VPC Service Control (Teardown)
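#!/usr/bin/env bash
#
# VPC Service Control (Teardown)
#
# Undoes the demo setup: the service perimeter, the access level and its local
# config, the org-level IAM bindings and the two service accounts, the test
# bucket, and finally the Access Context Manager API.
#
# Required env: ORG_ID - the organization that owns the access policy. The
# CHANGEME placeholder is refused before any gcloud call is made.
#
# Every teardown step is best-effort: a failing step is reported on stderr and
# the remaining steps still run, so a partial teardown can simply be re-run.
# gcloud's own per-resource confirmation prompts are left in place.
set -u -o pipefail

# Print a message on stderr and exit non-zero.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Run one teardown step; on failure report it and keep going.
# Arguments: $1 - step description, $2.. - command and its arguments
# Returns:   always 0 (the step's status is only logged)
#######################################
step() {
  local what=$1
  shift
  local rc=0
  "$@" || rc=$?
  if (( rc != 0 )); then
    printf 'warning: %s failed (exit %d); continuing\n' "$what" "$rc" >&2
  fi
  return 0
}

# ---- settings (exported so they stay shared with the matching setup script) ----
export ORG_ID="${ORG_ID:-CHANGEME}"
[[ "$ORG_ID" != "CHANGEME" ]] || die "set ORG_ID to your organization id before running"

# Declaration and assignment are split so a failing gcloud call is not masked.
PROJECT_ID=$(gcloud config get-value project) || die "cannot read active project"
[[ -n "$PROJECT_ID" ]] || die "no active gcloud project configured"
export PROJECT_ID
PROJECT_USER=$(gcloud config get-value core/account) || die "cannot read active account" # set current user
export PROJECT_USER
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)") \
  || die "cannot describe project ${PROJECT_ID}"
export PROJECT_NUMBER
export IDNS="${PROJECT_ID}.svc.id.goog" # workflow identity domain
export DATA_SA_NAME="data-viewer"
export DATA_SA_ID="${DATA_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
export API_SA_NAME="aws-api"
export API_SA_ID="${API_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
export BUCKET_NAME="mike-vpc-sa-test1"
export STORAGE_CLASS="STANDARD" # NEARLINE | COLDLINE | ARCHIVE
export STORAGE_LOCATION="us-central1" # US | EU | ASIA | US-CENTRAL1 | ...
export POLICY_TITLE="default policy"
export PERIMETER_NAME="StoragePerimeter"
export LEVEL_NAME="AWSApiAccess"

# confirm they are in right project (EOF on stdin aborts instead of looping)
while true; do
  read -p "Remove VPC Service Control from ${PROJECT_ID} as user ${PROJECT_USER}? " -n 1 -r yn || exit 1
  echo
  case "$yn" in
    [Yy]*) break ;;
    [Nn]*) exit ;;
    *) echo "Please answer yes or no." ;;
  esac
done

POLICY_NAME=$(gcloud access-context-manager policies list --organization "$ORG_ID" --format="value(name)") \
  || die "cannot list access policies for organization ${ORG_ID}"
export POLICY_NAME

if [[ -z "$POLICY_NAME" ]]; then
  printf 'warning: no access policy found for organization %s; skipping perimeter and level\n' "$ORG_ID" >&2
else
  # delete perimeter (kept first, before the level it may reference)
  step "perimeter delete ${PERIMETER_NAME}" \
    gcloud access-context-manager perimeters delete "$PERIMETER_NAME" \
      --policy="$POLICY_NAME"
  # delete access level
  step "access level delete ${LEVEL_NAME}" \
    gcloud access-context-manager levels delete "$LEVEL_NAME" \
      --policy="$POLICY_NAME"
fi

# delete access level config (-f: already gone on a re-run is fine)
rm -f -- access-level.yaml

# remove service account to access data: drop the org-wide objectViewer grant
# first, then delete the account itself
step "org binding removal for ${DATA_SA_ID}" \
  gcloud organizations remove-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:${DATA_SA_ID}" \
    --role="roles/storage.objectViewer"
step "service account delete ${DATA_SA_ID}" \
  gcloud iam service-accounts delete "$DATA_SA_ID"

# remove service account to impersonate sa: drop the org-wide tokenCreator
# grant first, then delete the account itself
step "org binding removal for ${API_SA_ID}" \
  gcloud organizations remove-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:${API_SA_ID}" \
    --role="roles/iam.serviceAccountTokenCreator"
step "service account delete ${API_SA_ID}" \
  gcloud iam service-accounts delete "$API_SA_ID"

# delete storage bucket
step "bucket delete ${BUCKET_NAME}" gsutil rm -r "gs://${BUCKET_NAME}"

# disable apis
step "API disable" gcloud services disable accesscontextmanager.googleapis.com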