Add secrets deployment for GCP

Signed-off-by: Benjamin Grandfond <benjamin.grandfond@gmail.com>

docs/reference/README.md

@@ -21,6 +21,7 @@
 - [gcp/gcr](./gcp/gcr.md) - Google Container Registry
 - [gcp/gcs](./gcp/gcs.md) - Google Cloud Storage
 - [gcp/gke](./gcp/gke.md) - Google Kubernetes Engine
+- [gcp/secretmanager](./gcp/secretmanager.md) - Google Cloud Secret Manager
 - [git](./git.md) - Git operations
 - [go](./go.md) - Go build operations
 - [io](./io.md) - IO operations

stdlib/.dagger/env/google-secretmanager/.gitignore

@@ -0,0 +1,2 @@
+# dagger state
+state/**

stdlib/.dagger/env/google-secretmanager/values.yaml

@@ -0,0 +1,32 @@
+plan:
+    package: ./gcp/secretmanager/tests
+name: google-secretmanager
+inputs:
+    TestConfig.gcpConfig.project:
+        text: dagger-ci-324421
+    TestConfig.gcpConfig.region:
+        text: us-west2
+    TestConfig.gcpConfig.serviceKey:
+        secret: ENC[AES256_GCM,data:/8H0KaL2vHzKcinRtBpwnheo49WiFjN0kTnQ3ur82LF/8/GLOyW91tDEketPBhUJ7boeLWZoh0uashHeiySJ6uBBq7fi6ChJUrIgpE16VAFPlTTcyTSRGF/nynoyBe0loksAO2j32m4sBqZwjXvYc01a+A1IM5z5VRVmDqSfIHSIrsE/1zq67enoCOin6uLTmggrRFIu60WhNqD98JB2LC+M6GbchoaZh+3UI7IbUXYPepCYXwDLq8Qpcr5YxRbNfDsQaQx+Om8oc+KgJ2W7acz5uok8/sJG1w4GXvDFrLOz0WXMNxujru2ZvUOuMApaxeOVl/ahX3gtevOVmgQKMKAKf/Mcn1d4YNQbKIan7eQ/w/Hgt3W28DYLh6oI3k0A5a8q1oOwB//+Wl5lYOWMvqqjOW0y/Ms/JpHwFy6vfmK5t/1iiYzb6aPoY4ILz/ptcGCFsRuvhdX3NxnjL4O5niNjq6XD+GE7hLz1GsuzbPO5QLZ35bcl1PIjX+f/gNcxmX/TgYkyrAyjPpwp8EDVf4G/+2scwYYg0HjrrPzcS1NCRXL+vxDkt0EShaFY1Mx+n2pZBS7om5eUTVLp241l3qZqC0kUSXW18MT6JZ+gHoxsxm/jBaudBRtcvP5ynyTV5XO758UBAupZ/lPyzoBok9un1KLHJYHMG6fpzvduQBdhBnTrIfhOO9cK+FuJGgPUJtJfeuc/9zAsD+jTad5tdHlTIl0Wmx6T2RnC+ofcuvn0Vzr4Zzh5eYab+ybraiYD64pu6Aj1c74W8tAOxTnnHFho5eO8OlnnGa6UBcw/XJIK2jRktZLk1yawuXQh3vlHKyf1YhW0JxiruRx+jQXeRqFLDc0pwOF5oSJJih9ajZ0e8uRVuMO8LxwZ0XIkjQt94NiWKTDkDZ5qkD+2kcclcTjturnMaetb6cPeYlSmhGZ9FRqboYU9MSAKmNMZ6UhNIpL/z0rSKmFMDl2x5eCF4uM2WnHBsgqPFTKIF8i/mX7mbWCv4p+I1diY8AIF/+6+lHrC/ILjEw+rthxSzPKcKw4lzX2njJxFEn2JQhdaSP5a8QG6/q8vZhkvnsq3RcIWT3J9x16BS3vNC/2smDrpGt+3N2Ty8kcoG5CTgZpYxD1Q2GMHe5djjlcOuLcx5lb/Ns1zA9+cfysqqCxK057IJWdRexz1AB/pwsYoXqSp+tsQK0xsQtylhfYRgUhsgq6WX0AAlDt0N0IDZ9Xbh6KOTvDo+OeHVikKqKfZd9rLxIN62VySPAR8btdr4q+lzOEXGkCbcDrqc9EoW+jbxBKAdOdzHkEJ4L4jdui9FSP1TmMzzEbKEzTQpVh4THK7q36x2D9kvAsUYZUpplX/gw7C/5/XJomXyNRlw8AQUP3SoRYyDXYGCZTBNEXx9js/CPkjtNvVoXgeaUK7q9YnfeqsViH+dKRQkrmux+9q1kCywIvDyH64LOREYjd5nGzplpqhgNTyB7TYwbjQDN2Lp1IKRp/34oqJDj1mQMrjqgQrEnRkTIVgT9w5bxHf3py5a4iW6uHxWMuiEy/xPPQBeexR2tC0KSidBip/W8W7WAqCD/To8d755X8U+hcoF55bZ39C1vIjjRszyZJlHpLynXtCCcccBDUUaJVORuXghMgY1w1VHCs4VvaM2WLcdFrS57+i3+