Google secret manager store implementation

[shirkevich]

what

• Added Google Secret Manager (GSM) support as a new store type in Atmos
• Implemented two type identifiers: google-secret-manager and its alias gsm
• Added comprehensive documentation for GSM configuration and usage
• Added test coverage for GSM store implementation

why

• Expands Atmos' store capabilities to support Google Cloud Platform users
• Provides a secure way to manage secrets in GCP environments

references

• Code changes:

  • pkg/store/google_secret_manager_store.go: Main GSM store implementation
  • pkg/store/google_secret_manager_store_test.go: Test coverage
  • pkg/store/registry.go: Added GSM store type registration
  • website/docs/core-concepts/projects/configuration/stores.mdx: Added GSM documentation

• Related GCP documentation:

  • Google Secret Manager
  • Authentication Methods

Summary by CodeRabbit

• New Features

  • Introduced seamless support for Google Secret Manager as a secret store option. Users can now securely create, update, and retrieve secrets in Atmos using either the "google-secret-manager" identifier or its alias "gsm".

• Documentation

  • Updated configuration guides to outline parameters and authentication options for Google Secret Manager, detailing required values like project ID and optional settings for prefix and credentials.
  • Corrected terminology for consistency across documentation, changing stacks_delimiter to stack_delimiter.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request adds support for Google Secret Manager as a new store. It updates dependency management in go.mod, introduces a new implementation with its interface, methods, and tests in the store package, and updates the store registry to recognize the new "google-secret-manager" (aliased as "gsm"). Additionally, corresponding documentation is added to guide configuration and authentication.

Changes

File(s)	Change Summary
go.mod	Modified dependency list: Added dependencies for cloud.google.com/go/secretmanager, github.com/googleapis/gax-go/v2, and google.golang.org/api; removed golang.org/x/text and an indirect dependency for gax-go.
pkg/store/google_secret_manager_store.go pkg/store/google_secret_manager_store_test.go	Introduced a new Google Secret Manager store implementation with GSMClient, GSMStore, configuration options, and methods (Set, Get, etc.), along with a comprehensive test suite using a mocked client.
pkg/store/registry.go	Updated the store registry to handle the "google-secret-manager" store and its alias "gsm", including options parsing and store creation.
website/docs/.../stores.mdx	Added documentation on configuring Google Secret Manager, detailing required fields (e.g., project_id) and optional parameters plus authentication methods.

Suggested labels

minor, no-release

Suggested reviewers

• osterman

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between afebd17 and e605636.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Summary

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary or @auto-summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @auto-title anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (9)

pkg/store/google_secret_manager_store.go (4)

23-36: Consider environment-based credential management
Storing credentials as a JSON string in configuration risks accidental exposure. Adopting environment variables or secret references can enhance security.

---

38-76: Consider allowing caller-supplied context
Currently, a background context is used to initialize the store. Passing a custom context would allow more flexibility for cancellation and timeouts.

---

99-190: Refactor creation & versioning flow

1. Consider splitting secret creation and version addition into separate methods for clarity and improved testability.
2. Restricting values to strings might be limiting if you need to store JSON or other data.

---

192-237: Support specifying secret versions
Always retrieving "latest" can be restrictive. Consider allowing a version parameter for more advanced workflows.

pkg/store/google_secret_manager_store_test.go (3)

51-55: Remove or utilize the unused helper
Static analysis flags “newMockGSMClient” as unused. Consider removing or integrating it in tests.

🧰 Tools

🪛 golangci-lint (1.62.2)

52-52: func newMockGSMClient is unused

(unused)

---

56-272: Comprehensive sub-tests
“TestGSMStore_Set” covers multiple paths effectively. If concurrency is a concern, consider adding parallel or race tests.

---

376-429: Handling environment credentials
Providing credentials from the environment is pragmatic. You might mock environment variables for consistent CI runs.

website/docs/core-concepts/stacks/yaml-functions/store.mdx (1)

68-74: Effective Google Secret Manager Example Addition
This set of changes demonstrates the usage of Google Secret Manager for various scenarios—including direct retrieval, default values, and cross-stack access. The examples are concise and correctly use templating for dynamic stack names. One minor suggestion would be to include a brief inline note (or reference) on when to prefer using the alias “gsm” compared to “google-secret-manager” for added clarity.

website/docs/core-concepts/projects/configuration/stores.mdx (1)

204-248: Detailed GSM Options and Authentication Instructions
The expanded documentation following the configuration sample thoroughly explains the options for GSM—covering the required project_id, optional prefix and credentials, as well as the stack_delimiter. The authentication section is particularly useful, outlining Application Default Credentials, Direct Credentials, and Workload Identity methods. This level of detail greatly aids users. A small suggestion: consider emphasizing best practices for secure handling of credentials (especially when embedding JSON strings), which can further educate users on avoiding potential pitfalls.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 845aeb5 and dfab44d.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (6)

• go.mod (3 hunks)
• pkg/store/google_secret_manager_store.go (1 hunks)
• pkg/store/google_secret_manager_store_test.go (1 hunks)
• pkg/store/registry.go (1 hunks)
• website/docs/core-concepts/projects/configuration/stores.mdx (2 hunks)
• website/docs/core-concepts/stacks/yaml-functions/store.mdx (1 hunks)

🧰 Additional context used

🪛 golangci-lint (1.62.2)

pkg/store/google_secret_manager_store_test.go

52-52: func newMockGSMClient is unused

(unused)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Summary

🔇 Additional comments (13)

pkg/store/google_secret_manager_store.go (3)

1-13: Imports are well-organized
Everything looks good here.

