parameter store is always secureString

Signed-off-by: bruce-szalwinski-he <bruce.szalwinski@engine.com>

Author: bruce-szalwinski-he

README.rst

@@ -1211,7 +1211,6 @@ This command requires a ``.sops.yaml`` configuration file. Below is an example:
           aws_region: "us-west-2"
           path_regex: aws-secrets/*
         - aws_parameter_store_path: "/sops/"
-          aws_parameter_store_type: "SecureString" # default
           aws_region: "us-west-2"
           path_regex: aws-params/*
 
@@ -1220,8 +1219,9 @@ all files under ``gcs/*`` into the GCS bucket ``sops-secrets``, the contents of
 ``vault/*`` into Vault's KV store under the path ``secrets/sops/``, files under ``aws-secrets/*``
 into AWS Secrets Manager as JSON secrets, and files under ``aws-params/*`` into AWS Parameter Store
 as SecureString parameters. For the files that will be published to S3 and GCS, it will decrypt them 
-and re-encrypt them using the ``F69E4901EDBAD2D1753F8C67A64535C4163FB307`` pgp key. Files published to Vault,
-AWS Secrets Manager, and AWS Parameter Store will be decrypted and stored as plaintext JSON data.
+and re-encrypt them using the ``F69E4901EDBAD2D1753F8C67A64535C4163FB307`` pgp key. Files published to Vault
+will be decrypted and stored as plaintext JSON data. Files published to AWS Secrets Manager and AWS Parameter Store 
+will be decrypted and stored as JSON data encrypted by AWS KMS.
 
 You would deploy a file to S3 with a command like: ``sops publish s3/app.yaml``
 
@@ -1319,22 +1319,23 @@ Publishing to AWS Parameter Store
 **********************************
 
 AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data
-and secrets management. SOPS can publish decrypted data directly to Parameter Store as JSON parameters.
+and secrets management. SOPS can publish decrypted data directly to Parameter Store as JSON parameters encrypted by AWS KMS.
 
 There are a few settings for AWS Parameter Store that you can place in your destination rules:
 
 * ``aws_parameter_store_path`` - The parameter path in AWS Parameter Store. If it ends with ``/``, the filename will be appended. If not specified, the filename will be used as the parameter name with a leading ``/``.
-* ``aws_parameter_store_type`` - The parameter type. Can be ``String``, ``StringList``, or ``SecureString``. Defaults to ``SecureString``.
 * ``aws_region`` - The AWS region where the parameter should be stored. This is required.
 
+All parameters are stored as ``SecureString`` type for security, since SOPS files may contain sensitive data.
+
 SOPS uses the AWS SDK for Go v2, which automatically uses your configured AWS credentials from the AWS CLI,
 environment variables, or IAM roles.
 
 If the destination parameter already exists in AWS Parameter Store and contains the same data as the source
 file, it will be skipped to avoid creating unnecessary versions.
 
 Note: Recreation rules (re-encryption with different keys) are not supported for AWS Parameter Store.
-The data is decrypted from the source file and stored as JSON in the parameter.
+The data is decrypted from the source file and stored as JSON in the SecureString parameter, encrypted by AWS KMS.
 
 Below is an example of publishing to AWS Parameter Store:
 

config/config.go

@@ -547,7 +547,7 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
 		dest = publish.NewAWSSecretsManagerDestination(dRule.AWSSecretsManagerRegion, dRule.AWSSecretsManagerSecretName)
 	}
 	if dRule.AWSParameterStoreRegion != "" {
-		dest = publish.NewAWSParameterStoreDestination(dRule.AWSParameterStoreRegion, dRule.AWSParameterStorePath, dRule.AWSParameterStoreType)
+		dest = publish.NewAWSParameterStoreDestination(dRule.AWSParameterStoreRegion, dRule.AWSParameterStorePath)
 	}
 
 	config, err := configFromRule(rule, kmsEncryptionContext)

