From 3bca5aecbd4f406d17fb5690335fe6004514abe2 Mon Sep 17 00:00:00 2001
From: Pyronewbic
Date: Wed, 20 May 2026 21:46:26 +0530
Subject: [PATCH 1/3] fix: import existing KMS/attestor resources, add public key PEM

---
 terraform/binary-auth.tf | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/terraform/binary-auth.tf b/terraform/binary-auth.tf
index 38e66a0..44ed23c 100644
--- a/terraform/binary-auth.tf
+++ b/terraform/binary-auth.tf
@@ -1,3 +1,8 @@
+import {
+  to = google_kms_key_ring.binary_auth
+  id = "projects/casecomp-495718/locations/global/keyRings/binary-auth"
+}
+
 resource "google_kms_key_ring" "binary_auth" {
   name = "binary-auth"
   location = "global"
@@ -5,6 +10,11 @@ resource "google_kms_key_ring" "binary_auth" {
   depends_on = [google_project_service.cloudkms]
 }
 
+import {
+  to = google_kms_crypto_key.attestor_key
+  id = "projects/casecomp-495718/locations/global/keyRings/binary-auth/cryptoKeys/attestor-key"
+}
+
 resource "google_kms_crypto_key" "attestor_key" {
   name = "attestor-key"
   key_ring = google_kms_key_ring.binary_auth.id
@@ -16,6 +26,11 @@ resource "google_kms_crypto_key" "attestor_key" {
   }
 }
 
+import {
+  to = google_container_analysis_note.deploy_attestor
+  id = "projects/casecomp-495718/notes/deploy-attestor"
+}
+
 resource "google_container_analysis_note" "deploy_attestor" {
   name = "deploy-attestor"
 
@@ -28,6 +43,11 @@ resource "google_container_analysis_note" "deploy_attestor" {
   depends_on = [google_project_service.containeranalysis]
 }
 
+import {
+  to = google_binary_authorization_attestor.deploy
+  id = "projects/casecomp-495718/attestors/deploy-attestor"
+}
+
 resource "google_binary_authorization_attestor" "deploy" {
   name = "deploy-attestor"
 
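Review bot: The four import blocks in this hunk and the next three hardcode the project id `casecomp-495718` in their `id` strings, while every other reference in the file is symbolic and the deploy workflow takes the project from `env.PROJECT_ID`, so the same value now lives in several unrelated places. An import block is a one-time migration aid: once `terraform apply` has adopted the existing key ring, crypto key, note and attestor into state it does nothing further, and leaving it in place invites the literals to drift from whatever the rest of the configuration uses. I would add above the first block `# One-time import of pre-existing resources; remove once state has been migrated` and, if the pinned Terraform version accepts expressions in `id`, build the paths from the project variable the configuration already uses instead of repeating the literal four times.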
@@ -35,7 +55,17 @@ resource "google_binary_authorization_attestor" "deploy" {
     note_reference = google_container_analysis_note.deploy_attestor.name
 
     public_keys {
-      id = "${google_kms_crypto_key.attestor_key.id}/cryptoKeyVersions/1"
+      id = "//cloudkms.googleapis.com/v1/projects/casecomp-495718/locations/global/keyRings/binary-auth/cryptoKeys/attestor-key/cryptoKeyVersions/1"
+
+      pkix_public_key {
+        public_key_pem = <<-EOT
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEz1M4jt+Io7Na86SpMNZkIG+yUEn+
+7N/9tVN7BfbH2jZ76A1zm02/5qC4oPbk/+i0SFcUuKMUCqkv+tv4hORMzA==
+-----END PUBLIC KEY-----
+EOT
+        signature_algorithm = "ECDSA_P256_SHA256"
+      }
     }
   }
 }

From ba2d24146289e43b83e1ed8048a16303d472f306 Mon Sep 17 00:00:00 2001
From: Pyronewbic
Date: Wed, 20 May 2026 21:49:41 +0530
Subject: [PATCH 2/3] style: terraform fmt alignment in binary-auth.tf

---
 terraform/binary-auth.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/binary-auth.tf b/terraform/binary-auth.tf
index 44ed23c..3d90bed 100644
--- a/terraform/binary-auth.tf
+++ b/terraform/binary-auth.tf
@@ -58,7 +58,7 @@ resource "google_binary_authorization_attestor" "deploy" {
       id = "//cloudkms.googleapis.com/v1/projects/casecomp-495718/locations/global/keyRings/binary-auth/cryptoKeys/attestor-key/cryptoKeyVersions/1"
 
       pkix_public_key {
-        public_key_pem = <<-EOT
+        public_key_pem = <<-EOT
 -----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEz1M4jt+Io7Na86SpMNZkIG+yUEn+
 7N/9tVN7BfbH2jZ76A1zm02/5qC4oPbk/+i0SFcUuKMUCqkv+tv4hORMzA==

From 35f563b479b5cb704d71e7c97ab62101e62ccd90 Mon Sep 17 00:00:00 2001
From: Pyronewbic
Date: Wed, 20 May 2026 22:01:27 +0530
Subject: [PATCH 3/3] fix: add --quiet to gcloud beta binauthz attestation command

---
 .github/workflows/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 8a87fae..4487520 100644
--- a/.github/workflows/deploy.yml
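Review bot: The new `public_keys` block pins both the key-version resource name on the `id` line and a hand-copied PEM in `public_key_pem`, and nothing in the configuration ties that PEM to `google_kms_crypto_key.attestor_key` version 1 it is meant to describe; if the key is re-created or a rotation produces a new version, Binary Authorization keeps verifying against the stale literal while signing happens with whatever version the workflow names, and the mismatch only shows up as rejected deployments. The provider's `google_kms_crypto_key_version` data source (which defaults to version 1) exposes the version's `id` in the `//cloudkms.googleapis.com/v1/...` form used here together with `public_key[0].pem` and `public_key[0].algorithm`, so all three values can be derived from the managed key instead of being copied along with the project id. The enclosing resource starts outside the hunk.
```hcl
data "google_kms_crypto_key_version" "attestor_key" {
  crypto_key = google_kms_crypto_key.attestor_key.id
}

# … unchanged: resource "google_binary_authorization_attestor" "deploy" header and note_reference …
    public_keys {
      id = data.google_kms_crypto_key_version.attestor_key.id

      pkix_public_key {
        public_key_pem      = data.google_kms_crypto_key_version.attestor_key.public_key[0].pem
        signature_algorithm = data.google_kms_crypto_key_version.attestor_key.public_key[0].algorithm
      }
    }
```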
+++ b/.github/workflows/deploy.yml
@@ -75,7 +75,7 @@ jobs:
 
       - name: Create Binary Auth attestation
         run: |
-          gcloud beta container binauthz attestations sign-and-create \
+          gcloud beta container binauthz attestations sign-and-create --quiet \
             --artifact-url="${{ env.IMAGE }}@${{ steps.digest.outputs.digest }}" \
             --attestor="projects/${{ env.PROJECT_ID }}/attestors/deploy-attestor" \
             --keyversion="projects/${{ env.PROJECT_ID }}/locations/global/keyRings/binary-auth/cryptoKeys/attestor-key/cryptoKeyVersions/1"
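Review bot: `--quiet` on the `sign-and-create` line makes gcloud take the default answer to any prompt the command would otherwise raise, which an unattended job needs, but it also means the step no longer stops on whatever condition was prompting, and the commit message does not say which prompt that was; a one-line comment above the command naming the suppressed prompt (`# --quiet: non-interactive; suppresses the <prompt — TODO fill in> confirmation`) would let the next reader judge whether it is safe to ignore. The `--keyversion` argument pins `cryptoKeyVersions/1`, the same literal that the attestor's `public_keys.id` and inline PEM in `terraform/binary-auth.tf` pin, so a KMS key rotation has to be coordinated across both files; a comment pointing at that file would make the coupling visible. The `${{ }}` expressions on the context lines are expanded into the script text before the shell parses it, so the usual hardening for `run:` blocks is to pass `IMAGE`, the digest and `PROJECT_ID` through the step's `env:` and reference them as quoted shell variables. The job definition starts outside the hunk.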