FAH ensure secret (#6940)

* Chose service accounts dialog

* upsert secret

* Run formatter

* Fix field rename

* Formatter

* Fix refactoring bug

* PR feedback

* PR feedback

* Fix tests

Author: inlined

src/apphosting/secrets/index.ts

@@ -0,0 +1,60 @@
+import { FirebaseError } from "../../error";
+import * as gcsm from "../../gcp/secretManager";
+import { FIREBASE_MANAGED } from "../../gcp/secretManager";
+import { isFunctionsManaged } from "../../gcp/secretManager";
+import * as utils from "../../utils";
+import * as prompt from "../../prompt";
+
+/**
+ * Ensures a secret exists for use with app hosting, optionally locked to a region.
+ * If a secret exists, we verify the user is not trying to change the region and verifies a secret
+ * is not being used for both functions and app hosting as their garbage collection is incompatible
+ * (client vs server-side).
+ * @returns true if a secret was created, false if a secret already existed, and null if a user aborts.
+ */
+export async function upsertSecret(
+  project: string,
+  secret: string,
+  location?: string,
+): Promise<boolean | null> {
+  let existing: gcsm.Secret;
+  try {
+    existing = await gcsm.getSecret(project, secret);
+  } catch (err: any) {
+    if (err.status !== 404) {
+      throw new FirebaseError("Unexpected error loading secret", { original: err });
+    }
+    await gcsm.createSecret(project, secret, gcsm.labels("apphosting"), location);
+    return true;
+  }
+  const replication = existing.replication?.userManaged;
+  if (
+    location &&
+    (replication?.replicas?.length !== 1 || replication?.replicas?.[0]?.location !== location)
+  ) {
+    utils.logLabeledError(
+      "apphosting",
+      "Secret replication policies cannot be changed after creation",
+    );
+    return null;
+  }
+  if (isFunctionsManaged(existing)) {
+    utils.logLabeledWarning(
+      "apphosting",
+      `Cloud Functions for Firebase currently manages versions of ${secret}. Continuing will disable ` +
+        "automatic deletion of old versions.",
+    );
+    const stopTracking = await prompt.confirm({
+      message: "Do you wish to continue?",
+      default: false,
+    });
+    if (!stopTracking) {
+      return null;
+    }
+    delete existing.labels[FIREBASE_MANAGED];
+    await gcsm.patchSecret(project, secret, existing.labels);
+  }
+  // TODO: consider whether we should prompt a user who has an unmanaged secret to enroll in version control.
+  // This may not be a great idea until version control is actually implemented.
+  return false;
+}

src/commands/apphosting-secrets-grantaccess.ts

@@ -3,7 +3,7 @@ import { Options } from "../options";
 import { needProjectId, needProjectNumber } from "../projectUtils";
 import { FirebaseError } from "../error";
 import { requireAuth } from "../requireAuth";
-import * as secrets from "../functions/secrets";
+import * as secretManager from "../gcp/secretManager";
 import { requirePermissions } from "../requirePermissions";
 import * as apphosting from "../gcp/apphosting";
 import { grantSecretAccess } from "../init/features/apphosting/secrets";
@@ -13,7 +13,7 @@ export const command = new Command("apphosting:secrets:grantaccess <secretName>"
   .option("-l, --location <location>", "app backend location")
   .option("-b, --backend <backend>", "app backend name")
   .before(requireAuth)
-  .before(secrets.ensureApi)
+  .before(secretManager.ensureApi)
   .before(apphosting.ensureApiEnabled)
   .before(requirePermissions, [
     "secretmanager.secrets.create",
@@ -27,6 +27,7 @@ export const command = new Command("apphosting:secrets:grantaccess <secretName>"
     const projectId = needProjectId(options);
     const projectNumber = await needProjectNumber(options);
 
