firebase · taeold · Oct 18, 2025 · Oct 19, 2025 · Oct 20, 2025 · Oct 20, 2025
diff --git a/src/commands/functions-config-export.ts b/src/commands/functions-config-export.ts
@@ -1,151 +1,142 @@
-import * as path from "path";
-
 import * as clc from "colorette";
 
-import requireInteractive from "../requireInteractive";
+import * as functionsConfig from "../functionsConfig";
 import { Command } from "../command";
 import { FirebaseError } from "../error";
-import { testIamPermissions } from "../gcp/iam";
-import { logger } from "../logger";
-import { input, confirm } from "../prompt";
+import { input } from "../prompt";
 import { requirePermissions } from "../requirePermissions";
-import { logBullet, logWarning } from "../utils";
-import { zip } from "../functional";
-import * as configExport from "../functions/runtimeConfigExport";
+import { logBullet, logWarning, logSuccess } from "../utils";
 import { requireConfig } from "../requireConfig";
+import { ensureValidKey, ensureSecret } from "../functions/secrets";
+import { addVersion, toSecretVersionResourceName } from "../gcp/secretManager";
+import { needProjectId } from "../projectUtils";
+import { requireAuth } from "../requireAuth";
+import { ensureApi } from "../gcp/secretManager";
 
 import type { Options } from "../options";
-import { normalizeAndValidate, resolveConfigDir } from "../functions/projectConfig";
 
-const REQUIRED_PERMISSIONS = [
+const RUNTIME_CONFIG_PERMISSIONS = [
   "runtimeconfig.configs.list",
   "runtimeconfig.configs.get",
   "runtimeconfig.variables.list",
   "runtimeconfig.variables.get",
 ];
 
-const RESERVED_PROJECT_ALIAS = ["local"];
-const MAX_ATTEMPTS = 3;
+const SECRET_MANAGER_PERMISSIONS = [
+  "secretmanager.secrets.create",
+  "secretmanager.secrets.get",
+  "secretmanager.secrets.update",
+  "secretmanager.versions.add",
+];
 
-function checkReservedAliases(pInfos: configExport.ProjectConfigInfo[]): void {
-  for (const pInfo of pInfos) {
-    if (pInfo.alias && RESERVED_PROJECT_ALIAS.includes(pInfo.alias)) {
-      logWarning(
-        `Project alias (${clc.bold(pInfo.alias)}) is reserved for internal use. ` +
-          `Saving exported config in .env.${pInfo.projectId} instead.`,
-      );
-      delete pInfo.alias;
-    }
-  }
-}
-
-/* For projects where we failed to fetch the runtime config, find out what permissions are missing in the project. */
-async function checkRequiredPermission(pInfos: configExport.ProjectConfigInfo[]): Promise<void> {
-  pInfos = pInfos.filter((pInfo) => !pInfo.config);
-  const testPermissions = pInfos.map((pInfo) =>
-    testIamPermissions(pInfo.projectId, REQUIRED_PERMISSIONS),
-  );
-  const results = await Promise.all(testPermissions);
-  for (const [pInfo, result] of zip(pInfos, results)) {
-    if (result.passed) {
-      // We should've been able to fetch the config but couldn't. Ask the user to try export command again.
+export const command = new Command("functions:config:export")
+  .description("export environment config as a JSON secret to store in Cloud Secret Manager")
+  .option("--secret <name>", "name of the secret to create (default: RUNTIME_CONFIG)")
+  .withForce("use default secret name without prompting")
+  .before(requireAuth)
+  .before(ensureApi)
+  .before(requirePermissions, [...RUNTIME_CONFIG_PERMISSIONS, ...SECRET_MANAGER_PERMISSIONS])
+  .before(requireConfig)
+  .action(async (options: Options) => {
+    const projectId = needProjectId(options);
+
+    logBullet(
+      "This command retrieves your Runtime Config values (accessed via " +
+        clc.bold("functions.config()") +
+        ") and exports them as a Secret Manager secret.",
+    );
+    console.log("");
+
+    logBullet(`Fetching your existing functions.config() from ${clc.bold(projectId)}...`);
+
+    let configJson: Record<string, unknown>;
+    try {
+      configJson = await functionsConfig.materializeAll(projectId);
+    } catch (err: any) {
       throw new FirebaseError(
-        `Unexpectedly failed to fetch runtime config for project ${pInfo.projectId}`,
+        `Failed to fetch runtime config for project ${projectId}. ` +
+          "Ensure you have the required permissions:\n\t" +
+          RUNTIME_CONFIG_PERMISSIONS.join("\n\t"),
+        { original: err },
       );
     }
-    logWarning(
-      "You are missing the following permissions to read functions config on project " +
-        `${clc.bold(pInfo.projectId)}:\n\t${result.missing.join("\n\t")}`,
-    );
-
-    const confirmed = await confirm({
-      message: `Continue without importing configs from project ${pInfo.projectId}?`,
-      default: true,
-    });
 
-    if (!confirmed) {
-      throw new FirebaseError("Command aborted!");
+    if (Object.keys(configJson).length === 0) {
+      logSuccess("Your functions.config() is empty. Nothing to do.");
+      return;
     }
-  }
-}
-
-async function promptForPrefix(errMsg: string): Promise<string> {
-  logWarning("The following configs keys could not be exported as environment variables:\n");
-  logWarning(errMsg);
-  return await input({
-    default: "CONFIG_",
-    message: "Enter a PREFIX to rename invalid environment variable keys:",
-  });
-}
 
-function fromEntries<V>(itr: Iterable<[string, V]>): Record<string, V> {
-  const obj: Record<string, V> = {};
-  for (const [k, v] of itr) {
-    obj[k] = v;
-  }
-  return obj;
-}
+    logSuccess("Fetched your existing functions.config().");
+    console.log("");
 
