BREAKING: Rewrite functions:config:export command (#9341)

Target the new defineJsonSecret API as migration target for functions.config() usage. The new API is a simpler migration target for existing functions.config() use cases.

Example flow:

```shell
$ firebase functions:config:export
i  This command retrieves your Runtime Config values (accessed via functions.config()) and exports them as a Secret Manager secret.

i  Fetching your existing functions.config() from danielylee-90... ✔  Fetched your existing functions.config().

i  Configuration to be exported:
⚠  This may contain sensitive data. Do not share this output.

{
   <CONFIG>
}

✔ What would you like to name the new secret for your configuration? RUNTIME_CONFIG

✔  Created new secret version projects/XXX/secrets/RUNTIME_CONFIG/versions/1

i  To complete the migration, update your code:

  // Before:
  const functions = require('firebase-functions');

  exports.myFunction = functions.https.onRequest((req, res) => {
    const apiKey = functions.config().service.key;
    // ...
  });

  // After:
  const functions = require('firebase-functions');
  const { defineJsonSecret } = require('firebase-functions/params');

  const config = defineJsonSecret("RUNTIME_CONFIG");

  exports.myFunction = functions
    .runWith({ secrets: [config] })  // Bind secret here
    .https.onRequest((req, res) => {
      const apiKey = config.value().service.key;
      // ...
    });

i  Note: defineJsonSecret requires firebase-functions v6.6.0 or later. Update your package.json if needed. i  Then deploy your functions:
  firebase deploy --only functions
```

Author: taeold

src/commands/functions-config-export.ts

@@ -1,151 +1,199 @@
-import * as path from "path";
-
 import * as clc from "colorette";
+import * as semver from "semver";
 
-import requireInteractive from "../requireInteractive";
+import * as functionsConfig from "../functionsConfig";
 import { Command } from "../command";
 import { FirebaseError } from "../error";
-import { testIamPermissions } from "../gcp/iam";
-import { logger } from "../logger";
 import { input, confirm } from "../prompt";
 import { requirePermissions } from "../requirePermissions";
-import { logBullet, logWarning } from "../utils";
-import { zip } from "../functional";
-import * as configExport from "../functions/runtimeConfigExport";
+import { logBullet, logSuccess } from "../utils";
 import { requireConfig } from "../requireConfig";
+import { ensureValidKey, ensureSecret } from "../functions/secrets";
+import { addVersion, listSecretVersions, toSecretVersionResourceName } from "../gcp/secretManager";
+import { needProjectId } from "../projectUtils";
+import { requireAuth } from "../requireAuth";
+import { ensureApi } from "../gcp/secretManager";
+import { getFunctionsSDKVersion } from "../deploy/functions/runtimes/node/versioning";
 
 import type { Options } from "../options";
-import { normalizeAndValidate, resolveConfigDir } from "../functions/projectConfig";
 
-const REQUIRED_PERMISSIONS = [
+const RUNTIME_CONFIG_PERMISSIONS = [
   "runtimeconfig.configs.list",
   "runtimeconfig.configs.get",
   "runtimeconfig.variables.list",
   "runtimeconfig.variables.get",
 ];
 
-const RESERVED_PROJECT_ALIAS = ["local"];
-const MAX_ATTEMPTS = 3;
+const SECRET_MANAGER_PERMISSIONS = [
+  "secretmanager.secrets.create",
+  "secretmanager.secrets.get",
+  "secretmanager.secrets.update",
+  "secretmanager.versions.add",
+];
 
-function checkReservedAliases(pInfos: configExport.ProjectConfigInfo[]): void {
-  for (const pInfo of pInfos) {
-    if (pInfo.alias && RESERVED_PROJECT_ALIAS.includes(pInfo.alias)) {
-      logWarning(
-        `Project alias (${clc.bold(pInfo.alias)}) is reserved for internal use. ` +
-          `Saving exported config in .env.${pInfo.projectId} instead.`,
-      );
-      delete pInfo.alias;
+const DEFAULT_SECRET_NAME = "FUNCTIONS_CONFIG_EXPORT";
+
+function maskConfigValues(obj: any): any {
+  if (typeof obj === "object" && obj !== null && !Array.isArray(obj)) {
+    const masked: Record<string, any> = {};
+    for (const [key, value] of Object.entries(obj)) {
+      masked[key] = maskConfigValues(value);
     }
+    return masked;
   }
+  return "******";
 }
 