+    // TODO: Consider reusing dialog in apphosting/secrets/dialogs.ts if backend (and location) is not set.
     if (!options.location) {
       throw new FirebaseError(
         "Missing required flag --location. See firebase apphosting:secrets:grantaccess --help for more info",

src/commands/functions-secrets-access.ts

@@ -4,14 +4,14 @@ import { Options } from "../options";
 import { needProjectId } from "../projectUtils";
 import { accessSecretVersion } from "../gcp/secretManager";
 import { requireAuth } from "../requireAuth";
-import * as secrets from "../functions/secrets";
+import * as secretManager from "../gcp/secretManager";
 
 export const command = new Command("functions:secrets:access <KEY>[@version]")
   .description(
     "Access secret value given secret and its version. Defaults to accessing the latest version.",
   )
   .before(requireAuth)
-  .before(secrets.ensureApi)
+  .before(secretManager.ensureApi)
   .action(async (key: string, options: Options) => {
     const projectId = needProjectId(options);
     let [name, version] = key.split("@");

src/commands/functions-secrets-destroy.ts

@@ -7,6 +7,8 @@ import {
   getSecret,
   getSecretVersion,
   listSecretVersions,
+  ensureApi,
+  isFunctionsManaged,
 } from "../gcp/secretManager";
 import { promptOnce } from "../prompt";
 import { logBullet, logWarning } from "../utils";
@@ -19,7 +21,7 @@ export const command = new Command("functions:secrets:destroy <KEY>[@version]")
   .description("Destroy a secret. Defaults to destroying the latest version.")
   .withForce("Destroys a secret without confirmation.")
   .before(requireAuth)
-  .before(secrets.ensureApi)
+  .before(ensureApi)
   .action(async (key: string, options: Options) => {
     const projectId = needProjectId(options);
     const projectNumber = await needProjectNumber(options);
@@ -70,7 +72,7 @@ export const command = new Command("functions:secrets:destroy <KEY>[@version]")
     logBullet(`Destroyed secret version ${name}@${sv.versionId}`);
 
     const secret = await getSecret(projectId, name);
-    if (secrets.isFirebaseManaged(secret)) {
+    if (isFunctionsManaged(secret)) {
       const versions = await listSecretVersions(projectId, name);
       if (versions.filter((v) => v.state === "ENABLED").length === 0) {
         logBullet(`No active secret versions left. Destroying secret ${name}`);

src/commands/functions-secrets-get.ts

@@ -7,12 +7,12 @@ import { Options } from "../options";
 import { needProjectId } from "../projectUtils";
 import { listSecretVersions } from "../gcp/secretManager";
 import { requirePermissions } from "../requirePermissions";
-import * as secrets from "../functions/secrets";
+import * as secretManager from "../gcp/secretManager";
 
 export const command = new Command("functions:secrets:get <KEY>")
   .description("Get metadata for secret and its versions")
   .before(requireAuth)
-  .before(secrets.ensureApi)
+  .before(secretManager.ensureApi)
   .before(requirePermissions, ["secretmanager.secrets.get"])
   .action(async (key: string, options: Options) => {
     const projectId = needProjectId(options);

src/commands/functions-secrets-prune.ts

@@ -1,6 +1,7 @@
 import * as args from "../deploy/functions/args";
 import * as backend from "../deploy/functions/backend";
 import * as secrets from "../functions/secrets";
+import * as secretManager from "../gcp/secretManager";
 
 import { Command } from "../command";
 import { Options } from "../options";
@@ -16,7 +17,7 @@ export const command = new Command("functions:secrets:prune")
   .withForce("Destroys unused secrets without prompt")
   .description("Destroys unused secrets")
   .before(requireAuth)
-  .before(secrets.ensureApi)
+  .before(secretManager.ensureApi)
   .before(requirePermissions, [
     "cloudfunctions.functions.list",
     "secretmanager.secrets.list",

src/commands/functions-secrets-set.ts

@@ -15,6 +15,8 @@ import {
   addVersion,
   destroySecretVersion,
   toSecretVersionResourceName,
+  isFunctionsManaged,
+  ensureApi,
 } from "../gcp/secretManager";
 import { check } from "../ensureApiEnabled";
 import { requireAuth } from "../requireAuth";
@@ -26,7 +28,7 @@ export const command = new Command("functions:secrets:set <KEY>")
   .description("Create or update a secret for use in Cloud Functions for Firebase.")
   .withForce("Automatically updates functions to use the new secret.")
   .before(requireAuth)
-  .before(secrets.ensureApi)
+  .before(ensureApi)
   .before(requirePermissions, [
     "secretmanager.secrets.create",
     "secretmanager.secrets.get",
@@ -61,7 +63,7 @@ export const command = new Command("functions:secrets:set <KEY>")
     const secretVersion = await addVersion(projectId, key, secretValue);
     logSuccess(`Created a new secret version ${toSecretVersionResourceName(secretVersion)}`);
 