-export const command = new Command("functions:config:export")
-  .description("export environment config as environment variables in dotenv format")
-  .before(requirePermissions, [
-    "runtimeconfig.configs.list",
-    "runtimeconfig.configs.get",
-    "runtimeconfig.variables.list",
-    "runtimeconfig.variables.get",
-  ])
-  .before(requireConfig)
-  .before(requireInteractive)
-  .action(async (options: Options) => {
-    const config = normalizeAndValidate(options.config.src.functions)[0];
-    const configDir = resolveConfigDir(config);
-    if (!configDir) {
+    // Display config in interactive mode
+    if (!options.nonInteractive) {
+      logBullet(clc.bold("Configuration to be exported:"));
+      logWarning("This may contain sensitive data. Do not share this output.");
+      console.log("");
+      console.log(JSON.stringify(configJson, null, 2));
+      console.log("");
+    }
+
+    const defaultSecretName = "RUNTIME_CONFIG";
+    const secretName =
+      (options.secret as string) ||
+      (await input({
+        message: "What would you like to name the new secret for your configuration?",
+        default: defaultSecretName,
+        nonInteractive: options.nonInteractive,
+        force: options.force,
+      }));
+
+    const key = await ensureValidKey(secretName, options);
+    await ensureSecret(projectId, key, options);
+
+    const secretValue = JSON.stringify(configJson, null, 2);
+
+    // Check size limit (64KB)
+    const sizeInBytes = Buffer.byteLength(secretValue, "utf8");
+    const maxSize = 64 * 1024; // 64KB
+    if (sizeInBytes > maxSize) {
       throw new FirebaseError(
-        "functions:config:export requires a local env directory. Set functions[].configDir in firebase.json when using remoteSource.",
+        `Configuration size (${sizeInBytes} bytes) exceeds the 64KB limit for JSON secrets. ` +
+          "Please reduce the size of your configuration or split it into multiple secrets.",
       );
     }
 
-    let pInfos = configExport.getProjectInfos(options);
-    checkReservedAliases(pInfos);
-
+    const secretVersion = await addVersion(projectId, key, secretValue);
+    console.log("");
+
+    logSuccess(`Created new secret version ${toSecretVersionResourceName(secretVersion)}`);
+    console.log("");
+    logBullet(clc.bold("To complete the migration, update your code:"));
+    console.log("");
+    console.log(clc.gray("  // Before:"));
+    console.log(clc.gray(`  const functions = require('firebase-functions');`));
+    console.log(clc.gray(`  `));
+    console.log(clc.gray(`  exports.myFunction = functions.https.onRequest((req, res) => {`));
+    console.log(clc.gray(`    const apiKey = functions.config().service.key;`));
+    console.log(clc.gray(`    // ...`));
+    console.log(clc.gray(`  });`));
+    console.log("");
+    console.log(clc.gray("  // After:"));
+    console.log(clc.gray(`  const functions = require('firebase-functions');`));
+    console.log(clc.gray(`  const { defineJsonSecret } = require('firebase-functions/params');`));
+    console.log(clc.gray(`  `));
+    console.log(clc.gray(`  const config = defineJsonSecret("${key}");`));
+    console.log(clc.gray(`  `));
+    console.log(clc.gray(`  exports.myFunction = functions`));
+    console.log(clc.gray(`    .runWith({ secrets: [config] })  // Bind secret here`));
+    console.log(clc.gray(`    .https.onRequest((req, res) => {`));
+    console.log(clc.gray(`      const apiKey = config.value().service.key;`));
+    console.log(clc.gray(`      // ...`));
+    console.log(clc.gray(`    });`));
+    console.log("");
     logBullet(
-      "Importing functions configs from projects [" +
-        pInfos.map(({ projectId }) => `${clc.bold(projectId)}`).join(", ") +
-        "]",
+      clc.bold("Note: ") +
+        "defineJsonSecret requires firebase-functions v6.6.0 or later. " +
+        "Update your package.json if needed.",
     );
+    logBullet("Then deploy your functions:\n  " + clc.bold("firebase deploy --only functions"));
 
-    await configExport.hydrateConfigs(pInfos);
-    await checkRequiredPermission(pInfos);
-    pInfos = pInfos.filter((pInfo) => pInfo.config);
-
-    logger.debug(`Loaded function configs: ${JSON.stringify(pInfos)}`);
-    logBullet(`Importing configs from projects: [${pInfos.map((p) => p.projectId).join(", ")}]`);
-
-    let attempts = 0;
-    let prefix = "";
-    while (true) {
-      if (attempts >= MAX_ATTEMPTS) {
-        throw new FirebaseError("Exceeded max attempts to fix invalid config keys.");
-      }
-
-      const errMsg = configExport.hydrateEnvs(pInfos, prefix);
-      if (errMsg.length === 0) {
-        break;
-      }
-      prefix = await promptForPrefix(errMsg);
-      attempts += 1;
-    }
-
-    const header = `# Exported firebase functions:config:export command on ${new Date().toLocaleDateString()}`;
-    const dotEnvs = pInfos.map((pInfo) => configExport.toDotenvFormat(pInfo.envs!, header));
-    const filenames = pInfos.map(configExport.generateDotenvFilename);
-    const filesToWrite = fromEntries(zip(filenames, dotEnvs));
-    filesToWrite[".env.local"] =
-      `${header}\n# .env.local file contains environment variables for the Functions Emulator.\n`;
-    filesToWrite[".env"] =
-      `${header}# .env file contains environment variables that applies to all projects.\n`;
-
-    for (const [filename, content] of Object.entries(filesToWrite)) {
-      await options.config.askWriteProjectFile(path.join(configDir, filename), content);
-    }
+    return secretName;
   });