[Stores] Add support for non-string values to GSM (#1237)

* [Stores] Add support for non-string values to GSM

* dry up

---------

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <erik@cloudposse.com>
Co-authored-by: Dan Miller <miller0daniel@gmail.com>

Author: 3 people

pkg/store/google_secret_manager_store.go

@@ -2,6 +2,7 @@ package store
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"strings"
 	"time"
@@ -179,10 +180,12 @@ func (s *GSMStore) Set(stack string, component string, key string, value any) er
 	ctx, cancel := context.WithTimeout(context.Background(), gsmOperationTimeout)
 	defer cancel()
 
-	strValue, ok := value.(string)
-	if !ok {
-		return ErrValueMustBeString
+	// Convert value to JSON string
+	jsonValue, err := json.Marshal(value)
+	if err != nil {
+		return fmt.Errorf(errWrapFormat, ErrSerializeJSON, err)
 	}
+	strValue := string(jsonValue)
 
 	// Get the secret ID using getKey
 	secretID, err := s.getKey(stack, component, key)
@@ -243,5 +246,11 @@ func (s *GSMStore) Get(stack string, component string, key string) (any, error)
 		return nil, fmt.Errorf(errWrapFormat, ErrAccessSecret, err)
 	}
 
-	return string(result.Payload.Data), nil
+	var unmarshalled interface{}
+	// Intentionally ignoring JSON unmarshal error to handle legacy or 3rd-party secrets that might not be JSON-encoded
+	if err := json.Unmarshal(result.Payload.Data, &unmarshalled); err != nil {
+		// If it's not valid JSON, return the raw string value
+		return string(result.Payload.Data), nil
+	}
+	return unmarshalled, nil
 }

pkg/store/google_secret_manager_store_test.go

@@ -18,7 +18,8 @@ import (
 
 // Define test error constants.
 var (
-	ErrInternalError = errors.New("internal error")
+	ErrInternalError  = errors.New("internal error")
+	ErrTransientError = errors.New("transient error")
 )
 
 // MockGSMClient is a mock implementation of GSMClient.
@@ -76,6 +77,45 @@ func newGSMStoreWithClient(client GSMClient, options GSMStoreOptions) *GSMStore
 	return store
 }
 
