Add support for secrets manager environment variables

Closes #286

Author: christophersjchow

package/lib/compileFunctions.js

@@ -49,6 +49,8 @@ module.exports = {
         _.get(funcObject, 'timeout') || _.get(this, 'serverless.service.provider.timeout') || '60s';
       funcTemplate.properties.environmentVariables =
         this.provider.getConfiguredEnvironment(funcObject);
+      funcTemplate.properties.secretEnvironmentVariables =
+        this.provider.getConfiguredSecrets(funcObject);
 
       if (!funcTemplate.properties.serviceAccountEmail) {
         delete funcTemplate.properties.serviceAccountEmail;
@@ -80,6 +82,9 @@ module.exports = {
       if (!_.size(funcTemplate.properties.environmentVariables)) {
         delete funcTemplate.properties.environmentVariables;
       }
+      if (!_.size(funcTemplate.properties.secretEnvironmentVariables)) {
+        delete funcTemplate.properties.secretEnvironmentVariables;
+      }
 
       funcTemplate.properties.labels = _.assign(
         {},

package/lib/compileFunctions.test.js

@@ -507,6 +507,99 @@ describe('CompileFunctions', () => {
       });
     });
 
+    it('should set the secret environment variables based on the function configuration', () => {
+      googlePackage.serverless.service.functions = {
+        func1: {
+          handler: 'func1',
+          secrets: {
+            TEST_SECRET: 'secret:latest',
+          },
+          events: [{ http: 'foo' }],
+        },
+      };
+
+      const compiledResources = [
+        {
+          type: 'gcp-types/cloudfunctions-v1:projects.locations.functions',
+          name: 'my-service-dev-func1',
+          properties: {
+            parent: 'projects/myProject/locations/us-central1',
+            runtime: 'nodejs10',
+            function: 'my-service-dev-func1',
+            entryPoint: 'func1',
+            availableMemoryMb: 256,
+            secretEnvironmentVariables: ['TEST_SECRET=secret:latest'],
+            timeout: '60s',
+            sourceArchiveUrl: 'gs://sls-my-service-dev-12345678/some-path/artifact.zip',
+            httpsTrigger: {
+              url: 'foo',
+            },
+            labels: {},
+          },
+        },
+      ];
+
+      return googlePackage.compileFunctions().then(() => {
+        expect(consoleLogStub.calledOnce).toEqual(true);
+        expect(
+          googlePackage.serverless.service.provider.compiledConfigurationTemplate.resources
+        ).toEqual(compiledResources);
+      });
+    });
+
+    it('should merge the secret environment variables on the provider configuration and function definition', () => {
+      googlePackage.serverless.service.functions = {
+        func1: {
+          handler: 'func1',
+          secrets: {
+            TEST_SECRET: 'secret1:latest',
+            TEST_SECRET2: 'secret2:latest',
+          },
+          events: [{ http: 'foo' }],
+        },
+      };
+      googlePackage.serverless.service.provider.secrets = {
+        TEST_SECRET: 'secretbase:latest',
+        TEST_SECRET_PROVIDER: 'secretprovider:latest',
+      };
+
+      const compiledResources = [
+        {
+          type: 'gcp-types/cloudfunctions-v1:projects.locations.functions',
+          name: 'my-service-dev-func1',
+          properties: {
+            parent: 'projects/myProject/locations/us-central1',
+            runtime: 'nodejs10',
+            function: 'my-service-dev-func1',
+            entryPoint: 'func1',
+            availableMemoryMb: 256,
+            secretEnvironmentVariables: [
+              'TEST_SECRET=secret1:latest',
+              'TEST_SECRET_PROVIDER=secretprovider:latest',
+              'TEST_SECRET2=secret2:latest',
+            ],
+            timeout: '60s',
+            sourceArchiveUrl: 'gs://sls-my-service-dev-12345678/some-path/artifact.zip',
+            httpsTrigger: {
+              url: 'foo',
+            },
+            labels: {},
+          },
+        },
+      ];
+
+      return googlePackage.compileFunctions().then(() => {
+        expect(consoleLogStub.calledOnce).toEqual(true);
+        expect(
+          googlePackage.serverless.service.provider.compiledConfigurationTemplate.resources
+        ).toEqual(compiledResources);
+        expect(googlePackage.serverless.service.provider.secrets).toEqual({
+          TEST_SECRET: 'secretbase:latest',
+          TEST_SECRET_PROVIDER: 'secretprovider:latest',
+        });
+      });
+    });
+
     it('should compile "http" events properly', () => {
       googlePackage.serverless.service.functions = {
         func1: {

provider/googleProvider.js

@@ -92,6 +92,9 @@ class GoogleProvider {
           },
           additionalProperties: false,
         },
+        cloudFunctionSecretEnvironmentVariables: {
+          type: 'object',
+        },
         cloudFunctionVpcEgress: {
           enum: ['ALL', 'ALL_TRAFFIC', 'PRIVATE', 'PRIVATE_RANGES_ONLY'],
         },
@@ -119,6 +122,7 @@ class GoogleProvider {
           memorySize: { $ref: '#/definitions/cloudFunctionMemory' }, // Can be overridden by function configuration
           timeout: { type: 'string' }, // Can be overridden by function configuration
           environment: { $ref: '#/definitions/cloudFunctionEnvironmentVariables' }, // Can be overridden by function configuration
+          secrets: { $ref: '#/definitions/cloudFunctionSecretEnvironmentVariables' }, // Can be overridden by function configuration
           vpc: { type: 'string' }, // Can be overridden by function configuration
           vpcEgress: { $ref: '#/definitions/cloudFunctionVpcEgress' }, // Can be overridden by function configuration
           labels: { $ref: '#/definitions/resourceManagerLabels' }, // Can be overridden by function configuration
@@ -133,6 +137,7 @@ class GoogleProvider {
           timeout: { type: 'string' }, // Override provider configuration
           minInstances: { type: 'number' },
           environment: { $ref: '#/definitions/cloudFunctionEnvironmentVariables' }, // Override provider configuration
+          secrets: { $ref: '#/definitions/cloudFunctionSecretEnvironmentVariables' }, // Can be overridden by function configuration
           vpc: { type: 'string' }, // Override provider configuration
           vpcEgress: { $ref: '#/definitions/cloudFunctionVpcEgress' }, // Can be overridden by function configuration
           labels: { $ref: '#/definitions/resourceManagerLabels' }, // Override provider configuration
@@ -279,6 +284,17 @@ class GoogleProvider {
     );
   }
 
+  getConfiguredSecrets(funcObject) {
+    const secrets = _.merge(
+      {},
+      _.get(this, 'serverless.service.provider.secrets'),
+      funcObject.secrets
+    );
+    return Object.keys(secrets).map((key) => {
+      return `${key}=${secrets[key]}`;
+    });
+  }
+
   getConfiguredEnvironment(funcObject) {
     return _.merge(
       {},