Adding support for specifying secrets using a list of strings.

README.md

@@ -41,6 +41,23 @@ provider:
     MYSECRET: /path/to/ssm/secret
 ```
 
+Alternatively, if you would like to reference the secrets by their name in the
+parameter store you can specify the secrets as a list of strings.
+
+```
+provider:
+  environmentSecrets:
+    - MYSECRET
+```
+
+Which is equivalent to:
+
+```
+provider:
+  environmentSecrets:
+    MY_SECRET: MY_SECRET
+```
+
 The plugin will create a json file with all the secrets. In the above example the ciphertext and ARN of the secret located at `path/to/ssm/secret` will be stored in the file under the key `MYSECRET`.
 See example code in [examples](/examples) folder for reference.
 

index.js

@@ -25,12 +25,38 @@ class ServerlessSecretBaker {
     this.serverless = serverless;
   }
 
+  getSecretsConfig() {
+      const environmentSecrets = this.serverless.service.provider.environmentSecrets || [];
+
+      if (Array.isArray(environmentSecrets)) {
+          return environmentSecrets.map((item) => {
+              if (typeof item === 'string') {
+                  return {
+                      name: item,
+                      path: item
+                  }
+              } else {
+                  return item
+              }
+          })
+      } else if (typeof environmentSecrets === 'object') {
+          return Object.entries(environmentSecrets).map(([name, path]) => ({
+              name,
+              path
+          }));
+      }
+      throw new this.serverless.classes.Error(
+          "`environmentSecrets` contained an unexpected value."
+      );
+  }
+
   async writeEnvironmentSecretToFile() {
-    const providerSecrets = this.serverless.service.provider.environmentSecrets || {};
+    const providerSecrets = this.getSecretsConfig()
     const secrets = {};
 
-    for (const name of Object.keys(providerSecrets)) {
-      const param = await this.getParameterFromSsm(providerSecrets[name]);
+
+    for (const {name, path} of providerSecrets) {
+      const param = await this.getParameterFromSsm(path);
 
       if (!param) {
         throw Error(`Unable to load Secret ${name}`);

package.json

@@ -1,6 +1,6 @@
 {
   "name": "serverless-secret-baker",
-  "version": "1.0.3",
+  "version": "1.1.0",
   "description": "Serverless Plugin to store encrypted secrets from SSM as a packaged file availble to your lambdas.",
   "main": "index.js",
   "scripts": {

tests/index.test.js

@@ -85,7 +85,22 @@ describe("ServerlessSecretBaker", () => {
     });
   });
 
-  describe("With Secrets", () => {
+  describe("With secrets in unexpected format", () => {
+    let serverless;
+    let bakedGoods;
+
+    beforeEach(() => {
+      serverless = makeServerless();
+      serverless.service.provider.environmentSecrets = 5;
+      bakedGoods = new ServerlessSecretBaker(serverless);
+    });
+
+    it('should write an empty json object to the output file.', async () => {
+      expect(bakedGoods.writeEnvironmentSecretToFile()).to.be.rejected;
+    });
+  })
+
+  describe("With Secrets Object", () => {
     const expectedSecretName = "MY_SECRET";
     const expectedParameterStoreKey = "PARAMETER STORE KEY";
     const expectedCiphertext = "SECRET VALUE CIPHERTEXT";
@@ -139,6 +154,117 @@ describe("ServerlessSecretBaker", () => {
     });
   });
 
+  describe("With Secrets String Array", () => {
+    const expectedSecretName = "MY_SECRET";
+    const expectedCiphertext = "SECRET VALUE CIPHERTEXT";
+    const expectedArn = "SECRET VALUE CIPHERTEXT";
+
+    let serverless;
+    let bakedGoods;
+
+    beforeEach(() => {
+      serverless = makeServerless();
+      serverless.service.provider.environmentSecrets = [
