add extra params to manual workflow (#211)

gcp/pam/cloud-functions/pam-request-grant-approve/main.py

@@ -6,6 +6,9 @@
 from google.cloud import secretmanager
 
 project_number = os.environ['PROJECT_NUMBER']
+permissions = os.environ['DB_PERMISSIONS']
+entitlement = os.environ['GCP_ENTITLEMENT']
+database = os.environ['DB_NAME']
 pam_api_secret_id = os.environ['PAM_API_KEY_SECRET_ID']
 pam_api_secret_name = f"projects/{project_number}/secrets/{pam_api_secret_id}/versions/latest"
 client = secretmanager.SecretManagerServiceClient()
@@ -72,6 +75,9 @@ def pam_event_handler(event, context):
             "assignee": email,
             "entitlement": role_name,
             "duration": minutes,
+            "entitlement": entitlement,
+            "permissions": permissions,
+            "database": database,
             "robot": False
         }
 

gcp/pam/cloud-functions/pam-request-grant-approve/requirements.txt

@@ -1,4 +1,3 @@
-cachetools 5.5.0
 certifi==2024.12.14
 charset-normalizer==3.4.0
 click==8.1.7
@@ -7,26 +6,14 @@ deprecation==2.1.0
 flask==2.2.5
 functions-framework==3.8.1
 gunicorn==23.0.0
-google-api-core==2.24.0
-google-auth==2.37.0
 google-cloud-secret-manager==2.22.0
-googleapis-common-protos==1.66.0
-grpc-google-iam-v1==0.13.1
-grpcio-status==1.68.1
-grpcio==1.68.1
-gunicorn==23.0.0
 idna==3.10
 importlib-metadata==6.7.0
 itsdangerous==2.1.2
 jinja2==3.1.4
 markupsafe==2.1.5
 packaging==24.0
-proto-plus==1.25.0
-protobuf==5.29.2
-pyasn1-modules==0.4.1
-pyasn1==0.6.1
 requests==2.32.3
-rsa==4.9
 typing-extensions==4.7.1
 urllib3==2.2.3
 watchdog==3.0.0

gcp/pam/cloud-functions/pam-request-grant-create/main.py

@@ -95,7 +95,7 @@ def check_pam(user_email, role, project_id):
         for entitlement in response:
             for eligible_user in entitlement.eligible_users:
                 # Check if user_email exists in eligible_user.principals (case-insensitive)
-                if any(f'{prefix}:{user_email_lower}' in principal.lower() for principal in eligible_user.principals for prefix in ['user', 'serviceAccount']):
+                if any(f'{prefix}:{user_email_lower}' in principal.lower() for principal in eligible_user.principals for prefix in ['user', 'serviceaccount']):
                     for binding in entitlement.privileged_access.gcp_iam_access.role_bindings:
                         if binding.role == f'projects/{project_id}/roles/{role}':
                             return True, entitlement.max_request_duration.seconds

gcp/pam/generate-pam-infra.sh

@@ -10,6 +10,8 @@ DB_PASSWORD_SECRET_ID="DATA_WAREHOUSE_PAY_PASSWORD"
 PAM_API_KEY_SECRET_ID="PAM_API_KEY"
 PAM_API_URL_SECRET_ID="PAM_API_URL"
 DB_INSTANCE_CONNECTION_NAME="mvnjri-prod:northamerica-northeast1:fin-warehouse-prod"
+DB_PERMISSIONS="readonly"
+GCP_ENTITLEMENT="roleitops"
 
 for ev in "${environments[@]}"
   do
@@ -79,9 +81,10 @@ for ev in "${environments[@]}"
             --trigger-topic pam-approve-topic \
             --entry-point pam_event_handler \
             --source cloud-functions/pam-request-grant-approve \
-            --set-env-vars PROJECT_NUMBER=${PROJECT_NUMBER},PAM_API_URL_SECRET_ID=${PAM_API_URL_SECRET_ID},PAM_API_KEY_SECRET_ID=${PAM_API_KEY_SECRET_ID} \
+            --set-env-vars PROJECT_NUMBER=${PROJECT_NUMBER},PAM_API_URL_SECRET_ID=${PAM_API_URL_SECRET_ID},PAM_API_KEY_SECRET_ID=${PAM_API_KEY_SECRET_ID},DB_PERMISSIONS=${DB_PERMISSIONS},GCP_ENTITLEMENT=${GCP_ENTITLEMENT},DB_NAME=${DB_NAME} \
             --region $REGION
 
+
             # gcloud functions deploy pam-grant-test \
             # --runtime python312 \
             # --trigger-http \