Skip to content

Instantly share code, notes, and snippets.

@marcinantkiewicz
Created November 14, 2023 05:18
Show Gist options
  • Save marcinantkiewicz/307a7473ecc96275b91ef5be201787b0 to your computer and use it in GitHub Desktop.
Save marcinantkiewicz/307a7473ecc96275b91ef5be201787b0 to your computer and use it in GitHub Desktop.
#! /usr/bin/env sh
while getopts sf:p ARG
do
case "${ARG}" in
s) SHORT_LIST=1;;
f) FILEPATH=${OPTARG};;
p) PULL=1;;
*) echo "\nReads GCP cloudbuild config, lists secrets contained in the file\n\nUsage: $(basename $0) [-s] -f filename\n -s short output, do not display google secrets path\n -f cloudbuild config to read\n -p list values for the secrets from GCP, in a format ready to be exported into bash\n\n" && exit 1;
esac
done
function check_file {
FILE=$1; shift;
set -e
test -r "$FILE" -a -f "$FILE" || \
(>&2 echo "Error: file \"$FILE\" not found or unreadable"; exit 255);
}
# - list from the cloudbuild file
# one output shows just the list of defined secrets
# the other one appends path in GCP secrets manager for that entry
function list_secrets {
MANIFEST=$1; shift;
check_file "$MANIFEST"
set -o pipefail
PROJECT_ID=$(gcloud projects list --filter $(gcloud config get project) --format="value(PROJECT_NUMBER)")
test -n "${SHORT_LIST}" -a test -z ${PULL} && \
SECRETS=$(cat "${MANIFEST}" | jq -r '.availableSecrets.secretManager[] | .env') || \
SECRETS=$(cat "${MANIFEST}" | jq -r '.availableSecrets.secretManager[] | .env + "=" + .versionName');
SECRETS="${SECRETS//\$PROJECT_ID/$PROJECT_ID}";
echo "$SECRETS"
}
# - copies secrets into statements that can be used to import them into shell env ("export NAME="whatever"), this is meant to pull dev values for local development
function pull_secrets {
MANIFEST=$1; shift;
check_file "$MANIFEST"
PROJECT_ID=$(gcloud projects list --filter $(gcloud config get project) --format="value(PROJECT_NUMBER)")
set -o pipefail
for SECRET in $(list_secrets $MANIFEST); do
SECRET_ENV=$(echo "$SECRET" | cut -d '=' -f 1);
SECRET_PATH=$(echo "$SECRET" | cut -d '=' -f 2);
SECRET_NAME=$(echo "$SECRET_PATH" | cut -d '/' -f 4);
echo "export ${SECRET_ENV}=\"$(gcloud secrets versions access latest --secret=$SECRET_NAME --project=$PROJECT_ID)\"";
done
}
if test -n ${PULL}
then
pull_secrets "$FILEPATH"
else
list_secrets "$FILEPATH";
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment