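commands:
  # Fetches an encrypted object from GCS and decrypts it with a Cloud KMS key.
  # Requires an authenticated gcloud session (see gcr-auth) and the
  # GOOGLE_PROJECT_ID environment variable, which is read directly by the
  # gsutil command below rather than through a parameter.
  get-decrypt:
    description: Decrypt Secret
    parameters:
      ciphertext-file:
        description: File name to decipher
        type: string
      plaintext-file:
        description: File name to store deciphered file
        type: string
      location:
        default: global
        description: Location of kms keyring
        type: string
      keyring:
        default: KMS_KEYRING
        description: Kms keyring
        type: env_var_name
      key:
        default: KMS_KEY
        description: Kms key
        type: env_var_name
      bucket:
        default: GCS_PIPELINE_BUCKET
        description: Gcs bucket
        type: env_var_name
      object-path:
        description: Gcs object path
        type: string
    steps:
      - run:
          name: Decrypt file
          # The bucket name is `<project id>-<bucket>`; the object is copied
          # into the working directory, so ciphertext-file is expected to be
          # its basename (not verified here).
          # `--location` now honours the `location` parameter; previously it
          # was hard-coded to `global`, so the parameter (and the value the
          # get-and-decrypt job forwards) was silently ignored.
          command: |
            gsutil cp gs://$GOOGLE_PROJECT_ID-$<<parameters.bucket>>/<<parameters.object-path>> .
            gcloud kms decrypt \
              --ciphertext-file <<parameters.ciphertext-file>> \
              --plaintext-file <<parameters.plaintext-file>> \
              --location <<parameters.location>> \
              --keyring $<<parameters.keyring>> \
              --key $<<parameters.key>>
      # NOTE(review): the persisted path is a fixed `hub` directory and is not
      # derived from plaintext-file. If the decrypted file lands under it, the
      # plaintext is stored in CircleCI's workspace and readable by every
      # downstream job that attaches the workspace — confirm that is intended.
      - persist_to_workspace:
          root: /root/project
          paths:
            - hub
  # Installs (if missing) and initialises the gcloud CLI via the circleci/gcp-cli
  # orb using the service key, zone and project given as env var names.
  gcr-auth:
    description: |
      Configure gcloud cli.
    parameters:
      gcloud-service-key:
        default: GCLOUD_SERVICE_KEY
        description: The gcloud service key
        type: env_var_name
      google-compute-zone:
        default: GOOGLE_COMPUTE_ZONE
        description: |
          The Google compute zone to connect with via the gcloud CLI
        type: env_var_name
      google-project-id:
        default: GOOGLE_PROJECT_ID
        description: |
          Environment variable name for the Google project ID to connect with via the gcloud CLI
        type: env_var_name
    steps:
      - gcp-cli/install
      - gcp-cli/initialize:
          gcloud-service-key: <<parameters.gcloud-service-key>>
          google-compute-zone: <<parameters.google-compute-zone>>
          google-project-id: <<parameters.google-project-id>>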
# Orb-level description; the block scalar keeps a trailing newline.
description: |
  An orb for working with Google Key Management Service (KMS). View this orb's source: https://github.com/carecloud-devops/orbs
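examples:
  # Usage example published with the orb.
  get-decrypt:
    description: |
      Log into Google Cloud Platform, then get object and decrypt
    usage:
      version: 2.1
      orbs:
        # The orb version was lost in the page rendering ("[email protected]");
        # VERSION_PLACEHOLDER must be replaced with an exact published version.
        gcp-kms: carecloud/gcp-kms@VERSION_PLACEHOLDER
      workflows:
        get-decrypt:
          jobs:
            # The orb's job is `get-and-decrypt`; `get-decrypt` is a command and
            # cannot be scheduled from a workflow, so the old reference failed.
            - gcp-kms/get-and-decrypt:
                context: myContext
                # These four parameters have no default in the job and must be
                # supplied. Constructed sample values; `bucket` is an env var
                # name, matching the command's default.
                ciphertext-file: secret.enc
                plaintext-file: secret.txt
                bucket: GCS_PIPELINE_BUCKET
                object-path: path/to/secret.enc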
executors:
  # Docker executor used by the get-and-decrypt job.
  default:
    description: A debian-based machine executor
    docker:
      # NOTE(review): no tag or digest, so this resolves to the image's
      # current `latest` at run time; pinning a tag or @sha256 digest gives
      # reproducible, auditable builds.
      - image: google/cloud-sdk
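jobs:
  # Convenience job: checkout, authenticate gcloud (gcr-auth), then fetch and
  # decrypt one object (get-decrypt). Every parameter is forwarded unchanged
  # to the corresponding command.
  get-and-decrypt:
    description: |
      Install GCP CLI, if needed, and configure. Get object and decrypt with KMS.
    executor: default
    parameters:
      gcloud-service-key:
        default: GCLOUD_SERVICE_KEY
        description: The gcloud service key
        type: env_var_name
      google-compute-zone:
        default: GOOGLE_COMPUTE_ZONE
        description: The Google compute zone to connect with via the gcloud CLI
        type: env_var_name
      google-project-id:
        default: GOOGLE_PROJECT_ID
        description: The Google project ID to connect with via the gcloud CLI
        type: env_var_name
      ciphertext-file:
        description: File name to decipher
        type: string
      plaintext-file:
        description: File name to store deciphered file
        type: string
      location:
        default: global
        description: Location of kms keyring
        type: string
      keyring:
        default: KMS_KEYRING
        description: Kms keyring
        type: env_var_name
      key:
        default: KMS_KEY
        description: Kms key
        type: env_var_name
      # Unlike the get-decrypt command (default GCS_PIPELINE_BUCKET), the job
      # gives `bucket` no default, so callers must name the env var explicitly.
      bucket:
        description: Gcs bucket
        type: env_var_name
      object-path:
        description: Gcs object path
        type: string
    steps:
      - checkout
      - gcr-auth:
          gcloud-service-key: <<parameters.gcloud-service-key>>
          google-compute-zone: <<parameters.google-compute-zone>>
          google-project-id: <<parameters.google-project-id>>
      - get-decrypt:
          ciphertext-file: <<parameters.ciphertext-file>>
          plaintext-file: <<parameters.plaintext-file>>
          location: <<parameters.location>>
          keyring: <<parameters.keyring>>
          key: <<parameters.key>>
          bucket: <<parameters.bucket>>
          object-path: <<parameters.object-path>>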
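orbs:
  # Dependency orb that provides the gcp-cli/install and gcp-cli/initialize
  # steps used by gcr-auth. The version was lost in the page rendering
  # ("[email protected]"); VERSION_PLACEHOLDER must be replaced with an exact
  # published version so the dependency is pinned.
  gcp-cli: circleci/gcp-cli@VERSION_PLACEHOLDER
# Orb config schema version; CircleCI expects the bare 2.1 here.
version: 2.1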