+        expectedSecretName
+      ];
+      bakedGoods = new ServerlessSecretBaker(serverless);
+      sinon.stub(bakedGoods, "getParameterFromSsm");
+      bakedGoods.getParameterFromSsm.resolves({
+        Value: expectedCiphertext,
+        ARN: expectedArn
+      });
+    });
+
+    it("should write ciphertext for secret to secrets file on package", async () => {
+      await bakedGoods.writeEnvironmentSecretToFile();
+      const secretsJson = fs.writeFileAsync.firstCall.args[1];
+      const secrets = JSON.parse(secretsJson);
+
+      expect(secrets[expectedSecretName].ciphertext).to.equal(
+        expectedCiphertext
+      );
+    });
+
+    it("should write ARN from secret to secrets file on package", async () => {
+      await bakedGoods.writeEnvironmentSecretToFile();
+      const secretsJson = fs.writeFileAsync.firstCall.args[1];
+      const secrets = JSON.parse(secretsJson);
+
+      expect(secrets[expectedSecretName].arn).to.equal(expectedArn);
+    });
+
+    it("should throw an error if the parameter cannot be retrieved", async () => {
+      bakedGoods.getParameterFromSsm.reset();
+      bakedGoods.getParameterFromSsm.resolves(undefined);
+      expect(bakedGoods.writeEnvironmentSecretToFile()).to.be.rejected;
+    });
+
+    it("should call getParameterFromSsm with the correct parameter key", async () => {
+      await bakedGoods.writeEnvironmentSecretToFile();
+      expect(bakedGoods.getParameterFromSsm).to.have.been.calledWith(
+          expectedSecretName
+      );
+    });
+  });
+
+  describe("With Secrets Object Array", () => {
+    const expectedSecretName = "MY_SECRET";
+    const expectedParameterStoreKey = "MY_PARAMETER_STORE_KEY"
+    const expectedCiphertext = "SECRET VALUE CIPHERTEXT";
+    const expectedArn = "SECRET VALUE CIPHERTEXT";
+
+    let serverless;
+    let bakedGoods;
+
+    beforeEach(() => {
+      serverless = makeServerless();
+      serverless.service.provider.environmentSecrets = [
+          {
+              name: expectedSecretName,
+              path: expectedParameterStoreKey
+          }
+
+      ];
+      bakedGoods = new ServerlessSecretBaker(serverless);
+      sinon.stub(bakedGoods, "getParameterFromSsm");
+      bakedGoods.getParameterFromSsm.resolves({
+        Value: expectedCiphertext,
+        ARN: expectedArn
+      });
+    });
+
+    it("should write ciphertext for secret to secrets file on package", async () => {
+      await bakedGoods.writeEnvironmentSecretToFile();
+      const secretsJson = fs.writeFileAsync.firstCall.args[1];
+      const secrets = JSON.parse(secretsJson);
+
+      expect(secrets[expectedSecretName].ciphertext).to.equal(
+        expectedCiphertext
+      );
+    });
+
+    it("should write ARN from secret to secrets file on package", async () => {
+      await bakedGoods.writeEnvironmentSecretToFile();
+      const secretsJson = fs.writeFileAsync.firstCall.args[1];
+      const secrets = JSON.parse(secretsJson);
+
+      expect(secrets[expectedSecretName].arn).to.equal(expectedArn);
+    });
+
+    it("should throw an error if the parameter cannot be retrieved", async () => {
+      bakedGoods.getParameterFromSsm.reset();
+      bakedGoods.getParameterFromSsm.resolves(undefined);
+      expect(bakedGoods.writeEnvironmentSecretToFile()).to.be.rejected;
+    });
+
+    it("should call getParameterFromSsm with the correct parameter key", async () => {
+      await bakedGoods.writeEnvironmentSecretToFile();
+      expect(bakedGoods.getParameterFromSsm).to.have.been.calledWith(
+          expectedParameterStoreKey
+      );
+    });
+  });
+
   describe("getParameterFromSsm", () => {
     let bakedGoods;
     let getProviderStub;