tvl-depot/tools/kms_pass/default.nix

# This tool mimics a subset of the interface of 'pass', but uses
# Google Cloud KMS for encryption.
#
# It is intended to be compatible with how 'kontemplate' invokes
# 'pass.'
#
# Only the 'show' and 'insert' commands are supported.

{ google-cloud-sdk, tree, writeShellScriptBin
, project, region, keyring, key }:

writeShellScriptBin "pass" ''
  set -eo pipefail

  CMD="$1"
  readonly SECRET=$2
  readonly SECRET_PATH="$SECRETS_DIR/$SECRET"

  function secret_check {
    if [[ -z $SECRET ]]; then
      echo 'Secret must be specified'
      exit 1
    fi
  }

  if [[ -z $CMD ]]; then
    CMD="ls"
  fi

  case "$CMD" in
    ls)
       ${tree}/bin/tree $SECRETS_DIR
       ;;
    show)
      secret_check
      ${google-cloud-sdk}/bin/gcloud kms decrypt \
        --project ${project} \
        --location ${region} \
        --keyring ${keyring} \
        --key ${key} \
        --ciphertext-file $SECRET_PATH \
        --plaintext-file -
      ;;
    insert)
      secret_check
      ${google-cloud-sdk}/bin/gcloud kms encrypt \
        --project ${project} \
        --location ${region} \
        --keyring ${keyring} \
        --key ${key} \
        --ciphertext-file $SECRET_PATH \
        --plaintext-file -
      echo "Inserted secret '$SECRET'"
      ;;
    *)
      echo "Usage: pass show/insert <secret>"
      exit 1
      ;;
  esac
''
feat(tools): Introduce pass-compatible wrapper using Cloud KMS Adds a shell script that supports a subset of the 'pass' interface for compatibility with kontemplate, and wraps kontemplate in a script that places this version on the PATH. This makes it possible to use Cloud KMS encrypted secrets with kontemplate. 2019-09-03 16:56:31 +02:00			`# This tool mimics a subset of the interface of 'pass', but uses`
			`# Google Cloud KMS for encryption.`
			`#`
			`# It is intended to be compatible with how 'kontemplate' invokes`
			`# 'pass.'`
			`#`
			`# Only the 'show' and 'insert' commands are supported.`

			`{ google-cloud-sdk, tree, writeShellScriptBin`
			`, project, region, keyring, key }:`

			`writeShellScriptBin "pass" ''`
			`set -eo pipefail`

			`CMD="$1"`
			`readonly SECRET=$2`
			`readonly SECRET_PATH="$SECRETS_DIR/$SECRET"`

			`function secret_check {`
			`if [[ -z $SECRET ]]; then`
			`echo 'Secret must be specified'`
			`exit 1`
			`fi`
			`}`

			`if [[ -z $CMD ]]; then`
			`CMD="ls"`
			`fi`

			`case "$CMD" in`
			`ls)`
			`${tree}/bin/tree $SECRETS_DIR`
			`;;`
			`show)`
			`secret_check`
			`${google-cloud-sdk}/bin/gcloud kms decrypt \`
			`--project ${project} \`
			`--location ${region} \`
			`--keyring ${keyring} \`
			`--key ${key} \`
			`--ciphertext-file $SECRET_PATH \`
			`--plaintext-file -`
			`;;`
			`insert)`
			`secret_check`
			`${google-cloud-sdk}/bin/gcloud kms encrypt \`
			`--project ${project} \`
			`--location ${region} \`
			`--keyring ${keyring} \`
			`--key ${key} \`
			`--ciphertext-file $SECRET_PATH \`
			`--plaintext-file -`
			`echo "Inserted secret '$SECRET'"`
			`;;`
			`*)`
			`echo "Usage: pass show/insert <secret>"`
			`exit 1`
			`;;`
			`esac`
			`''`