-    if (!secrets.isFirebaseManaged(secret)) {
+    if (!isFunctionsManaged(secret)) {
       logBullet(
         "Please deploy your functions for the change to take effect by running:\n\t" +
           clc.bold("firebase deploy --only functions"),

src/deploy/functions/params.ts

@@ -7,7 +7,7 @@ import * as secretManager from "../../gcp/secretManager";
 import { listBuckets } from "../../gcp/storage";
 import { isCelExpression, resolveExpression } from "./cel";
 import { FirebaseConfig } from "./args";
-import { labels as secretLabels } from "../../functions/secrets";
+import { labels as secretLabels } from "../../gcp/secretManager";
 
 // A convenience type containing options for Prompt's select
 interface ListItem {

src/functions/secrets.ts

@@ -3,13 +3,13 @@ import * as poller from "../operation-poller";
 import * as gcfV1 from "../gcp/cloudfunctions";
 import * as gcfV2 from "../gcp/cloudfunctionsv2";
 import * as backend from "../deploy/functions/backend";
-import * as ensureApiEnabled from "../ensureApiEnabled";
-import { functionsOrigin, functionsV2Origin, secretManagerOrigin } from "../api";
+import { functionsOrigin, functionsV2Origin } from "../api";
 import {
   createSecret,
   destroySecretVersion,
   getSecret,
   getSecretVersion,
+  isAppHostingManaged,
   listSecrets,
   listSecretVersions,
   parseSecretResourceName,
@@ -24,9 +24,8 @@ import { promptOnce } from "../prompt";
 import { validateKey } from "./env";
 import { logger } from "../logger";
 import { assertExhaustive } from "../functional";
-import { needProjectId } from "../projectUtils";
-
-const FIREBASE_MANAGED = "firebase-managed";
+import { isFunctionsManaged, FIREBASE_MANAGED } from "../gcp/secretManager";
+import { labels } from "../gcp/secretManager";
 
 // For mysterious reasons, importing the poller option in fabricator.ts leads to some
 // value of the poller option to be undefined at runtime. I can't figure out what's going on,
@@ -51,36 +50,13 @@ type ProjectInfo = {
   projectNumber: string;
 };
 
-/**
- * Returns true if secret is managed by Firebase.
- */
-export function isFirebaseManaged(secret: Secret): boolean {
-  return Object.keys(secret.labels || []).includes(FIREBASE_MANAGED);
-}
-
-/**
- * Return labels to mark secret as managed by Firebase.
- * @internal
- */
-export function labels(): Record<string, string> {
-  return { [FIREBASE_MANAGED]: "true" };
-}
-
 function toUpperSnakeCase(key: string): string {
   return key
     .replace(/[.-]/g, "_")
     .replace(/([a-z])([A-Z])/g, "$1_$2")
     .toUpperCase();
 }
 
