generate SRE role (#191)

gcp/iam/sre-role/README.md

@@ -0,0 +1,7 @@
+**Role SRE**
+
+ *generate-sre-role.sh* script generates role for SRE team member via taking a union of all enabled APIs across BC Registries GCP projects minus the excluded APIs and permissions.
+
+Current role definition generated via the script is commited to the repo to track changes.
+
+As of writing, GCP does not allow custom roles with more than 3000 permissions or permissions files larger than 64KB. In addition, some permissions cannot be assigned to custom roles. Every attempt is made to make SRE role mimic project owner role within that constraint.

gcp/iam/sre-role/excluded-api-list.txt

@@ -0,0 +1,88 @@
+automlrecommendations
+aiplatform
+analyticshub
+applianceactivation
+appengine
+appenginereporting
+billing
+bigtable
+bigquerymigration
+blockchainvalidatormanager
+capacityplanner
+carestudio
+certificatemanager
+chroniclesm
+clientauthconfig
+cloudasset
+cloudkms
+cloudjobdiscovery
+cloudiottoken
+cloudonefs
+cloudaicompanion
+cloudtranslate
+cloudmigration
+compute
+commerceagreementpublishing
+commercebusinessenablement
+commerceoffercatalog
+commerceorggovernance
+commerceprice
+datamigration
+dataprep
+documentai
+chronicle
+cloudprivatecatalogproducer
+cloudvolumesgcp
+cloudvolumesgcp-api
+cloudtestservice
+consumerprocurement
+contactcenterinsights
+container
+containerfilesystem
+dataform
+datamigration
+dataplex
+developerconnect
+dns
+domains
+earthengine
+edgecache
+eventarc
+financialservices
+fleetengine
+gcp
+genomics
+gdchardwaremanagement
+gkebackup
+googlecloudmessaging
+healthcare
+lookerstudio
+mandiant
+marketplacesolutions
+mapsadmin
+mapsanalytics
+ml
+nestconsole
+networksecurity
+notebooks
+osconfig
+privilegedaccessmanager
+proximitybeacon
+recommender
+redis
+riskmanager
+riscconfigurationservice
+rma
+storagetransfer
+testing
+securesourcemanager
+servicebroker
+speakerid
+speech
+telcoautomation
+videostitcher
+visionai
+visualinspection
+vmmigration
+vmwareengine
+workstations

gcp/iam/sre-role/excluded-permission-list.txt

@@ -0,0 +1,71 @@
+networksecurity.firewallEndpoints.get
+networksecurity.firewallEndpoints.list
+networksecurity.firewallEndpoints.use
+serviceusage.apiKeys.regenerate
+serviceusage.apiKeys.revert
+serviceusage.services.disable
+serviceusage.services.enable
+iam.roles.create
+iam.roles.delete
+iam.roles.update
+iam.serviceAccounts.create
+iam.serviceAccounts.delete
+iam.serviceAccounts.update
+iam.googleapis.com/oauthClients.create
+iam.googleapis.com/oauthClients.delete
+iam.googleapis.com/oauthClients.update
+iam.googleapis.com/workforcePools.create
+iam.googleapis.com/workloadIdentityPools.create
+iam.workloadIdentityPools.updatePolicyBinding
+iam.googleapis.com/workforcePoolProviderKeys.create
+iam.googleapis.com/workforcePoolProviderKeys.delete
+iam.googleapis.com/workforcePoolProviderKeys.get
+iam.googleapis.com/workforcePoolProviderKeys.list
+iam.googleapis.com/workforcePoolProviderKeys.undelete
+iam.googleapis.com/workforcePoolProviders.create
+iam.googleapis.com/workforcePoolProviders.delete
+iam.googleapis.com/workforcePoolProviders.get
+iam.googleapis.com/workforcePoolProviders.list
+iam.googleapis.com/workforcePoolProviders.undelete
+iam.googleapis.com/workforcePoolProviders.update
+iam.googleapis.com/workforcePoolSubjects.delete
+iam.googleapis.com/workforcePoolSubjects.undelete
+iam.googleapis.com/workforcePools.createPolicyBinding
+iam.googleapis.com/workforcePools.delete
+iam.googleapis.com/workforcePools.deletePolicyBinding
+iam.googleapis.com/workforcePools.get
+iam.googleapis.com/workforcePools.getIamPolicy
+iam.googleapis.com/workforcePools.list
+iam.googleapis.com/workforcePools.searchPolicyBindings
+iam.googleapis.com/workforcePools.setIamPolicy
+iam.googleapis.com/workforcePools.undelete
+iam.googleapis.com/workforcePools.update
+iam.googleapis.com/workforcePools.updatePolicyBinding
+iam.googleapis.com/workspacePools.createPolicyBinding
+iam.googleapis.com/workspacePools.deletePolicyBinding
+iam.googleapis.com/workspacePools.searchPolicyBindings
+iam.googleapis.com/workspacePools.updatePolicyBinding
+iam.principalaccessboundarypolicies.searchPolicyBindings
+resourcemanager.folders.createPolicyBinding
+resourcemanager.folders.deletePolicyBinding
+resourcemanager.folders.searchPolicyBindings
+resourcemanager.folders.updatePolicyBinding
+resourcemanager.organizations.createPolicyBinding
+resourcemanager.organizations.deletePolicyBinding
+resourcemanager.organizations.searchPolicyBindings
+resourcemanager.organizations.updatePolicyBinding
+resourcemanager.projects.list
+securedlandingzone.operations.get
+securitycenter.attackpaths.list
+securitycenter.exposurepathexplan.get
+securitycenter.organizationsettings.get
+securitycenter.organizationsettings.update
+securitycenter.resourcevalueconfigs.create
+securitycenter.resourcevalueconfigs.delete
+securitycenter.resourcevalueconfigs.get
+securitycenter.resourcevalueconfigs.list
+securitycenter.resourcevalueconfigs.update
+securitycenter.simulations.get
+securitycenter.subscription.get
+securitycenter.valuedresources.list
+source.repos.update