pmpd2mWzNWVgo/VxANLeKuQpISYkOjb4ULUNBiEcuhfKRY/IeRDj9+SMc/3iUKF/dkx7HgvLNgzxefJ8HuAsetawIxN2wVbmecskGnu4IHW0klULUCo64wUgJQEWs1EbWqtYtgUJPhb/NK0g4/LlcqVG0bkVByYgjnatQZkcI3Tm9sZ3i43BoiYFghVsY6M1bXv2T3/SdQq2ExCRHzJQLmKblp4QDuxawb0sT0FC2Pz5RkROwNDOEyb9iYpxnSg5PqEY+iiBjRElCBjnF1eRRB54ict8lVe9uBMdHFrwMzXVgT5CO4nzjPTyW/iw2uH+SHNkhphlraG2ybeB+iibupUQClubR4c/owZxMJnzdzqjVufAMDpf0jQ6S+rWtdfiGTZGAbHp6mpn7iofYa9PzO3++RqBLvWPwgbXYu4VjutJKdIcz3ksU01uvC89kXOwSutJ0u310ihhPM7oWvcBjEW1etoP3WkvUGxY7ZSjlxI/kWi6sW5UydqrUG5UCKiXorTSGGRo4lDbQKX/5v9yKbh/pztG8cKZxCDe1vu59XiH5IQKGaxhoLN39+UauJO2hdA5g0eSqmUSYa5X9wnVjPOnaMxBhUW3H06rW/V6Jq8T9EISLxEbs0wKTq2n6BYI/cZwtxWejAe5+NlmZTm8sCXgSdt7qM31ILowXi2+/kvw5wauzVS5w7/pYmIRvc/jfnVzqb0KlRJ5U1f36R+cWHCuUut+cOpjzb5DFYMbkGDe+T1lFvMDDf98Ls7pyfTOS0DVqlYnD77zSC9sRAHEm356uvEwkuiE4vE4+oRPj7t6FUXP2HX0FsFeHtykYnA67S4+ooJZPaO+QHEKvGAKKwFwSi51rBTv8kBu9kbw503YIkOmPMM8SJ8DiBl2MGO16KTI2zvs75FpdAyVanAJmIvV5nLpUpyxEdNnStc+bhSURMpP4Mee7PsZOmAiZ9tw+7LkwN0PnHJ3CbxKQesw6zmkQ4sAyGQwGSJbo3ej87W/8f2EurGuHyn+3UhsNhzYNT/8HQz1UdwROBd46hmG8TiQYsFzSydFaL9fN4P3yoJC1VXnofmgxYaM5cFodP9k6iX1zzOe5ZWTZP/lsTDyl6UnaqdSSzfSkQA28XVj9TtRp62GnRwNgl4UkdNVItjjaAzb160x1WDJfbrVjEu58unlG/DPqvIzrbnstLBe5iVvCNqhTZUQUOPeOWGC0AIO083yoRT58fsTW3Lc2FUeNISnmvAUCcN4YNu+z3GcexmUH7ne9mYbfxLRwiIVpo0zXLYYRSQ/42n38TTqSDBMsbfujylO8zaaEd9/Vyzl2PMT1u8H1QGL0KgRcjC+OkNtRNoZ64qJVS7GVmg8iHyTsKWuqZhJC69OqS5L1QY3hqd38GVRzgOuy7JILWieFMLkX7AIzX616SEsU=,iv:m+Qoz57df2gJCv7sNbTLnaRrtv0d8ykzoJqeiCBP3Vw=,tag:clDEYDs9bq4G/2yw5bqKRg==,type:str]
+    TestSecrets.secret.secrets.databasePassword:
+        secret: ENC[AES256_GCM,data:hQcppp1Pj5k=,iv:91IMRRCRytEQ8WRSGRQIcKVnPJ9rIyikhAe8sxNNSKo=,tag:qnzIAoeHe0cDAm7xJtVOuQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1rjf5lcyh8g06d4l0ujty40jjqm075pd2hrz24wm3hgdw6zkawgdqep02wa
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldUNYQTlPeG1tK2IwZ1RR
+            L2lQZlRoNDM4MXRaRWVwUFRZVUloaUJPM25RClczUkZYT3VYbHhFck1FK0Y4bnAr
+            Zi9oUWZEcVgzdGdtS1RWU3J1RytTbEUKLS0tIDQwd2dxSXJGMWtjdVJkY3VOOGgx
+            cE9kYkVxZU1IbDlMOVVjVFhRT0RtN0UK/xqmdQCPXmUFIzm1rW2EGNOjGR0fYjIR
+            GsbeEnNhIso1eW48/LeNVlmypyRm05qV6uI5pTn4ecVTeYl9jWzCnA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2021-09-05T14:40:55Z"
+    mac: ENC[AES256_GCM,data:ukt19jzNMVS7FlKqagUbPb5d82yRWKXzU6Nwrm/bj4Yr4Fix8YujPmEPna32+EyPNCTwY9Wgoxvy7/QF3EootTcTl6FFH2l6v4aVJDIh4iGQo6HpFH1lYyBtDiDNVvLMOxxfqpahoRBpY0fNFOloEh/+Fr77WFwO+E2ksciYEXE=,iv:3yKQAXtTcmjyWfS5JCIOjhxj4JcdhMZnyMBc/6Tvc2A=,tag:aJPd868CiZ6+hcwIkCLK4w==,type:str]
+    pgp: []
+    encrypted_suffix: secret
+    version: 3.7.1

