Fix non-interactive deployment failure when secrets exist in Secret Manager

PR firebase#9335 added a check that fails deployments in non-interactive mode
when secrets are required. However, it didn't verify whether those
secrets already exist in Secret Manager, causing deployments to fail
even when all secrets were properly configured.

This change queries Secret Manager before throwing the error to check
if each required secret exists. Only truly missing secrets will cause
the deployment to fail.

Fixes firebase#9368

Author: TorbenWetter

CHANGELOG.md

@@ -0,0 +1 @@
+- Fixed non-interactive deployment failure when secrets are already configured in Secret Manager

src/deploy/functions/params.spec.ts

@@ -3,6 +3,8 @@ import * as sinon from "sinon";
 
 import * as prompt from "../../prompt";
 import * as params from "./params";
+import * as secretManager from "../../gcp/secretManager";
+import { FirebaseError } from "../../error";
 
 const expect = chai.expect;
 const fakeConfig = {
@@ -298,4 +300,97 @@ describe("resolveParams", () => {
     input.resolves("22");
     await expect(params.resolveParams(paramsToResolve, fakeConfig, {})).to.eventually.be.rejected;
   });
+
+  describe("non-interactive mode with secrets", () => {
+    let getSecretMetadataStub: sinon.SinonStub;
+
+    beforeEach(() => {
+      getSecretMetadataStub = sinon.stub(secretManager, "getSecretMetadata");
+    });
+
+    afterEach(() => {
+      getSecretMetadataStub.restore();
+    });
+
+    it("should succeed when secrets already exist in Secret Manager", async () => {
+      const paramsToResolve: params.Param[] = [
+        {
+          name: "MY_SECRET",
+          type: "secret",
+        },
+      ];
+      getSecretMetadataStub.resolves({
+        secret: { name: "MY_SECRET" },
+        secretVersion: { name: "MY_SECRET/versions/1", state: "ENABLED" },
+      });
+
+      await expect(params.resolveParams(paramsToResolve, fakeConfig, {}, { nonInteractive: true }))
+        .to.eventually.be.fulfilled;
+    });
+
+    it("should throw error when secrets don't exist in non-interactive mode", async () => {
+      const paramsToResolve: params.Param[] = [
+        {
+          name: "MISSING_SECRET",
+          type: "secret",
+        },
+      ];
+      getSecretMetadataStub.resolves({});
+
+      await expect(
+        params.resolveParams(paramsToResolve, fakeConfig, {}, { nonInteractive: true }),
+      ).to.eventually.be.rejectedWith(
+        FirebaseError,
+        /In non-interactive mode but have no value for the following secrets: MISSING_SECRET/,
+      );
+    });
+
+    it("should only report missing secrets, not existing ones in non-interactive mode", async () => {
+      const paramsToResolve: params.Param[] = [
+        {
+          name: "EXISTING_SECRET",
+          type: "secret",
+        },
+        {
+          name: "MISSING_SECRET",
+          type: "secret",
+        },
+      ];
+      getSecretMetadataStub.callsFake((projectId: string, secretName: string) => {
+        if (secretName === "EXISTING_SECRET") {
+          return Promise.resolve({
+            secret: { name: "EXISTING_SECRET" },
+            secretVersion: { name: "EXISTING_SECRET/versions/1", state: "ENABLED" },
+          });
+        }
+        return Promise.resolve({});
+      });
+
+      try {
+        await params.resolveParams(paramsToResolve, fakeConfig, {}, { nonInteractive: true });
+        expect.fail("Should have thrown an error");
+      } catch (err: any) {
+        expect(err.message).to.include("MISSING_SECRET");
+        expect(err.message).to.not.include("EXISTING_SECRET");
+      }
+    });
+
+    it("should include format flag in error for JSON secrets", async () => {
+      const paramsToResolve: params.Param[] = [
+        {
+          name: "JSON_SECRET",
+          type: "secret",
+          format: "json",
+        },
+      ];
+      getSecretMetadataStub.resolves({});
+
+      try {
+        await params.resolveParams(paramsToResolve, fakeConfig, {}, { nonInteractive: true });
+        expect.fail("Should have thrown an error");
+      } catch (err: any) {
+        expect(err.message).to.include("--format=json --data-file <file.json>");
+      }
+    });
+  });
 });

src/deploy/functions/params.ts

@@ -397,18 +397,35 @@ export async function resolveParams(
 
   // Check for missing secrets in non-interactive mode
   if (nonInteractive && needSecret.length > 0) {
-    const secretNames = needSecret.map((p) => p.name).join(", ");
-    const commands = needSecret
-      .map(
-        (p) =>
-          `\tfirebase functions:secrets:set ${p.name}${(p as SecretParam).format === "json" ? " --format=json --data-file <file.json>" : ""}`,
-      )
-      .join("\n");
-    throw new FirebaseError(
-      `In non-interactive mode but have no value for the following secrets: ${secretNames}\n\n` +
-        "Set these secrets before deploying:\n" +
-        commands,
-    );
+    // First check which secrets actually don't exist in Secret Manager
+    const missingSecrets: SecretParam[] = [];
+    for (const param of needSecret) {
+      const secretParam = param as SecretParam;
+      const metadata = await secretManager.getSecretMetadata(
+        firebaseConfig.projectId,
+        secretParam.name,
+        "latest",
+      );
+      if (!metadata.secret) {
+        missingSecrets.push(secretParam);
+      }
+    }
+
+    // Only throw an error if there are truly missing secrets
+    if (missingSecrets.length > 0) {
+      const secretNames = missingSecrets.map((p) => p.name).join(", ");
+      const commands = missingSecrets
+        .map(
+          (p) =>
+            `\tfirebase functions:secrets:set ${p.name}${p.format === "json" ? " --format=json --data-file <file.json>" : ""}`,
+        )
+        .join("\n");
+      throw new FirebaseError(
+        `In non-interactive mode but have no value for the following secrets: ${secretNames}\n\n` +
+          "Set these secrets before deploying:\n" +
+          commands,
+      );
+    }
   }
 
   // The functions emulator will handle secrets