vault/command/secrets_move.go

// Copyright IBM Corp. 2016, 2025
// SPDX-License-Identifier: BUSL-1.1

package command

import (
	"fmt"
	"strings"
	"time"

	"github.com/hashicorp/cli"
	"github.com/posener/complete"
)

var (
	_ cli.Command             = (*SecretsMoveCommand)(nil)
	_ cli.CommandAutocomplete = (*SecretsMoveCommand)(nil)
)

const (
	MountMigrationStatusSuccess = "success"
	MountMigrationStatusFailure = "failure"
)

type SecretsMoveCommand struct {
	*BaseCommand
}

func (c *SecretsMoveCommand) Synopsis() string {
	return "Move a secrets engine to a new path"
}

func (c *SecretsMoveCommand) Help() string {
	helpText := `
Usage: vault secrets move [options] SOURCE DESTINATION

  Moves an existing secrets engine to a new path. Any leases from the old
  secrets engine are revoked, but all configuration associated with the engine
  is preserved. It initiates the migration and intermittently polls its status,
  exiting if a final state is reached.

  This command works within or across namespaces, both source and destination paths
  can be prefixed with a namespace heirarchy relative to the current namespace.

  WARNING! Moving a secrets engine will revoke any leases from the
  old engine.

  Move the secrets engine at secret/ to generic/:

      $ vault secrets move secret/ generic/

  Move the secrets engine at ns1/secret/ across namespaces to ns2/generic/, 
  where ns1 and ns2 are child namespaces of the current namespace:

      $ vault secrets move ns1/secret/ ns2/generic/

` + c.Flags().Help()

	return strings.TrimSpace(helpText)
}

func (c *SecretsMoveCommand) Flags() *FlagSets {
	return c.flagSet(FlagSetHTTP)
}

func (c *SecretsMoveCommand) AutocompleteArgs() complete.Predictor {
	return c.PredictVaultMounts()
}

func (c *SecretsMoveCommand) AutocompleteFlags() complete.Flags {
	return c.Flags().Completions()
}

func (c *SecretsMoveCommand) Run(args []string) int {
	f := c.Flags()

	if err := f.Parse(args); err != nil {
		c.UI.Error(err.Error())
		return 1
	}

	args = f.Args()
	switch {
	case len(args) < 2:
		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 2, got %d)", len(args)))
		return 1
	case len(args) > 2:
		c.UI.Error(fmt.Sprintf("Too many arguments (expected 2, got %d)", len(args)))
		return 1
	}

	// Grab the source and destination
	source := ensureTrailingSlash(args[0])
	destination := ensureTrailingSlash(args[1])

	client, err := c.Client()
	if err != nil {
		c.UI.Error(err.Error())
		return 2
	}

	remountResp, err := client.Sys().StartRemount(source, destination)
	if err != nil {
		c.UI.Error(fmt.Sprintf("Error moving secrets engine %s to %s: %s", source, destination, err))
		return 2
	}

	c.UI.Output(fmt.Sprintf("Started moving secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))

	// Poll the status endpoint with the returned migration ID
	// Exit if a terminal status is reached, else wait and retry
	for {
		remountStatusResp, err := client.Sys().RemountStatus(remountResp.MigrationID)
		if err != nil {
			c.UI.Error(fmt.Sprintf("Error checking migration status of secrets engine %s to %s: %s", source, destination, err))
			return 2
		}
		if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusSuccess {
			c.UI.Output(fmt.Sprintf("Success! Finished moving secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
			return 0
		}
		if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusFailure {
			c.UI.Error(fmt.Sprintf("Failure! Error encountered moving secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
			return 0
		}
		c.UI.Output(fmt.Sprintf("Waiting for terminal status in migration of secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
		time.Sleep(10 * time.Second)
	}

	return 0
}
license: update headers to IBM Corp. (#10229) (#10233) * license: update headers to IBM Corp. * `make proto` * update offset because source file changed Signed-off-by: Ryan Cragun <me@ryan.ec> Co-authored-by: Ryan Cragun <me@ryan.ec> 2025-10-21 17:20:20 -04:00			`// Copyright IBM Corp. 2016, 2025`
[COMPLIANCE] License changes (#22290) * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com> 2023-08-10 21:14:03 -04:00			`// SPDX-License-Identifier: BUSL-1.1`
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 12:00:52 -04:00
Rename mounts to secrets engines and add the subcommand 2017-09-07 22:01:31 -04:00			`package command`

			`import (`
			`"fmt"`
			`"strings"`
remount cli changes (#14159) 2022-02-18 11:50:05 -05:00			`"time"`
Rename mounts to secrets engines and add the subcommand 2017-09-07 22:01:31 -04:00
Switch from mitchellh/cli to hashicorp/cli (#24239) @mitchellh suggested we fork `cli` and switch to that. Since we primarily use the interfaces in `cli`, and the new fork has not changed those, this is (mostly) a drop-in replacement. A small fix will be necessary for Vault Enterprise, I believe. 2023-12-04 14:05:02 -05:00			`"github.com/hashicorp/cli"`
Rename mounts to secrets engines and add the subcommand 2017-09-07 22:01:31 -04:00			`"github.com/posener/complete"`
			`)`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 12:43:39 -04:00			`var (`
			`_ cli.Command = (*SecretsMoveCommand)(nil)`
			`_ cli.CommandAutocomplete = (*SecretsMoveCommand)(nil)`
			`)`
Rename mounts to secrets engines and add the subcommand 2017-09-07 22:01:31 -04:00
remount cli changes (#14159) 2022-02-18 11:50:05 -05:00			`const (`
			`MountMigrationStatusSuccess = "success"`
			`MountMigrationStatusFailure = "failure"`
			`)`

