fix: add retained secrets to syncSecretDeltas (#13300)

* fix: add retained secrets to syncSecretDeltas

* test: add e2e test

* chore: revert yarn bump

Author: rtpascual

packages/amplify-category-function/src/provider-utils/awscloudformation/secrets/functionSecretsStateManager.ts

@@ -100,7 +100,11 @@ export class FunctionSecretsStateManager {
       return;
     }
     const cloudSecretNames = await this.getCloudFunctionSecretNames(functionName);
-    const addedSecrets = localSecretNames.filter((name) => !cloudSecretNames.includes(name));
+    const retainedSecrets: string[] = [];
+    const addedSecrets: string[] = [];
+
+    localSecretNames.forEach((name) => (cloudSecretNames.includes(name) ? retainedSecrets.push(name) : addedSecrets.push(name)));
+
     if (!addedSecrets.length) {
       return;
     }
@@ -118,8 +122,12 @@ export class FunctionSecretsStateManager {
         link: 'https://docs.amplify.aws/cli/reference/ssm-parameter-store/#manually-creating-parameters',
       });
     }
+
+    const current = secretNamesToSecretDeltas(retainedSecrets);
     const delta = await prePushMissingSecretsWalkthrough(functionName, addedSecrets);
-    await this.syncSecretDeltas(delta, functionName);
+    const secretDeltas = { ...current, ...delta };
+
+    await this.syncSecretDeltas(secretDeltas, functionName);
   };
 
   /**

packages/amplify-e2e-core/src/categories/lambda-function.ts

@@ -116,15 +116,26 @@ const updateFunctionCore = (cwd: string, chain: ExecutionContext, settings: Core
     }
   }
   if (settings.secretsConfig) {
-    if (settings.secretsConfig.operation === 'add') {
-      throw new Error('Secrets update walkthrough only supports update and delete');
-    }
-    // this walkthrough assumes 1 existing secret is configured for the function
     const actions = ['Add a secret', 'Update a secret', 'Remove secrets', "I'm done"];
-    const action = settings.secretsConfig.operation === 'delete' ? actions[2] : actions[1];
+    const operation = settings.secretsConfig.operation;
+    let action: string;
+    if (operation === 'add') {
+      action = actions[0];
+    } else if (operation === 'delete') {
+      action = actions[2];
+    } else {
+      action = actions[1];
+    }
     chain.wait('What do you want to do?');
     singleSelect(chain, action, actions);
-    switch (settings.secretsConfig.operation) {
+    switch (operation) {
+      case 'add': {
+        chain.wait('Enter a secret name');
+        chain.sendLine(settings.secretsConfig.name);
+        chain.wait('Enter the value for');
+        chain.sendLine(settings.secretsConfig.value);
+        break;
+      }
       case 'delete': {
         chain.wait('Select the secrets to delete:');
         chain.sendLine(' '); // assumes one secret
@@ -137,8 +148,17 @@ const updateFunctionCore = (cwd: string, chain: ExecutionContext, settings: Core
         break;
       }
     }
+
     chain.wait('What do you want to do?');
     chain.sendCarriageReturn(); // "I'm done"
+
+    if (operation === 'add') {
+      // assumes function is already pushed to the cloud
+      chain.wait('This will immediately update secret values in the cloud');
+      chain.sendCarriageReturn(); // "Yes"
+      chain.wait('Do you want to edit the local lambda function now');
+      chain.sendCarriageReturn(); // "No"
+    }
   }
 };
 

packages/amplify-e2e-tests/src/__tests__/function_7.test.ts

@@ -16,7 +16,7 @@ import {
   setCategoryParameters,
   updateFunction,
 } from '@aws-amplify/amplify-e2e-core';
-import { addEnvironmentYes, removeEnvironment } from '../environment/env';
+import { addEnvironmentYes, checkoutEnvironment, removeEnvironment } from '../environment/env';
 
 describe('function secret value', () => {
   let projRoot: string;
@@ -279,6 +279,60 @@ describe('function secret value', () => {
     // check that old value is removed and new one is added
     await expectParams([{ name: 'A_NEW_SECRET', value: 'anewtestsecretvalue' }], ['TEST_SECRET'], region, appId, 'integtest', funcName);
   });
+
+  it('keeps old secrets when pushing secrets added in another env', async () => {
+    // add func w/ secret
+    const envName = 'enva';
+    await initJSProjectWithProfile(projRoot, { envName, disableAmplifyAppCreation: false });
+    const funcName = `secretsTest${generateRandomShortId()}`;
+    const funcSecretName = 'TEST_SECRET';
+    await addFunction(
+      projRoot,
+      {
+        functionTemplate: 'Hello World',
+        name: funcName,
+        secretsConfig: {
+          operation: 'add',
+          name: funcSecretName,
+          value: 'testsecretvalue',
+        },
+      },
+      'nodejs',
+    );
+
+    await amplifyPushAuth(projRoot);
+
+    // add new env and add new secret to func
+    await addEnvironmentYes(projRoot, { envName: 'envb' });
+    await amplifyPushAuth(projRoot);
+    const newFuncSecretName = 'NEW_TEST_SECRET';
+    await updateFunction(
+      projRoot,
+      {
+        secretsConfig: {
+          operation: 'add',
+          name: newFuncSecretName,
+          value: 'testsecretvalue',
+        },
+      },
+      'nodejs',
+    );
+
+    // push updated func w/ new secret
+    await amplifyPushAuth(projRoot);
+
+    await checkoutEnvironment(projRoot, { envName });
+
+    // check contents of function-parameters.json for new secret
+    const expectedFuncSecrets = [funcSecretName, newFuncSecretName];
+    const funcParams = getCategoryParameters(projRoot, 'function', funcName);
+    expect(funcParams.secretNames).toEqual(expectedFuncSecrets);
+
+    // push with original env and assert all secrets are in function-parameters.json
+    await amplifyPushMissingFuncSecret(projRoot, 'anewtestsecretvalue');
+    const funcParamsPostPush = getCategoryParameters(projRoot, 'function', funcName);
+    expect(funcParamsPostPush.secretNames).toEqual(expectedFuncSecrets);
+  });
 });
 
 const expectParams = async (