gcp/iam/sre-role/generate-sre-role.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+
+declare -a projects=("a083gt" "bcrbk9" "c4hnrd" "eogruh" "gtksf3" "k973yf" "keee67" "okagqp" "sbgmug" "yfjq17" "yfthig")
+declare -a environments=("dev" "test" "tools" "prod" "integration" "sandbox")
+
+
+ROLE_NAME="SRE"
+ROLE_FILE="role-sre.yaml"
+ENABLED_API_DUMP="enabled-api-keywords.txt"
+ALL_API_DUMP="all-api-keywords.txt"
+DISABLED_API_DUMP="disabled-api-keywords.txt"
+EXCLUDED_API="excluded-api-list.txt"
+EXCLUDED_PERMISSIONS="excluded-permission-list.txt"
+
+FILTERED_ROLE_FILE="filtered-role-sre.yaml"
+
+
+# Create a consolidated list of all enabled APIs for all projects
+touch "${ENABLED_API_DUMP}"
+
+for ev in "${environments[@]}"; do
+    for ns in "${projects[@]}"; do
+        PROJECT_ID="${ns}-${ev}"
+        echo "Processing project: ${PROJECT_ID}"
+
+        if gcloud projects describe "${PROJECT_ID}" --quiet --verbosity=none >/dev/null 2>&1; then
+            gcloud config set project "${PROJECT_ID}"
+
+            # List enabled services for this project and append unique APIs
+            gcloud services list --enabled | grep "\.googleapis\.com" | sed 's/\.googleapis\.com.*//' >> "${ENABLED_API_DUMP}"
+
+            # List all APIs
+            gcloud services list --available | grep "\.googleapis\.com" | sed 's/\.googleapis\.com.*//' >> "${ALL_API_DUMP}"
+
+
+        else
+            echo "Project ${PROJECT_ID} does not exist or cannot be accessed. Skipping."
+        fi
+    done
+done
+
+# Remove duplicate entries
+sort -u -o "${ENABLED_API_DUMP}" "${ENABLED_API_DUMP}"
+# Remove duplicate entries
+sort -u -o "${ALL_API_DUMP}" "${ALL_API_DUMP}"
+
+comm -13 "${ENABLED_API_DUMP}" "${ALL_API_DUMP}" > "${DISABLED_API_DUMP}"
+
+# Generate the folder-level IAM role description
+gcloud iam roles describe roles/owner > "${ROLE_FILE}"
+cat "${EXCLUDED_API}" >> "${DISABLED_API_DUMP}"
+sort -u -o "${DISABLED_API_DUMP}" "${DISABLED_API_DUMP}"
+
+grep -v -E "^-\ ($(sed 's/$/\\./' "${DISABLED_API_DUMP}" | tr '\n' '|' | sed 's/|$//'))" "${ROLE_FILE}" > "${FILTERED_ROLE_FILE}"
+
+# Need this role for managing VPC Connectors
+gcloud iam roles describe roles/compute.networkUser >> "${FILTERED_ROLE_FILE}"
+
+grep -Ev "^-\s($(awk '{print $1}' "${EXCLUDED_PERMISSIONS}" | paste -sd '|' -))\s*$" "${FILTERED_ROLE_FILE}" > temp_file && mv temp_file "${FILTERED_ROLE_FILE}"
+
+sort -u -o "${FILTERED_ROLE_FILE}" "${FILTERED_ROLE_FILE}"
+
+(echo 'title: "Role SRE"'
+echo 'description: "Role for SRE."'
+echo 'stage: "GA"'
+echo 'includedPermissions:'
+grep '^- ' "${FILTERED_ROLE_FILE}") > "$ROLE_FILE"
+
+
+# Clean up temporary files
+rm "${FILTERED_ROLE_FILE}" "${ENABLED_API_DUMP}" "${DISABLED_API_DUMP}" "{$ALL_API_DUMP}"
+
+for ev in "${environments[@]}"
+   do
+       for ns in "${projects[@]}"
+       do
+          echo "project: $ns-$ev"
+          PROJECT_ID=$ns-$ev
+          if [[ -z `gcloud iam roles describe $ROLE_NAME --project=${PROJECT_ID} --verbosity=none` ]]; then
+              gcloud iam roles create $ROLE_NAME --quiet --project=${PROJECT_ID} --file=$ROLE_FILE
+          else
+              gcloud iam roles update $ROLE_NAME --quiet --project=${PROJECT_ID} --file=$ROLE_FILE
+          fi
+      done
+done