provisioning gcp
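#!/usr/bin/env bash
#
# Bootstrap a Terraform admin project on GCP: create the project, link it to
# a billing account, create a Terraform service account and a key for it,
# grant that service account roles on a set of folders and on the
# organization, enable the BigQuery APIs, and create a versioned GCS bucket
# that receives the Terraform backend config, .envrc and the key file.
#
# Required environment variables:
#   TF_ADMIN                project id to create (also used as the bucket name)
#   TF_FOLDER_id_AUTO_SVC   folder the project is created in (also gets bindings)
#   TF_FOLDER_id_AME        additional folder that gets the folder bindings
#   TF_FOLDER_id_APA        additional folder that gets the folder bindings
#   TF_FOLDER_id_EMA        additional folder that gets the folder bindings
#   TF_VAR_billing_account  billing account linked to the new project
#   TF_SANAME               service account name (local part of its email)
#   TF_CREDS                path the service-account key file is written to
#   TF_VAR_org_id           organization that gets the org bindings
#
# Side effects: writes ./backend.tf, uploads ./.envrc and
# ./${TF_ADMIN}-admin.json to gs://${TF_ADMIN}.
set -euo pipefail
# -x echoes every gcloud/gsutil invocation (project, folder, billing ids)
# to stderr; kept from the original for traceability.
set -x

# Fail early with a clear message when a required variable is missing,
# rather than handing gcloud an empty argument half way through.
: "${TF_ADMIN:?must be set}"
: "${TF_FOLDER_id_AUTO_SVC:?must be set}"
: "${TF_FOLDER_id_AME:?must be set}"
: "${TF_FOLDER_id_APA:?must be set}"
: "${TF_FOLDER_id_EMA:?must be set}"
: "${TF_VAR_billing_account:?must be set}"
: "${TF_SANAME:?must be set}"
: "${TF_CREDS:?must be set}"
: "${TF_VAR_org_id:?must be set}"

# Roles granted to the service account on every folder in folder_ids.
declare -ra folder_roles=(
  "roles/resourcemanager.folderAdmin"
  "roles/bigquery.admin"
  "roles/cloudfunctions.admin"
  "roles/cloudkms.admin"
  "roles/cloudsql.admin"
  "roles/logging.configWriter"
  "roles/pubsub.admin"
  "roles/iam.serviceAccountUser"
  "roles/iam.serviceAccountAdmin"
  "roles/storage.admin"
)

# Roles granted to the service account on the organization.
declare -ra org_roles=(
  "roles/billing.admin"
  "roles/billing.projectManager"
  "roles/iam.organizationRoleAdmin"
  "roles/iam.securityAdmin"
  "roles/resourcemanager.projectCreator"
)

# Folders that receive the folder_roles bindings, in the original order.
declare -ra folder_ids=(
  "${TF_FOLDER_id_AME}"
  "${TF_FOLDER_id_APA}"
  "${TF_FOLDER_id_EMA}"
  "${TF_FOLDER_id_AUTO_SVC}"
)

# Fully qualified service-account email, and the --member form of it used
# by every IAM binding below.
readonly sa_email="${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com"
readonly sa_member="serviceAccount:${sa_email}"

#######################################
# Grant every role in folder_roles to the service account on one folder.
# Globals:   folder_roles, sa_member (read)
# Arguments: $1 - folder id
# Returns:   non-zero (and aborts under set -e) if any binding fails
#######################################
bind_folder_roles() {
  local folder_id=$1
  local role
  for role in "${folder_roles[@]}"; do
    gcloud alpha resource-manager folders add-iam-policy-binding "${folder_id}" \
      --member "${sa_member}" \
      --role "${role}"
  done
}

# -- create project & set current project as working project
gcloud projects create "${TF_ADMIN}" --folder "${TF_FOLDER_id_AUTO_SVC}" --set-as-default

# -- link to billing account
gcloud beta billing projects link "${TF_ADMIN}" \
  --billing-account "${TF_VAR_billing_account}"

# -- create the service account
gcloud iam service-accounts create "${TF_SANAME}" \
  --display-name "${TF_SANAME}"

# -- create service account keys. This is a long-lived user-managed key
# written to ${TF_CREDS}; treat that file as a secret.
gcloud iam service-accounts keys create "${TF_CREDS}" \
  --iam-account "${sa_email}"

# add the array of permissions to each folder
for folder_id in "${folder_ids[@]}"; do
  bind_folder_roles "${folder_id}"
done

# -- ENABLE ALL APIS NEEDED (in the project set as default above)
gcloud services enable bigquery-json.googleapis.com
gcloud services enable bigquerystorage.googleapis.com

# -- load up the roles to be applied to the ORG
for role in "${org_roles[@]}"; do
  gcloud organizations add-iam-policy-binding "${TF_VAR_org_id}" \
    --member "${sa_member}" \
    --role "${role}"
done

# create a bucket inside our project to capture .envrc & admin.json creds
# NOTE(review): this bucket ends up holding a service-account key; restrict
# who can read it (bucket IAM) before the uploads below run.
gsutil mb -p "${TF_ADMIN}" "gs://${TF_ADMIN}"

# Terraform backend config pointing at the bucket. The heredoc delimiter is
# deliberately unquoted so ${TF_ADMIN} expands into the file.
cat > backend.tf << EOF
terraform {
backend "gcs" {
bucket = "${TF_ADMIN}"
prefix = "${TF_ADMIN}/state"
}
}
EOF

## -- enable versioning. Older generations survive a later delete or
## overwrite, so a key uploaded here must also be disabled in IAM when it
## is rotated, not just removed from the bucket.
gsutil versioning set on "gs://${TF_ADMIN}"

#-- copy secure files to bucket
# NOTE(review): the key was written to ${TF_CREDS} above but the upload
# names ${TF_ADMIN}-admin.json — confirm both refer to the same file.
gsutil cp .envrc "gs://${TF_ADMIN}"
gsutil cp "${TF_ADMIN}-admin.json" "gs://${TF_ADMIN}"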