imgproxy/env/gcp.go

package env

import (
	"context"
	"errors"
	"fmt"
	"time"

	secretmanager "cloud.google.com/go/secretmanager/apiv1"
	"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
	"google.golang.org/api/option"
)

var (
	IMGPROXY_ENV_GCP_SECRET_ID         = Describe("IMGPROXY_ENV_GCP_SECRET_ID", "string")
	IMGPROXY_ENV_GCP_SECRET_VERSION_ID = Describe("IMGPROXY_ENV_GCP_SECRET_VERSION_ID", "string")
	IMGPROXY_ENV_GCP_SECRET_PROJECT_ID = Describe("IMGPROXY_ENV_GCP_SECRET_PROJECT_ID", "string")
	IMGPROXY_ENV_GCP_KEY               = Describe("IMGPROXY_ENV_GCP_KEY", "JSON string")
)

func loadGCPSecret(ctx context.Context) error {
	var secretID, secretVersion, secretProject, secretKey string

	String(&secretID, IMGPROXY_ENV_GCP_SECRET_ID)
	String(&secretVersion, IMGPROXY_ENV_GCP_SECRET_VERSION_ID)
	String(&secretProject, IMGPROXY_ENV_GCP_SECRET_PROJECT_ID)
	String(&secretKey, IMGPROXY_ENV_GCP_KEY)

	if len(secretID) == 0 {
		return nil
	}

	if len(secretVersion) == 0 {
		secretVersion = "latest"
	}

	var (
		client *secretmanager.Client
		err    error
	)

	ctx, ctxcancel := context.WithTimeout(ctx, time.Minute)
	defer ctxcancel()

	opts := []option.ClientOption{}

	if len(secretKey) > 0 {
		opts = append(opts, option.WithCredentialsJSON([]byte(secretKey)))
	}

	client, err = secretmanager.NewClient(ctx, opts...)

	if err != nil {
		return fmt.Errorf("can't create Google Cloud Secret Manager client: %s", err)
	}

	req := secretmanagerpb.AccessSecretVersionRequest{
		Name: fmt.Sprintf("projects/%s/secrets/%s/versions/%s", secretProject, secretID, secretVersion),
	}

	resp, err := client.AccessSecretVersion(ctx, &req)
	if err != nil {
		return fmt.Errorf("can't get Google Cloud Secret Manager secret: %s", err)
	}

	payload := resp.GetPayload()
	if payload == nil {
		return errors.New("can't get Google Cloud Secret Manager secret: payload is empty")
	}

	data := payload.GetData()

	if len(data) == 0 {
		return nil
	}

	return unmarshalEnv(string(data), "GCP Secret Manager")
}