Merge pull request #945 from benja-M-1/feat/gcp-secrets

Add secrets deployment for GCP

docs/reference/README.md

@@ -22,6 +22,7 @@
 - [gcp/gcr](./gcp/gcr.md) - Google Container Registry
 - [gcp/gcs](./gcp/gcs.md) - Google Cloud Storage
 - [gcp/gke](./gcp/gke.md) - Google Kubernetes Engine
+- [gcp/secretmanager](./gcp/secretmanager.md) - Google Cloud Secret Manager
 - [git](./git.md) - Git operations
 - [go](./go.md) - Go build operations
 - [io](./io.md) - IO operations

stdlib/.dagger/env/google-secretmanager/.gitignore

@@ -0,0 +1,2 @@
+# dagger state
+state/**

stdlib/.dagger/env/google-secretmanager/values.yaml

@@ -0,0 +1,32 @@
+plan:
+    package: ./gcp/secretmanager/tests
+name: google-secretmanager
+inputs:
+    TestConfig.gcpConfig.project:
+        text: dagger-ci
+    TestConfig.gcpConfig.region:
+        text: us-west2
+    TestConfig.gcpConfig.serviceKey:
+        secret: ENC[AES256_GCM,data:fQKVyu3dOiRz7Ubnosa8agcKs+juarkz/RWe7puRxag1VDJTi6xU5tf6crFkzI6DvGSKe5ipe8wc1Qw+v50I3ETHkZ2XxdM2AdhfAT/zULEX5r4czv1Z/Z+oDLuZwwfRZ7KhPArYaAkFLPSQ1fCjuXfVUwmHPpbUDO7t+NgkifHQ4MIZLGl07imbjNVHUW7TknsZmgO76AcGk7RYd+ky1YCDd8NYDr+X0WznF+LPuAEBDDpJUDGRoUpXZwgXp7JjzzheNosqFUHIO460yK1M2EGMHfm7TDcgF35C7SvUWfyl3njKnyxqlKxq7UQ/Yqhv5IuL0kuMBhsptyp8aqY12hroq89DfQu2BUHXJlTMNroDfh5EsMCihpeb7uflkNkLizEKEg9mMeRHJxtAr/dESDeHvFB4g0UNoZiXwVoWDpJbleShj5VNSqYUesoHWLHnB7ssprsMisXu3zaZ9STt4U8Q33YVAsfAdsUAF2QEAIIIzSgUxyC54VIdiIHXFrdkXrppaoU/eWVeakko5TXTJkWCrITB8gtMnglDN4qjIZjQ7Njln7fJFiJBgz9odzksjpvOgsVa0I//EV7OHWOJ4oO7fHqmg6AkfN9BxfboBQtPLW5TM08OqSbZkFcOFTImh+s0ZsrwMvHTL3FSISiw7vUsfXgfRbxtLKOX7tTy62E3BTGtWxszSNTvObMFPkzYm18InhNafq8POcxVWckWjJXl2WmKHNburSCnQgey4U6YoWon9hAzcK+8DTNXIQsN10H70IxpuQm/ANxemSPfzLFGzmZlL0/ZHO6RiwjYYXpiJ5YO/e7sZAL2C9DimdY/ZfBqGrTt6XmZ7iBWVhFjETL3+W+ere3bD1X1pO0WIg/l94GcLLjUOLMBj6HzoXrATJObW81IKeLeKQfTG5AF1qWIJJPVKSZKUlr2yP6DtqMANcQTeRQ9kqjfMw6vJ4ZkZlEHboV/3qrcYfjYAqx7Q/fV1+++RFXKXhWdwIyHl5HSeSkaWEcePDgSNoL5oEwBmhyKXmh8QAEl25VRJYQJpvPOJcYCwDAbJcua72R9LEGQy/cxx/Z5E2rLkCYknZaklpjKQintDnenogBvLjzJWHg9JLHIql+4lGmTst8526loF3hDeZlYLT/iL+JAgIZGAZ2OC5bHonUhBd0QNj1f7pDxZyYxotSIKH06FVaMcFhJkyP4E4/oaqzvjEXwzYHLsdTEp05HtJb5hohoB41IP5ck8Sz+jBDgUCsIYvRXc3HBRyyMz4Ptvov72YBolZSggUCtRbluwqxVc1EPLAy3gPcxW7ig077/FXvk+KLp+sjikzNnFLg2RICD2n58Avyu+vzgqucOCuR3eF8Ir4pUrpubum3UNnnWM0X9L6K4nrvk2gmk9awj1RJSRxxwp7NviUlQjcbZF1cCxJESff1VkK1InkEDUvPGnq1WO0MW36DUcecE+ME+fVcT7/KyDpP4xtRXkpaJM4KuhNZnWOvqm5njZ3u4I6FnGAKs9vI5qDQ3PVhxeLb1qK5koPHLQlR/LZX/w297LaCX51SBr7Pajd8y7r6ATJJ3wN5Vl4vDyivarf2EteVXiGlAs4YRQXjWUlHV74