Add runtime option to associate secrets to functions (#1018)

taeold · web-flow · commit 2c897ea88d0c · 2022-02-10T15:18:16.000-08:00
Google Cloud Functions (GCF) now have support for loading secrets stored in Secret Manager to securely access application secrets (e.g. Third party API keys) on function executions. See the [documentations(https://cloud.google.com/functions/docs/configuring/secrets) for more details. We propose extending the function runtime option to associate secrets. Then, the secrets can be access as an environment once deployed to GCF.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1 @@
+- Add new runtime option for setting secrets.
diff --git a/spec/v1/cloud-functions.spec.ts b/spec/v1/cloud-functions.spec.ts
@@ -107,6 +107,7 @@ describe('makeCloudFunction', () => {
         regions: ['us-central1'],
         memory: '128MB',
         serviceAccount: 'foo@google.com',
+        secrets: ['MY_SECRET'],
       },
     });
 
@@ -123,6 +124,7 @@ describe('makeCloudFunction', () => {
         },
         retry: false,
       },
+      secretEnvironmentVariables: [{ secret: 'MY_SECRET', key: 'MY_SECRET' }],
       labels: {},
     });
   });
diff --git a/spec/v1/function-builder.spec.ts b/spec/v1/function-builder.spec.ts
@@ -472,11 +472,45 @@ describe('FunctionBuilder', () => {
     ).to.throw();
   });
 
-  it('', () => {
+  it('should throw an error if private identifier is in the invoker array', () => {
     expect(() =>
       functions.runWith({
         invoker: ['service-account1', 'private', 'service-account2'],
       })
     ).to.throw();
   });
+
+  it('should allow valid secret config expressed using short form', () => {
+    const secrets = ['API_KEY'];
+    const fn = functions
+      .runWith({ secrets })
+      .auth.user()
+      .onCreate((user) => user);
+
+    expect(fn.__trigger.secrets).to.deep.equal(secrets);
+  });
+
+  it('should throw error given secrets expressed with full resource name', () => {
+    expect(() =>
+      functions.runWith({
+        secrets: ['projects/my-project/secrets/API_KEY'],
+      })
+    ).to.throw();
+  });
+
+  it('should throw error given invalid secret config', () => {
+    expect(() =>
+      functions.runWith({
+        secrets: ['ABC/efg'],
+      })
+    ).to.throw();
+  });
+
+  it('should throw error given invalid secret with versions', () => {
+    expect(() =>
+      functions.runWith({
+        secrets: ['ABC@3'],
+      })
+    ).to.throw();
+  });
 });
diff --git a/src/cloud-functions.ts b/src/cloud-functions.ts
@@ -281,6 +281,7 @@ export interface TriggerAnnotated {
     vpcConnectorEgressSettings?: string;
     serviceAccountEmail?: string;
     ingressSettings?: string;
+    secrets?: string[];
   };
 }
 
@@ -552,7 +553,8 @@ export function optionsToTrigger(options: DeploymentOptions) {
     'ingressSettings',
     'vpcConnectorEgressSettings',
     'vpcConnector',
-    'labels'
+    'labels',
+    'secrets'
   );
   convertIfPresent(
     trigger,
@@ -620,6 +622,13 @@ export function optionsToEndpoint(
     'serviceAccount',
     (sa) => sa
   );
+  convertIfPresent(
+    endpoint,
+    options,
+    'secretEnvironmentVariables',
+    'secrets',
+    (secrets) => secrets.map((secret) => ({ secret, key: secret }))
+  );
   if (options?.vpcConnector) {
     endpoint.vpc = { connector: options.vpcConnector };
     convertIfPresent(
diff --git a/src/common/manifest.ts b/src/common/manifest.ts
diff --git a/src/function-builder.ts b/src/function-builder.ts
@@ -229,6 +229,18 @@ function assertRuntimeOptionsValid(runtimeOptions: RuntimeOptions): boolean {
     }
   }
 
+  if (runtimeOptions.secrets !== undefined) {
+    const invalidSecrets = runtimeOptions.secrets.filter(
+      (s) => !/^[A-Za-z\d\-_]+$/.test(s)
+    );
+    if (invalidSecrets.length > 0) {
+      throw new Error(
+        `Invalid secrets: ${invalidSecrets.join(',')}. ` +
+          'Secret must be configured using the resource id (e.g. API_KEY)'
+      );
+    }
+  }
+
   return true;
 }
 
diff --git a/src/function-configuration.ts b/src/function-configuration.ts
@@ -165,6 +165,11 @@ export interface RuntimeOptions {
    * Allow requests with invalid App Check tokens on callable functions.
    */
   allowInvalidAppCheckToken?: boolean;
+
+  /*
+   * Secrets to bind to a function instance.
+   */
+  secrets?: string[];
 }
 
 export interface DeploymentOptions extends RuntimeOptions {
diff --git a/src/runtime/manifest.ts b/src/runtime/manifest.ts
@@ -39,6 +39,7 @@ export interface ManifestEndpoint {
   labels?: Record<string, string>;
   ingressSettings?: string;
   environmentVariables?: Record<string, string>;
+  secretEnvironmentVariables?: { key: string; secret?: string }[];
 
   httpsTrigger?: {
     invoker?: string[];

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+- Add new runtime option for setting secrets.`
Original file line number	Diff line number	Diff line change
`@@ -229,6 +229,18 @@ function assertRuntimeOptionsValid(runtimeOptions: RuntimeOptions): boolean {`
`229`	`229`	`}`
`230`	`230`	`}`
`231`	`231`
	`232`	`+ if (runtimeOptions.secrets !== undefined) {`
	`233`	`+ const invalidSecrets = runtimeOptions.secrets.filter(`
	`234`	`+ (s) => !/^[A-Za-z\d\-_]+$/.test(s)`
	`235`	`+ );`
	`236`	`+ if (invalidSecrets.length > 0) {`
	`237`	`+ throw new Error(`
	`238`	+ `Invalid secrets: ${invalidSecrets.join(',')}. ` +
	`239`	`+ 'Secret must be configured using the resource id (e.g. API_KEY)'`
	`240`	`+ );`
	`241`	`+ }`
	`242`	`+ }`
	`243`	`+`
`232`	`244`	`return true;`
`233`	`245`	`}`
`234`	`246`