---

15-21: Interface definition is clean
No immediate concerns with concurrency usage or naming in the GSMClient interface.

---

78-97: Key transformation collisions
Replacing slashes with underscores may cause collisions (e.g., multiple slash segments). Confirm that potential collisions are acceptable or consider a unique delimiter.

pkg/store/registry.go (1)

37-48: Registration logic is consistent
Storing the parsed GSM options in the registry matches patterns used for other store types.

pkg/store/google_secret_manager_store_test.go (3)

1-15: Imports and initial setup
All included packages appear necessary and relevant.

---

17-49: Mock implementation looks solid
Neatly uses the testify/mock framework for mocking GSM client methods.

---

274-374: Sufficient coverage for Get method
Tests multiple outcome scenarios, including error handling. Implementation looks thorough.

website/docs/core-concepts/stacks/yaml-functions/store.mdx (1)

63-67: Clear AWS SSM Example in YAML Block
The newly added lines neatly illustrate how to retrieve security group IDs via AWS SSM Parameter Store. The indentation and labeling are clear, adding value to the documentation.

website/docs/core-concepts/projects/configuration/stores.mdx (2)

15-15: Support for Google Secret Manager Added to Stores List
Including Google Secret Manager in the list of supported stores is a welcome update. The link provided directs users to the official documentation, ensuring they can obtain more details if needed.

---

184-203: Comprehensive GSM YAML Configuration Sample
The YAML configuration block for the Google Secret Manager is clear and well-structured. It illustrates both the direct type (“google-secret-manager”) and its alias (“gsm”) for production configurations, along with key options such as project_id, prefix, and credentials. This practical example will help users correctly integrate GSM with their atmos.yaml configurations.

go.mod (3)

6-6: New Dependency for GSM Functionality
The addition of the cloud.google.com/go/secretmanager v1.11.5 dependency is well justified by the new GSM store implementation. It’s important to ensure that this version is compatible with other Google Cloud dependencies in the project.

---

31-31: Direct Requirement for GAX Library
Noting the appearance of github.com/googleapis/gax-go/v2 v2.12.3 as a direct dependency now—this update signals a cleaner dependency graph. Please verify that this change doesn’t introduce any conflicts with transitive dependencies elsewhere in the codebase.

---

63-63: Explicit Inclusion of google.golang.org/api
The explicit requirement of google.golang.org/api v0.171.0 ensures stability for GSM interactions. Like the GAX update, confirm that making this dependency direct meets your project’s overall dependency management strategy.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

pkg/store/google_secret_manager_store.go (1)

99-190: Add context timeout for GSM operations.

Using context.Background() without a timeout could lead to hanging operations. Consider adding a reasonable timeout.

Apply this diff:

 func (s *GSMStore) Set(stack string, component string, key string, value interface{}) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
-	ctx := context.Background()

pkg/store/google_secret_manager_store_test.go (1)

376-429: Add test case for client cleanup.

Consider adding a test case to verify that the client is properly closed when an error occurs during initialization.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dfab44d and 6e490f9.

📒 Files selected for processing (2)

• pkg/store/google_secret_manager_store.go (1 hunks)
• pkg/store/google_secret_manager_store_test.go (1 hunks)

🧰 Additional context used

🪛 golangci-lint (1.62.2)

pkg/store/google_secret_manager_store_test.go

52-52: func newMockGSMClient is unused

(unused)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Summary

🔇 Additional comments (4)

pkg/store/google_secret_manager_store.go (2)

15-36: LGTM! Well-structured interface and struct declarations.

The GSMClient interface is well-designed for mocking, and the GSMStore struct with its options provides a clean configuration structure.

---

192-237: Add context timeout for GSM operations.

Similar to the Set method, add a timeout to prevent hanging operations.

pkg/store/google_secret_manager_store_test.go (2)

56-272: LGTM! Comprehensive test coverage.

The test cases thoroughly cover success scenarios, error handling, and input validation.

---

274-374: LGTM! Well-structured test cases.

The test cases provide good coverage of both success and error scenarios.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

pkg/store/google_secret_manager_store.go (1)

108-200: Potential concurrency considerations
If multiple calls to Set() operate on the same key concurrently, consider version sprawl and race conditions. Also, storing large secrets might require additional checks.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6e490f9 and 21051e7.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• go.mod (3 hunks)
• pkg/store/google_secret_manager_store.go (1 hunks)
• pkg/store/google_secret_manager_store_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/store/google_secret_manager_store_test.go
• go.mod

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Summary

🔇 Additional comments (7)

pkg/store/google_secret_manager_store.go (7)

1-19: Great package structure
The imports and the gsmOperationTimeout constant form a clean foundation. The 30-second timeout is a sensible default.