publish/aws_integration_test.go

@@ -35,7 +35,6 @@ var (
 	testAWSRegion     = getEnvOrDefault("SOPS_TEST_AWS_REGION", "us-east-1")
 	testSecretName    = os.Getenv("SOPS_TEST_AWS_SECRET_NAME")    // e.g., "sops-test-secret"
 	testParameterName = os.Getenv("SOPS_TEST_AWS_PARAMETER_NAME") // e.g., "/sops-test/parameter"
-	testParameterType = getEnvOrDefault("SOPS_TEST_AWS_PARAMETER_TYPE", "SecureString")
 )
 
 func getEnvOrDefault(key, defaultValue string) string {
@@ -157,7 +156,7 @@ func TestAWSParameterStoreDestination_Integration(t *testing.T) {
 	}
 
 	ctx := context.Background()
-	dest := NewAWSParameterStoreDestination(testAWSRegion, testParameterName, testParameterType)
+	dest := NewAWSParameterStoreDestination(testAWSRegion, testParameterName)
 
 	// Test data
 	testData := map[string]interface{}{
@@ -194,12 +193,8 @@ func TestAWSParameterStoreDestination_Integration(t *testing.T) {
 
 	assert.Equal(t, testData, storedData, "Stored data doesn't match original")
 
-	// Verify parameter type
-	expectedType := testParameterType
-	if expectedType == "" {
-		expectedType = "SecureString"
-	}
-	assert.Equal(t, expectedType, string(result.Parameter.Type), "Parameter type mismatch")
+	// Verify parameter type is always SecureString
+	assert.Equal(t, "SecureString", string(result.Parameter.Type), "Parameter type should always be SecureString")
 
 	// Test no-op behavior (upload same data again)
 	err = dest.UploadUnencrypted(testData, "test-config")
@@ -211,7 +206,7 @@ func TestAWSParameterStoreDestination_EncryptedFile_Integration(t *testing.T) {
 		t.Skip("Skipping integration test: SOPS_TEST_AWS_PARAMETER_NAME not set")
 	}
 
-	dest := NewAWSParameterStoreDestination(testAWSRegion, testParameterName+"-file", testParameterType)
+	dest := NewAWSParameterStoreDestination(testAWSRegion, testParameterName+"-file")
 
 	encryptedContent := []byte(`# SOPS encrypted file
 database:

publish/aws_parameter_store.go

@@ -22,29 +22,23 @@ func init() {
 	parameterLog = logging.NewLogger("PUBLISH")
 }
 
-// AWSParameterStoreDestination is the AWS Parameter Store implementation of the Destination interface
+// AWSParameterStoreDestination is the AWS Parameter Store implementation of the Destination interface.
 type AWSParameterStoreDestination struct {
 	region        string
 	parameterPath string
-	parameterType string
 }
 
-// NewAWSParameterStoreDestination is the constructor for an AWS Parameter Store Destination
-func NewAWSParameterStoreDestination(region, parameterPath, parameterType string) *AWSParameterStoreDestination {
-	// Default to SecureString if not specified
-	if parameterType == "" {
-		parameterType = "SecureString"
-	}
-
+// NewAWSParameterStoreDestination creates a new AWS Parameter Store destination.
+func NewAWSParameterStoreDestination(region, parameterPath string) *AWSParameterStoreDestination {
 	// Ensure parameter path starts with /
 	if parameterPath != "" && !strings.HasPrefix(parameterPath, "/") {
 		parameterPath = "/" + parameterPath
 	}
 
-	return &AWSParameterStoreDestination{region, parameterPath, parameterType}
+	return &AWSParameterStoreDestination{region, parameterPath}
 }
 
-// Path returns the AWS Parameter Store path
+// Path returns the AWS Parameter Store path for the given fileName.
 func (awspsd *AWSParameterStoreDestination) Path(fileName string) string {
 	if awspsd.parameterPath != "" {
 		// If path ends with /, append filename; otherwise use path as-is
@@ -60,12 +54,12 @@ func (awspsd *AWSParameterStoreDestination) Path(fileName string) string {
 	return fileName
 }
 
-// Returns NotImplementedError
+// Upload returns NotImplementedError as AWS Parameter Store does not support uploading encrypted files directly.
 func (awspsd *AWSParameterStoreDestination) Upload(fileContents []byte, fileName string) error {
 	return &NotImplementedError{"AWS Parameter Store does not support uploading encrypted sops files directly. Use UploadUnencrypted instead."}
 }
 
