Improve and fix GCP CI test

cmd/tesseract/gcp/generate_key/main.go

@@ -76,11 +76,11 @@ func main() {
 		sec, pub = genEd25519KeypairNote()
 	}
 
-	pubKName := fmt.Sprintf("%s-%s-public", *keyUsage, resourceFromOrigin(*origin))
+	pubKName := fmt.Sprintf("%s-%s-public", resourceFromOrigin(*origin), *keyUsage)
 	if err := createSecret(ctx, *projectID, client, pubKName, pub); err != nil {
 		exit("Failed to create secret %q: %v", pubKName, err)
 	}
-	secKName := fmt.Sprintf("%s-%s-secret", *keyUsage, resourceFromOrigin(*origin))
+	secKName := fmt.Sprintf("%s-%s-secret", resourceFromOrigin(*origin), *keyUsage)
 	if err := createSecret(ctx, *projectID, client, secKName, sec); err != nil {
 		exit("Failed to create secret %q: %v", secKName, err)
 	}

deployment/live/gcp/static-ct-ci/logs/ci/terragrunt.hcl

@@ -3,14 +3,15 @@ terraform {
 }
 
 locals {
-  env                    = "ci"
-  docker_env             = local.env
-  base_name              = "${local.env}-conformance"
-  origin_suffix          = ".ct.transparency.dev"
-  log_public_key_suffix  = "-ecdsa-p256-public-key"  # Legacy key name pattern.
-  log_private_key_suffix = "-ecdsa-p256-private-key" # Legacy key name pattern.
-  server_docker_image    = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/conformance-gcp:latest"
-  ephemeral              = true
+  env                         = "ci"
+  docker_env                  = local.env
+  base_name                   = "${local.env}-conformance"
+  origin                      = "${local.base_name}.ct.transparency.dev"
+  safe_origin                 = replace("${local.origin}", "/[^-a-zA-Z0-9]/", "-")
+  log_public_key_secret_name  = "projects/223810646869/secrets/${local.safe_origin}-log-public/versions/1"
+  log_private_key_secret_name = "projects/223810646869/secrets/${local.safe_origin}-log-secret/versions/1"
+  server_docker_image         = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/conformance-gcp:latest"
+  ephemeral                   = true
 }
 
 include "root" {

deployment/live/gcp/static-ct-staging/logs/arche2025h1/terragrunt.hcl

@@ -6,7 +6,7 @@ locals {
   env                                        = include.root.locals.env
   docker_env                                 = local.env
   base_name                                  = include.root.locals.base_name
-  origin_suffix                              = include.root.locals.origin_suffix
+  origin                                     = "${local.base_name}${include.root.locals.origin_suffix}"
   not_after_start                            = "2025-01-01T00:00:00Z"
   not_after_limit                            = "2025-07-01T00:00:00Z"
   server_docker_image                        = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/tesseract-gcp:${include.root.locals.docker_container_tag}"

deployment/live/gcp/static-ct-staging/logs/arche2025h2/terragrunt.hcl

@@ -6,7 +6,7 @@ locals {
   env                                        = include.root.locals.env
   docker_env                                 = local.env
   base_name                                  = include.root.locals.base_name
-  origin_suffix                              = include.root.locals.origin_suffix
+  origin                                     = "${local.base_name}${include.root.locals.origin_suffix}"
   not_after_start                            = "2025-07-01T00:00:00Z"
   not_after_limit                            = "2026-01-01T00:00:00Z"
   server_docker_image                        = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/tesseract-gcp:${include.root.locals.docker_container_tag}"

deployment/live/gcp/static-ct-staging/logs/arche2026h1/terragrunt.hcl

@@ -6,7 +6,7 @@ locals {
   env                                        = include.root.locals.env
   docker_env                                 = local.env
   base_name                                  = include.root.locals.base_name
-  origin_suffix                              = include.root.locals.origin_suffix
+  origin                                     = "${local.base_name}${include.root.locals.origin_suffix}"
   not_after_start                            = "2026-01-01T00:00:00Z"
   not_after_limit                            = "2026-07-01T00:00:00Z"
   server_docker_image                        = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/tesseract-gcp:${include.root.locals.docker_container_tag}"

