feat: add --all flag to remove all secrets in sandbox (#2423)

fossamagna · web-flow · commit cf79696e18e0 · 2025-03-12T18:03:48.000+01:00
* feat: enhance sandbox secret removal command to support removing all secrets

* feat: add removeSecrets method to SecretClient and update related tests

* chore: update changeset

* fix: improve error handling in SandboxSecretRemoveCommand and update tests
diff --git a/.changeset/slow-yaks-matter.md b/.changeset/slow-yaks-matter.md
@@ -0,0 +1,6 @@
+---
+'@aws-amplify/backend-cli': minor
+'@aws-amplify/backend-secret': minor
+---
+
+feat: add --all flag to remove all secrets in sandbox
diff --git a/packages/backend-secret/API.md b/packages/backend-secret/API.md
@@ -26,6 +26,7 @@ export type SecretClient = {
     listSecrets: (backendIdentifier: BackendIdentifier | AppId) => Promise<SecretListItem[]>;
     setSecret: (backendIdentifier: BackendIdentifier | AppId, secretName: string, secretValue: string) => Promise<SecretIdentifier>;
     removeSecret: (backendIdentifier: BackendIdentifier | AppId, secretName: string) => Promise<void>;
+    removeSecrets: (backendIdentifier: BackendIdentifier | AppId, secretNames: string[]) => Promise<void>;
 };
 
 // @public
diff --git a/packages/backend-secret/src/secret.ts b/packages/backend-secret/src/secret.ts
@@ -62,6 +62,14 @@ export type SecretClient = {
     backendIdentifier: BackendIdentifier | AppId,
     secretName: string
   ) => Promise<void>;
+
+  /**
+   * Remove secrets.
+   */
+  removeSecrets: (
+    backendIdentifier: BackendIdentifier | AppId,
+    secretNames: string[]
+  ) => Promise<void>;
 };
 
 /**
diff --git a/packages/backend-secret/src/ssm_secret.test.ts b/packages/backend-secret/src/ssm_secret.test.ts
@@ -262,6 +262,82 @@ void describe('SSMSecret', () => {
     });
   });
 
+  void describe('removeSecrets', () => {
+    const ssmClient = new SSM();
+    const ssmSecretClient = new SSMSecretClient(ssmClient);
+    const testSecretName2 = 'testSecretName2';
+    const testSecretFullNamePath2 = `${testBranchPath}/${testSecretName2}`;
+    const testSharedSecretFullNamePath2 = `${testSharedPath}/${testSecretName2}`;
+
+    void it('removes branch secrets', async () => {
+      const mockDeleteParameters = mock.method(
+        ssmClient,
+        'deleteParameters',
+        () =>
+          Promise.resolve({
+            DeletedParameters: [
+              testBranchSecretFullNamePath,
+              testSecretFullNamePath2,
+            ],
+          })
+      );
+
+      await ssmSecretClient.removeSecrets(testBackendIdentifier, [
+        testSecretName,
+        testSecretName2,
+      ]);
+      assert.deepStrictEqual(mockDeleteParameters.mock.calls[0].arguments[0], {
+        Names: [testBranchSecretFullNamePath, testSecretFullNamePath2],
+      });
+    });
+
+    void it('removes shared secrets', async () => {
+      const mockDeleteParameters = mock.method(
+        ssmClient,
+        'deleteParameters',
+        () =>
+          Promise.resolve({
+            DeletedParameters: [
+              testBranchSecretFullNamePath,
+              testSecretFullNamePath2,
+            ],
+          })
+      );
+
+      await ssmSecretClient.removeSecrets(testBackendId, [
+        testSecretName,
+        testSecretName2,
+      ]);
+      assert.deepStrictEqual(mockDeleteParameters.mock.calls[0].arguments[0], {
+        Names: [testSharedSecretFullNamePath, testSharedSecretFullNamePath2],
+      });
+    });
+
+    void it('does not remove invalid secrets', async () => {
+      const mockDeleteParameters = mock.method(
+        ssmClient,
+        'deleteParameters',
+        () =>
+          Promise.resolve({
+            DeletedParameters: [testBranchSecretFullNamePath],
+            InvalidParameters: [testSecretFullNamePath2],
+          })
+      );
+
+      await assert.rejects(
+        () =>
+          ssmSecretClient.removeSecrets(testBackendIdentifier, [
+            testSecretName,
+            testSecretName2,
+          ]),
+        new SecretError(`Failed to remove secrets: ${testSecretFullNamePath2}`)
+      );
+      assert.deepStrictEqual(mockDeleteParameters.mock.calls[0].arguments[0], {
+        Names: [testBranchSecretFullNamePath, testSecretFullNamePath2],
+      });
+    });
+  });
+
   void describe('listSecrets', () => {
     const ssmClient = new SSM();
     const ssmSecretClient = new SSMSecretClient(ssmClient);
diff --git a/packages/backend-secret/src/ssm_secret.ts b/packages/backend-secret/src/ssm_secret.ts
@@ -145,4 +145,34 @@ export class SSMSecretClient implements SecretClient {
       throw SecretError.createInstance(err as Error);
     }
   };
+
+  /**
+   * Remove secrets from SSM parameter store.
+   */
+  public removeSecrets = async (
+    backendIdentifier: BackendIdentifier | AppId,
+    secretNames: string[]
+  ) => {
+    const names = secretNames.map((secretName) =>
+      ParameterPathConversions.toParameterFullPath(
+        backendIdentifier,
+        secretName
+      )
+    );
+    try {
+      const resp = await this.ssmClient.deleteParameters({
+        Names: names,
+      });
+      if (resp.InvalidParameters && resp.InvalidParameters.length > 0) {
+        throw new SecretError(
+          `Failed to remove secrets: ${resp.InvalidParameters.join(', ')}`
+        );
+      }
+    } catch (err) {
+      if (err instanceof SecretError) {
+        throw err;
+      }
+      throw SecretError.createInstance(err as Error);
+    }
+  };
 }
diff --git a/packages/backend-secret/src/ssm_secret_with_amplify_error_handling.ts b/packages/backend-secret/src/ssm_secret_with_amplify_error_handling.ts
@@ -73,6 +73,23 @@ export class SSMSecretClientWithAmplifyErrorHandling implements SecretClient {
     }
   };
 