-/**
- * Utility used in the "before" command annotation to enable the API.
- */
-export function ensureApi(options: any): Promise<void> {
-  const projectId = needProjectId(options);
-  return ensureApiEnabled.ensure(projectId, secretManagerOrigin(), "secretmanager", true);
-}
-
 /**
  * Validate and transform keys to match the convention recommended by Firebase.
  */
@@ -122,18 +98,39 @@ export async function ensureSecret(
 ): Promise<Secret> {
   try {
     const secret = await getSecret(projectId, name);
-    if (!isFirebaseManaged(secret)) {
+    if (isAppHostingManaged(secret)) {
+      logWarning(
+        "Your secret is managed by Firebase App Hosting. Continuing will disable automatic deletion of old versions.",
+      );
+      const stopTracking = await promptOnce(
+        {
+          name: "doNotTrack",
+          type: "confirm",
+          default: false,
+          message: "Do you wish to continue?",
+        },
+        options,
+      );
+      if (stopTracking) {
+        delete secret.labels[FIREBASE_MANAGED];
+        await patchSecret(secret.projectId, secret.name, secret.labels);
+      } else {
+        throw new Error(
+          "A secret cannot be managed by both Firebase App Hosting and Cloud Functions for Firebase",
+        );
+      }
+    } else if (!isFunctionsManaged(secret)) {
       if (!options.force) {
         logWarning(
-          "Your secret is not managed by Firebase. " +
+          "Your secret is not managed by Cloud Functions for Firebase. " +
             "Firebase managed secrets are automatically pruned to reduce your monthly cost for using Secret Manager. ",
         );
         const confirm = await promptOnce(
           {
             name: "updateLabels",
             type: "confirm",
             default: true,
-            message: `Would you like to have your secret ${secret.name} managed by Firebase?`,
+            message: `Would you like to have your secret ${secret.name} managed by Cloud Functions for Firebase?`,
           },
           options,
         );

src/gcp/secretManager.ts

@@ -4,6 +4,8 @@ import { logLabeledSuccess } from "../utils";
 import { FirebaseError } from "../error";
 import { Client } from "../apiv2";
 import { secretManagerOrigin } from "../api";
+import * as ensureApiEnabled from "../ensureApiEnabled";
+import { needProjectId } from "../projectUtils";
 
 // Matches projects/{PROJECT}/secrets/{SECRET}
 const SECRET_NAME_REGEX = new RegExp(
@@ -25,11 +27,30 @@ export interface Secret {
   name: string;
   // This is either projectID or number
   projectId: string;
-  labels?: Record<string, string>;
+  labels: Record<string, string>;
+  replication: Replication;
+}
+
+export interface WireSecret {
+  name: string;
+  labels: Record<string, string>;
+  replication: Replication;
 }
 
 type SecretVersionState = "STATE_UNSPECIFIED" | "ENABLED" | "DISABLED" | "DESTROYED";
 
+export interface Replication {
+  automatic?: {};
+  userManaged?: {
+    replicas: Array<{
+      location: string;
+      customerManagedEncryption?: {
+        kmsKeyName: string;
+      };
+    }>;
+  };
+}
+
 export interface SecretVersion {
   secret: Secret;
   versionId: string;
@@ -40,7 +61,7 @@ export interface SecretVersion {
 
 interface CreateSecretRequest {
   name: string;
-  replication: { automatic: {} };
+  replication: Replication;
   labels: Record<string, string>;
 }
 
@@ -68,17 +89,18 @@ const client = new Client({ urlPrefix: secretManagerOrigin(), apiVersion: API_VE
  * Returns secret resource of given name in the project.
  */
 export async function getSecret(projectId: string, name: string): Promise<Secret> {
-  const getRes = await client.get<Secret>(`projects/${projectId}/secrets/${name}`);
+  const getRes = await client.get<WireSecret>(`projects/${projectId}/secrets/${name}`);
   const secret = parseSecretResourceName(getRes.body.name);
   secret.labels = getRes.body.labels ?? {};
+  secret.replication = getRes.body.replication ?? {};
   return secret;
 }
 
 /**
  * Lists all secret resources associated with a project.
  */
 export async function listSecrets(projectId: string, filter?: string): Promise<Secret[]> {
-  type Response = { secrets: Secret[]; nextPageToken?: string };
+  type Response = { secrets: WireSecret[]; nextPageToken?: string };
   const secrets: Secret[] = [];
   const path = `projects/${projectId}/secrets`;
   const baseOpts = filter ? { queryParams: { filter } } : {};
@@ -95,6 +117,7 @@ export async function listSecrets(projectId: string, filter?: string): Promise<S
       secrets.push({
         ...parseSecretResourceName(s.name),
         labels: s.labels ?? {},
+        replication: s.replication ?? {},
       });
     }
 
