(feat): adds publish support for aws secrets manager and parameter store

cmd/sops/subcommand/publish/publish.go

@@ -137,7 +137,8 @@ func Run(opts Opts) error {
 				return fmt.Errorf("could not read file: %s", err)
 			}
 		}
-	case *publish.VaultDestination:
+	case *publish.VaultDestination, *publish.AWSSecretsManagerDestination, *publish.AWSParameterStoreDestination:
+		// Decrypt for JSON-based storage
 		_, err = common.DecryptTree(common.DecryptTreeOpts{
 			Cipher:          opts.Cipher,
 			IgnoreMac:       false,
@@ -177,7 +178,7 @@ func Run(opts Opts) error {
 	switch dest := conf.Destination.(type) {
 	case *publish.S3Destination, *publish.GCSDestination:
 		err = dest.Upload(fileContents, destinationPath)
-	case *publish.VaultDestination:
+	case *publish.VaultDestination, *publish.AWSSecretsManagerDestination, *publish.AWSParameterStoreDestination:
 		err = dest.UploadUnencrypted(data, destinationPath)
 	}
 

config/config.go

@@ -156,17 +156,22 @@ type azureKVKey struct {
 }
 
 type destinationRule struct {
-	PathRegex        string       `yaml:"path_regex"`
-	S3Bucket         string       `yaml:"s3_bucket"`
-	S3Prefix         string       `yaml:"s3_prefix"`
-	GCSBucket        string       `yaml:"gcs_bucket"`
-	GCSPrefix        string       `yaml:"gcs_prefix"`
-	VaultPath        string       `yaml:"vault_path"`
-	VaultAddress     string       `yaml:"vault_address"`
-	VaultKVMountName string       `yaml:"vault_kv_mount_name"`
-	VaultKVVersion   int          `yaml:"vault_kv_version"`
-	RecreationRule   creationRule `yaml:"recreation_rule,omitempty"`
-	OmitExtensions   bool         `yaml:"omit_extensions"`
+	PathRegex                   string       `yaml:"path_regex"`
+	S3Bucket                    string       `yaml:"s3_bucket"`
+	S3Prefix                    string       `yaml:"s3_prefix"`
+	GCSBucket                   string       `yaml:"gcs_bucket"`
+	GCSPrefix                   string       `yaml:"gcs_prefix"`
+	VaultPath                   string       `yaml:"vault_path"`
+	VaultAddress                string       `yaml:"vault_address"`
+	VaultKVMountName            string       `yaml:"vault_kv_mount_name"`
+	VaultKVVersion              int          `yaml:"vault_kv_version"`
+	RecreationRule              creationRule `yaml:"recreation_rule,omitempty"`
+	OmitExtensions              bool         `yaml:"omit_extensions"`
+	AWSSecretsManagerRegion     string       `yaml:"aws_secrets_manager_region"`
+	AWSSecretsManagerSecretName string       `yaml:"aws_secrets_manager_secret_name"`
+	AWSParameterStoreRegion     string       `yaml:"aws_parameter_store_region"`
+	AWSParameterStorePath       string       `yaml:"aws_parameter_store_path"`
+	AWSParameterStoreType       string       `yaml:"aws_parameter_store_type"`
 }
 
 type creationRule struct {
@@ -519,6 +524,13 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
 		destinationCount++
 	}
 
+	if dRule.AWSSecretsManagerRegion != "" {
+		destinationCount++
+	}
+	if dRule.AWSParameterStoreRegion != "" {
+		destinationCount++
+	}
+
 	if destinationCount > 1 {
 		return nil, fmt.Errorf("error loading config: more than one destinations were found in a single destination rule, you can only use one per rule")
 	}
@@ -531,6 +543,12 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
 	if dRule.VaultPath != "" {
 		dest = publish.NewVaultDestination(dRule.VaultAddress, dRule.VaultPath, dRule.VaultKVMountName, dRule.VaultKVVersion)
 	}
+	if dRule.AWSSecretsManagerRegion != "" {
+		dest = publish.NewAWSSecretsManagerDestination(dRule.AWSSecretsManagerRegion, dRule.AWSSecretsManagerSecretName)
+	}
+	if dRule.AWSParameterStoreRegion != "" {
+		dest = publish.NewAWSParameterStoreDestination(dRule.AWSParameterStoreRegion, dRule.AWSParameterStorePath, dRule.AWSParameterStoreType)
+	}
 