-// UploadUnencrypted uploads unencrypted data to AWS Parameter Store as JSON
+// UploadUnencrypted uploads unencrypted data to AWS Parameter Store as JSON.
 func (awspsd *AWSParameterStoreDestination) UploadUnencrypted(data map[string]interface{}, fileName string) error {
 	ctx := context.TODO()
 
@@ -110,18 +104,8 @@ func (awspsd *AWSParameterStoreDestination) UploadUnencrypted(data map[string]in
 		}
 	}
 
-	// Determine parameter type
-	var paramType types.ParameterType
-	switch strings.ToLower(awspsd.parameterType) {
-	case "string":
-		paramType = types.ParameterTypeString
-	case "stringlist":
-		paramType = types.ParameterTypeStringList
-	case "securestring":
-		paramType = types.ParameterTypeSecureString
-	default:
-		paramType = types.ParameterTypeSecureString
-	}
+	// Always use SecureString for security - SOPS files may contain secrets
+	paramType := types.ParameterTypeSecureString
 
 	// Put parameter (creates or updates)
 	_, err = client.PutParameter(ctx, &ssm.PutParameterInput{

publish/aws_parameter_store_test.go

@@ -7,45 +7,40 @@ import (
 )
 
 func TestNewAWSParameterStoreDestination(t *testing.T) {
-	dest := NewAWSParameterStoreDestination("us-east-1", "/myapp/config", "SecureString")
+	dest := NewAWSParameterStoreDestination("us-east-1", "/myapp/config")
 	assert.NotNil(t, dest)
 	assert.Equal(t, "us-east-1", dest.region)
 	assert.Equal(t, "/myapp/config", dest.parameterPath)
-	assert.Equal(t, "SecureString", dest.parameterType)
-
-	// Test with empty parameter type (should default to SecureString)
-	dest = NewAWSParameterStoreDestination("us-east-1", "/myapp/config", "")
-	assert.Equal(t, "SecureString", dest.parameterType)
 
 	// Test path normalization (should add leading slash)
-	dest = NewAWSParameterStoreDestination("us-east-1", "myapp/config", "String")
+	dest = NewAWSParameterStoreDestination("us-east-1", "myapp/config")
 	assert.Equal(t, "/myapp/config", dest.parameterPath)
 }
 
 func TestAWSParameterStoreDestination_Path(t *testing.T) {
 	// Test with specific parameter path (no trailing slash)
-	dest := NewAWSParameterStoreDestination("us-east-1", "/myapp/database", "SecureString")
+	dest := NewAWSParameterStoreDestination("us-east-1", "/myapp/database")
 	path := dest.Path("config.yaml")
 	assert.Equal(t, "/myapp/database", path)
 
 	// Test with parameter path ending with slash
-	dest = NewAWSParameterStoreDestination("us-east-1", "/myapp/configs/", "SecureString")
+	dest = NewAWSParameterStoreDestination("us-east-1", "/myapp/configs/")
 	path = dest.Path("api.yaml")
 	assert.Equal(t, "/myapp/configs/api.yaml", path)
 
 	// Test with empty parameter path (uses filename)
-	dest = NewAWSParameterStoreDestination("us-east-1", "", "SecureString")
+	dest = NewAWSParameterStoreDestination("us-east-1", "")
 	path = dest.Path("standalone.yaml")
 	assert.Equal(t, "/standalone.yaml", path)
 
 	// Test with filename that already has leading slash
-	dest = NewAWSParameterStoreDestination("us-east-1", "", "SecureString")
+	dest = NewAWSParameterStoreDestination("us-east-1", "")
 	path = dest.Path("/already-prefixed.yaml")
 	assert.Equal(t, "/already-prefixed.yaml", path)
 }
 
 func TestAWSParameterStoreDestination_Upload(t *testing.T) {
-	dest := NewAWSParameterStoreDestination("us-east-1", "/test-parameter", "SecureString")
+	dest := NewAWSParameterStoreDestination("us-east-1", "/test-parameter")
 	err := dest.Upload([]byte("test content"), "test.yaml")
 
 	assert.NotNil(t, err)