@@ -238,6 +261,8 @@ export function parseSecretResourceName(resourceName: string): Secret {
   return {
     projectId: match.groups.project,
     name: match.groups.secret,
+    labels: {},
+    replication: {},
   };
 }
 
@@ -253,6 +278,8 @@ export function parseSecretVersionResourceName(resourceName: string): SecretVers
     secret: {
       projectId: match.groups.project,
       name: match.groups.secret,
+      labels: {},
+      replication: {},
     },
     versionId: match.groups.version,
   };
@@ -272,21 +299,36 @@ export async function createSecret(
   projectId: string,
   name: string,
   labels: Record<string, string>,
+  location?: string,
 ): Promise<Secret> {
+  let replication: CreateSecretRequest["replication"];
+  if (location) {
+    replication = {
+      userManaged: {
+        replicas: [
+          {
+            location,
+          },
+        ],
+      },
+    };
+  } else {
+    replication = { automatic: {} };
+  }
+
   const createRes = await client.post<CreateSecretRequest, Secret>(
     `projects/${projectId}/secrets`,
     {
       name,
-      replication: {
-        automatic: {},
-      },
+      replication,
       labels,
     },
     { queryParams: { secretId: name } },
   );
   return {
     ...parseSecretResourceName(createRes.body.name),
     labels,
+    replication,
   };
 }
 
@@ -299,12 +341,16 @@ export async function patchSecret(
   labels: Record<string, string>,
 ): Promise<Secret> {
   const fullName = `projects/${projectId}/secrets/${name}`;
-  const res = await client.patch<Omit<Secret, "projectId">, Secret>(
+  const res = await client.patch<Omit<WireSecret, "replication">, WireSecret>(
     fullName,
     { name: fullName, labels },
     { queryParams: { updateMask: "labels" } }, // Only allow patching labels for now.
   );
-  return parseSecretResourceName(res.body.name);
+  return {
+    ...parseSecretResourceName(res.body.name),
+    labels: res.body.labels,
+    replication: res.body.replication,
+  };
 }
 
 /**
@@ -340,7 +386,9 @@ export async function addVersion(
 /**
  * Returns IAM policy of a secret resource.
  */
-export async function getIamPolicy(secret: Secret): Promise<iam.Policy> {
+export async function getIamPolicy(
+  secret: Pick<Secret, "projectId" | "name">,
+): Promise<iam.Policy> {
   const res = await client.get<iam.Policy>(
     `projects/${secret.projectId}/secrets/${secret.name}:getIamPolicy`,
   );
@@ -350,7 +398,10 @@ export async function getIamPolicy(secret: Secret): Promise<iam.Policy> {
 /**
  * Sets IAM policy on a secret resource.
  */
-export async function setIamPolicy(secret: Secret, bindings: iam.Binding[]): Promise<void> {
+export async function setIamPolicy(
+  secret: Pick<Secret, "projectId" | "name">,
+  bindings: iam.Binding[],
+): Promise<void> {
   await client.post<{ policy: Partial<iam.Policy>; updateMask: string }, iam.Policy>(
     `projects/${secret.projectId}/secrets/${secret.name}:setIamPolicy`,
     {
@@ -366,7 +417,7 @@ export async function setIamPolicy(secret: Secret, bindings: iam.Binding[]): Pro
  * Ensure that given service agents have the given IAM role on the secret resource.
  */
 export async function ensureServiceAgentRole(
-  secret: Secret,
+  secret: Pick<Secret, "projectId" | "name">,
   serviceAccountEmails: string[],
   role: string,
 ): Promise<void> {
@@ -399,3 +450,40 @@ export async function ensureServiceAgentRole(
     } to ${serviceAccountEmails.join(", ")}`,
   );
 }
+
+export const FIREBASE_MANAGED = "firebase-managed";
+
+/**
+ * Returns true if secret is managed by Cloud Functions for Firebase.
+ * This used to be firebase-managed: true, but was later changed to firebase-managed: functions to
+ * improve readability.
+ */
+export function isFunctionsManaged(secret: Secret): boolean {
+  return (
+    secret.labels[FIREBASE_MANAGED] === "true" || secret.labels[FIREBASE_MANAGED] === "functions"
+  );
+}
+
+/**
+ * Returns true if secret is managed by Firebase App Hosting.
+ */
+export function isAppHostingManaged(secret: Secret): boolean {
+  return secret.labels[FIREBASE_MANAGED] === "apphosting";
+}
+
+/**
+ * Utility used in the "before" command annotation to enable the API.
+ */
+
+export function ensureApi(options: any): Promise<void> {
+  const projectId = needProjectId(options);
+  return ensureApiEnabled.ensure(projectId, secretManagerOrigin(), "secretmanager", true);
+}
+/**
+ * Return labels to mark secret as managed by Firebase.
+ * @internal
+ */
+
+export function labels(product: "functions" | "apphosting" = "functions"): Record<string, string> {
+  return { [FIREBASE_MANAGED]: product };
+}