Wol9LEc1jMa24Lf2WaGG1dS1EH5HsoeOzDdjaz4TXjIIC7BrXgs/tRsnQINKv6qGrB3izBvR5a5z5He6RZA8eMVIXMtwLqOzbPWFjaXm4TYVq89JSMclz75q7KjCrji2zuE+4ImLQntm6Dib+piytCRiXWF8rkEMRyzcrz9MzjoK/pdFSfD7BFtOwJd6Jk0jd4JVzBUsaKcVMU41WNCBM7sfeIEtoFdyv+osgQsJGoB0zDeYj9sO/AdIJIUy8wJyH1+JOpI/+hLrVJUSFQ6ZPSquMaN/TRNcxiSvBNqP36uoB0ffVAfQ4JVc+2XEU88KzPYbX6Rw9ftK78kXDM7aYQ77OUpexx096OCX6GGRX5XdiMwepfMeRzvhpioXfHQk/djtPvrfTFtsU6Npy/rbcLqCpW8MWCZ4efx/Cu8qefB7Gj6h4GUk72e6lsp3+AIq/Y4mdi0v2uZlHJZj2c7D+hboey/YbO6nHM9KbUpjgZ+AyTziBk3IYbiAmN5km8z9jKL4OiHtx7Vyildv0HEmGl1CVkJQJ2s7SLgVKmeOscqvJ1Xd3FiY78nyyTlPPAha6K9nbdTog2qiROYgwjz1dAN17+c4/VxLHNbvPijsMtYLb3yckE0E25sQvVN7cu4yncnSU0fC+7BDhyOChl7zGlgb9YWWU5bFn8pQGWo7MeIHHI6PZfDqHKE+23d19Z5uBNGe5EOfTogt75GBtqylfb+fEOiitzaQnkVxj7JdkjKVPKYF3XqOneLkfdUVAFGslByii6Tpi1QEYyYAKvlgRu2IWrazJVniYm/Sl80xEgwF17gFREGh97HcmCQh4801fbT5H+RPXDEkkcm28nuNduNiVqKhnf/adJWwaav0gPOgcS6V0DPFtP/zErC/WNRebJMbn4BJE6aVLPRR2z87iTG4o7+7XDAq0b57vTfHxdihDD0wyQRS/VRy3tb3VX7B6GQwDO0akGUdPUucuCK/fjbXiUPwh6ZF6u9zr/oNCj+FjseOAklMKmfprQDcAohr2lDvjilvanUfZyizB1ugcV3DxB6MJjgUJ+4vCncxNylv3dNXdA67uiFkeXfcNTzy2caRHTEA8p2OReNmKGK5Gk41Zk7M15RvN18YXCvL2haDjEn4LOletqv/QXbWGzfNWH7uSoBMukFE08e+yFWw9jKiO9DIeF67O+y6PUSk9JVH/YnAiyscN4YzwfFGm0A8rQdkKcA3MABbCMF4bR/j/FvprwBAs4Fnv/y7sAq1qMDgOTdEJsGNMw6VgvtkwhL47ZuE1lYLQPHlzitqjy2Mbo0ozONI6Nh3/QvNTqHEpIwcfuy1tCiQtrX+OCQxmYk/Ypra4yvPgD97gmwWJCorDSCENFvhMG5/xNX0Ks9pUGG1DN9qjS8EW6zje2hSbXvWyP1JtJVdhS/7dBrFABqcsZvsWn6wOGhUcDNdRnBLSFcgs=,iv:9zRiKDjj3+9EuxGHKB12jPwtXlgywxZyX7ICqMhhvi4=,tag:COyZPIEfsgOau2EOUX1vHg==,type:str]
+    TestSecrets.secret.secrets.databasePassword:
+        secret: ENC[AES256_GCM,data:DxIcSy5UGvpDnQ==,iv:N7FD6qr51mRyie0UE/2c4IBONT82hzLUYHnz9zMiQVM=,tag:rAx37nTySZckFIV2vwWk1A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhenNyZzhOL3pwU2Y2SGsv
+            NGh1QTR0U1FMNUhlRUl2cGQ2amxYSk9tNFVvCjMrbm1WMkdiSEJ1KytlQU9Nelpn
+            ZmZIUVMxSWo4aVFrQ1MxekM2ZzNhS1kKLS0tIG5IeFNOdGJWN2hoeFMvSHJkYU1a
+            QTN1MDlNNzNIQVZ2ZXZjUlV1QU1va1EK/R4z69dd8mpiez6qQVgHXnvybc5qjZcC
+            p5GXZhUP2Y0/9rfRXy+Nwb7dT4LnhPuXLNFFZqTzm0V+aM+AkckrLg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2021-09-06T14:44:22Z"
+    mac: ENC[AES256_GCM,data:wA4G51q9aEBX7ra0bVI9EMOBWEwYxpq6ysnJg52pM8hyK3XFS2xczPv5pFCsylNcrmf03TaTDvK+nj5GTu2TJ+3+LQgPj36eocbK5b2PtvNAzIrbr+r9IXSFCvBEePKpfcIltTnUE1vfGBRIeQIwuv7hNjH3FW9K3+ank5h8m0M=,iv:e86qrZ4uf9bSRv3diMW8b0jG31AeNmPkX2r4BGHRdQY=,tag:fpnL1/Q6DwGi9Ys/z/Gv2A==,type:str]
+    pgp: []
+    encrypted_suffix: secret
+    version: 3.7.1

stdlib/gcp/secretmanager/secrets.cue

@@ -0,0 +1,76 @@
+// Google Cloud Secret Manager
+package secretmanager
+
+import (
+	"alpha.dagger.io/dagger"
+	"alpha.dagger.io/dagger/op"
+	"alpha.dagger.io/gcp"
+	"alpha.dagger.io/os"
+)
+
+#Secrets: {
+	// GCP Config
+	config: gcp.#Config
+
+	// Map of secrets
+	secrets: [name=string]: dagger.#Secret
+
+	// Deploy encrypted secrets
+	deployment: os.#Container & {
+		image: gcp.#GCloud & {"config": config}
+		shell: path: "/bin/bash"
+		always: true
+
+		for name, s in secrets {
+			secret: "/tmp/secrets/\(name)": s
+		}
+
+		command: #"""
+			    # Loop on all files, including hidden files
+			    shopt -s dotglob
+			    echo "{}" > /tmp/output.json
+			    for FILE in /tmp/secrets/*; do
+			        BOOL=0 # Boolean
+			        gcloud secrets describe "${FILE##*/}" 2>/dev/null > /dev/null
+			        status=$?
+
+			        # If secret not found
+			        if [[ ! "${status}" -eq 0 ]]; then
+			            (\
+			                RES=$(gcloud secrets create "${FILE##*/}" --replication-policy automatic --data-file "${FILE}" --format='value(name)' | sed -n '1!p') \
+			                && cat <<< $(cat /tmp/output.json | jq ".|.\"${FILE##*/}\"=\"$RES\"") > /tmp/output.json \
+			            ) || (echo "Error while creating secret ${FILE##*/}" >&2 && exit 1)
+			            BOOL=1
+			        else
+									(\
+											RES=$(gcloud secrets versions add "${FILE##*/}" --data-file "${FILE}" --format='value(name)' | sed -n '1!p') \
+											&& cat <<< $(cat /tmp/output.json | jq ".|.\"${FILE##*/}\"=\"$RES\"") > /tmp/output.json \
+									) || (echo "Error while updating secret ${FILE##*/}" >&2 && exit 1)
+									BOOL=1
+			        fi
+			        if [ $BOOL -eq 0 ]; then
+			            (\
+			                RES=$(gcloud secrets describe "${FILE##*/}" --format='value(name)') \
+			                && cat <<< $(cat /tmp/output.json | jq ".|.\"${FILE##*/}\"=\"$RES\"") > /tmp/output.json \
+			            ) || (echo "Error while retrieving secret ${FILE##*/}" >&2 && exit 1)
+			        fi
+			    done
+			"""#
+	}
+
+	// dynamic references
+	references: {
+		[string]: string
+	}
+
+	references: #up: [
+		op.#Load & {
+			from: deployment
+		},
+
+		op.#Export & {
+			source: "/tmp/output.json"
+			format: "json"
+		},
+	]
+}

stdlib/gcp/secretmanager/tests/secrets.cue

@@ -0,0 +1,33 @@
+package secretmanager
+
+import (
+	"alpha.dagger.io/dagger"
+	"alpha.dagger.io/gcp"
+	"alpha.dagger.io/gcp/secretmanager"
+	"alpha.dagger.io/os"
+)
+
+TestConfig: gcpConfig: gcp.#Config
+
+TestSecrets: {
+	secret: secretmanager.#Secrets & {
+		config: TestConfig.gcpConfig
+		secrets: {
+			databasePassword: dagger.#Secret @dagger(input)
+		}
+	}
+
+	if len(secret.references) > 0 {
+		cleanup: os.#Container & {
+			image: gcp.#GCloud & {
+				config: TestConfig.gcpConfig
+			}
+			shell: path: "/bin/bash"
+			always: true
+
+			command: #"""
+					gcloud -q secrets delete databasePassword
+				"""#
+		}
+	}
+}

stdlib/universe.bats

@@ -172,6 +172,16 @@ setup() {
   dagger -e google-gke up
 }
 
+@test "google cloud: secretmanager" {
+    run dagger -e google-secretmanager up
+    assert_success
+
+    # ensure the secret has been created
+    run dagger query -e google-secretmanager TestSecrets.secret.references.databasePassword -f text
+    assert_success
+    assert_output --regexp '^projects\/[0-9]+\/secrets\/databasePassword'
+}
+
 @test "google cloud: cloudrun" {
   dagger -e google-cloudrun up
 }