在 Pulumi 中,在定义 GCP CloudBuild 触发器时,我将什么用作托管密钥的 kmsKeyName?
In Pulumi, when defining a GCP CloudBuild Trigger, what do I use as kmsKeyName for a managed secret?
我的目标是使用 Pulumi 创建一个 GCP CloudBuild 触发器。我正在使用 Typescript 客户端。
创建 Google 管理的机密(与客户管理的相反)时,我不使用 KMS。
我会在所需的 (!) 变量 build.secrets[0].kmsKeyName 中输入什么?这在使用 KMS 时是微不足道的,但我发现没有“默认”或“全局”KMS 名称可以在 运行 使用 Google 管理的秘密触发时使用。我可以使用“假”KMS 名称创建触发器,但它不会 运行,抱怨:
Failed to trigger build: generic::invalid_argument: invalid build: invalid secrets: kmsKeyName "?WHAT TO PUT HERE?" is not a valid KMS key resource.
提前感谢您的任何建议。
import * as gcp from "@pulumi/gcp";
const ghToken = new gcp.secretmanager.Secret("gh-token", {
secretId: "gh-token",
replication: {
automatic: true,
},
})
const ghTokenSecretVersion = new gcp.secretmanager.SecretVersion("secret-version", {
secret: ghToken.id,
secretData: "the-secret-token",
});
const cloudBuild = new gcp.cloudbuild.Trigger("trigger-name", {
github: {
owner: "the-org",
name: "repo-name",
push: {
branch: "^main$"
}
},
build: {
substitutions: {
"_SERVICE_NAME": "service-name",
"_DEPLOY_REGION": "deploy-region",
"_GCR_HOSTNAME": "gcr.io",
},
steps: [
{
id: "Build",
name: "gcr.io/cloud-builders/docker",
entrypoint: "bash",
args: [
"-c",
`docker build --no-cache
-t $_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA
--build-arg GH_TOKEN=$$GH_TOKEN
.
-f Dockerfile
`,
],
secretEnvs: ["GH_TOKEN"],
},
],
tags: ["my-tag"],
secrets: [
{
kmsKeyName: "?WHAT TO PUT HERE?",
secretEnv: {
"GH_TOKEN": ghTokenSecretVersion.secretData
}
}
]
},
})
我认为您不能通过 Pulumi 将 SecretManager 秘密用于云构建。我通过创建一个 kms 密钥并使用 gcp.kms.Ciphertext 加密我的数据来解决它。这是它的样子:
import * as gcp from "@pulumi/gcp";
import * as pulumi from "@pulumi/pulumi";
export const keyRing = new gcp.kms.KeyRing("keyring", {
location: "global",
}, {protect: true});
export const secretsEncryptionKey = new gcp.kms.CryptoKey("secrets-key", {
keyRing: keyRing.id,
rotationPeriod: "100000s",
}, { protect: true });
const config = new pulumi.Config();
export const githubTokenCiphertext = new gcp.kms.SecretCiphertext("github-token", {
cryptoKey: secretsEncryptionKey.id,
plaintext: config.requireSecret("github-token"),
});
const cloudBuild = new gcp.cloudbuild.Trigger("trigger-name", {
github: {...},
build: {
...,
secrets: [
{
kmsKeyName: githubTokenCiphertext.cryptoKey,
secretEnv: {
"GH_TOKEN": githubTokenCiphertext.ciphertext,
}
}
]
},
})
我的目标是使用 Pulumi 创建一个 GCP CloudBuild 触发器。我正在使用 Typescript 客户端。
创建 Google 管理的机密(与客户管理的相反)时,我不使用 KMS。
我会在所需的 (!) 变量 build.secrets[0].kmsKeyName 中输入什么?这在使用 KMS 时是微不足道的,但我发现没有“默认”或“全局”KMS 名称可以在 运行 使用 Google 管理的秘密触发时使用。我可以使用“假”KMS 名称创建触发器,但它不会 运行,抱怨:
Failed to trigger build: generic::invalid_argument: invalid build: invalid secrets: kmsKeyName "?WHAT TO PUT HERE?" is not a valid KMS key resource.
提前感谢您的任何建议。
import * as gcp from "@pulumi/gcp";
const ghToken = new gcp.secretmanager.Secret("gh-token", {
secretId: "gh-token",
replication: {
automatic: true,
},
})
const ghTokenSecretVersion = new gcp.secretmanager.SecretVersion("secret-version", {
secret: ghToken.id,
secretData: "the-secret-token",
});
const cloudBuild = new gcp.cloudbuild.Trigger("trigger-name", {
github: {
owner: "the-org",
name: "repo-name",
push: {
branch: "^main$"
}
},
build: {
substitutions: {
"_SERVICE_NAME": "service-name",
"_DEPLOY_REGION": "deploy-region",
"_GCR_HOSTNAME": "gcr.io",
},
steps: [
{
id: "Build",
name: "gcr.io/cloud-builders/docker",
entrypoint: "bash",
args: [
"-c",
`docker build --no-cache
-t $_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA
--build-arg GH_TOKEN=$$GH_TOKEN
.
-f Dockerfile
`,
],
secretEnvs: ["GH_TOKEN"],
},
],
tags: ["my-tag"],
secrets: [
{
kmsKeyName: "?WHAT TO PUT HERE?",
secretEnv: {
"GH_TOKEN": ghTokenSecretVersion.secretData
}
}
]
},
})
我认为您不能通过 Pulumi 将 SecretManager 秘密用于云构建。我通过创建一个 kms 密钥并使用 gcp.kms.Ciphertext 加密我的数据来解决它。这是它的样子:
import * as gcp from "@pulumi/gcp";
import * as pulumi from "@pulumi/pulumi";
export const keyRing = new gcp.kms.KeyRing("keyring", {
location: "global",
}, {protect: true});
export const secretsEncryptionKey = new gcp.kms.CryptoKey("secrets-key", {
keyRing: keyRing.id,
rotationPeriod: "100000s",
}, { protect: true });
const config = new pulumi.Config();
export const githubTokenCiphertext = new gcp.kms.SecretCiphertext("github-token", {
cryptoKey: secretsEncryptionKey.id,
plaintext: config.requireSecret("github-token"),
});
const cloudBuild = new gcp.cloudbuild.Trigger("trigger-name", {
github: {...},
build: {
...,
secrets: [
{
kmsKeyName: githubTokenCiphertext.cryptoKey,
secretEnv: {
"GH_TOKEN": githubTokenCiphertext.ciphertext,
}
}
]
},
})