stdlib/gcp/secretmanager/secrets.cue

@@ -0,0 +1,76 @@
+// Google Cloud Secret Manager
+package secretmanager
+
+import (
+	"alpha.dagger.io/dagger"
+	"alpha.dagger.io/dagger/op"
+	"alpha.dagger.io/gcp"
+	"alpha.dagger.io/os"
+)
+
+#Secrets: {
+	// GCP Config
+	config: gcp.#Config
+
+	// Map of secrets
+	secrets: [name=string]: dagger.#Secret
+
+	// Deploy encrypted secrets
+	deployment: os.#Container & {
+		image: gcp.#GCloud & {"config": config}
+		shell: path: "/bin/bash"
+		always: true
+
+		for name, s in secrets {
+			secret: "/tmp/secrets/\(name)": s
+		}
+
+		command: #"""
+			    # Loop on all files, including hidden files
+			    shopt -s dotglob
+			    echo "{}" > /tmp/output.json
+			    for FILE in /tmp/secrets/*; do
+			        BOOL=0 # Boolean
+			        gcloud secrets describe "${FILE##*/}" 2>/dev/null > /dev/null
+			        status=$?
+
+			        # If secret not found
+			        if [[ ! "${status}" -eq 0 ]]; then
+			            (\
+			                RES=$(gcloud secrets create "${FILE##*/}" --replication-policy automatic --data-file "${FILE}" --format='value(name)' | sed -n '1!p') \
+			                && cat <<< $(cat /tmp/output.json | jq ".|.\"${FILE##*/}\"=\"$RES\"") > /tmp/output.json \
+			            ) || (echo "Error while creating secret ${FILE##*/}" >&2 && exit 1)
+			            BOOL=1
+			        else
+									(\
+											RES=$(gcloud secrets versions add "${FILE##*/}" --data-file "${FILE}" --format='value(name)' | sed -n '1!p') \
+											&& cat <<< $(cat /tmp/output.json | jq ".|.\"${FILE##*/}\"=\"$RES\"") > /tmp/output.json \
+									) || (echo "Error while updating secret ${FILE##*/}" >&2 && exit 1)
+									BOOL=1
+			        fi
+			        if [ $BOOL -eq 0 ]; then
+			            (\
+			                RES=$(gcloud secrets describe "${FILE##*/}" --format='value(name)') \
+			                && cat <<< $(cat /tmp/output.json | jq ".|.\"${FILE##*/}\"=\"$RES\"") > /tmp/output.json \
+			            ) || (echo "Error while retrieving secret ${FILE##*/}" >&2 && exit 1)
+			        fi
+			    done
+			"""#
+	}
+
+	// dynamic references
+	references: {
+		[string]: string
+	}
+
+	references: #up: [
+		op.#Load & {
+			from: deployment
+		},
+
+		op.#Export & {
+			source: "/tmp/output.json"
+			format: "json"
+		},
+	]
+}

stdlib/gcp/secretmanager/tests/secrets.cue

@@ -0,0 +1,33 @@
+package secretmanager
+
+import (
+	"alpha.dagger.io/dagger"
+	"alpha.dagger.io/gcp"
+	"alpha.dagger.io/gcp/secretmanager"
+	"alpha.dagger.io/os"
+)
+
+TestConfig: gcpConfig: gcp.#Config
+
+TestSecrets: {
+	secret: secretmanager.#Secrets & {
+		config: TestConfig.gcpConfig
+		secrets: {
+			databasePassword: dagger.#Secret @dagger(input)
+		}
+	}
+
+	if len(secret.references) > 0 {
+		cleanup: os.#Container & {
+			image: gcp.#GCloud & {
+				config: TestConfig.gcpConfig
+			}
+			shell: path: "/bin/bash"
+			always: true
+
+			command: #"""
+					gcloud -q secrets delete databasePassword
+				"""#
+		}
+	}
+}

stdlib/universe.bats

@@ -172,6 +172,16 @@ setup() {
     dagger -e google-gke up
 }
 
+@test "google cloud: secretmanager" {
+    run dagger -e google-secretmanager up
+    assert_success
+
+    # ensure the secret has been created
+    run dagger query -e google-secretmanager TestSecrets.secret.references.databasePassword -f text
+    assert_success
+    assert_output --regexp '^projects\/[0-9]+\/secrets\/databasePassword'
+}
+
 @test "google cloud: cloudrun" {
     dagger -e google-cloudrun up
 }