From 2e4ebafbee516f87848068fe5b13bb90622494f5 Mon Sep 17 00:00:00 2001
From: Al Cutter
Date: Mon, 26 Jan 2026 17:17:58 +0000
Subject: [PATCH 1/6] Fix key naming

---
 cmd/tesseract/gcp/generate_key/main.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/tesseract/gcp/generate_key/main.go b/cmd/tesseract/gcp/generate_key/main.go
index 890b0222..cb8619dd 100644
--- a/cmd/tesseract/gcp/generate_key/main.go
+++ b/cmd/tesseract/gcp/generate_key/main.go
@@ -76,11 +76,11 @@ func main() {
 		sec, pub = genEd25519KeypairNote()
 	}
 
-	pubKName := fmt.Sprintf("%s-%s-public", *keyUsage, resourceFromOrigin(*origin))
+	pubKName := fmt.Sprintf("%s-%s-public", resourceFromOrigin(*origin), *keyUsage)
 	if err := createSecret(ctx, *projectID, client, pubKName, pub); err != nil {
 		exit("Failed to create secret %q: %v", pubKName, err)
 	}
-	secKName := fmt.Sprintf("%s-%s-secret", *keyUsage, resourceFromOrigin(*origin))
+	secKName := fmt.Sprintf("%s-%s-secret", resourceFromOrigin(*origin), *keyUsage)
 	if err := createSecret(ctx, *projectID, client, secKName, sec); err != nil {
 		exit("Failed to create secret %q: %v", secKName, err)
 	}
From c80124d3ef14f6423f70400f8257744488dec383 Mon Sep 17 00:00:00 2001
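Review bot: The `<origin>-<usage>-{public,secret}` layout produced by the two Sprintf calls is a contract with the Terraform side (the live config later in this series references `${local.safe_origin}-log-public` and `-log-secret`), but nothing at this point records that, so the next reorder will silently desynchronise them again. Hoist the shared prefix once, `prefix := fmt.Sprintf("%s-%s", resourceFromOrigin(*origin), *keyUsage)`, and put a comment above it such as `// Secret names must match the <safe_origin>-<usage>-{public,secret} pattern expected by the deployment configs.` Whether `resourceFromOrigin` already restricts its output to the characters Secret Manager accepts in a secret ID is not visible here; if it does not, the composed name should be checked before `createSecret` is called rather than failing at the API. `main` continues outside the hunk.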
From: Al Cutter
Date: Mon, 26 Jan 2026 17:17:58 +0000
Subject: [PATCH 2/6] origin_suffix --> origin

---
 .../gcp/static-ct-staging/logs/arche2025h1/terragrunt.hcl | 2 +-
 .../gcp/static-ct-staging/logs/arche2025h2/terragrunt.hcl | 2 +-
 .../gcp/static-ct-staging/logs/arche2026h1/terragrunt.hcl | 2 +-
 deployment/modules/gcp/cloudbuild/conformance/main.tf     | 2 ++
 deployment/modules/gcp/cloudrun/main.tf                   | 4 ++--
 deployment/modules/gcp/cloudrun/variables.tf              | 4 ++--
 deployment/modules/gcp/gce/tesseract/main.tf              | 2 +-
 deployment/modules/gcp/gce/tesseract/variables.tf         | 4 ++--
 deployment/modules/gcp/tesseract/cloudrun/main.tf         | 2 +-
 deployment/modules/gcp/tesseract/cloudrun/variables.tf    | 4 ++--
 deployment/modules/gcp/tesseract/gce/main.tf              | 2 +-
 deployment/modules/gcp/tesseract/gce/variables.tf         | 4 ++--
 12 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/deployment/live/gcp/static-ct-staging/logs/arche2025h1/terragrunt.hcl b/deployment/live/gcp/static-ct-staging/logs/arche2025h1/terragrunt.hcl
index 351032ae..43197dcb 100644
--- a/deployment/live/gcp/static-ct-staging/logs/arche2025h1/terragrunt.hcl
+++ b/deployment/live/gcp/static-ct-staging/logs/arche2025h1/terragrunt.hcl
@@ -6,7 +6,7 @@ locals {
   env                 = include.root.locals.env
   docker_env          = local.env
   base_name           = include.root.locals.base_name
-  origin_suffix       = include.root.locals.origin_suffix
+  origin              = "${local.base_name}${include.root.locals.origin_suffix}"
   not_after_start     = "2025-01-01T00:00:00Z"
   not_after_limit     = "2025-07-01T00:00:00Z"
   server_docker_image = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/tesseract-gcp:${include.root.locals.docker_container_tag}"
diff --git a/deployment/live/gcp/static-ct-staging/logs/arche2025h2/terragrunt.hcl b/deployment/live/gcp/static-ct-staging/logs/arche2025h2/terragrunt.hcl
index ecbc4262..13b4dc3c 100644
--- a/deployment/live/gcp/static-ct-staging/logs/arche2025h2/terragrunt.hcl
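Review bot: The new `origin` local in the arche2025h1 hunk is the identical expression `"${local.base_name}${include.root.locals.origin_suffix}"` that the arche2025h2 and arche2026h1 hunks on the next line add, and both of its inputs already come from the root include. If the root terragrunt config is where `base_name` is derived per log, the composed origin belongs there as well, so each leaf becomes `origin = include.root.locals.origin` and the three copies cannot drift apart; the root config is not in view, so verify that `base_name` is available at that level. The `locals` block continues past the end of the hunk.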
+++ b/deployment/live/gcp/static-ct-staging/logs/arche2025h2/terragrunt.hcl
@@ -6,7 +6,7 @@ locals {
   env                 = include.root.locals.env
   docker_env          = local.env
   base_name           = include.root.locals.base_name
-  origin_suffix       = include.root.locals.origin_suffix
+  origin              = "${local.base_name}${include.root.locals.origin_suffix}"
   not_after_start     = "2025-07-01T00:00:00Z"
   not_after_limit     = "2026-01-01T00:00:00Z"
   server_docker_image = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/tesseract-gcp:${include.root.locals.docker_container_tag}"
diff --git a/deployment/live/gcp/static-ct-staging/logs/arche2026h1/terragrunt.hcl b/deployment/live/gcp/static-ct-staging/logs/arche2026h1/terragrunt.hcl
index ab984866..1c6d4e92 100644
--- a/deployment/live/gcp/static-ct-staging/logs/arche2026h1/terragrunt.hcl
+++ b/deployment/live/gcp/static-ct-staging/logs/arche2026h1/terragrunt.hcl
@@ -6,7 +6,7 @@ locals {
   env                 = include.root.locals.env
   docker_env          = local.env
   base_name           = include.root.locals.base_name
-  origin_suffix       = include.root.locals.origin_suffix
+  origin              = "${local.base_name}${include.root.locals.origin_suffix}"
   not_after_start     = "2026-01-01T00:00:00Z"
   not_after_limit     = "2026-07-01T00:00:00Z"
   server_docker_image = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/tesseract-gcp:${include.root.locals.docker_container_tag}"
diff --git a/deployment/modules/gcp/cloudbuild/conformance/main.tf b/deployment/modules/gcp/cloudbuild/conformance/main.tf
index b0293670..436d9b72 100644
--- a/deployment/modules/gcp/cloudbuild/conformance/main.tf
+++ b/deployment/modules/gcp/cloudbuild/conformance/main.tf
@@ -24,6 +24,8 @@ locals {
   cloudbuild_service_account   = "cloudbuild-${var.env}-sa@${var.project_id}.iam.gserviceaccount.com"
   artifact_repo                = "${var.location}-docker.pkg.dev/${var.project_id}/${module.artifactregistry.docker.name}"
   conformance_gcp_docker_image = "${local.artifact_repo}/conformance-gcp"
+  origin                       = "static-ct-${var.env}"
+  safe_origin                  = replace("${local.origin}", "/[^-a-zA-Z0-9]/", "-")
 }
 
 resource "google_project_service" "cloudbuild_api" {
diff --git a/deployment/modules/gcp/cloudrun/main.tf b/deployment/modules/gcp/cloudrun/main.tf
index 24c9fc69..33dc1296 100644
--- a/deployment/modules/gcp/cloudrun/main.tf
+++ b/deployment/modules/gcp/cloudrun/main.tf
@@ -46,8 +46,8 @@ resource "google_cloud_run_v2_service" "default" {
         "--spanner_db_path=${local.spanner_log_db_path}",
         "--spanner_antispam_db_path=${local.spanner_antispam_db_path}",
         "--roots_pem_file=/bin/test_root_ca_cert.pem",
-        "--origin=${var.base_name}${var.origin_suffix}",
-        "--path_prefix=${var.base_name}${var.origin_suffix}",
+        "--origin=${var.origin}",
+        "--path_prefix=${var.origin}",
         "--signer_public_key_secret_name=${var.signer_public_key_secret_name}",
         "--signer_private_key_secret_name=${var.signer_private_key_secret_name}",
         "--inmemory_antispam_cache_size=256k",
diff --git a/deployment/modules/gcp/cloudrun/variables.tf b/deployment/modules/gcp/cloudrun/variables.tf
index 4d04e1aa..e0afe695 100644
--- a/deployment/modules/gcp/cloudrun/variables.tf
+++ b/deployment/modules/gcp/cloudrun/variables.tf
@@ -8,8 +8,8 @@ variable "base_name" {
   type = string
 }
 
-variable "origin_suffix" {
-  description = "Origin suffix, appended to base_name"
+variable "origin" {
+  description = "Log origin"
   type        = string
 }
 
diff --git a/deployment/modules/gcp/gce/tesseract/main.tf b/deployment/modules/gcp/gce/tesseract/main.tf
index 0ff0fa08..ae9db77c 100644
--- a/deployment/modules/gcp/gce/tesseract/main.tf
+++ b/deployment/modules/gcp/gce/tesseract/main.tf
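Review bot: `safe_origin` is built with `replace("${local.origin}", ...)`, where the interpolation-only string is redundant and is what tflint warns about; `replace(local.origin, "/[^-a-zA-Z0-9]/", "-")` is equivalent. The same expression is repeated verbatim in the static-ct-ci `terragrunt.hcl` hunk of patch 3, so the sanitising rule that decides which Secret Manager names get looked up now lives in two places that must agree. Because every character outside `[-a-zA-Z0-9]` folds to `-`, two origins that differ only in punctuation map to the same `safe_origin` and hence the same secret names; that is not a problem for the single CI log but deserves a comment next to the definition, e.g. `# Secret Manager secret IDs only allow [a-zA-Z0-9_-]; origins differing only in punctuation collide after this.` The `locals` block closes within the hunk.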
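Review bot: The new `origin` variable's description `"Log origin"` drops the information the old one carried and says nothing about how the value is consumed or what shape it must have, while the value goes straight into the `--origin` flag (and, in the cloudrun module hunk above, `--path_prefix`) with no validation. Suggest `description = "Log origin, passed verbatim as the --origin flag (and as the Cloud Run --path_prefix), e.g. <base_name>.ct.transparency.dev."` together with a `validation` block whose `condition` rejects whitespace and `/`, so a malformed input fails at plan time instead of producing an unreachable log path. The same one-word description is added in the gce/tesseract, tesseract/cloudrun and tesseract/gce `variables.tf` hunks of this patch.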
@@ -46,7 +46,7 @@ locals {
     "-spanner_db_path=${local.spanner_log_db_path}",
     "-spanner_antispam_db_path=${local.spanner_antispam_db_path}",
     format("-roots_pem_file=%s", var.accepted_roots == "" ? "/bin/test_root_ca_cert.pem" : local.accepted_roots_file),
-    "-origin=${var.base_name}${var.origin_suffix}",
+    "-origin=${var.origin}",
     "-signer_public_key_secret_name=${var.signer_public_key_secret_name}",
     "-signer_private_key_secret_name=${var.signer_private_key_secret_name}",
     "-inmemory_antispam_cache_size=256k",
diff --git a/deployment/modules/gcp/gce/tesseract/variables.tf b/deployment/modules/gcp/gce/tesseract/variables.tf
index ba1ef8c0..b12b1ab5 100644
--- a/deployment/modules/gcp/gce/tesseract/variables.tf
+++ b/deployment/modules/gcp/gce/tesseract/variables.tf
@@ -8,8 +8,8 @@ variable "base_name" {
   type = string
 }
 
-variable "origin_suffix" {
-  description = "Origin suffix, appended to base_name"
+variable "origin" {
+  description = "Log origin"
   type        = string
 }
 
diff --git a/deployment/modules/gcp/tesseract/cloudrun/main.tf b/deployment/modules/gcp/tesseract/cloudrun/main.tf
index 5765ec6a..470d70d3 100644
--- a/deployment/modules/gcp/tesseract/cloudrun/main.tf
+++ b/deployment/modules/gcp/tesseract/cloudrun/main.tf
@@ -18,7 +18,7 @@ module "cloudrun" {
   env                 = var.env
   project_id          = var.project_id
   base_name           = var.base_name
-  origin_suffix       = var.origin_suffix
+  origin              = var.origin
   location            = var.location
   server_docker_image = var.server_docker_image
   not_after_start     = var.not_after_start
diff --git a/deployment/modules/gcp/tesseract/cloudrun/variables.tf b/deployment/modules/gcp/tesseract/cloudrun/variables.tf
index 06ca587c..a3a666f0 100644
--- a/deployment/modules/gcp/tesseract/cloudrun/variables.tf
+++ b/deployment/modules/gcp/tesseract/cloudrun/variables.tf
@@ -8,8 +8,8 @@ variable "base_name" {
   type = string
 }
 
-variable "origin_suffix" {
-  description = "Origin suffix, appended to base_name"
+variable "origin" {
+  description = "Log origin"
   type        = string
 }
 
diff --git a/deployment/modules/gcp/tesseract/gce/main.tf b/deployment/modules/gcp/tesseract/gce/main.tf
index dc293d6c..fa7a6b84 100644
--- a/deployment/modules/gcp/tesseract/gce/main.tf
+++ b/deployment/modules/gcp/tesseract/gce/main.tf
@@ -19,7 +19,7 @@ module "gce" {
   env                 = var.env
   project_id          = var.project_id
   base_name           = var.base_name
-  origin_suffix       = var.origin_suffix
+  origin              = var.origin
   location            = var.location
   server_docker_image = var.server_docker_image
   machine_type        = var.machine_type
diff --git a/deployment/modules/gcp/tesseract/gce/variables.tf b/deployment/modules/gcp/tesseract/gce/variables.tf
index da91d610..cd97594a 100644
--- a/deployment/modules/gcp/tesseract/gce/variables.tf
+++ b/deployment/modules/gcp/tesseract/gce/variables.tf
@@ -8,8 +8,8 @@ variable "base_name" {
   type = string
 }
 
-variable "origin_suffix" {
-  description = "Origin suffix, appended to base_name"
+variable "origin" {
+  description = "Log origin"
   type        = string
 }
 
From d06586bb6e99e099d2ab4520964536e4dab338f4 Mon Sep 17 00:00:00 2001
From: Al Cutter
Date: Mon, 26 Jan 2026 17:17:58 +0000
Subject: [PATCH 3/6] Safe origin

---
 deployment/live/gcp/static-ct-ci/logs/ci/terragrunt.hcl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/deployment/live/gcp/static-ct-ci/logs/ci/terragrunt.hcl b/deployment/live/gcp/static-ct-ci/logs/ci/terragrunt.hcl
index 42e945e1..0fdb1d94 100644
--- a/deployment/live/gcp/static-ct-ci/logs/ci/terragrunt.hcl
+++ b/deployment/live/gcp/static-ct-ci/logs/ci/terragrunt.hcl
@@ -6,11 +6,12 @@ locals {
   env                    = "ci"
   docker_env             = local.env
   base_name              = "${local.env}-conformance"
-  origin_suffix          = ".ct.transparency.dev"
   log_public_key_suffix  = "-ecdsa-p256-public-key"  # Legacy key name pattern.
   log_private_key_suffix = "-ecdsa-p256-private-key" # Legacy key name pattern.
   server_docker_image    = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/conformance-gcp:latest"
   ephemeral              = true
+  origin                 = "${local.base_name}.ct.transparency.dev"
+  safe_origin            = replace("${local.origin}", "/[^-a-zA-Z0-9]/", "-")
 }
 
 include "root" {
From c24b287d44ddb3cd21e660a63298d2120a911983 Mon Sep 17 00:00:00 2001
From: Al Cutter
Date: Mon, 26 Jan 2026 17:17:58 +0000
Subject: [PATCH 4/6] key suffixes --> key resource name

---
 .../live/gcp/static-ct-ci/logs/ci/terragrunt.hcl  | 14 +++++++-------
 .../modules/gcp/tesseract/cloudrun/variables.tf   | 10 ++++------
 deployment/modules/gcp/tesseract/gce/variables.tf |  1 -
 3 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/deployment/live/gcp/static-ct-ci/logs/ci/terragrunt.hcl b/deployment/live/gcp/static-ct-ci/logs/ci/terragrunt.hcl
index 0fdb1d94..c437bc2a 100644
--- a/deployment/live/gcp/static-ct-ci/logs/ci/terragrunt.hcl
+++ b/deployment/live/gcp/static-ct-ci/logs/ci/terragrunt.hcl
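Review bot: The new `origin` local hard-codes the `.ct.transparency.dev` suffix that the removed `origin_suffix` line used to hold, whereas the staging logs in patch 2 compose their origin from `include.root.locals.origin_suffix`, so the CI log now follows a different convention from the other live configs. If the static-ct-ci root config exposes (or can expose) `origin_suffix`, `origin = "${local.base_name}${include.root.locals.origin_suffix}"` keeps the two environments aligned; that root config is not visible here, so this is to be confirmed. The `"${local.origin}"` wrapper in `safe_origin` is an interpolation-only string and can be written `replace(local.origin, ...)`. The `locals` block closes within the hunk; the `include "root"` block that follows does not.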
@@ -3,15 +3,15 @@ terraform {
 }
 
 locals {
-  env                    = "ci"
-  docker_env             = local.env
-  base_name              = "${local.env}-conformance"
-  log_public_key_suffix  = "-ecdsa-p256-public-key"  # Legacy key name pattern.
-  log_private_key_suffix = "-ecdsa-p256-private-key" # Legacy key name pattern.
-  server_docker_image    = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/conformance-gcp:latest"
-  ephemeral              = true
+  env                         = "ci"
+  docker_env                  = local.env
+  base_name                   = "${local.env}-conformance"
   origin                      = "${local.base_name}.ct.transparency.dev"
   safe_origin                 = replace("${local.origin}", "/[^-a-zA-Z0-9]/", "-")
+  log_public_key_secret_name  = "projects/223810646869/secrets/${local.safe_origin}-log-public/versions/1"
+  log_private_key_secret_name = "projects/223810646869/secrets/${local.safe_origin}-log-secret/versions/1"
+  server_docker_image         = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/conformance-gcp:latest"
+  ephemeral                   = true
 }
 
 include "root" {
diff --git a/deployment/modules/gcp/tesseract/cloudrun/variables.tf b/deployment/modules/gcp/tesseract/cloudrun/variables.tf
index a3a666f0..692acff9 100644
--- a/deployment/modules/gcp/tesseract/cloudrun/variables.tf
+++ b/deployment/modules/gcp/tesseract/cloudrun/variables.tf
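Review bot: The two new `*_secret_name` locals embed the literal project number `223810646869`, while every other project reference in the same block goes through `include.root.locals.project_id`, so the secret paths keep pointing at one fixed project even if this config is applied under another. Secret Manager resource names accept the project ID as well as the number, so `log_public_key_secret_name = "projects/${include.root.locals.project_id}/secrets/${local.safe_origin}-log-public/versions/1"` (and the same for the private key) removes the duplication. Both names pin `versions/1`, which is only right if the secrets are recreated rather than rotated; if that is the intent (patch 5 adds a `destroy_test_keys` step), record it with a comment such as `# Secrets are recreated per CI run, so version 1 is always the current key.` The `terraform` block is cut off at the top of the hunk.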
@@ -75,16 +75,14 @@ variable "trace_fraction" {
   type = number
 }
 
-variable "log_public_key_suffix" {
-  description = "Suffix to apply to base_name to create the name of the log public key resource."
+variable "log_public_key_secret_name" {
+  description = "Secret manager secret version resource for the log public key. Format: projects/{projectId}/secrets/{secretName}/versions/{secretVersion}."
   type        = string
-  default     = "-public"
 }
 
-variable "log_private_key_suffix" {
-  description = "Suffix to apply to base_name to create the name of the log private key resource."
+variable "log_private_key_secret_name" {
+  description = "Secret manager secret version resource for the log private key. Format: projects/{projectId}/secrets/{secretName}/versions/{secretVersion}."
   type        = string
-  default     = "-secret"
 }
 
 variable "roots_remote_fetch_url" {
diff --git a/deployment/modules/gcp/tesseract/gce/variables.tf b/deployment/modules/gcp/tesseract/gce/variables.tf
index cd97594a..e079177a 100644
--- a/deployment/modules/gcp/tesseract/gce/variables.tf
+++ b/deployment/modules/gcp/tesseract/gce/variables.tf
@@ -125,7 +125,6 @@ variable "log_public_key_secret_name" {
 variable "log_private_key_secret_name" {
   description = "Secret manager secret version resource for the log private key. Format: projects/{projectId}/secrets/{secretName}/versions/{secretVersion}."
   type        = string
-  default     = "-secret"
 }
 
 variable "additional_signer_private_key_secret_names" {
From eeb50228baeb6d1b88e26bcb22bdc37a165c51a6 Mon Sep 17 00:00:00 2001
From: Al Cutter
Date: Mon, 26 Jan 2026 17:17:58 +0000
Subject: [PATCH 5/6] Cloud build

---
 .../gcp/cloudbuild/conformance/main.tf | 34 ++++++++++++++++---
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/deployment/modules/gcp/cloudbuild/conformance/main.tf b/deployment/modules/gcp/cloudbuild/conformance/main.tf
index 436d9b72..7b6bba1b 100644
--- a/deployment/modules/gcp/cloudbuild/conformance/main.tf
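Review bot: `log_public_key_secret_name` and `log_private_key_secret_name` document a required `projects/{projectId}/secrets/{secretName}/versions/{secretVersion}` format but do not enforce it, and now that the `-public`/`-secret` defaults are gone a stale caller that still passes a bare suffix only fails when the service tries to read the secret at runtime. A `validation` block on each variable, `condition = can(regex("^projects/[^/]+/secrets/[^/]+/versions/[^/]+$", var.log_public_key_secret_name))` with an `error_message` naming the expected format, moves that failure to plan time. The same applies to the gce `variables.tf` hunk of this patch, where only the stray default is dropped and the `variable "log_public_key_secret_name"` block above it is cut off.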
+++ b/deployment/modules/gcp/cloudbuild/conformance/main.tf @@ -24,7 +24,7 @@ locals { cloudbuild_service_account = "cloudbuild-${var.env}-sa@${var.project_id}.iam.gserviceaccount.com" artifact_repo = "${var.location}-docker.pkg.dev/${var.project_id}/${module.artifactregistry.docker.name}" conformance_gcp_docker_image = "${local.artifact_repo}/conformance-gcp" - origin = "static-ct-${var.env}" + origin = "${var.env}-conformance.ct.transparency.dev" # Must match the origin in the deplyment/gcp/static-ct-ci/logs/ci/terragrunt.hcl file. safe_origin = replace("${local.origin}", "/[^-a-zA-Z0-9]/", "-") } @@ -92,6 +92,31 @@ resource "google_cloudbuild_trigger" "build_trigger" { wait_for = ["prepare_terragrunt_opentofu_container"] } + ## Destroy test log keys + step { + id = "destroy_test_keys" + name = "gcr.io/cloud-builders/gcloud" + script = < /workspace/conformance_url terragrunt --terragrunt-no-color output --raw tesseract_bucket_name -no-color > /workspace/conformance_bucket_name - terragrunt --terragrunt-no-color output --raw ecdsa_p256_public_key_data -no-color > /workspace/conformance_log_public_key.pem EOT dir = var.log_terragrunt env = [ @@ -195,10 +219,10 @@ resource "google_cloudbuild_trigger" "build_trigger" { base64 -w 0 /workspace/conformance_log_public_key.der > /workspace/conformance_log_public_key retry -t 5 -d 15 --until=success go run ./internal/hammer \ - --origin="ci-static-ct-ci" \ + --origin="${local.origin}" \ --log_public_key="$(cat /workspace/conformance_log_public_key)" \ --log_url="https://storage.googleapis.com/$(cat /workspace/conformance_bucket_name)/" \ - --write_log_url="$(cat /workspace/conformance_url)/ci-static-ct-ci" \ + --write_log_url="$(cat /workspace/conformance_url)/${local.origin}" \ -v=1 \ --show_ui=false \ --bearer_token="$(cat /workspace/cb_access)" \ From 0a2ec8f02bb93a1cf41e64e7c16647fa30a7073a Mon Sep 17 00:00:00 2001 
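Review bot: The comment added to the `origin` line in the first hunk misspells the path (`deplyment/gcp/static-ct-ci/...`); the file whose value it must match is `deployment/live/gcp/static-ct-ci/logs/ci/terragrunt.hcl` as shown by the diff headers of patches 3 and 4, so a reader following the comment will not find it. More fundamentally the two definitions are coupled only by that comment: the terragrunt side computes `"${local.base_name}.ct.transparency.dev"` with `base_name = "${local.env}-conformance"`, and this module repeats the expansion by hand, so passing the origin into this module as a variable from the live cloudbuild config would make them one value. Until then suggest `# Must match local.origin in deployment/live/gcp/static-ct-ci/logs/ci/terragrunt.hcl.` The `locals` block closes within the hunk.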
From: Al Cutter
Date: Mon, 26 Jan 2026 17:17:58 +0000
Subject: [PATCH 6/6] tesseract/main.tf fmt

---
 deployment/modules/gcp/gce/tesseract/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deployment/modules/gcp/gce/tesseract/main.tf b/deployment/modules/gcp/gce/tesseract/main.tf
index ae9db77c..a893025b 100644
--- a/deployment/modules/gcp/gce/tesseract/main.tf
+++ b/deployment/modules/gcp/gce/tesseract/main.tf
@@ -177,7 +177,7 @@ resource "google_compute_region_instance_template" "tesseract" {
 }
 
 resource "google_compute_health_check" "healthz" {
-  count              = var.health_checks ? 1: 0
+  count              = var.health_checks ? 1 : 0
   name               = "${var.base_name}-mig-hc-http"
   timeout_sec        = 10
   check_interval_sec = 10