
@puls-atlas/cli


The Puls Atlas CLI tool for managing Atlas projects

import {
  resolveSearchCloudRunDeployConfig,
  resolveSearchProviderSecretReference,
  resolveSearchRuntimeContract
} from './planning.js';

// IAM role attached to each secret binding described below. The bindings are
// listed per secret resource, not as one project-wide grant.
const SECRET_MANAGER_SECRET_ACCESSOR_ROLE = 'roles/secretmanager.secretAccessor';

/**
 * Builds the resource path of a secret inside a project.
 *
 * NOTE(review): both values are interpolated as-is; an undefined projectId
 * produces "projects/undefined/secrets/..." rather than an error, so callers
 * should make sure the context carries a project id.
 *
 * @param {string} projectId - project that owns the secret
 * @param {string} secretName - short name of the secret
 * @returns {string} `projects/<projectId>/secrets/<secretName>`
 */
function createSecretResourceName(projectId, secretName) {
  return `projects/${projectId}/secrets/${secretName}`;
}

/**
 * Collects the secret names the runtime needs: every `secretName` found in
 * `runtimeContract.requiredSecretEnvironmentVariables` plus the provider
 * secret, with falsy entries dropped, duplicates removed and the result
 * sorted with `localeCompare` so the output order is stable.
 *
 * @param {object} runtimeContract - must expose `requiredSecretEnvironmentVariables` as an array
 * @param {object} [providerSecretReference] - optional reference carrying `secretName`
 * @returns {string[]} unique, sorted secret names
 */
function resolveSearchRuntimeSecretNames(runtimeContract, providerSecretReference) {
  const declaredNames = runtimeContract.requiredSecretEnvironmentVariables.map(
    reference => reference?.secretName
  );
  const candidateNames = declaredNames.concat(providerSecretReference?.secretName);
  const uniqueNames = new Set(candidateNames.filter(name => Boolean(name)));

  return Array.from(uniqueNames).sort((first, second) => first.localeCompare(second));
}

/**
 * Describes which secrets the search runtime's service account has to be able
 * to read: one entry per secret, each with the secretAccessor role, the secret
 * resource path and the service account email.
 *
 * Every entry carries status 'terraform-managed'; presumably the bindings are
 * applied by Terraform and this function only reports them - confirm against
 * the caller.
 *
 * NOTE(review): when the Cloud Run config has no service account email the
 * result is empty and `warnings` stays empty as well, even if secrets are
 * required, so a caller cannot tell "nothing needed" from "no identity
 * configured" by looking at this result alone.
 *
 * @param {object} context - planning context; `context.projectId` is read here
 * @returns {{existingServiceAccountEmails: string[], secretAccess: object[], serviceAccountEmail: (string|null), serviceAccountEmails: string[], warnings: string[]}}
 */
export const resolveSearchRuntimeSecretAccessContract = context => {
  // Resolution order is kept as in the original module.
  const cloudRunConfig = resolveSearchCloudRunDeployConfig(context);
  const runtimeContract = resolveSearchRuntimeContract(context);
  const providerSecretReference = resolveSearchProviderSecretReference(context);
  const runtimeServiceAccount = cloudRunConfig.serviceAccountEmail;

  // Resolved before the service-account check, so a malformed runtime
  // contract surfaces here even when no service account is configured.
  const requiredSecretNames = resolveSearchRuntimeSecretNames(
    runtimeContract,
    providerSecretReference
  );

  if (!runtimeServiceAccount) {
    return {
      existingServiceAccountEmails: [],
      secretAccess: [],
      serviceAccountEmail: null,
      serviceAccountEmails: [],
      warnings: []
    };
  }

  const secretAccess = [];
  for (const secretName of requiredSecretNames) {
    secretAccess.push({
      role: SECRET_MANAGER_SECRET_ACCESSOR_ROLE,
      secretName,
      secretResource: createSecretResourceName(context.projectId, secretName),
      serviceAccountEmail: runtimeServiceAccount,
      status: 'terraform-managed'
    });
  }

  return {
    existingServiceAccountEmails: [],
    secretAccess,
    serviceAccountEmail: runtimeServiceAccount,
    serviceAccountEmails: [runtimeServiceAccount],
    warnings: []
  };
};