+  /**
+   * Remove secrets from SSM parameter store.
+   */
+  public removeSecrets = async (
+    backendIdentifier: BackendIdentifier | AppId,
+    secretNames: string[]
+  ) => {
+    try {
+      return await this.secretClient.removeSecrets(
+        backendIdentifier,
+        secretNames
+      );
+    } catch (e) {
+      throw this.translateToAmplifyError(e, 'Remove');
+    }
+  };
+
   private translateToAmplifyError = (
     error: unknown,
     apiName: string,
diff --git a/packages/cli/src/commands/sandbox/sandbox-secret/sandbox_secret_remove_command.test.ts b/packages/cli/src/commands/sandbox/sandbox-secret/sandbox_secret_remove_command.test.ts
@@ -8,6 +8,7 @@ import { SandboxSecretRemoveCommand } from './sandbox_secret_remove_command.js';
 import { printer } from '@aws-amplify/cli-core';
 
 const testSecretName = 'testSecretName';
+const testSecretName2 = 'testSecretName2';
 const testBackendId = 'testBackendId';
 const testSandboxName = 'testSandboxName';
 
@@ -18,6 +19,14 @@ void describe('sandbox secret remove command', () => {
     'removeSecret',
     (): Promise<void> => Promise.resolve()
   );
+  const secretsRemoveMock = mock.method(
+    secretClient,
+    'removeSecrets',
+    (): Promise<void> => Promise.resolve()
+  );
+  const listSecretsMock = mock.method(secretClient, 'listSecrets', () =>
+    Promise.resolve([{ name: testSecretName }, { name: testSecretName2 }])
+  );
   const printMock = mock.method(printer, 'print');
 
   const sandboxIdResolver: SandboxBackendIdResolver = {
@@ -77,13 +86,49 @@ void describe('sandbox secret remove command', () => {
     ]);
   });
 
+  void it('remove all secrets', async () => {
+    await commandRunner.runCommand('remove --all');
+    assert.equal(listSecretsMock.mock.callCount(), 1);
+    assert.deepStrictEqual(listSecretsMock.mock.calls[0].arguments, [
+      {
+        type: 'sandbox',
+        namespace: testBackendId,
+        name: testSandboxName,
+      },
+    ]);
+
+    assert.equal(secretsRemoveMock.mock.callCount(), 1);
+    assert.deepStrictEqual(secretsRemoveMock.mock.calls[0].arguments, [
+      {
+        type: 'sandbox',
+        namespace: testBackendId,
+        name: testSandboxName,
+      },
+      [testSecretName, testSecretName2],
+    ]);
+    assert.equal(
+      printMock.mock.calls[0].arguments,
+      'Successfully removed all secrets'
+    );
+  });
+
   void it('show --help', async () => {
     const output = await commandRunner.runCommand('remove --help');
     assert.match(output, /Remove a sandbox secret/);
   });
 