src/init/features/apphosting/secrets.ts

@@ -43,7 +43,7 @@ export async function grantSecretAccess(
     );
   }
 
-  const secret: secretManager.Secret = {
+  const secret = {
     projectId: projectId,
     name: secretName,
   };
@@ -56,6 +56,8 @@ export async function grantSecretAccess(
         `serviceAccount:${serviceAccounts.runServiceAccount}`,
       ],
     },
+    // Cloud Build needs the viewer role so that it can list secret versions and pin the Build to the
+    // latest version.
     {
       role: "roles/secretmanager.viewer",
       members: [`serviceAccount:${serviceAccounts.buildServiceAccount}`],
@@ -73,6 +75,7 @@ export async function grantSecretAccess(
   }
 
   try {
+    // TODO: Merge with existing bindings with the same role
     const updatedBindings = existingBindings.concat(newBindings);
     await secretManager.setIamPolicy(secret, updatedBindings);
   } catch (err: any) {

src/test/apphosting/secrets/index.spec.ts

@@ -0,0 +1,162 @@
+import { expect } from "chai";
+import * as sinon from "sinon";
+
+import * as secrets from "../../../apphosting/secrets";
+import * as gcsmImport from "../../../gcp/secretManager";
+import * as utilsImport from "../../../utils";
+import * as promptImport from "../../../prompt";
+
+describe("secrets", () => {
+  describe("upsertSecret", () => {
+    let gcsm: sinon.SinonStubbedInstance<typeof gcsmImport>;
+    let utils: sinon.SinonStubbedInstance<typeof utilsImport>;
+    let prompt: sinon.SinonStubbedInstance<typeof promptImport>;
+
+    beforeEach(() => {
+      gcsm = sinon.stub(gcsmImport);
+      utils = sinon.stub(utilsImport);
+      prompt = sinon.stub(promptImport);
+      gcsm.isFunctionsManaged.restore();
+      gcsm.labels.restore();
+    });
+
+    afterEach(() => {
+      sinon.verifyAndRestore();
+    });
+
+    it("errors if a user tries to change replication policies (was global)", async () => {
+      gcsm.getSecret.withArgs("project", "secret").resolves({
+        name: "secret",
+        projectId: "project",
+        labels: gcsm.labels("apphosting"),
+        replication: {
+          automatic: {},
+        },
+      });
+      await expect(secrets.upsertSecret("project", "secret", "us-central1")).to.eventually.equal(
+        null,
+      );
+      expect(utils.logLabeledError).to.have.been.calledWith(
+        "apphosting",
+        "Secret replication policies cannot be changed after creation",
+      );
+    });
+
+    it("errors if a user tries to change replication policies (was another region)", async () => {
+      gcsm.getSecret.withArgs("project", "secret").resolves({
+        name: "secret",
+        projectId: "project",
+        labels: gcsm.labels("apphosting"),
+        replication: {
+          userManaged: {
+            replicas: [
+              {
+                location: "us-west1",
+              },
+            ],
+          },
+        },
+      });
+      await expect(secrets.upsertSecret("project", "secret", "us-central1")).to.eventually.equal(
+        null,
+      );
+      expect(utils.logLabeledError).to.have.been.calledWith(
+        "apphosting",
+        "Secret replication policies cannot be changed after creation",
+      );
+    });
+
+    it("noops if a secret already exists (location set)", async () => {
+      gcsm.getSecret.withArgs("project", "secret").resolves({
+        name: "secret",
