
Merge pull request #139 from pwei1018/main
Update scripts.
pwei1018 authored May 7, 2024
2 parents 927be81 + 1ec411f commit 0ac6e10
Showing 5 changed files with 84 additions and 70 deletions.
11 changes: 5 additions & 6 deletions gcp/iam/application-roles.sh → gcp/iam/application.sh
Expand Up @@ -2,8 +2,8 @@
#!/bin/bash

declare -a environments=("dev" "test" "tools" "prod" "integration" "sandbox")
declare -a projects=("a083gt" "mvnjri" "gtksf3" "yfjq17" "c4hnrd" "k973yf" "yfthig" "eogruh" "bcrbk9")
declare -a services=("api" "job" "queue" "cdcloudrun")
declare -a projects=("")
declare -a services=("api" "job" "queue")

for ev in "${environments[@]}"
do
Expand All @@ -23,25 +23,24 @@ do
SA_DESCRIPTION="Service Account for running $se services"
SA_ROLE="projects/${PROJECT_ID}/roles/$ROLE_NAME"

# create/update role
if [[ -z `gcloud iam roles describe $ROLE_NAME --project=${PROJECT_ID} --verbosity=none` ]]; then
gcloud iam roles create $ROLE_NAME --quiet --project=${PROJECT_ID} --file=role-$se.yaml
else
gcloud iam roles update $ROLE_NAME --quiet --project=${PROJECT_ID} --file=role-$se.yaml
fi

# create service account
if [[ -z `gcloud iam service-accounts describe $SA_FULL_NAME --project=${PROJECT_ID} --verbosity=none` ]]; then
## API service account
gcloud iam service-accounts create $SA_NAME \
--description="$SA_DESCRIPTION" \
--display-name="$SA_NAME"
fi

# role binding
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:$SA_FULL_NAME" \
--role="$SA_ROLE"

#gcloud iam service-accounts list --filter $SA_NAME
#gcloud iam roles describe $ROLE_NAME --project=${PROJECT_ID}
done
fi
done
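Review bot: `declare -a projects=("")` leaves one empty element in the array, so the project loop (which starts above this hunk) will presumably build a project id of the form `-dev` and run every gcloud call against a nonexistent project; if the empty string is a placeholder to be filled in, a guard such as `[[ -n "$ns" ]] || continue` where the element is read (or a header comment saying the array must be populated) prevents an accidental run. The existence checks `if [[ -z `gcloud iam roles describe ...` ]]` and the matching service-account check use `--verbosity=none` and test the output, so a describe that fails for any other reason (missing permission, wrong project, network) reads as "does not exist" and the script proceeds to create; testing the exit status instead, e.g. `if ! gcloud iam roles describe "$ROLE_NAME" --project="${PROJECT_ID}" >/dev/null 2>&1; then`, separates the two cases. Quoting the expansions (`"$ROLE_NAME"`, `"${PROJECT_ID}"`, `"$SA_FULL_NAME"`) and replacing the backticks with `$(…)` would let ShellCheck pass clean. Which of these lines are the commit's additions is not marked on this rendered page, so the latter points may predate it.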
9 changes: 7 additions & 2 deletions gcp/iam/cd-cloudrun-role.sh → gcp/iam/cd.sh
Expand Up @@ -2,8 +2,7 @@
#!/bin/bash

declare -a environments=("dev" "test" "tools" "prod" "integration" "sandbox")
#declare -a projects=("a083gt" "mvnjri" "gtksf3" "yfjq17" "c4hnrd" "k973yf" "yfthig" "eogruh" "bcrbk9")
declare -a projects=("bcrbk9")
#declare -a projects=("")
declare -a service="cdcloudrun"

for ev in "${environments[@]}"
Expand All @@ -22,29 +21,35 @@ do
SA_FULL_NAME="${PROJECT_NUMBER}[email protected]"
SA_ROLE="projects/${PROJECT_ID}/roles/$ROLE_NAME"

# create/update service account
if [[ -z `gcloud iam roles describe $ROLE_NAME --project=${PROJECT_ID} --verbosity=none` ]]; then
gcloud iam roles create $ROLE_NAME --quiet --project=${PROJECT_ID} --file=role-$service.yaml
else
gcloud iam roles update $ROLE_NAME --quiet --project=${PROJECT_ID} --file=role-$service.yaml
fi

# role binding
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:$SA_FULL_NAME" \
--role="$SA_ROLE"

# role binding - default cloud run service account
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:[email protected]" \
--role="$SA_ROLE"

# role binding - default cloud build service account
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:[email protected]" \
--role="$SA_ROLE"

# role binding - default cloud run robot service account
SA_ROBOT_FULL_NAME="service-${PROJECT_NUMBER}@serverless-robot-prod.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:$SA_ROBOT_FULL_NAME" \
--role="$SA_ROLE"

# role binding - default cloud run robot service account in cloud deploy project
SA_DEPLOY_ROLE="projects/c4hnrd-tools/roles/$ROLE_NAME"
gcloud projects add-iam-policy-binding c4hnrd-tools \
--member="serviceAccount:$SA_ROBOT_FULL_NAME" \
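Review bot: The `gcloud projects add-iam-policy-binding` calls in this hunk carry no `--condition=None` and no `--quiet`, unlike the binding added in gcp/iam/developer.sh in this same commit; on a project whose policy already holds conditional bindings gcloud stops to ask for a condition, which hangs an unattended run. Adding `--condition=None --quiet` to each call (and quoting `"${PROJECT_ID}"`) makes the scripts consistent. The bindings for what the comments call the default Cloud Run and default Cloud Build service accounts also grant the custom role to identities shared by every workload in the project; a dedicated account, as already done for `$SA_FULL_NAME`, keeps the grant scoped to the deployment pipeline. The last command continues past the end of the hunk, and which six of these lines are the additions is not marked on this rendered page.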
49 changes: 0 additions & 49 deletions gcp/iam/developer-roles.sh

This file was deleted.

50 changes: 50 additions & 0 deletions gcp/iam/developer.sh
@@ -0,0 +1,50 @@

#!/bin/bash

#declare -a users=("b")

#declare -a projects=("")

#declare -a environments=("dev" "test" "tools" "prod" "integration" "sandbox")
declare -a roles=("developer")

for user in "${users[@]}"
do
echo "user: $user"
for ev in "${environments[@]}"
do
for ns in "${projects[@]}"
do
echo "project: $ns-$ev"
PROJECT_ID=$ns-$ev

if [[ ! -z `gcloud projects describe ${PROJECT_ID} --verbosity=none` ]]; then
gcloud config set project ${PROJECT_ID}

for ro in "${roles[@]}"
do
ROLE_NAME="projects/${PROJECT_ID}/roles/role$ro"
ROLE_FILE=role-$se.yaml

if [ $ev = 'dev' ]; then
ROLE_FILE=role-$se-dev.yaml
fi

echo "role: $ROLE_NAME"

# create/update developer role
if [[ -z `gcloud iam roles describe $ROLE_NAME --project=${PROJECT_ID} --verbosity=none` ]]; then
gcloud iam roles create $ROLE_NAME --quiet --project=${PROJECT_ID} --file=$ROLE_FILE
else
gcloud iam roles update $ROLE_NAME --quiet --project=${PROJECT_ID} --file=$ROLE_FILE
fi

gcloud projects add-iam-policy-binding $PROJECT_ID \
--member user:$user \
--role=$ROLE_NAME \
--condition=None --verbosity=none --quiet
done
fi
done
done
done
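Review bot: `ROLE_FILE=role-$se.yaml` and, three lines later, `ROLE_FILE=role-$se-dev.yaml` read `$se`, which nothing in this new file assigns — the loop variable here is `ro` — so every role is created or updated from `role-.yaml`; the lines should read `ROLE_FILE=role-$ro.yaml` and `ROLE_FILE=role-$ro-dev.yaml`. With `users`, `projects` and `environments` all commented out the outer loops iterate nothing, which hides the bug at runtime; a header comment stating that those three arrays must be populated before the script is run would help the next user. `ROLE_NAME` is built as the full `projects/.../roles/role$ro` path and then passed to `gcloud iam roles describe`/`create`/`update` together with `--project`, whereas the other scripts in this commit pass the bare role id and keep the full path in a separate variable — worth confirming gcloud accepts the full path here. The unquoted `$PROJECT_ID`, `user:$user` and `[ $ev = 'dev' ]` should be quoted (`"$PROJECT_ID"`, `"user:$user"`, `[[ "$ev" == 'dev' ]]`).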
35 changes: 22 additions & 13 deletions gcp/iam/create-developer-roles.sh → gcp/iam/pubsub.sh
@@ -1,9 +1,9 @@

#!/bin/bash

declare -a environments=("dev")
declare -a projects=("a083gt" "mvnjri" "gtksf3" "yfjq17" "c4hnrd" "k973yf" "yfthig" "eogruh")
declare -a services=("developer")
declare -a environments=("dev" "test" "tools" "prod" "integration" "sandbox")
declare -a projects=("" "")
declare -a services=("pubsub")

for ev in "${environments[@]}"
do
Expand All @@ -17,29 +17,38 @@ do

for se in "${services[@]}"
do
ROLE_NAME="role$se"
SA_NAME="sa-$se"
SA_FULL_NAME="$SA_NAME@${PROJECT_ID}.iam.gserviceaccount.com"
SA_DESCRIPTION="Service Account for running $se services"
SA_ROLE="projects/${PROJECT_ID}/roles/$ROLE_NAME"

if [[ -z `gcloud iam roles describe $ROLE_NAME --project=${PROJECT_ID} --verbosity=none` ]]; then
gcloud iam roles create $ROLE_NAME --quiet --project=${PROJECT_ID} --file=role-$se-dev.yaml
else
gcloud iam roles update $ROLE_NAME --quiet --project=${PROJECT_ID} --file=role-$se-dev.yaml
fi

# create service account
if [[ -z `gcloud iam service-accounts describe $SA_FULL_NAME --project=${PROJECT_ID} --verbosity=none` ]]; then
## API service account
gcloud iam service-accounts create $SA_NAME \
--description="$SA_DESCRIPTION" \
--display-name="$SA_NAME"
fi

# role binding
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:$SA_FULL_NAME" \
--role="roles/pubsub.publisher"

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:$SA_FULL_NAME" \
--role="$SA_ROLE"
--role="roles/pubsub.subscriber"

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:$SA_FULL_NAME" \
--role="roles/iam.serviceAccountTokenCreator"

# create key
gcloud iam service-accounts keys create ${SA_NAME}-${PROJECT_ID}.json --iam-account=${SA_FULL_NAME}

# encode key
echo "project: $ns-$ev \n" >> key.txt
echo "GCP_AUTH_KEY=$(cat ${SA_NAME}-${PROJECT_ID}.json | base64)" >> key.txt

rm ${SA_NAME}-${PROJECT_ID}.json
#gcloud iam service-accounts list --filter $SA_NAME
#gcloud iam roles describe $ROLE_NAME --project=${PROJECT_ID}
done
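Review bot: The new key-export step creates a long-lived service-account key, base64-encodes it and appends it to `key.txt` in the working directory, then deletes only the JSON: the encoded copy persists, one entry per project, with default file permissions, no cleanup, and nothing stopping a later `git add` from picking it up. If a downloadable key is unavoidable, set `umask 077` before the first write and remove `key.txt` once the secret has been stored in its destination; otherwise workload identity federation for the consumer avoids the key altogether. Two smaller defects sit in the same lines: bash `echo` does not interpret `\n`, so the `project:` marker line ends in a literal backslash-n, and GNU `base64` wraps at 76 columns, so the `GCP_AUTH_KEY=` value is split across several lines — `base64 -w0` (GNU coreutils) or `base64 | tr -d '\n'` keeps it on one line, and `cat … | base64` can be `base64 < file`. Separately, `roles/iam.serviceAccountTokenCreator` granted at project level lets `sa-pubsub` mint tokens for every service account in the project; if impersonation of one target account is what is needed, bind the role on that account with `gcloud iam service-accounts add-iam-policy-binding` instead.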