 	config, err := configFromRule(rule, kmsEncryptionContext)
 	if err != nil {

config/config_aws_test.go

@@ -0,0 +1,123 @@
+package config
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var sampleConfigWithAWSSecretsManagerDestinationRules = []byte(`
+creation_rules:
+  - path_regex: foobar*
+    kms: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+destination_rules:
+  - aws_secrets_manager_region: "us-east-1"
+    aws_secrets_manager_secret_name: "myapp/database"
+    path_regex: "^secrets/.*"
+  - aws_secrets_manager_region: "us-west-2"
+    path_regex: "^west-secrets/.*"
+`)
+
+var sampleConfigWithAWSParameterStoreDestinationRules = []byte(`
+creation_rules:
+  - path_regex: foobar*
+    kms: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+destination_rules:
+  - aws_parameter_store_region: "us-east-1"
+    aws_parameter_store_path: "/myapp/config"
+    aws_parameter_store_type: "SecureString"
+    path_regex: "^parameters/.*"
+  - aws_parameter_store_region: "us-west-2"
+    aws_parameter_store_path: "/myapp/west/"
+    aws_parameter_store_type: "String"
+    path_regex: "^west-parameters/.*"
+`)
+
+var sampleConfigWithMixedAWSDestinationRules = []byte(`
+creation_rules:
+  - path_regex: foobar*
+    kms: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+destination_rules:
+  - aws_secrets_manager_region: "us-east-1"
+    aws_secrets_manager_secret_name: "myapp/database"
+    path_regex: "^secrets/.*"
+  - aws_parameter_store_region: "us-east-1"
+    aws_parameter_store_path: "/myapp/config"
+    path_regex: "^parameters/.*"
+  - s3_bucket: "mybucket"
+    path_regex: "^s3/.*"
+`)
+
+func TestLoadConfigFileWithAWSSecretsManagerDestinationRules(t *testing.T) {
+	conf, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithAWSSecretsManagerDestinationRules, t), "secrets/database.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	path := conf.Destination.Path("database.yaml")
+	assert.Contains(t, path, "arn:aws:secretsmanager:us-east-1:*:secret:myapp/database")
+
+	// Test with region but no specific secret name - this should match the second rule
+	conf, err = parseDestinationRuleForFile(parseConfigFile(sampleConfigWithAWSSecretsManagerDestinationRules, t), "west-secrets/api.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	path = conf.Destination.Path("api.yaml")
+	assert.Contains(t, path, "arn:aws:secretsmanager:us-west-2:*:secret:api.yaml")
+}
+
+func TestLoadConfigFileWithAWSParameterStoreDestinationRules(t *testing.T) {
+	conf, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithAWSParameterStoreDestinationRules, t), "parameters/app.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Equal(t, "/myapp/config", conf.Destination.Path("app.yaml"))
+
+	// Test with path ending with slash
+	conf, err = parseDestinationRuleForFile(parseConfigFile(sampleConfigWithAWSParameterStoreDestinationRules, t), "west-parameters/config.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Equal(t, "/myapp/west/config.yaml", conf.Destination.Path("config.yaml"))
+}
+
+func TestLoadConfigFileWithMixedAWSDestinationRules(t *testing.T) {
+	// Test AWS Secrets Manager
+	conf, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithMixedAWSDestinationRules, t), "secrets/database.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Contains(t, conf.Destination.Path("database.yaml"), "arn:aws:secretsmanager:us-east-1:*:secret:myapp/database")
+
+	// Test AWS Parameter Store
+	conf, err = parseDestinationRuleForFile(parseConfigFile(sampleConfigWithMixedAWSDestinationRules, t), "parameters/config.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Equal(t, "/myapp/config", conf.Destination.Path("config.yaml"))
+
+	// Test S3
+	conf, err = parseDestinationRuleForFile(parseConfigFile(sampleConfigWithMixedAWSDestinationRules, t), "s3/backup.yaml", nil)
+	assert.Nil(t, err)
+	assert.NotNil(t, conf.Destination)
+	assert.Contains(t, conf.Destination.Path("backup.yaml"), "s3://mybucket/backup.yaml")
+}
+
+func TestValidateMultipleDestinationsInRule(t *testing.T) {
+	invalidConfig := []byte(`
+destination_rules:
+  - aws_secrets_manager_region: "us-east-1"
+    aws_parameter_store_region: "us-east-1"
+    path_regex: "^invalid/.*"
+`)
+
+	_, err := parseDestinationRuleForFile(parseConfigFile(invalidConfig, t), "invalid/test.yaml", nil)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "more than one destinations were found")
+}
+
+func TestValidateConflictingAWSDestinations(t *testing.T) {
+	invalidConfig := []byte(`
+destination_rules:
+  - aws_secrets_manager_region: "us-east-1"
+    s3_bucket: "mybucket"
+    path_regex: "^invalid/.*"
+`)
+
+	_, err := parseDestinationRuleForFile(parseConfigFile(invalidConfig, t), "invalid/test.yaml", nil)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "more than one destinations were found")
+}

