Add new command (functions:secrets:set) for creating secrets to be used for CF3. #4021

Merged
merged 94 commits into from
Feb 3, 2022
Commits
1f19857
WIP - broken
taeold Dec 15, 2021
efe6d57
WIP 2.
taeold Dec 16, 2021
95bfc0e
Deploy secrets on function.
taeold Dec 16, 2021
c5b75ed
Resolve secret version at deploy time.
taeold Dec 16, 2021
3a2879d
Try to grant runtime SA with accessor role.
taeold Dec 16, 2021
e2f4c4a
Fix parallel setIamPolicy issue.
taeold Dec 17, 2021
05e9c70
Nits.
taeold Dec 17, 2021
47437ff
Use regex to test for secret resource names.
taeold Dec 21, 2021
1bbe17a
Add more comments.
taeold Dec 21, 2021
28a9df0
Add basic unit tests.
taeold Dec 21, 2021
2d18072
Refactor secret manager to use apiv2.
taeold Dec 21, 2021
2d2d653
Small fixups.
taeold Dec 21, 2021
0618ada
Nit.
taeold Dec 21, 2021
fe09f62
Add unit test for prepare functions.
taeold Dec 21, 2021
052fded
Prettier.
taeold Dec 21, 2021
2cbb0ab
Correct API_VERSION for secret manager api.
taeold Dec 21, 2021
fadef0c
Add more tests.
taeold Dec 23, 2021
5c5a89a
Support version tag, add tests, nits.
taeold Dec 23, 2021
b3a924f
Various nits.
taeold Dec 28, 2021
dcbe260
Prettier
taeold Dec 28, 2021
166fb3d
Refactor logic for generating default service account for GCF.
taeold Dec 28, 2021
300152e
Rename versionId to version to unify type.
taeold Dec 30, 2021
9298f78
Fix implementation of addSecretVersion.
taeold Dec 30, 2021
cd7ae85
Fix tests.
taeold Dec 30, 2021
b064d22
Add comments, some nits.
taeold Dec 30, 2021
58ae481
Refactor
taeold Dec 31, 2021
35f4749
Merge branch 'master' of https://github.com/firebase/firebase-tools i…
taeold Jan 1, 2022
2c44547
Add more comments.
taeold Jan 1, 2022
4a2aee4
Merge branch 'master' into dl-cf3-secrets
taeold Jan 4, 2022
55cbf77
Merge branch 'master' into dl-cf3-secrets
taeold Jan 4, 2022
3c766d6
Support parsing secret resource name.
taeold Jan 4, 2022
c602b12
Merge branch 'dl-cf3-secrets' of https://github.com/firebase/firebase…
taeold Jan 5, 2022
cdc4bb1
Merge branch 'master' into dl-cf3-secrets
taeold Jan 5, 2022
92efaee
Move functions around for better organizations.
taeold Jan 5, 2022
63cf42e
Eslint.
taeold Jan 5, 2022
468ffc6
Merge branch 'dl-cf3-secrets' of https://github.com/firebase/firebase…
taeold Jan 5, 2022
d4157e6
Merge branch 'master' into dl-cf3-secrets
taeold Jan 5, 2022
d9f0959
Merge branch 'master' into dl-cf3-secrets
taeold Jan 13, 2022
71c25ad
Merge branch 'master' into dl-cf3-secrets
taeold Jan 13, 2022
04b630f
Merge branch 'dl-cf3-secrets' of https://github.com/firebase/firebase…
taeold Jan 13, 2022
1c9d5af
Cleanup imports.
taeold Jan 13, 2022
96de58b
Cleanup typing a bit more.
taeold Jan 13, 2022
c28a7f1
WIP.
taeold Jan 13, 2022
e571956
Cleanup typing a bit more.
taeold Jan 13, 2022
4469005
Implementation done, pending refactoring.
taeold Jan 13, 2022
4ea6de3
Add missing trailing comma.
taeold Jan 14, 2022
eeb153d
Assume secrets are configured w/o version or w/ full resource name.
taeold Jan 14, 2022
3701719
Strongly assume that version info will not be filled in by the user.
taeold Jan 14, 2022
7f16c96
Remove unnecessary tests.
taeold Jan 14, 2022
d71cb26
Merge branch 'master' into dl-cf3-secrets
taeold Jan 14, 2022
127cb8d
Refactor to have helper functions live in its own file.
taeold Jan 14, 2022
4e025d5
Add test and fix implementation issues while running tests.
taeold Jan 15, 2022
fbc7d44
Fix prettier.
taeold Jan 18, 2022
1953194
Rename command.
taeold Jan 18, 2022
fe0de86
Wording.
taeold Jan 18, 2022
66c29ef
Merge branch 'dl-cf3-secrets' into dl-cf3-secrets-cmds
taeold Jan 19, 2022
d91bd3e
Better throw on invalid secret keys.
taeold Jan 21, 2022
217d0cd
Merge remote-tracking branch 'origin/master' into dl-cf3-secrets-cmds
taeold Jan 21, 2022
f799246
Merge branch 'dl-cf3-secrets-cmds' of https://github.com/firebase/fir…
taeold Jan 21, 2022
58e3cb6
Cut support for cross-project secrets.
taeold Jan 21, 2022
b7ba847
Skip calling IAM if SA is already bound to a secret.
taeold Jan 22, 2022
de93fda
Prefer module.function over named imports.
taeold Jan 22, 2022
6e650d6
Cleanup regex.
taeold Jan 22, 2022
54c10ea
Rename setIamPolicyBinding to just setIamPolicy. It's cleaner.
taeold Jan 24, 2022
c3df734
Fix test.
taeold Jan 25, 2022
b24bc3d
Reduce number of calls to Secret Manager to resolve versions.
taeold Jan 25, 2022
3087236
Prettier.
taeold Jan 25, 2022
937a0df
Complete renaming.
taeold Jan 25, 2022
b44f195
Merge branch 'master' into dl-cf3-secrets
taeold Jan 26, 2022
1305b78
Use isatty to determine interactive sessions.
taeold Jan 31, 2022
08c928c
Merge branch 'cf3-secrets' of https://github.com/firebase/firebase-to…
taeold Jan 31, 2022
596a5e3
Correctly generate default service account for all supported platforms.
taeold Feb 1, 2022
94e4f13
Merge branch 'dl-cf3-secrets' into dl-cf3-secrets-cmds
taeold Feb 1, 2022
fcbd3bc
Rename fn names for clarity.
taeold Feb 1, 2022
a391ac4
Fix merge gone wrong.
taeold Feb 1, 2022
01b7867
Collect feedbacks from another PR.
taeold Feb 1, 2022
3403bb9
Find better home for defaultServiceAccount fn.
taeold Feb 1, 2022
ef000ac
Fix refactor gone wrong.
taeold Feb 1, 2022
c85794b
Add comment to clarify that version is used internally.
taeold Feb 1, 2022
1a5fe0e
Don't regress on a fixed bug.
taeold Feb 1, 2022
3ad2cd2
Whoops this shouldn't be renamed.
taeold Feb 1, 2022
ea86738
Prettier.
taeold Feb 1, 2022
4266e33
Merge branch 'dl-cf3-secrets' into dl-cf3-secrets-cmds
taeold Feb 1, 2022
922ebf6
Fix broken tests.
taeold Feb 1, 2022
dd45182
Merge branch 'dl-cf3-secrets' into dl-cf3-secrets-cmds
taeold Feb 1, 2022
19f8516
Merge branch 'dl-cf3-secrets' into dl-cf3-secrets-cmds
taeold Feb 2, 2022
aaa2d6b
Merge branch 'dl-cf3-secrets-cmds' of https://github.com/firebase/fir…
taeold Feb 2, 2022
185b890
Add missing docstring + fix API deviation.
taeold Feb 2, 2022
3588ca9
Merge branch 'dl-cf3-secrets' into dl-cf3-secrets-cmds
taeold Feb 2, 2022
e2ba5c2
Add missing docstring
taeold Feb 2, 2022
d4b8004
Fix refactor gone wrong.
taeold Feb 2, 2022
6d1881a
Merge branch 'dl-cf3-secrets' into dl-cf3-secrets-cmds
taeold Feb 2, 2022
2d330a5
Fix refactor gone wrong.
taeold Feb 2, 2022
4f02489
Merge branch 'cf3-secrets' of https://github.com/firebase/firebase-to…
taeold Feb 3, 2022
Find better home for defaultServiceAccount fn.
taeold committed Feb 1, 2022
commit 3403bb9de7cc61910fa319866b66322f462833bc
21 changes: 19 additions & 2 deletions src/deploy/functions/ensure.ts
Expand Up @@ -4,15 +4,32 @@ import { ensure } from "../../ensureApiEnabled";
import { FirebaseError, isBillingError } from "../../error";
import { logLabeledBullet, logLabeledSuccess } from "../../utils";
import { ensureServiceAgentRole } from "../../gcp/secretManager";
import { defaultServiceAccount } from "../../gcp/cloudfunctions";
import { previews } from "../../previews";
import { getFirebaseProject } from "../../management/projects";
import { assertExhaustive } from "../../functional";
import * as track from "../../track";
import * as backend from "./backend";
import * as ensureApiEnabled from "../../ensureApiEnabled";

const FAQ_URL = "https://firebase.google.com/support/faq#functions-runtime";
const CLOUD_BUILD_API = "cloudbuild.googleapis.com";

/**
* By default:
* 1. GCFv1 uses App Engine default service account.
* 2. GCFv2 (Cloud Run) uses Compute Engine default service account.
*/
export async function defaultServiceAccount(e: backend.Endpoint): Promise<string> {
const metadata = await getFirebaseProject(e.project);
if (e.platform === "gcfv1") {
return `${metadata.projectId}@appspot.gserviceaccount.com`;
} else if (e.platform === "gcfv2") {
return `${metadata.projectNumber}[email protected]`;
}
assertExhaustive(e.platform);
}


function nodeBillingError(projectId: string): FirebaseError {
track("functions_runtime_notices", "nodejs10_billing_error");
return new FirebaseError(
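Review bot: defaultServiceAccount awaits getFirebaseProject(e.project) on every call, and secretsToServiceAccounts calls it inside its per-endpoint loop, so a backend with many endpoints repeats the same project lookup; resolve the project metadata once per project (or memoize it) and pass it in. The docstring should also say that the returned account is the identity secretsToServiceAccounts associates with each secret when serviceAccountEmail is unset, since both defaults are project-wide accounts rather than per-function ones. There are also two consecutive blank lines after the function's closing brace.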
Expand Down Expand Up @@ -88,7 +105,7 @@ export async function maybeEnableAR(projectId: string): Promise<boolean> {
async function secretsToServiceAccounts(b: backend.Backend): Promise<Record<string, Set<string>>> {
const secretsToSa: Record<string, Set<string>> = {};
for (const e of backend.allEndpoints(b)) {
const sa = e.serviceAccountEmail || (await defaultServiceAccount(e));
const sa = e.serviceAccountEmail || (await module.exports.defaultServiceAccount(e));
for (const s of e.secretEnvironmentVariables! || []) {
const serviceAccounts = secretsToSa[s.secret] || new Set();
serviceAccounts.add(sa);
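Review bot: The call module.exports.defaultServiceAccount(e) in secretsToServiceAccounts reaches the function through the CommonJS exports object, which is untyped and reads as a mistake without explanation; judging by the spec change in this commit, it exists so that a sinon stub on the ensure module is honoured. Either add a one-line comment saying so, or keep defaultServiceAccount in a separate module imported as a namespace so it can be stubbed without the indirection.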
2 changes: 1 addition & 1 deletion src/deploy/functions/prepare.ts
Expand Up @@ -184,7 +184,7 @@ export async function prepare(
await promptForFailurePolicies(options, matchingBackend, haveBackend);
await promptForMinInstances(options, matchingBackend, haveBackend);
await backend.checkAvailability(context, wantBackend);
await validate.secretsAreValid(projectId, matchingBackend, haveBackend);
await validate.secretsAreValid(projectId, matchingBackend);
await ensure.secretAccess(projectId, matchingBackend, haveBackend);
}
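Review bot: The validate.secretsAreValid call drops its haveBackend argument, but no change to the validate module appears in this commit and the commit message only mentions moving defaultServiceAccount; confirm the callee's signature matches the two-argument call and mention the change in the message, or split it into its own commit.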

15 changes: 0 additions & 15 deletions src/gcp/cloudfunctions.ts
Expand Up @@ -593,18 +593,3 @@ export function functionFromEndpoint(

return gcfFunction;
}

/**
* By default:
* 1. GCFv1 uses App Engine default service account.
* 2. GCFv2 (Cloud Run) uses Compute Engine default service account.
*/
export async function defaultServiceAccount(e: backend.Endpoint): Promise<string> {
const metadata = await getFirebaseProject(e.project);
if (e.platform === "gcfv1") {
return `${metadata.projectId}@appspot.gserviceaccount.com`;
} else if (e.platform === "gcfv2") {
return `${metadata.projectNumber}[email protected]`;
}
assertExhaustive(e.platform);
}
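Review bot: Only the function and its docstring are deleted from cloudfunctions.ts (15 deletions, all at the end of the file), so the getFirebaseProject and assertExhaustive imports it relied on stay behind; drop them if nothing else in the file uses them.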
3 changes: 1 addition & 2 deletions src/test/deploy/functions/ensure.spec.ts
Expand Up @@ -10,7 +10,6 @@ import * as api from "../../../api";
import * as backend from "../../../deploy/functions/backend";
import * as ensure from "../../../deploy/functions/ensure";
import * as secretManager from "../../../gcp/secretManager";
import * as cloudfunctions from "../../../gcp/cloudfunctions";

describe("ensureCloudBuildEnabled()", () => {
let restoreInterval: number;
Expand Down Expand Up @@ -174,7 +173,7 @@ describe("ensureSecretAccess", () => {

beforeEach(() => {
defaultServiceAccountStub = sinon
.stub(cloudfunctions, "defaultServiceAccount")
.stub(ensure, "defaultServiceAccount")
.resolves(DEFAULT_SA);
secretManagerMock = sinon.mock(secretManager);
});
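Review bot: Stubbing ensure.defaultServiceAccount in beforeEach only takes effect because secretsToServiceAccounts calls the function through module.exports, so these tests stop isolating it without any failure if that call is ever changed back to a direct reference; a comment here pointing at that dependency would help. Now that the function lives in ensure.ts, this spec is also the place for a direct test of its gcfv1 and gcfv2 branches, and it is worth checking that the stub is restored after each test.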