In Pulumi, when defining a GCP CloudBuild Trigger, what do I use as kmsKeyName for a managed secret?

My goal is to create a GCP CloudBuild trigger using Pulumi. I'm using the TypeScript client.

When creating a Google-managed secret (as opposed to a customer-managed one), I don't use KMS. What do I put in the required (!) variable build.secrets[0].kmsKeyName? This is trivial when using KMS, but I have found no "default" or "global" KMS name to use when running a trigger with a Google-managed secret. I can create the trigger with a "fake" KMS name, but it won't run, complaining: Failed to trigger build: generic::invalid_argument: invalid build: invalid secrets: kmsKeyName "?WHAT TO PUT HERE?" is not a valid KMS key resource.

Thanks in advance for any suggestions.

import * as gcp from "@pulumi/gcp";

const ghToken = new gcp.secretmanager.Secret("gh-token", {
    secretId: "gh-token",
    replication: {
        automatic: true,
    },
})

const ghTokenSecretVersion = new gcp.secretmanager.SecretVersion("secret-version", {
    secret: ghToken.id,
    secretData: "the-secret-token",
});

const cloudBuild = new gcp.cloudbuild.Trigger("trigger-name", {
    github: {
        owner: "the-org",
        name: "repo-name",
        push: {
            branch: "^main$"
        }
    },
    build: {
        substitutions: {
            "_SERVICE_NAME": "service-name",
            "_DEPLOY_REGION": "deploy-region",
            "_GCR_HOSTNAME": "gcr.io",
        },
        steps: [
            {
                id: "Build",
                name: "gcr.io/cloud-builders/docker",
                entrypoint: "bash",
                args: [
                    "-c",
                    // "\\" leaves a literal backslash in the string, so bash reads
                    // each newline as a line continuation instead of a new command
                    `docker build --no-cache \\
                    -t $_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA \\
                    --build-arg GH_TOKEN=$$GH_TOKEN \\
                    . \\
                    -f Dockerfile
                    `,
                ],
                secretEnvs: ["GH_TOKEN"],
            },
        ],
        tags: ["my-tag"],
        secrets: [
            {
                kmsKeyName: "?WHAT TO PUT HERE?",
                secretEnv: {
                    "GH_TOKEN": ghTokenSecretVersion.secretData
                }
            }
        ]
    },
})

I don't think you can use SecretManager secrets for Cloud Build through Pulumi. I worked around it by creating a KMS key and encrypting my data with gcp.kms.Ciphertext. Here is what it looks like:

import * as gcp from "@pulumi/gcp";
import * as pulumi from "@pulumi/pulumi";

export const keyRing = new gcp.kms.KeyRing("keyring", {
  location: "global",
}, {protect: true});

export const secretsEncryptionKey = new gcp.kms.CryptoKey("secrets-key", {
  keyRing: keyRing.id,
  rotationPeriod: "100000s",
}, { protect: true });

const config = new pulumi.Config();

export const githubTokenCiphertext = new gcp.kms.SecretCiphertext("github-token", {
  cryptoKey: secretsEncryptionKey.id,
  plaintext: config.requireSecret("github-token"),
});

const cloudBuild = new gcp.cloudbuild.Trigger("trigger-name", {
  github: {...},
  build: {
    ...,
    secrets: [
      {
        kmsKeyName: githubTokenCiphertext.cryptoKey,
        secretEnv: {
          "GH_TOKEN": githubTokenCiphertext.ciphertext,
        }
      }
    ]
  },
})
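The error in the question ("is not a valid KMS key resource") is Cloud Build rejecting the string before it ever tries to decrypt anything: kmsKeyName has to be a full Cloud KMS resource name, which is exactly what the answer's trigger gets from githubTokenCiphertext.cryptoKey. The following TypeScript is an added example, not code from the question, the answer or the Pulumi project. It parses a kmsKeyName against that resource-name format and runs a sanity check over a secrets entry before it is handed to a trigger. The base64 check on secretEnv values is an assumption on my part (the API carries them as base64 ciphertext, which is also what SecretCiphertext returns); the sample values are constructed.

```typescript
// Added example (not from the question or answer): checks a build.secrets entry
// against the Cloud KMS resource-name format that Cloud Build requires:
//   projects/{project}/locations/{location}/keyRings/{ring}/cryptoKeys/{key}
export interface KmsKeyName {
  project: string;
  location: string;
  keyRing: string;
  cryptoKey: string;
}

const KMS_KEY_RE =
  /^projects\/([^/]+)\/locations\/([^/]+)\/keyRings\/([^/]+)\/cryptoKeys\/([^/]+)$/;

// Returns the parsed components, or null when the string is not a KMS key
// resource name (the placeholder from the question falls into the null case).
export function parseKmsKeyName(name: string): KmsKeyName | null {
  const m = KMS_KEY_RE.exec(name);
  if (!m) return null;
  const [, project = "", location = "", keyRing = "", cryptoKey = ""] = m;
  return { project, location, keyRing, cryptoKey };
}

// Shape of one build.secrets[] element as the trigger expects it.
export interface BuildSecret {
  kmsKeyName: string;
  secretEnv: Record<string, string>;
}

// Assumption: secretEnv values are base64-encoded ciphertext, never plaintext.
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Collects everything that would make Cloud Build refuse the entry, so the
// problems surface at deploy time rather than on the first push to main.
export function validateBuildSecret(s: BuildSecret): string[] {
  const problems: string[] = [];
  if (!parseKmsKeyName(s.kmsKeyName)) {
    problems.push(`kmsKeyName "${s.kmsKeyName}" is not a valid KMS key resource`);
  }
  for (const [env, value] of Object.entries(s.secretEnv)) {
    if (!BASE64_RE.test(value) || value.length % 4 !== 0) {
      problems.push(`secretEnv ${env} is not base64 ciphertext`);
    }
  }
  return problems;
}

// Constructed sample values: the question's placeholder with a plaintext token,
// and a well-formed name (matching the answer's "keyring"/"secrets-key" resources)
// with base64 ciphertext.
export const placeholderSecret: BuildSecret = {
  kmsKeyName: "?WHAT TO PUT HERE?",
  secretEnv: { GH_TOKEN: "the-secret-token" },
};

export const wellFormedSecret: BuildSecret = {
  kmsKeyName:
    "projects/my-project/locations/global/keyRings/keyring/cryptoKeys/secrets-key",
  secretEnv: { GH_TOKEN: "Q2lwaGVydGV4dA==" },
};

console.log(validateBuildSecret(placeholderSecret));
console.log(validateBuildSecret(wellFormedSecret));
```

In a Pulumi program the key name is an Output, so the check would run inside an apply over githubTokenCiphertext.cryptoKey and ciphertext; the format rule is the same.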