config/config_test.go

@@ -879,3 +879,114 @@ destination_rules:
 	assert.NotNil(t, conf.Destination)
 	assert.Contains(t, conf.Destination.Path("secrets.yaml"), "https://vault.example.com/v1/secret/data/secret/sops/secrets.yaml")
 }
+
+func TestDestinationValidationAWSSecretsManagerConflicts(t *testing.T) {
+	testCases := []struct {
+		name   string
+		config []byte
+	}{
+		{
+			name: "AWS Secrets Manager + GCS conflict",
+			config: []byte(`
+destination_rules:
+  - aws_secrets_manager_region: "us-east-1"
+    gcs_bucket: "my-gcs-bucket"
+    path_regex: "^test/.*"
+`),
+		},
+		{
+			name: "AWS Secrets Manager + Vault conflict",
+			config: []byte(`
+destination_rules:
+  - aws_secrets_manager_region: "us-east-1"
+    vault_path: "secret/sops"
+    vault_address: "https://vault.example.com"
+    path_regex: "^test/.*"
+`),
+		},
+		{
+			name: "AWS Secrets Manager + AWS Parameter Store conflict",
+			config: []byte(`
+destination_rules:
+  - aws_secrets_manager_region: "us-east-1"
+    aws_parameter_store_region: "us-east-1"
+    path_regex: "^test/.*"
+`),
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := parseDestinationRuleForFile(parseConfigFile(tc.config, t), "test/secrets.yaml", nil)
+			assert.NotNil(t, err, "Expected error for %s", tc.name)
+			if err != nil {
+				assert.Contains(t, err.Error(), "more than one destinations were found")
+			}
+		})
+	}
+}
+
+func TestDestinationValidationAWSParameterStoreConflicts(t *testing.T) {
+	testCases := []struct {
+		name   string
+		config []byte
+	}{
+		{
+			name: "AWS Parameter Store + S3 conflict",
+			config: []byte(`
+destination_rules:
+  - aws_parameter_store_region: "us-east-1"
+    s3_bucket: "my-s3-bucket"
+    path_regex: "^test/.*"
+`),
+		},
+		{
+			name: "AWS Parameter Store + GCS conflict",
+			config: []byte(`
+destination_rules:
+  - aws_parameter_store_region: "us-east-1"
+    gcs_bucket: "my-gcs-bucket"
+    path_regex: "^test/.*"
+`),
+		},
+		{
+			name: "AWS Parameter Store + Vault conflict",
+			config: []byte(`
+destination_rules:
+  - aws_parameter_store_region: "us-east-1"
+    vault_path: "secret/sops"
+    vault_address: "https://vault.example.com"
+    path_regex: "^test/.*"
+`),
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := parseDestinationRuleForFile(parseConfigFile(tc.config, t), "test/secrets.yaml", nil)
+			assert.NotNil(t, err, "Expected error for %s", tc.name)
+			if err != nil {
+				assert.Contains(t, err.Error(), "more than one destinations were found")
+			}
+		})
+	}
+}
+
+func TestDestinationValidationAllFiveDestinationsConflict(t *testing.T) {
+	invalidConfig := []byte(`
+destination_rules:
+  - aws_secrets_manager_region: "us-east-1"
+    aws_parameter_store_region: "us-east-1"
+    s3_bucket: "my-s3-bucket"
+    gcs_bucket: "my-gcs-bucket"
+    vault_path: "secret/sops"
+    vault_address: "https://vault.example.com"
+    path_regex: "^test/.*"
+`)
+
+	_, err := parseDestinationRuleForFile(parseConfigFile(invalidConfig, t), "test/secrets.yaml", nil)
+	assert.NotNil(t, err, "Expected error when all five destinations are specified")
+	if err != nil {
+		assert.Contains(t, err.Error(), "more than one destinations were found")
+	}
+}

go.mod

@@ -10,13 +10,16 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0
 	github.com/ProtonMail/go-crypto v1.3.0
-	github.com/aws/aws-sdk-go-v2 v1.38.1
+	github.com/aws/aws-sdk-go-v2 v1.38.3
 	github.com/aws/aws-sdk-go-v2/config v1.31.2
 	github.com/aws/aws-sdk-go-v2/credentials v1.18.6
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.19.0
 	github.com/aws/aws-sdk-go-v2/service/kms v1.44.2
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.87.1
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.39.2
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.64.2
 	github.com/aws/aws-sdk-go-v2/service/sts v1.38.0
+	github.com/aws/smithy-go v1.23.0
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/fatih/color v1.18.0
 	github.com/getsops/gopgagent v0.0.0-20241224165529-7044f28e491e
@@ -68,8 +71,8 @@ require (
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.0 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.4 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect
@@ -78,7 +81,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.28.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.2 // indirect
-	github.com/aws/smithy-go v1.22.5 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect