My goal is to create a GCP CloudBuild Trigger using Pulumi. I'm using the Typescript client.
When creating a Google-managed secret (as opposed to customer-managed) I don't use KMS.
What would I put into the required (!) variable build.secrets[0].kmsKeyName? This is trivial when using KMS, but I found no "default" or "global" KMS name that would work when running the trigger with a Google-managed secret. I can create the trigger with a "fake" KMS name, but it doesn't run, complaining with:

```text
Failed to trigger build: generic::invalid_argument: invalid build: invalid secrets: kmsKeyName "?WHAT TO PUT HERE?" is not a valid KMS key resource
```

Thank you in advance for any suggestions.
```typescript
import * as gcp from "@pulumi/gcp";

const ghToken = new gcp.secretmanager.Secret("gh-token", {
  secretId: "gh-token",
  replication: {
    automatic: true,
  },
});

const ghTokenSecretVersion = new gcp.secretmanager.SecretVersion("secret-version", {
  secret: ghToken.id,
  secretData: "the-secret-token",
});

const cloudBuild = new gcp.cloudbuild.Trigger("trigger-name", {
  github: {
    owner: "the-org",
    name: "repo-name",
    push: {
      branch: "^main$",
    },
  },
  build: {
    substitutions: {
      "_SERVICE_NAME": "service-name",
      "_DEPLOY_REGION": "deploy-region",
      "_GCR_HOSTNAME": "gcr.io",
    },
    steps: [
      {
        id: "Build",
        name: "gcr.io/cloud-builders/docker",
        entrypoint: "bash",
        args: [
          "-c",
          // Trailing backslashes keep the multi-line command as one bash command;
          // "$$GH_TOKEN" is Cloud Build's escape for a literal "$GH_TOKEN".
          `docker build --no-cache \\
            -t $_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA \\
            --build-arg GH_TOKEN=$$GH_TOKEN \\
            . \\
            -f Dockerfile`,
        ],
        secretEnvs: ["GH_TOKEN"],
      },
    ],
    tags: ["my-tag"],
    secrets: [
      {
        kmsKeyName: "?WHAT TO PUT HERE?",
        secretEnv: {
          "GH_TOKEN": ghTokenSecretVersion.secretData,
        },
      },
    ],
  },
});
```
I don't think you can use a SecretManager secret with cloud build through Pulumi. I solved it by creating a kms key and encrypting my data using gcp.kms.Ciphertext. Here's what it looks like:
```typescript
import * as gcp from "@pulumi/gcp";
import * as pulumi from "@pulumi/pulumi";

// Key ring and crypto key are protected so a stack teardown cannot delete
// the key that the stored ciphertext depends on.
export const keyRing = new gcp.kms.KeyRing("keyring", {
  location: "global",
}, { protect: true });

export const secretsEncryptionKey = new gcp.kms.CryptoKey("secrets-key", {
  keyRing: keyRing.id,
  rotationPeriod: "100000s",
}, { protect: true });

const config = new pulumi.Config();

// Encrypts the plaintext from the stack config with the KMS key; only the
// resulting ciphertext is handed to Cloud Build.
export const githubTokenCiphertext = new gcp.kms.SecretCiphertext("github-token", {
  cryptoKey: secretsEncryptionKey.id,
  plaintext: config.requireSecret("github-token"),
});

const cloudBuild = new gcp.cloudbuild.Trigger("trigger-name", {
  github: {...},
  build: {
    ...,
    secrets: [
      {
        kmsKeyName: githubTokenCiphertext.cryptoKey,
        secretEnv: {
          "GH_TOKEN": githubTokenCiphertext.ciphertext,
        },
      },
    ],
  },
});
```
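As an added example (not from the question or the answer above), a small offline TypeScript check of what Cloud Build's build.secrets[].kmsKeyName must look like: the full Cloud KMS crypto key resource name, which is also what the answer's githubTokenCiphertext.cryptoKey resolves to, paired with base64 ciphertext (never plaintext) in secretEnv. The function names and the base64 shape check are my own assumptions, not Pulumi or Cloud Build API.

```typescript
// Added example, not part of the original question or answer; no Pulumi runtime needed.

// Cloud KMS crypto key resource name format:
// projects/{project}/locations/{location}/keyRings/{ring}/cryptoKeys/{key}
const KMS_KEY_RE =
  /^projects\/([^/]+)\/locations\/([^/]+)\/keyRings\/([^/]+)\/cryptoKeys\/([^/]+)$/;

interface KmsKeyName {
  project: string;
  location: string;
  keyRing: string;
  cryptoKey: string;
}

// Returns the parsed components, or null for a name Cloud Build would reject
// with 'kmsKeyName "..." is not a valid KMS key resource'.
function parseKmsKeyName(name: string): KmsKeyName | null {
  const m = KMS_KEY_RE.exec(name);
  if (!m) return null;
  return { project: m[1], location: m[2], keyRing: m[3], cryptoKey: m[4] };
}

interface BuildSecret {
  kmsKeyName: string;
  secretEnv: { [envVar: string]: string };
}

// Builds one build.secrets[] entry (hypothetical helper). Values must be
// KMS ciphertext (base64): Cloud Build decrypts them with kmsKeyName before
// exposing them to steps that list the variable in secretEnvs, so passing a
// Secret Manager plaintext here, as the question does, cannot work.
function buildSecretEntry(kmsKeyName: string, env: { [envVar: string]: string }): BuildSecret {
  if (!parseKmsKeyName(kmsKeyName)) {
    throw new Error(`kmsKeyName "${kmsKeyName}" is not a valid KMS key resource`);
  }
  const secretEnv: { [envVar: string]: string } = {};
  for (const k of Object.keys(env)) {
    const v = env[k];
    // Base64 shape check only; this does not prove the value is real ciphertext.
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(v) || v.length % 4 !== 0) {
      throw new Error(`secretEnv ${k}: value is not base64 ciphertext`);
    }
    secretEnv[k] = v;
  }
  return { kmsKeyName, secretEnv };
}
```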