deployment/modules/gcp/cloudbuild/conformance/main.tf

@@ -24,6 +24,8 @@ locals {
   cloudbuild_service_account   = "cloudbuild-${var.env}-sa@${var.project_id}.iam.gserviceaccount.com"
   artifact_repo                = "${var.location}-docker.pkg.dev/${var.project_id}/${module.artifactregistry.docker.name}"
   conformance_gcp_docker_image = "${local.artifact_repo}/conformance-gcp"
+  origin                       = "${var.env}-conformance.ct.transparency.dev" # Must match the origin in the deplyment/gcp/static-ct-ci/logs/ci/terragrunt.hcl file.
+  safe_origin                 = replace("${local.origin}", "/[^-a-zA-Z0-9]/", "-")
 }
 
 resource "google_project_service" "cloudbuild_api" {
@@ -90,6 +92,31 @@ resource "google_cloudbuild_trigger" "build_trigger" {
       wait_for = ["prepare_terragrunt_opentofu_container"]
     }
 
+    ## Destroy test log keys
+    step {
+      id       = "destroy_test_keys"
+      name     = "gcr.io/cloud-builders/gcloud"
+      script   = <<EOT
+        # The generate_key tool creates two keys based on the provided origin string, adding "-log-public" and "-log-secret" suffixes.
+        # Delete both of these as we'll recretate them in the next build step.
+        gcloud secrets delete --quiet "${local.safe_origin}-log-public"
+        gcloud secrets delete --quiet "${local.safe_origin}-log-secret"
+      EOT
+      # Don't get upset if the key doesn't exist.
+      allow_failure = true
+      wait_for = ["prepare_terragrunt_opentofu_container"]
+    }
+
+    ## Create new test log keys
+    step {
+      id       = "create_test_keys"
+      name     = "golang"
+      script   = <<EOT
+      go run ./cmd/tesseract/gcp/generate_key --project_id ${var.project_id} --log_origin ${local.origin} | sed -e '1,/Public Key:/d' | tee /workspace/conformance_log_public_key.pem
+    EOT
+      wait_for = ["destroy_test_keys"]
+    }
+
     ## Build TesseraCT GCP Docker image.
     ## This will be used by the building the conformance Docker image which includes 
     ## the test data.
@@ -147,7 +174,7 @@ resource "google_cloudbuild_trigger" "build_trigger" {
         "TF_INPUT=false",
         "TF_VAR_project_id=${var.project_id}"
       ]
-      wait_for = ["preclean_env", "docker_push_conformance_gcp"]
+      wait_for = ["preclean_env", "create_test_keys", "docker_push_conformance_gcp"]
     }
 
     ## Print Terragrunt output to files.
@@ -157,7 +184,6 @@ resource "google_cloudbuild_trigger" "build_trigger" {
       script = <<EOT
         terragrunt --terragrunt-no-color output --raw tesseract_url -no-color > /workspace/conformance_url
         terragrunt --terragrunt-no-color output --raw tesseract_bucket_name -no-color > /workspace/conformance_bucket_name
-        terragrunt --terragrunt-no-color output --raw ecdsa_p256_public_key_data -no-color > /workspace/conformance_log_public_key.pem
       EOT
       dir    = var.log_terragrunt
       env = [
@@ -193,10 +219,10 @@ resource "google_cloudbuild_trigger" "build_trigger" {
         base64 -w 0 /workspace/conformance_log_public_key.der > /workspace/conformance_log_public_key
 
         retry -t 5 -d 15 --until=success go run ./internal/hammer \
-          --origin="ci-static-ct-ci" \
+          --origin="${local.origin}" \
           --log_public_key="$(cat /workspace/conformance_log_public_key)" \
           --log_url="https://storage.googleapis.com/$(cat /workspace/conformance_bucket_name)/" \
-          --write_log_url="$(cat /workspace/conformance_url)/ci-static-ct-ci" \
+          --write_log_url="$(cat /workspace/conformance_url)/${local.origin}" \
           -v=1 \
           --show_ui=false \
           --bearer_token="$(cat /workspace/cb_access)" \

deployment/modules/gcp/cloudrun/main.tf

@@ -46,8 +46,8 @@ resource "google_cloud_run_v2_service" "default" {
         "--spanner_db_path=${local.spanner_log_db_path}",
         "--spanner_antispam_db_path=${local.spanner_antispam_db_path}",
         "--roots_pem_file=/bin/test_root_ca_cert.pem",
-        "--origin=${var.base_name}${var.origin_suffix}",
-        "--path_prefix=${var.base_name}${var.origin_suffix}",
+        "--origin=${var.origin}",
+        "--path_prefix=${var.origin}",
         "--signer_public_key_secret_name=${var.signer_public_key_secret_name}",
         "--signer_private_key_secret_name=${var.signer_private_key_secret_name}",
         "--inmemory_antispam_cache_size=256k",

