"""Defines a rule that serializes a reference to a Cloud KMS-backed cosign signing key into the Bazel graph.

Only the `gcpkms://` resource path is written to the build output; no key material is ever produced or stored.
"""
2
3load("//hack/build/rules/container/sign:cosign_key.bzl", "CosignKeyInfo")
4
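def _gcp_kms_key(ctx):
    """Implementation of `gcp_kms_key`: write a Cloud KMS key *reference* to a file.

    The emitted file holds only the `gcpkms://...` resource path that cosign
    understands. No private-key material enters the Bazel graph; signing
    operations happen inside Cloud KMS under whatever credentials the signing
    action runs with, so this file is safe to cache and share.

    Args:
        ctx: rule context. Reads `ctx.attr.project`, `ctx.attr.location`,
            `ctx.attr.keyring`, `ctx.attr.key` and `ctx.attr.version`, and
            names the output after `ctx.label.name`.

    Returns:
        A list of providers: `DefaultInfo` whose `files` is the written text
        file, and `CosignKeyInfo(key_name, key_file)` for the signing rules.

    Fails:
        At analysis time, via `fail()`, when any path component is empty or
        contains `/` (a value such as `keyring = "a/cryptoKeys/b"` would
        otherwise splice extra segments into the resource path and point the
        signer at a different key than the target name suggests), or when
        `version` is negative.
    """
    segments = [
        ("project", ctx.attr.project),
        ("location", ctx.attr.location),
        ("keyring", ctx.attr.keyring),
        ("key", ctx.attr.key),
    ]
    for attr_name, value in segments:
        # GCP resource IDs are single path segments; rejecting '/' keeps one
        # attribute from rewriting other parts of the KMS resource name.
        if not value or "/" in value:
            fail("gcp_kms_key '{}': attribute '{}' must be a non-empty name without '/', got '{}'".format(
                ctx.label.name,
                attr_name,
                value,
            ))

    # attr.int() defaults to 0, which means "unset"; KMS versions start at 1.
    if ctx.attr.version < 0:
        fail("gcp_kms_key '{}': 'version' must be a positive key version or unset, got {}".format(
            ctx.label.name,
            ctx.attr.version,
        ))

    key_value = "gcpkms://projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}".format(
        project = ctx.attr.project,
        location = ctx.attr.location,
        keyring = ctx.attr.keyring,
        key = ctx.attr.key,
    )
    if ctx.attr.version:
        # Pin to an explicit key version so signatures stay verifiable with a
        # stable public key across KMS key rotations.
        key_value = "{key_value}/versions/{version}".format(
            key_value = key_value,
            version = ctx.attr.version,
        )

    key_file = ctx.actions.declare_file("{0}.txt".format(ctx.label.name))

    # Written verbatim with no trailing newline; consumers read the path as-is.
    ctx.actions.write(
        output = key_file,
        content = key_value,
    )

    return [
        DefaultInfo(
            files = depset([key_file]),
        ),
        CosignKeyInfo(
            key_name = ctx.label.name,
            key_file = key_file,
        ),
    ]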
33
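gcp_kms_key = rule(
    doc = """
    Declares a Cloud KMS key to be used by cosign for container signing.

    The target builds a single text file containing a cosign-compatible KMS
    reference of the form
    `gcpkms://projects/[PROJECT]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]`
    and exports it through `CosignKeyInfo`. Only this reference is stored in
    the build graph; the private key never leaves Cloud KMS, and the identity
    running the signing action must hold permission to sign with it.

    Every path component is validated at analysis time to be a non-empty name
    without `/`, so a single attribute cannot rewrite other segments of the
    resource path.

    Pass `version` to append `/versions/[VERSION]` and pin signing to that key
    version. When it is omitted, cosign chooses the version itself (the
    original documentation describes this as the latest version; confirm the
    exact selection rule against the cosign/sigstore KMS provider in use).
    Pinning is recommended wherever verifiers need a stable public key across
    key rotations.
    """,
    implementation = _gcp_kms_key,
    attrs = {
        "key": attr.string(
            doc = "The name of the crypto key (single path segment, no '/')",
            mandatory = True,
        ),
        "keyring": attr.string(
            doc = "The name of the key ring holding the key (single path segment, no '/')",
            mandatory = True,
        ),
        "location": attr.string(
            doc = "The KMS location of the key ring and key, e.g. 'global' or 'us-east1'",
            mandatory = True,
        ),
        "project": attr.string(
            doc = "The GCP project containing the key ring and key",
            mandatory = True,
        ),
        "version": attr.int(
            doc = "The numeric key version (>= 1) to pin signing to; leave unset (0) to let cosign select the version",
        ),
    },
)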