add support for available_secrets to google_cloudbuild_trigger (Googl…

…eCloudPlatform#4977)
betsy-lichtenberg · Apr 25, 2022 · 417cf34 · 417cf34
1 parent c905200
commit 417cf34
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 2 deletions.
diff --git a/mmv1/products/cloudbuild/api.yaml b/mmv1/products/cloudbuild/api.yaml
@@ -447,6 +447,30 @@ objects:
                     Secret environment variables must be unique across all of a build's secrets, 
                     and must be used by at least one build step. Values can be at most 64 KB in size. 
                     There can be at most 100 secret values across all of a build's secrets.
+          - !ruby/object:Api::Type::NestedObject
+            name: 'availableSecrets'
+            description: |
+              Secrets and secret environment variables.
+            properties:
+              - !ruby/object:Api::Type::Array
+                name: 'secretManager'
+                required: true
+                description: |
+                  Pairs a secret environment variable with a SecretVersion in Secret Manager.
+                item_type: !ruby/object:Api::Type::NestedObject
+                  properties:
+                    - !ruby/object:Api::Type::String
+                      name: 'versionName'
+                      required: true
+                      description: |
+                        Resource name of the SecretVersion. In format: projects/*/secrets/*/versions/*
+                    - !ruby/object:Api::Type::String
+                      name: 'env'
+                      required: true
+                      description: |
+                        Environment variable name to associate with the secret. Secret environment
+                        variables must be unique across all of a build's secrets, and must be used
+                        by at least one build step.
           - !ruby/object:Api::Type::Array
             name: 'steps'
             required: true

diff --git a/mmv1/templates/terraform/examples/cloudbuild_trigger_build.tf.erb b/mmv1/templates/terraform/examples/cloudbuild_trigger_build.tf.erb
@@ -3,12 +3,13 @@ resource "google_cloudbuild_trigger" "<%= ctx[:primary_resource_id] %>" {
     branch_name = "master"
     repo_name   = "my-repo"
   }
-  
+
   build {
     step {
       name = "gcr.io/cloud-builders/gsutil"
       args = ["cp", "gs://mybucket/remotefile.zip", "localfile.zip"]
       timeout = "120s"
+      secret_env = ["MY_SECRET"]
     }
 
     source {
@@ -30,6 +31,12 @@ resource "google_cloudbuild_trigger" "<%= ctx[:primary_resource_id] %>" {
         PASSWORD = "ZW5jcnlwdGVkLXBhc3N3b3JkCg=="
       }
     }
+    available_secrets {
+      secret_manager {
+        env          = "MY_SECRET"
+        version_name = "projects/myProject/secrets/mySecret/versions/latest"
+      }
+    }
     artifacts {
       images = ["gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA"]
       objects {
@@ -54,5 +61,5 @@ resource "google_cloudbuild_trigger" "<%= ctx[:primary_resource_id] %>" {
         path = "v1"
       }
     }
-  }  
+  }
 }
diff --git a/mmv1/third_party/terraform/tests/resource_cloudbuild_trigger_test.go b/mmv1/third_party/terraform/tests/resource_cloudbuild_trigger_test.go
@@ -37,6 +37,35 @@ func TestAccCloudBuildTrigger_basic(t *testing.T) {
 	})
 }
 
+func TestAccCloudBuildTrigger_available_secrets_config(t *testing.T) {
+	t.Parallel()
+	name := fmt.Sprintf("tf-test-%d", randInt(t))
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudBuildTriggerDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudBuildTrigger_available_secrets_config(name),
+			},
+			{
+				ResourceName:      "google_cloudbuild_trigger.build_trigger",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccCloudBuildTrigger_available_secrets_config_update(name),
+			},
+			{
+				ResourceName:      "google_cloudbuild_trigger.build_trigger",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccCloudBuildTrigger_pubsub_config(t *testing.T) {
 	t.Parallel()
 	name := fmt.Sprintf("tf-test-%d", randInt(t))
@@ -339,6 +368,56 @@ resource "google_cloudbuild_trigger" "build_trigger" {
   `, name)
 }
 
+func testAccCloudBuildTrigger_available_secrets_config(name string) string {
+	return fmt.Sprintf(`
+resource "google_cloudbuild_trigger" "build_trigger" {
+  name        = "%s"
+  description = "acceptance test build trigger"
+  trigger_template {
+    branch_name = "master"
+    repo_name   = "some-repo"
+  }
+  build {
+    tags   = ["team-a", "service-b"]
+    timeout = "1800s"
+    step {
+      name = "gcr.io/cloud-builders/gsutil"
+      args = ["cp", "gs://mybucket/remotefile.zip", "localfile.zip"]
+      timeout = "300s"
+    }
+    available_secrets {
+      secret_manager {
+        env          = "MY_SECRET"
+        version_name = "projects/myProject/secrets/mySecret/versions/latest"
+      }
+    }
+  }
+}
+`, name)
+}
+
+func testAccCloudBuildTrigger_available_secrets_config_update(name string) string {
+	return fmt.Sprintf(`
+resource "google_cloudbuild_trigger" "build_trigger" {
+  name        = "%s"
+  description = "acceptance test build trigger updated"
+  trigger_template {
+    branch_name = "master"
+    repo_name   = "some-repo"
+  }
+  build {
+    tags   = ["team-a", "service-b"]
+    timeout = "1800s"
+    step {
+      name = "gcr.io/cloud-builders/gsutil"
+      args = ["cp", "gs://mybucket/remotefile.zip", "localfile.zip"]
+      timeout = "300s"
+    }
+  }
+}
+`, name)
+}
+
 func testAccCloudBuildTrigger_pubsub_config(name string) string {
 	return fmt.Sprintf(`
 resource "google_pubsub_topic" "build-trigger" {