deployment/modules/gcp/cloudrun/variables.tf

@@ -8,8 +8,8 @@ variable "base_name" {
   type        = string
 }
 
-variable "origin_suffix" {
-  description = "Origin suffix, appended to base_name"
+variable "origin" {
+  description = "Log origin"
   type        = string
 }
 

deployment/modules/gcp/gce/tesseract/main.tf

@@ -46,7 +46,7 @@ locals {
     "-spanner_db_path=${local.spanner_log_db_path}",
     "-spanner_antispam_db_path=${local.spanner_antispam_db_path}",
     format("-roots_pem_file=%s", var.accepted_roots == "" ? "/bin/test_root_ca_cert.pem" : local.accepted_roots_file),
-    "-origin=${var.base_name}${var.origin_suffix}",
+    "-origin=${var.origin}",
     "-signer_public_key_secret_name=${var.signer_public_key_secret_name}",
     "-signer_private_key_secret_name=${var.signer_private_key_secret_name}",
     "-inmemory_antispam_cache_size=256k",
@@ -177,7 +177,7 @@ resource "google_compute_region_instance_template" "tesseract" {
 }
 
 resource "google_compute_health_check" "healthz" {
-  count               = var.health_checks ? 1: 0
+  count               = var.health_checks ? 1 : 0
   name                = "${var.base_name}-mig-hc-http"
   timeout_sec         = 10
   check_interval_sec  = 10

deployment/modules/gcp/gce/tesseract/variables.tf

@@ -8,8 +8,8 @@ variable "base_name" {
   type        = string
 }
 
-variable "origin_suffix" {
-  description = "Origin suffix, appended to base_name"
+variable "origin" {
+  description = "Log origin"
   type        = string
 }
 

deployment/modules/gcp/tesseract/cloudrun/main.tf

@@ -18,7 +18,7 @@ module "cloudrun" {
   env                            = var.env
   project_id                     = var.project_id
   base_name                      = var.base_name
-  origin_suffix                  = var.origin_suffix
+  origin                         = var.origin
   location                       = var.location
   server_docker_image            = var.server_docker_image
   not_after_start                = var.not_after_start

deployment/modules/gcp/tesseract/cloudrun/variables.tf

@@ -8,8 +8,8 @@ variable "base_name" {
   type        = string
 }
 
-variable "origin_suffix" {
-  description = "Origin suffix, appended to base_name"
+variable "origin" {
+  description = "Log origin"
   type        = string
 }
 
@@ -75,16 +75,14 @@ variable "trace_fraction" {
   type        = number
 }
 
-variable "log_public_key_suffix" {
-  description = "Suffix to apply to base_name to create the name of the log public key resource."
+variable "log_public_key_secret_name" {
+  description = "Secret manager secret version resource for the log public key. Format: projects/{projectId}/secrets/{secretName}/versions/{secretVersion}."
   type        = string
-  default     = "-public"
 }
 
-variable "log_private_key_suffix" {
-  description = "Suffix to apply to base_name to create the name of the log private key resource."
+variable "log_private_key_secret_name" {
+  description = "Secret manager secret version resource for the log private key. Format: projects/{projectId}/secrets/{secretName}/versions/{secretVersion}."
   type        = string
-  default     = "-secret"
 }
 
 variable "roots_remote_fetch_url" {

deployment/modules/gcp/tesseract/gce/main.tf

@@ -19,7 +19,7 @@ module "gce" {
   env                                        = var.env
   project_id                                 = var.project_id
   base_name                                  = var.base_name
-  origin_suffix                              = var.origin_suffix
+  origin                                     = var.origin
   location                                   = var.location
   server_docker_image                        = var.server_docker_image
   machine_type                               = var.machine_type

deployment/modules/gcp/tesseract/gce/variables.tf

@@ -8,8 +8,8 @@ variable "base_name" {
   type        = string
 }
 
-variable "origin_suffix" {
-  description = "Origin suffix, appended to base_name"
+variable "origin" {
+  description = "Log origin"
   type        = string
 }
 
@@ -125,7 +125,6 @@ variable "log_public_key_secret_name" {
 variable "log_private_key_secret_name" {
   description = "Secret manager secret version resource for the log private key. Format: projects/{projectId}/secrets/{secretName}/versions/{secretVersion}."
   type        = string
-  default     = "-secret"
 }
 
 variable "additional_signer_private_key_secret_names" {