-/* For projects where we failed to fetch the runtime config, find out what permissions are missing in the project. */
-async function checkRequiredPermission(pInfos: configExport.ProjectConfigInfo[]): Promise<void> {
-  pInfos = pInfos.filter((pInfo) => !pInfo.config);
-  const testPermissions = pInfos.map((pInfo) =>
-    testIamPermissions(pInfo.projectId, REQUIRED_PERMISSIONS),
-  );
-  const results = await Promise.all(testPermissions);
-  for (const [pInfo, result] of zip(pInfos, results)) {
-    if (result.passed) {
-      // We should've been able to fetch the config but couldn't. Ask the user to try export command again.
+export const command = new Command("functions:config:export")
+  .description("export environment config as a JSON secret to store in Cloud Secret Manager")
+  .option("--secret <name>", `name of the secret to create (default: ${DEFAULT_SECRET_NAME})`)
+  .withForce("use default secret name without prompting")
+  .before(requireAuth)
+  .before(ensureApi)
+  .before(requirePermissions, [...RUNTIME_CONFIG_PERMISSIONS, ...SECRET_MANAGER_PERMISSIONS])
+  .before(requireConfig)
+  .action(async (options: Options) => {
+    const projectId = needProjectId(options);
+
+    logBullet(
+      "This command retrieves your Runtime Config values (accessed via " +
+        clc.bold("functions.config()") +
+        ") and exports them as a Secret Manager secret.",
+    );
+    console.log("");
+
+    logBullet(`Fetching your existing functions.config() from ${clc.bold(projectId)}...`);
+
+    let configJson: Record<string, unknown>;
+    try {
+      configJson = await functionsConfig.materializeAll(projectId);
+    } catch (err: unknown) {
       throw new FirebaseError(
-        `Unexpectedly failed to fetch runtime config for project ${pInfo.projectId}`,
+        `Failed to fetch runtime config for project ${projectId}. ` +
+          "Ensure you have the required permissions:\n\t" +
+          RUNTIME_CONFIG_PERMISSIONS.join("\n\t"),
+        { original: err as Error },
       );
     }
-    logWarning(
-      "You are missing the following permissions to read functions config on project " +
-        `${clc.bold(pInfo.projectId)}:\n\t${result.missing.join("\n\t")}`,
-    );
 
-    const confirmed = await confirm({
-      message: `Continue without importing configs from project ${pInfo.projectId}?`,
-      default: true,
-    });
+    if (Object.keys(configJson).length === 0) {
+      logSuccess("Your functions.config() is empty. Nothing to do.");
+      return;
+    }
+
+    logSuccess("Fetched your existing functions.config().");
+    console.log("");
 
-    if (!confirmed) {
-      throw new FirebaseError("Command aborted!");
+    // Display config in interactive mode
+    if (!options.nonInteractive) {
+      logBullet(clc.bold("Configuration to be exported:"));
+      console.log(JSON.stringify(maskConfigValues(configJson), null, 2));
+      console.log("");
     }
-  }
-}
 
-async function promptForPrefix(errMsg: string): Promise<string> {
-  logWarning("The following configs keys could not be exported as environment variables:\n");
-  logWarning(errMsg);
-  return await input({
-    default: "CONFIG_",
-    message: "Enter a PREFIX to rename invalid environment variable keys:",
-  });
-}
+    let secretName = options.secret as string;
+    if (!secretName) {
+      if (options.force) {
+        secretName = DEFAULT_SECRET_NAME;
+      } else {
+        secretName = await input({
+          message: "What would you like to name the new secret for your configuration?",
+          default: DEFAULT_SECRET_NAME,
+          nonInteractive: options.nonInteractive,
+        });
+      }
+    }
 
-function fromEntries<V>(itr: Iterable<[string, V]>): Record<string, V> {
-  const obj: Record<string, V> = {};
-  for (const [k, v] of itr) {
-    obj[k] = v;
-  }
-  return obj;
-}
+    const key = await ensureValidKey(secretName, options);
+    await ensureSecret(projectId, key, options);
 
-export const command = new Command("functions:config:export")
-  .description("export environment config as environment variables in dotenv format")
-  .before(requirePermissions, [
-    "runtimeconfig.configs.list",
-    "runtimeconfig.configs.get",
-    "runtimeconfig.variables.list",
-    "runtimeconfig.variables.get",
-  ])
-  .before(requireConfig)
-  .before(requireInteractive)
-  .action(async (options: Options) => {
-    const config = normalizeAndValidate(options.config.src.functions)[0];
-    const configDir = resolveConfigDir(config);
-    if (!configDir) {
+    const versions = await listSecretVersions(projectId, key);
+    const enabledVersions = versions.filter((v) => v.state === "ENABLED");
+    enabledVersions.sort((a, b) => (b.createTime || "").localeCompare(a.createTime || ""));
+    const latest = enabledVersions[0];
+
+    if (latest) {
+      logBullet(
+        `Secret ${clc.bold(key)} already exists (latest version: ${clc.bold(latest.versionId)}, created: ${latest.createTime}).`,
+      );
+      const proceed = await confirm({
+        message: "Do you want to add a new version to this secret?",
+        default: false,
+        nonInteractive: options.nonInteractive,
+        force: options.force,
+      });
+      if (!proceed) {
+        return;
+      }
+      console.log("");
+    }
+
+    const secretValue = JSON.stringify(configJson, null, 2);
+
+    // Check size limit (64KB)
+    const sizeInBytes = Buffer.byteLength(secretValue, "utf8");
+    const maxSize = 64 * 1024; // 64KB
+    if (sizeInBytes > maxSize) {
       throw new FirebaseError(
-        "functions:config:export requires a local env directory. Set functions[].configDir in firebase.json when using remoteSource.",
+        `Configuration size (${sizeInBytes} bytes) exceeds the 64KB limit for JSON secrets. ` +
+          "Please reduce the size of your configuration or split it into multiple secrets.",
       );
     }
 