-  void it('throws error if no secret name argument', async () => {
-    const output = await commandRunner.runCommand('remove');
-    assert.match(output, /Not enough non-option arguments/);
+  void it('throws error if no secret name argument and all flag', async () => {
+    const output = await commandRunner.runCommand(`remove`);
+    [
+      /InvalidCommandInputError: Either secret-name or all flag must be provided/,
+      /Resolution: Provide either secret-name or all flag/,
+    ].forEach((cmd) => assert.match(output, new RegExp(cmd)));
+  });
+
+  void it('throws error if both --all flag and secret-name argument', async () => {
+    assert.match(
+      await commandRunner.runCommand(`remove ${testSecretName} --all`),
+      /Arguments all and secret-name are mutually exclusive/
+    );
   });
 });
diff --git a/packages/cli/src/commands/sandbox/sandbox-secret/sandbox_secret_remove_command.ts b/packages/cli/src/commands/sandbox/sandbox-secret/sandbox_secret_remove_command.ts
@@ -4,6 +4,7 @@ import { SandboxBackendIdResolver } from '../sandbox_id_resolver.js';
 import { ArgumentsKebabCase } from '../../../kebab_case.js';
 import { SandboxCommandGlobalOptions } from '../option_types.js';
 import { printer } from '@aws-amplify/cli-core';
+import { AmplifyUserError } from '@aws-amplify/platform-core';
 
 /**
  * Command to remove sandbox secret.
@@ -28,7 +29,7 @@ export class SandboxSecretRemoveCommand
     private readonly sandboxIdResolver: SandboxBackendIdResolver,
     private readonly secretClient: SecretClient
   ) {
-    this.command = 'remove <secret-name>';
+    this.command = 'remove [secret-name]';
     this.describe = 'Remove a sandbox secret';
   }
 
@@ -41,28 +42,55 @@ export class SandboxSecretRemoveCommand
     const sandboxBackendIdentifier = await this.sandboxIdResolver.resolve(
       args.identifier
     );
-    await this.secretClient.removeSecret(
-      sandboxBackendIdentifier,
-      args.secretName
-    );
-
-    printer.print(`Successfully removed secret ${args.secretName}`);
+    if (args.secretName) {
+      await this.secretClient.removeSecret(
+        sandboxBackendIdentifier,
+        args.secretName
+      );
+      printer.print(`Successfully removed secret ${args.secretName}`);
+    } else if (args.all) {
+      const secrets = await this.secretClient.listSecrets(
+        sandboxBackendIdentifier
+      );
+      const names = secrets.map((secret) => secret.name);
+      await this.secretClient.removeSecrets(sandboxBackendIdentifier, names);
+      printer.print('Successfully removed all secrets');
+    }
   };
 
   /**
    * @inheritDoc
    */
   builder = (yargs: Argv): Argv<SecretRemoveCommandOptionsKebabCase> => {
-    return yargs.positional('secret-name', {
-      describe: 'Name of the secret to remove',
-      type: 'string',
-      demandOption: true,
-    });
+    return yargs
+      .option('all', {
+        describe: 'Remove all secrets',
+        type: 'boolean',
+        conflicts: ['secret-name'],
+      })
+      .positional('secret-name', {
+        describe: 'Name of the secret to remove',
+        type: 'string',
+        demandOption: false,
+      })
+      .check((argv) => {
+        if (!argv.all && !argv['secret-name']) {
+          throw new AmplifyUserError('InvalidCommandInputError', {
+            message: 'Either secret-name or all flag must be provided',
+            resolution: 'Provide either secret-name or all flag',
+          });
+        }
+        return true;
+      });
   };
 }
 
 type SecretRemoveCommandOptionsKebabCase = ArgumentsKebabCase<
   {
-    secretName: string;
+    secretName: string | undefined;
+    /**
+     * Optional flag to remove all secrets.
+     */
+    all?: boolean;
   } & SandboxCommandGlobalOptions
 >;