+        projectId: "project",
+        labels: gcsm.labels("apphosting"),
+        replication: {
+          userManaged: {
+            replicas: [
+              {
+                location: "us-central1",
+              },
+            ],
+          },
+        },
+      });
+      await expect(secrets.upsertSecret("project", "secret", "us-central1")).to.eventually.equal(
+        false,
+      );
+      expect(utils.logLabeledError).to.not.have.been.called;
+    });
+
+    it("noops if a secret already exists (automatic replication)", async () => {
+      gcsm.getSecret.withArgs("project", "secret").resolves({
+        name: "secret",
+        projectId: "project",
+        labels: gcsm.labels("apphosting"),
+        replication: {
+          automatic: {},
+        },
+      });
+      await expect(secrets.upsertSecret("project", "secret")).to.eventually.equal(false);
+      expect(utils.logLabeledError).to.not.have.been.called;
+    });
+
+    it("confirms before erasing functions garbage collection (choose yes)", async () => {
+      gcsm.getSecret.withArgs("project", "secret").resolves({
+        name: "secret",
+        projectId: "project",
+        labels: gcsm.labels("functions"),
+        replication: {
+          automatic: {},
+        },
+      });
+      prompt.confirm.resolves(true);
+      await expect(secrets.upsertSecret("project", "secret")).to.eventually.equal(false);
+      expect(utils.logLabeledWarning).to.have.been.calledWith(
+        "apphosting",
+        "Cloud Functions for Firebase currently manages versions of secret. " +
+          "Continuing will disable automatic deletion of old versions.",
+      );
+      expect(prompt.confirm).to.have.been.calledWithMatch({
+        message: "Do you wish to continue?",
+        default: false,
+      });
+      expect(gcsm.patchSecret).to.have.been.calledWithMatch("project", "secret", {});
+    });
+
+    it("confirms before erasing functions garbage collection (choose no)", async () => {
+      gcsm.getSecret.withArgs("project", "secret").resolves({
+        name: "secret",
+        projectId: "project",
+        labels: gcsm.labels("functions"),
+        replication: {
+          automatic: {},
+        },
+      });
+      prompt.confirm.resolves(false);
+      await expect(secrets.upsertSecret("project", "secret")).to.eventually.equal(null);
+      expect(utils.logLabeledWarning).to.have.been.calledWith(
+        "apphosting",
+        "Cloud Functions for Firebase currently manages versions of secret. " +
+          "Continuing will disable automatic deletion of old versions.",
+      );
+      expect(prompt.confirm).to.have.been.calledWithMatch({
+        message: "Do you wish to continue?",
+        default: false,
+      });
+      expect(gcsm.patchSecret).to.not.have.been.called;
+    });
+
+    it("Creates a secret if none exists", async () => {
+      gcsm.getSecret.withArgs("project", "secret").rejects({ status: 404 });
+
+      await expect(secrets.upsertSecret("project", "secret")).to.eventually.equal(true);
+
+      expect(gcsm.createSecret).to.have.been.calledWithMatch(
+        "project",
+        "secret",
+        gcsm.labels("apphosting"),
+        undefined,
+      );
+    });
+  });
+});

src/test/deploy/functions/validate.spec.ts

@@ -544,7 +544,12 @@ describe("validate", () => {
       httpsTrigger: {},
     };
 
