}
+
+export async function deleteSecret(
+	accountId: string,
+	storeId: string,
+	secretId: string
+): Promise<Secret> {
+	return await fetchResult(
+		`/accounts/${accountId}/secrets_store/stores/${storeId}/secrets/${secretId}`,
+		{
+			method: "DELETE",
+		}
+	);
+}
+
+export type DuplicateSecret = {
+	name: string;
+	scopes: string[];
+	comment: string;
+};
+
+export async function duplicateSecret(
+	accountId: string,
+	storeId: string,
+	secretId: string,
+	body: DuplicateSecret
+): Promise<Secret> {
+	return await fetchResult(
+		`/accounts/${accountId}/secrets_store/stores/${storeId}/secrets/${secretId}/duplicate`,
+		{
+			method: "POST",
+			body: JSON.stringify(body),
+		}
+	);
+}

packages/wrangler/src/secrets-store/client.ts

@@ -0,0 +1,25 @@
+import { createNamespace } from "../core/create-command";
+
+export const secretsStoreNamespace = createNamespace({
+	metadata: {
+		description: `🔐 Manage the Secrets Store`,
+		status: "alpha",
+		owner: "Product: SSL",
+	},
+});
+
+export const secretsStoreStoreNamespace = createNamespace({
+	metadata: {
+		description: "🔐 Manage Stores within the Secrets Store",
+		status: "alpha",
+		owner: "Product: SSL",
+	},
+});
+
+export const secretsStoreSecretNamespace = createNamespace({
+	metadata: {
+		description: "🔐 Manage Secrets within the Secrets Store",
+		status: "alpha",
+		owner: "Product: SSL",
+	},
+});

packages/wrangler/src/secrets-store/commands.ts

@@ -354,6 +354,8 @@ const DefaultScopes = {
 	"queues:write": "See and change Cloudflare Queues settings and data",
 	"pipelines:write":
 		"See and change Cloudflare Pipelines configurations and data",
+	"secrets_store:write":
+		"See and change secrets + stores within the Secrets Store",
 } as const;
 
 const OptionalScopes = {