+func gsmClientSecretCreationMock(parent string, secretId string, secretPayload string, err error) func(m *MockGSMClient) {
+	return func(m *MockGSMClient) {
+		m.On("CreateSecret", mock.Anything, mock.MatchedBy(func(req *secretmanagerpb.CreateSecretRequest) bool {
+			expectedReq := &secretmanagerpb.CreateSecretRequest{
+				Parent:   parent,
+				SecretId: secretId,
+				Secret: &secretmanagerpb.Secret{
+					Replication: &secretmanagerpb.Replication{
+						Replication: &secretmanagerpb.Replication_Automatic_{
+							Automatic: &secretmanagerpb.Replication_Automatic{},
+						},
+					},
+				},
+			}
+			return req.Parent == expectedReq.Parent &&
+				req.SecretId == expectedReq.SecretId &&
+				req.Secret.GetReplication().GetAutomatic() != nil
+		})).Return(&secretmanagerpb.Secret{
+			Name: fmt.Sprintf("%s/secrets/%s", parent, secretId),
+		}, nil)
+
+		var ret *secretmanagerpb.SecretVersion
+		if err == nil {
+			ret = &secretmanagerpb.SecretVersion{}
+		}
+
+		m.On("AddSecretVersion", mock.Anything, mock.MatchedBy(func(req *secretmanagerpb.AddSecretVersionRequest) bool {
+			expectedReq := &secretmanagerpb.AddSecretVersionRequest{
+				Parent: fmt.Sprintf("%s/secrets/%s", parent, secretId),
+				Payload: &secretmanagerpb.SecretPayload{
+					Data: []byte(secretPayload),
+				},
+			}
+			return req.Parent == expectedReq.Parent &&
+				string(req.Payload.Data) == string(expectedReq.Payload.Data)
+		})).Return(ret, err)
+	}
+}
+
 func TestGSMStore_Set(t *testing.T) {
 	testPrefix := "test-prefix"
 	testDelimiter := "-"
@@ -95,37 +135,12 @@ func TestGSMStore_Set(t *testing.T) {
 			component: "app/service",
 			key:       "config-key",
 			value:     "test-value",
-			mockFn: func(m *MockGSMClient) {
-				m.On("CreateSecret", mock.Anything, mock.MatchedBy(func(req *secretmanagerpb.CreateSecretRequest) bool {
-					expectedReq := &secretmanagerpb.CreateSecretRequest{
-						Parent:   "projects/test-project",
-						SecretId: "test-prefix_dev_usw2_app_service_config-key",
-						Secret: &secretmanagerpb.Secret{
-							Replication: &secretmanagerpb.Replication{
-								Replication: &secretmanagerpb.Replication_Automatic_{
-									Automatic: &secretmanagerpb.Replication_Automatic{},
-								},
-							},
-						},
-					}
-					return req.Parent == expectedReq.Parent &&
-						req.SecretId == expectedReq.SecretId &&
-						req.Secret.GetReplication().GetAutomatic() != nil
-				})).Return(&secretmanagerpb.Secret{
-					Name: "projects/test-project/secrets/test-prefix_dev_usw2_app_service_config-key",
-				}, nil)
-
-				m.On("AddSecretVersion", mock.Anything, mock.MatchedBy(func(req *secretmanagerpb.AddSecretVersionRequest) bool {
-					expectedReq := &secretmanagerpb.AddSecretVersionRequest{
-						Parent: "projects/test-project/secrets/test-prefix_dev_usw2_app_service_config-key",
-						Payload: &secretmanagerpb.SecretPayload{
-							Data: []byte("test-value"),
-						},
-					}
-					return req.Parent == expectedReq.Parent &&
-						string(req.Payload.Data) == string(expectedReq.Payload.Data)
-				})).Return(&secretmanagerpb.SecretVersion{}, nil)
-			},
+			mockFn: gsmClientSecretCreationMock(
+				"projects/test-project",
+				"test-prefix_dev_usw2_app_service_config-key",
+				`"test-value"`,
+				nil,
+			),
 			wantErr: false,
 		},
 		{
@@ -134,35 +149,12 @@ func TestGSMStore_Set(t *testing.T) {
 			component: "app/service",
 			key:       "config-key",
 			value:     "test-value",
-			mockFn: func(m *MockGSMClient) {
-				m.On("CreateSecret", mock.Anything, mock.MatchedBy(func(req *secretmanagerpb.CreateSecretRequest) bool {
-					expectedReq := &secretmanagerpb.CreateSecretRequest{
-						Parent:   "projects/test-project",
-						SecretId: "test-prefix_dev_usw2_app_service_config-key",
-						Secret: &secretmanagerpb.Secret{
-							Replication: &secretmanagerpb.Replication{
-								Replication: &secretmanagerpb.Replication_Automatic_{
-									Automatic: &secretmanagerpb.Replication_Automatic{},
-								},
-							},
-						},
-					}
-					return req.Parent == expectedReq.Parent &&
-						req.SecretId == expectedReq.SecretId &&
-						req.Secret.GetReplication().GetAutomatic() != nil
-				})).Return(nil, status.Error(codes.AlreadyExists, "secret already exists"))
-
-				m.On("AddSecretVersion", mock.Anything, mock.MatchedBy(func(req *secretmanagerpb.AddSecretVersionRequest) bool {
-					expectedReq := &secretmanagerpb.AddSecretVersionRequest{
-						Parent: "projects/test-project/secrets/test-prefix_dev_usw2_app_service_config-key",
-						Payload: &secretmanagerpb.SecretPayload{
-							Data: []byte("test-value"),
-						},
-					}
-					return req.Parent == expectedReq.Parent &&
-						string(req.Payload.Data) == string(expectedReq.Payload.Data)
-				})).Return(&secretmanagerpb.SecretVersion{}, nil)
-			},
+			mockFn: gsmClientSecretCreationMock(
+				"projects/test-project",
+				"test-prefix_dev_usw2_app_service_config-key",
+				`"test-value"`,
+				nil,
+			),
 			wantErr: false,
 		},
 		{
@@ -171,24 +163,26 @@ func TestGSMStore_Set(t *testing.T) {
 			component: "app/service",
 			key:       "config-key",
 			value:     "test-value",
-			mockFn: func(m *MockGSMClient) {
-				m.On("CreateSecret", mock.Anything, mock.MatchedBy(func(req *secretmanagerpb.CreateSecretRequest) bool {
-					expectedReq := &secretmanagerpb.CreateSecretRequest{