-    let pInfos = configExport.getProjectInfos(options);
-    checkReservedAliases(pInfos);
+    const secretVersion = await addVersion(projectId, key, secretValue);
+    console.log("");
 
-    logBullet(
-      "Importing functions configs from projects [" +
-        pInfos.map(({ projectId }) => `${clc.bold(projectId)}`).join(", ") +
-        "]",
-    );
+    logSuccess(`Created new secret version ${toSecretVersionResourceName(secretVersion)}`);
+    console.log("");
+    logBullet(clc.bold("To complete the migration, update your code:"));
+    console.log("");
+    console.log(
+      clc.gray(`  // Before:
+  const functions = require('firebase-functions');
 
-    await configExport.hydrateConfigs(pInfos);
-    await checkRequiredPermission(pInfos);
-    pInfos = pInfos.filter((pInfo) => pInfo.config);
+  exports.myFunction = functions.https.onRequest((req, res) => {
+    const apiKey = functions.config().service.key;
+    // ...
+  });
 
-    logger.debug(`Loaded function configs: ${JSON.stringify(pInfos)}`);
-    logBullet(`Importing configs from projects: [${pInfos.map((p) => p.projectId).join(", ")}]`);
+  // After:
+  const functions = require('firebase-functions');
+  const { defineJsonSecret } = require('firebase-functions/params');
 
-    let attempts = 0;
-    let prefix = "";
-    while (true) {
-      if (attempts >= MAX_ATTEMPTS) {
-        throw new FirebaseError("Exceeded max attempts to fix invalid config keys.");
-      }
+  const config = defineJsonSecret("${key}");
 
-      const errMsg = configExport.hydrateEnvs(pInfos, prefix);
-      if (errMsg.length === 0) {
-        break;
+  exports.myFunction = functions
+    .runWith({ secrets: [config] })  // Bind secret here
+    .https.onRequest((req, res) => {
+      const apiKey = config.value().service.key;
+      // ...
+    });`),
+    );
+    console.log("");
+
+    // Try to detect the firebase-functions version to see if we need to warn about defineJsonSecret
+    let sdkVersion: string | undefined;
+    try {
+      const functionsConfig = options.config.get("functions");
+      const source = Array.isArray(functionsConfig)
+        ? functionsConfig[0]?.source
+        : functionsConfig?.source;
+      if (source) {
+        const sourceDir = options.config.path(source);
+        sdkVersion = getFunctionsSDKVersion(sourceDir);
       }
-      prefix = await promptForPrefix(errMsg);
-      attempts += 1;
+    } catch (e) {
+      // ignore error, just show the warning if we can't detect the version
     }
 
-    const header = `# Exported firebase functions:config:export command on ${new Date().toLocaleDateString()}`;
-    const dotEnvs = pInfos.map((pInfo) => configExport.toDotenvFormat(pInfo.envs!, header));
-    const filenames = pInfos.map(configExport.generateDotenvFilename);
-    const filesToWrite = fromEntries(zip(filenames, dotEnvs));
-    filesToWrite[".env.local"] =
-      `${header}\n# .env.local file contains environment variables for the Functions Emulator.\n`;
-    filesToWrite[".env"] =
-      `${header}# .env file contains environment variables that applies to all projects.\n`;
-
-    for (const [filename, content] of Object.entries(filesToWrite)) {
-      await options.config.askWriteProjectFile(path.join(configDir, filename), content);
+    if (!sdkVersion || semver.lt(sdkVersion, "6.6.0")) {
+      logBullet(
+        clc.bold("Note: ") +
+          "defineJsonSecret requires firebase-functions v6.6.0 or later. " +
+          `Update to a newer version with ${clc.bold("npm i firebase-functions @latest")}${!sdkVersion ? " if needed" : ""}.`,
+      );
     }
+    logBullet("Then deploy your functions:\n  " + clc.bold("firebase deploy --only functions"));
+
+    return secretName;
   });