-    const secret: secretManager.Secret = { projectId: project, name: "MY_SECRET" };
+    const secret: secretManager.Secret = {
+      projectId: project,
+      name: "MY_SECRET",
+      labels: {},
+      replication: {},
+    };
 
     let secretVersionStub: sinon.SinonStub;
 

src/test/functions/secrets.spec.ts

@@ -81,7 +81,8 @@ describe("functions/secret", () => {
     const secret: secretManager.Secret = {
       projectId: "project-id",
       name: "MY_SECRET",
-      labels: secrets.labels(),
+      labels: secretManager.labels("functions"),
+      replication: {},
     };
 
     let sandbox: sinon.SinonSandbox;
@@ -127,7 +128,7 @@ describe("functions/secret", () => {
     });
 
     it("does not prompt user to have Firebase manage the secret if already managed by Firebase", async () => {
-      getStub.resolves({ ...secret, labels: secrets.labels() });
+      getStub.resolves({ ...secret, labels: secretManager.labels() });
       patchStub.resolves(secret);
 
       await expect(
@@ -228,6 +229,8 @@ describe("functions/secret", () => {
     const secret1: secretManager.Secret = {
       projectId: "project",
       name: "MY_SECRET1",
+      labels: {},
+      replication: {},
     };
     const secretVersion11: secretManager.SecretVersion = {
       secret: secret1,
@@ -241,6 +244,8 @@ describe("functions/secret", () => {
     const secret2: secretManager.Secret = {
       projectId: "project",
       name: "MY_SECRET2",
+      labels: {},
+      replication: {},
     };
     const secretVersion21: secretManager.SecretVersion = {
       secret: secret2,
@@ -333,6 +338,8 @@ describe("functions/secret", () => {
     const secret: secretManager.Secret = {
       projectId,
       name: "MY_SECRET",
+      labels: {},
+      replication: {},
     };
 
     it("returns true if secret is in use", () => {
@@ -381,6 +388,8 @@ describe("functions/secret", () => {
       secret: {
         projectId,
         name: "MY_SECRET",
+        labels: {},
+        replication: {},
       },
     };
 
@@ -498,6 +507,8 @@ describe("functions/secret", () => {
       secret: {
         projectId,
         name: "MY_SECRET",
+        labels: {},
+        replication: {},
       },
       versionId: "2",
     };

src/test/gcp/secretManager.spec.ts

@@ -11,7 +11,7 @@ describe("secretManager", () => {
     it("parses valid secret resource name", () => {
       expect(
         secretManager.parseSecretResourceName("projects/my-project/secrets/my-secret"),
-      ).to.deep.equal({ projectId: "my-project", name: "my-secret" });
+      ).to.deep.equal({ projectId: "my-project", name: "my-secret", labels: {}, replication: {} });
     });
 
     it("throws given invalid resource name", () => {
@@ -27,7 +27,7 @@ describe("secretManager", () => {
     it("parse secret version resource name", () => {
       expect(
         secretManager.parseSecretResourceName("projects/my-project/secrets/my-secret/versions/8"),
-      ).to.deep.equal({ projectId: "my-project", name: "my-secret" });
+      ).to.deep.equal({ projectId: "my-project", name: "my-secret", labels: {}, replication: {} });
     });
   });
 
@@ -37,7 +37,10 @@ describe("secretManager", () => {
         secretManager.parseSecretVersionResourceName(
           "projects/my-project/secrets/my-secret/versions/7",
         ),
-      ).to.deep.equal({ secret: { projectId: "my-project", name: "my-secret" }, versionId: "7" });
+      ).to.deep.equal({
+        secret: { projectId: "my-project", name: "my-secret", labels: {}, replication: {} },
+        versionId: "7",
+      });
     });
 
     it("throws given invalid resource name", () => {
@@ -59,7 +62,7 @@ describe("secretManager", () => {
 
   describe("ensureServiceAgentRole", () => {
     const projectId = "my-project";
-    const secret: secretManager.Secret = { projectId, name: "my-secret" };
+    const secret = { projectId, name: "my-secret" };
     const role = "test-role";
 
     let getIamPolicyStub: sinon.SinonStub;

src/test/init/apphosting/secrets.spec.ts

@@ -55,7 +55,7 @@ describe("manageSecrets", () => {
 
       await grantSecretAccess(secretName, location, backendId, projectId, projectNumber);
 
-      const secret: secretManager.Secret = {
+      const secret = {
         projectId: projectId,
         name: secretName,
       };