-						Parent:   "projects/test-project",
-						SecretId: "test-prefix_dev_usw2_app_service_config-key",
-						Secret: &secretmanagerpb.Secret{
-							Replication: &secretmanagerpb.Replication{
-								Replication: &secretmanagerpb.Replication_Automatic_{
-									Automatic: &secretmanagerpb.Replication_Automatic{},
-								},
-							},
-						},
-					}
-					return req.Parent == expectedReq.Parent &&
-						req.SecretId == expectedReq.SecretId &&
-						req.Secret.GetReplication().GetAutomatic() != nil
-				})).Return(nil, fmt.Errorf("internal error: %w", ErrInternalError))
-			},
+			mockFn: gsmClientSecretCreationMock(
+				"projects/test-project",
+				"test-prefix_dev_usw2_app_service_config-key",
+				`"test-value"`,
+				fmt.Errorf("internal error: %w", ErrInternalError)),
+			wantErr: true,
+		},
+
+		{
+			name:      "create secret - transient error",
+			stack:     "dev-usw2",
+			component: "app/service",
+			key:       "config-key",
+			value:     "test-value",
+			mockFn: gsmClientSecretCreationMock(
+				"projects/test-project",
+				"test-prefix_dev_usw2_app_service_config-key",
+				`"test-value"`,
+				fmt.Errorf("transient error: %w", ErrTransientError),
+			),
 			wantErr: true,
 		},
 		{
@@ -197,47 +191,54 @@ func TestGSMStore_Set(t *testing.T) {
 			component: "app/service",
 			key:       "config-key",
 			value:     "test-value",
-			mockFn: func(m *MockGSMClient) {
-				m.On("CreateSecret", mock.Anything, mock.MatchedBy(func(req *secretmanagerpb.CreateSecretRequest) bool {
-					expectedReq := &secretmanagerpb.CreateSecretRequest{
-						Parent:   "projects/test-project",
-						SecretId: "test-prefix_dev_usw2_app_service_config-key",
-						Secret: &secretmanagerpb.Secret{
-							Replication: &secretmanagerpb.Replication{
-								Replication: &secretmanagerpb.Replication_Automatic_{
-									Automatic: &secretmanagerpb.Replication_Automatic{},
-								},
-							},
-						},
-					}
-					return req.Parent == expectedReq.Parent &&
-						req.SecretId == expectedReq.SecretId &&
-						req.Secret.GetReplication().GetAutomatic() != nil
-				})).Return(&secretmanagerpb.Secret{
-					Name: "projects/test-project/secrets/test-prefix_dev_usw2_app_service_config-key",
-				}, nil)
-
-				m.On("AddSecretVersion", mock.Anything, mock.MatchedBy(func(req *secretmanagerpb.AddSecretVersionRequest) bool {
-					expectedReq := &secretmanagerpb.AddSecretVersionRequest{
-						Parent: "projects/test-project/secrets/test-prefix_dev_usw2_app_service_config-key",
-						Payload: &secretmanagerpb.SecretPayload{
-							Data: []byte("test-value"),
-						},
-					}
-					return req.Parent == expectedReq.Parent &&
-						string(req.Payload.Data) == string(expectedReq.Payload.Data)
-				})).Return(nil, fmt.Errorf("internal error: %w", ErrInternalError))
-			},
+			mockFn: gsmClientSecretCreationMock(
+				"projects/test-project",
+				"test-prefix_dev_usw2_app_service_config-key",
+				`"test-value"`,
+				fmt.Errorf("internal error: %w", ErrInternalError),
+			),
 			wantErr: true,
 		},
 		{
-			name:      "invalid value type",
+			name:      "successful set with int",
 			stack:     "dev-usw2",
 			component: "app/service",
 			key:       "config-key",
-			value:     123, // Not a string
-			mockFn:    func(m *MockGSMClient) {},
-			wantErr:   true,
+			value:     123,
+			mockFn: gsmClientSecretCreationMock(
+				"projects/test-project",
+				"test-prefix_dev_usw2_app_service_config-key",
+				`123`,
+				nil,
+			),
+			wantErr: false,
+		},
+		{
+			name:      "successful_set_with_slice",
+			stack:     "dev_usw2",
+			component: "app/service",
+			key:       "slice-key",
+			value:     []string{"value1", "value2", "value3"},
+			mockFn: gsmClientSecretCreationMock(
+				"projects/test-project",
+				"test-prefix_dev_usw2_app_service_slice-key",
+				`["value1","value2","value3"]`,
+				nil,
+			),
+		},
+		{
+			name:      "successful_set_with_map",
+			stack:     "dev_usw2",
+			component: "app/service",
+			key:       "map-key",
+			value:     map[string]interface{}{"key1": "value1", "key2": 42, "key3": true},
+
+			mockFn: gsmClientSecretCreationMock(
+				"projects/test-project",
+				"test-prefix_dev_usw2_app_service_map-key",
+				`{"key1":"value1","key2":42,"key3":true}`,
+				nil,
+			),
 		},
 		{
 			name:      "empty stack",
@@ -319,7 +320,27 @@ func TestGSMStore_Get(t *testing.T) {
 					return req.Name == expectedReq.Name
 				})).Return(&secretmanagerpb.AccessSecretVersionResponse{
 					Payload: &secretmanagerpb.SecretPayload{
-						Data: []byte("test-value"),
+						Data: []byte(`"test-value"`),
+					},
+				}, nil)
+			},
+			want:    "test-value",
+			wantErr: false,
+		},
+		{
+			name:      "successful get - legacy value without json",
+			stack:     "dev-usw2",
+			component: "app/service",
+			key:       "config-key",
+			mockFn: func(m *MockGSMClient) {
+				m.On("AccessSecretVersion", mock.Anything, mock.MatchedBy(func(req *secretmanagerpb.AccessSecretVersionRequest) bool {
+					expectedReq := &secretmanagerpb.AccessSecretVersionRequest{
+						Name: "projects/test-project/secrets/test-prefix_dev_usw2_app_service_config-key/versions/latest",
+					}
+					return req.Name == expectedReq.Name
+				})).Return(&secretmanagerpb.AccessSecretVersionResponse{
+					Payload: &secretmanagerpb.SecretPayload{
+						Data: []byte(`test-value`),
 					},
 				}, nil)
 			},