@mikesparr
Last active January 1, 2021 19:04
VPC Service Control (Teardown)
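#!/usr/bin/env bash
# VPC Service Controls demo -- TEARDOWN.
#
# Reverses the companion setup: deletes the service perimeter and the access
# level, removes the two demo service accounts together with their
# ORGANIZATION-level IAM bindings, deletes the test bucket, and disables the
# Access Context Manager API in the active gcloud project.
#
# Before running:
#   ORG_ID  - replace the CHANGEME placeholder with the organization ID; it is
#             used both to look up the access policy and to edit org-level IAM.
#   gcloud  - authenticated as a user who may administer access-context-manager
#             and organization IAM, with the target project set as active.
#
# Every step is destructive. The script stops at the first failure so that a
# service account is never deleted while its org-level binding still exists
# (otherwise the org policy would keep a dangling deleted:serviceAccount member).
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

export ORG_ID="CHANGEME"
# Refuse to touch organization IAM while the placeholder is still in place.
[[ -n "${ORG_ID}" && "${ORG_ID}" != "CHANGEME" ]] \
  || die "edit ORG_ID in this script before running (currently '${ORG_ID}')"

# Assignments are kept separate from 'export' so that a failing gcloud call is
# not masked by the exit status of export itself.
PROJECT_ID=$(gcloud config get-value project)
: "${PROJECT_ID:?no active gcloud project (run: gcloud config set project <id>)}"
PROJECT_USER=$(gcloud config get-value core/account) # current user
: "${PROJECT_USER:?no active gcloud account (run: gcloud auth login)}"
PROJECT_NUMBER=$(gcloud projects describe "${PROJECT_ID}" --format="value(projectNumber)")
export PROJECT_ID PROJECT_USER PROJECT_NUMBER
export IDNS="${PROJECT_ID}.svc.id.goog" # workload identity pool domain (not referenced below)

export DATA_SA_NAME="data-viewer"
export DATA_SA_ID="${DATA_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
export API_SA_NAME="aws-api"
export API_SA_ID="${API_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
export BUCKET_NAME="mike-vpc-sa-test1"
export STORAGE_CLASS="STANDARD" # NEARLINE | COLDLINE | ARCHIVE
export STORAGE_LOCATION="us-central1" # US | EU | ASIA | US-CENTRAL1 | ...
export POLICY_TITLE="default policy"
export PERIMETER_NAME="StoragePerimeter"
export LEVEL_NAME="AWSApiAccess"

# Confirm the target. Organization-level IAM is about to be modified, so the
# org is shown alongside the project and the acting identity.
printf 'Organization: %s\n' "${ORG_ID}"
while true; do
  # A closed stdin must abort rather than loop forever on an empty answer.
  read -r -n 1 -p "Remove VPC Service Control from ${PROJECT_ID} as user ${PROJECT_USER}? " yn \
    || die "no answer read from stdin; aborting"
  echo
  case "${yn}" in
    [Yy]*) break ;;
    [Nn]*) exit ;;
    *) echo "Please answer yes or no." ;;
  esac
done

# Resolve the access policy. The list may return several rows (scoped
# policies); an ambiguous or empty result must not be passed to --policy.
POLICY_NAME=$(gcloud access-context-manager policies list \
  --organization "${ORG_ID}" --format="value(name)")
if [[ -z "${POLICY_NAME}" || "${POLICY_NAME}" == *$'\n'* ]]; then
  die "expected exactly one access policy for org ${ORG_ID}, got: '${POLICY_NAME}'"
fi
export POLICY_NAME

# 1. Perimeter first: an access level that is still referenced by a perimeter
#    cannot be deleted.
gcloud access-context-manager perimeters delete "${PERIMETER_NAME}" \
  --policy="${POLICY_NAME}"
gcloud access-context-manager levels delete "${LEVEL_NAME}" \
  --policy="${POLICY_NAME}"
# Local access-level spec; -f because it is absent if setup never ran here.
rm -f -- access-level.yaml

# 2. Org-level bindings, then the principals. Because of 'set -e' a failed
#    binding removal stops the script before the service account is deleted.
gcloud organizations remove-iam-policy-binding "${ORG_ID}" \
  --member="serviceAccount:${DATA_SA_ID}" \
  --role="roles/storage.objectViewer"
# Teardown must delete (the original ran 'create' here); delete takes the
# full email, not the short account name.
gcloud iam service-accounts delete "${DATA_SA_ID}"

# roles/iam.serviceAccountTokenCreator granted at the organization allows
# impersonation of every service account in the org, so confirm this binding
# is really gone (e.g. gcloud organizations get-iam-policy) after the run.
gcloud organizations remove-iam-policy-binding "${ORG_ID}" \
  --member="serviceAccount:${API_SA_ID}" \
  --role="roles/iam.serviceAccountTokenCreator"
gcloud iam service-accounts delete "${API_SA_ID}"

# 3. Test bucket and everything in it. ':?' refuses an empty bucket name so
#    the command can never degrade into 'gs://'.
gsutil rm -r "gs://${BUCKET_NAME:?}"

# 4. Disable the API in the active project.
gcloud services disable accesscontextmanager.googleapis.com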