From 9806fab880275161e648f8656c661fa5e5f5be08 Mon Sep 17 00:00:00 2001 From: Weimin Yu Date: Fri, 24 Jul 2020 15:32:01 -0400 Subject: [PATCH] Use rearranged sql credentials in flyway task (#712) * Use rearranged sql credentials in flyway task Let the flyway tasks use the sql credential files set up for BEAM pipelines. Credential files have been created for each environment in GCS at gs://${project}-beam/cloudsql/admin_credential.enc. All project editors have access to this file, including the Dataflow control service account. Alpha and crash use the 'nomulus-tools-key' in their own project to decrypt the credential file. Sandbox and production use the 'nomulus-tools-key' in domain-registry-dev to decrypt the credential file. Note that this setup is temporary. It will become obsolete once we migrate to Cloud Secret Manager for secret storage. --- db/build.gradle | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/db/build.gradle b/db/build.gradle index 4ae0cc011..f9d7b3e82 100644 --- a/db/build.gradle +++ b/db/build.gradle @@ -36,6 +36,7 @@ ext { } getAccessInfoByHostPort = { hostAndPort -> + println "Database set to ${hostAndPort}." return [ url: "jdbc:postgresql://${hostAndPort}/${dbName}", user: findProperty('dbUser'), @@ -45,6 +46,7 @@ ext { getSocketFactoryAccessInfo = { env -> def cred = getCloudSqlCredential(env, 'admin').split(' ') def sqlInstance = cred[0] + println "Database set to Cloud SQL instance ${sqlInstance}." return [ url: """\ jdbc:postgresql://google/${dbName}?cloudSqlInstance= 
@@ -73,14 +75,17 @@ ext { getCloudSqlCredential = { env, role -> def devProject = project.hasProperty('devProject') ? project.getProperty('devProject') : rootProject.devProject + def gcpProject = project.hasProperty('gcpProject') + ? project.getProperty('gcpProject') : rootProject.gcpProject + def keyProject = env in restrictedDbEnv? devProject : gcpProject def command = """gsutil cp \ - gs://${devProject}-deploy/cloudsql-credentials/${env}/${role}_credential.enc - | \ + gs://${gcpProject}-beam/cloudsql/${role}_credential.enc - | \ base64 -d | \ gcloud kms decrypt --location global --keyring nomulus-tool-keyring \ --key nomulus-tool-key --plaintext-file=- \ --ciphertext-file=- \ - --project=${devProject}""" + --project=${keyProject}""" return execInBash(command, '/tmp') }
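Review bot: In the `getSocketFactoryAccessInfo` hunk, the new `println "Database set to Cloud SQL instance ${sqlInstance}."` prints only `cred[0]`; keep it that narrow, since whatever else the decrypted `admin` credential string contains after `.split(' ')` must never reach Gradle's console output or CI logs. Prefer `logger.lifecycle` or `logger.info` over `println` so the message honours Gradle's log level, and note that both `println` calls (this one and the `Database set to ${hostAndPort}.` one in `getAccessInfoByHostPort`) run on every evaluation of their closure, so the line can repeat in the build output.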
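Review bot: In the `getCloudSqlCredential` hunk, `env in restrictedDbEnv? devProject : gcpProject` is missing the space before `?`; write `env in restrictedDbEnv ? devProject : gcpProject`. `restrictedDbEnv` is not defined anywhere in the visible diff, so confirm it exists in this `ext` block and lists exactly the environments the commit message names (sandbox and production), otherwise every environment falls through to decrypting with the key in `gcpProject`. The commit message refers to `nomulus-tools-key`, while the command uses `--keyring nomulus-tool-keyring --key nomulus-tool-key`; one of the two should be corrected so the description matches the real KMS resource names. Also, with `--plaintext-file=-` the decrypted credential is emitted on stdout and captured by `execInBash(command, '/tmp')`, so verify that `execInBash` does not echo the command's output or persist it under `/tmp`.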