Rename mounts to secrets engines and add the subcommand 2017-09-07 22:01:31 -04:00			`type SecretsMoveCommand struct {`
			`*BaseCommand`
			`}`

			`func (c *SecretsMoveCommand) Synopsis() string {`
			`return "Move a secrets engine to a new path"`
			`}`

			`func (c *SecretsMoveCommand) Help() string {`
			helpText := `
			`Usage: vault secrets move [options] SOURCE DESTINATION`

			`Moves an existing secrets engine to a new path. Any leases from the old`
			`secrets engine are revoked, but all configuration associated with the engine`
remount cli changes (#14159) 2022-02-18 11:50:05 -05:00			`is preserved. It initiates the migration and intermittently polls its status,`
			`exiting if a final state is reached.`
Rename mounts to secrets engines and add the subcommand 2017-09-07 22:01:31 -04:00
Revert "MFA (#14049)" (#14135) This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193. 2022-02-17 15:17:59 -05:00			`This command works within or across namespaces, both source and destination paths`
			`can be prefixed with a namespace heirarchy relative to the current namespace.`
Explicitly state that secrets move doesn't work across namespaces 2018-11-07 11:07:19 -05:00
remount cli changes (#14159) 2022-02-18 11:50:05 -05:00			`WARNING! Moving a secrets engine will revoke any leases from the`
Rename mounts to secrets engines and add the subcommand 2017-09-07 22:01:31 -04:00			`old engine.`

remount cli changes (#14159) 2022-02-18 11:50:05 -05:00			`Move the secrets engine at secret/ to generic/:`
Rename mounts to secrets engines and add the subcommand 2017-09-07 22:01:31 -04:00
			`$ vault secrets move secret/ generic/`

remount cli changes (#14159) 2022-02-18 11:50:05 -05:00			`Move the secrets engine at ns1/secret/ across namespaces to ns2/generic/,`
Revert "MFA (#14049)" (#14135) This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193. 2022-02-17 15:17:59 -05:00			`where ns1 and ns2 are child namespaces of the current namespace:`

			`$ vault secrets move ns1/secret/ ns2/generic/`

Rename mounts to secrets engines and add the subcommand 2017-09-07 22:01:31 -04:00			` + c.Flags().Help()

			`return strings.TrimSpace(helpText)`
			`}`

			`func (c SecretsMoveCommand) Flags() FlagSets {`
			`return c.flagSet(FlagSetHTTP)`
			`}`

			`func (c *SecretsMoveCommand) AutocompleteArgs() complete.Predictor {`
			`return c.PredictVaultMounts()`
			`}`

			`func (c *SecretsMoveCommand) AutocompleteFlags() complete.Flags {`
			`return c.Flags().Completions()`
			`}`

			`func (c *SecretsMoveCommand) Run(args []string) int {`
			`f := c.Flags()`

			`if err := f.Parse(args); err != nil {`
			`c.UI.Error(err.Error())`
			`return 1`
			`}`

			`args = f.Args()`
			`switch {`
			`case len(args) < 2:`
			`c.UI.Error(fmt.Sprintf("Not enough arguments (expected 2, got %d)", len(args)))`
			`return 1`
			`case len(args) > 2:`
			`c.UI.Error(fmt.Sprintf("Too many arguments (expected 2, got %d)", len(args)))`
			`return 1`
			`}`

			`// Grab the source and destination`
			`source := ensureTrailingSlash(args[0])`
			`destination := ensureTrailingSlash(args[1])`

			`client, err := c.Client()`
			`if err != nil {`
			`c.UI.Error(err.Error())`
			`return 2`
			`}`

Revert "MFA (#14049)" (#14135) This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193. 2022-02-17 15:17:59 -05:00			`remountResp, err := client.Sys().StartRemount(source, destination)`
			`if err != nil {`
Rename mounts to secrets engines and add the subcommand 2017-09-07 22:01:31 -04:00			`c.UI.Error(fmt.Sprintf("Error moving secrets engine %s to %s: %s", source, destination, err))`
			`return 2`
			`}`

remount cli changes (#14159) 2022-02-18 11:50:05 -05:00			`c.UI.Output(fmt.Sprintf("Started moving secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))`

			`// Poll the status endpoint with the returned migration ID`
			`// Exit if a terminal status is reached, else wait and retry`
			`for {`
			`remountStatusResp, err := client.Sys().RemountStatus(remountResp.MigrationID)`
			`if err != nil {`
			`c.UI.Error(fmt.Sprintf("Error checking migration status of secrets engine %s to %s: %s", source, destination, err))`
			`return 2`
			`}`
			`if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusSuccess {`
			`c.UI.Output(fmt.Sprintf("Success! Finished moving secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))`
			`return 0`
			`}`
			`if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusFailure {`
			`c.UI.Error(fmt.Sprintf("Failure! Error encountered moving secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))`
			`return 0`
			`}`
			`c.UI.Output(fmt.Sprintf("Waiting for terminal status in migration of secrets engine %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))`
			`time.Sleep(10 * time.Second)`
			`}`

Rename mounts to secrets engines and add the subcommand 2017-09-07 22:01:31 -04:00			`return 0`
			`}`