---

20-26: Neat interface
The GSMClient interface neatly captures the required Secret Manager methods.

---

28-34: Straightforward store struct
All essential fields (client, project ID, prefix, delimiter) are logically grouped.

---

36-41: Flexible options
Allowing optional credentials, prefix, and delimiter is convenient for diverse configurations.

---

46-85: Robust constructor
Resource cleanup on error is carefully handled, preventing leaks. Everything else looks solid.

---

87-106: Comprehensive key transformation
Stripping slashes and extraneous underscores ensures secret IDs remain valid in Google Secret Manager.

---

202-248: String-based retrieval
Returning string data is fine but limits storing binary or structured data. This is acceptable for most use cases.

[mcalhoun]

Thanks for this contribution, @shirkevich! Overall, it looks really good, just left a few small comments.

[mergify]

💥 This pull request now has conflicts. Could you fix it @shirkevich? 🙏

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 21051e7 and 5c5213c.

📒 Files selected for processing (2)

• website/docs/core-concepts/projects/configuration/stores.mdx (2 hunks)
• website/docs/core-concepts/stacks/yaml-functions/store.mdx (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• website/docs/core-concepts/stacks/yaml-functions/store.mdx

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Summary

🔇 Additional comments (3)

website/docs/core-concepts/projects/configuration/stores.mdx (3)

18-21: LGTM! The list is already alphabetized.

The list of supported stores is properly organized in alphabetical order, which aligns with the documentation's structure and improves readability.

---

135-150: LGTM! Comprehensive examples covering key configurations.

The examples effectively demonstrate:

• Both store type identifiers (google-secret-manager and gsm)
• Different authentication methods
• Optional configuration parameters

---

180-197: LGTM! Comprehensive authentication documentation.

The authentication section effectively covers all supported methods with clear setup instructions and security best practices.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

website/docs/core-concepts/projects/configuration/stores.mdx (1)

195-195: Add a comma after "GCP" for better readability.

-When running in GCP you can use Workload Identity which automatically handles authentication
+When running in GCP, you can use Workload Identity which automatically handles authentication

🧰 Tools

🪛 LanguageTool

[uncategorized] ~195-~195: Possible missing comma found.
Context: ...en running in GCP, you can use Workload Identity which automatically handles authenticat...

(AI_HYDRA_LEO_MISSING_COMMA)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a594edb and afebd17.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod (3 hunks)
• website/docs/core-concepts/projects/configuration/stores.mdx (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

🧰 Additional context used

🧠 Learnings (1)

website/docs/core-concepts/projects/configuration/stores.mdx (1)

Learnt from: shirkevich
PR: cloudposse/atmos#1034
File: website/docs/core-concepts/projects/configuration/stores.mdx:173-177
Timestamp: 2025-02-11T08:21:33.143Z
Learning: The parameter for configuring stack path delimiter in store configurations is consistently named `stack_delimiter` (not `stacks_delimiter`) across all store types in Atmos.

🪛 LanguageTool

website/docs/core-concepts/projects/configuration/stores.mdx

[uncategorized] ~195-~195: Possible missing comma found.
Context: ...en running in GCP, you can use Workload Identity which automatically handles authenticat...

(AI_HYDRA_LEO_MISSING_COMMA)

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: Build (windows-latest, windows)
• GitHub Check: Summary

🔇 Additional comments (4)

website/docs/core-concepts/projects/configuration/stores.mdx (4)

18-21: Alphabetize the list of supported stores.

For better readability and consistency, please alphabetize the list of supported stores.

- - [Artifactory](https://jfrog.com/artifactory/)
- - [AWS SSM Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html)
- - [Google Secret Manager](https://cloud.google.com/secret-manager)
- - [Redis](https://redis.io/)
+ - [Artifactory](https://jfrog.com/artifactory/)
+ - [AWS SSM Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html)
+ - [Google Secret Manager](https://cloud.google.com/secret-manager)
+ - [Redis](https://redis.io/)

---

135-150: LGTM! Clear and concise configuration examples.

The configuration examples effectively demonstrate both the full type name and its alias, along with different authentication methods.

---

152-178: LGTM! Well-structured documentation of store options.

The documentation clearly describes all available options and their usage.

---

180-197: LGTM! Comprehensive authentication documentation.

The authentication section effectively covers all three methods (ADC, Direct Credentials, and Workload Identity) with clear setup instructions.

🧰 Tools

🪛 LanguageTool

[uncategorized] ~195-~195: Possible missing comma found.
Context: ...en running in GCP, you can use Workload Identity which automatically handles authenticat...

(AI_HYDRA_LEO_MISSING_COMMA)