simbalinux/provision_gcp

## provision_gcp
#!/usr/env/bash env

set -ex
# define our roles to be applied to our folders
declare -a folder_roles=(
  "roles/resourcemanager.folderAdmin"
  "roles/bigquery.admin"
  "roles/cloudfunctions.admin"
  "roles/cloudkms.admin"
  "roles/cloudsql.admin"
  "roles/logging.configWriter"
  "roles/pubsub.admin"
  "roles/iam.serviceAccountUser"
  "roles/iam.serviceAccountAdmin"
  "roles/storage.admin")

# define our roles to be applied to our orgs
declare -a org_roles=(
  "roles/billing.admin"
  "roles/billing.projectManager"
  "roles/iam.organizationRoleAdmin"
  "roles/iam.securityAdmin"
  "roles/resourcemanager.projectCreator")

# -- create project & set current project as working project
gcloud projects create ${TF_ADMIN} --folder ${TF_FOLDER_id_AUTO_SVC} --set-as-default


# -- link to billing account
gcloud beta billing projects link ${TF_ADMIN} \
  --billing-account ${TF_VAR_billing_account}


# -- create the service account
gcloud iam service-accounts create ${TF_SANAME} \
  --display-name ${TF_SANAME}


# -- create service account keys
gcloud iam service-accounts keys create ${TF_CREDS} \
  --iam-account ${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com


# add the array of permissions to the folder_id
for role in "${folder_roles[@]}"
do
gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_AME} \
  --member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
  --role "$role"
done
unset role

for role in "${folder_roles[@]}"
do
gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_APA} \
  --member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
  --role "$role"
done
unset role

for role in "${folder_roles[@]}"
do
gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_EMA} \
  --member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
  --role "$role"
done
unset role

for role in "${folder_roles[@]}"
do
gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_AUTO_SVC} \
  --member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
  --role "$role"
done
unset role

# -- ENABLE ALL APIS NEEDED
gcloud services enable bigquery-json.googleapis.com
gcloud services enable bigquerystorage.googleapis.com

# -- load up the roles to be applied to the ORG
for org in "${org_roles[@]}"
do
gcloud organizations add-iam-policy-binding ${TF_VAR_org_id} \
  --member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
  --role "$org"
done

# create a bucket inside our project to capture .envrc & admin.json creds
gsutil mb -p ${TF_ADMIN} gs://${TF_ADMIN}
#
cat > backend.tf << EOF
terraform {
 backend "gcs" {
   bucket  = "${TF_ADMIN}"
   prefix  = "${TF_ADMIN}/state"
 }
}
EOF
## -- enable versioning
gsutil versioning set on gs://${TF_ADMIN}
#-- copy secure files to bucket
gsutil cp .envrc gs://${TF_ADMIN}
gsutil cp ${TF_ADMIN}-admin.json gs://${TF_ADMIN}
	#!/usr/env/bash env

	set -ex
	# define our roles to be applied to our folders
	declare -a folder_roles=(
	"roles/resourcemanager.folderAdmin"
	"roles/bigquery.admin"
	"roles/cloudfunctions.admin"
	"roles/cloudkms.admin"
	"roles/cloudsql.admin"
	"roles/logging.configWriter"
	"roles/pubsub.admin"
	"roles/iam.serviceAccountUser"
	"roles/iam.serviceAccountAdmin"
	"roles/storage.admin")

	# define our roles to be applied to our orgs
	declare -a org_roles=(
	"roles/billing.admin"
	"roles/billing.projectManager"
	"roles/iam.organizationRoleAdmin"
	"roles/iam.securityAdmin"
	"roles/resourcemanager.projectCreator")

	# -- create project & set current project as working project
	gcloud projects create ${TF_ADMIN} --folder ${TF_FOLDER_id_AUTO_SVC} --set-as-default


	# -- link to billing account
	gcloud beta billing projects link ${TF_ADMIN} \
	--billing-account ${TF_VAR_billing_account}



	# -- create the service account
	gcloud iam service-accounts create ${TF_SANAME} \
	--display-name ${TF_SANAME}


	# -- create service account keys
	gcloud iam service-accounts keys create ${TF_CREDS} \
	--iam-account ${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com


	# add the array of permissions to the folder_id
	for role in "${folder_roles[@]}"
	do
	gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_AME} \
	--member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
	--role "$role"
	done
	unset role

	for role in "${folder_roles[@]}"
	do
	gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_APA} \
	--member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
	--role "$role"
	done
	unset role

	for role in "${folder_roles[@]}"
	do
	gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_EMA} \
	--member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
	--role "$role"
	done
	unset role

	for role in "${folder_roles[@]}"
	do
	gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_AUTO_SVC} \
	--member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
	--role "$role"
	done
	unset role

	# -- ENABLE ALL APIS NEEDED
	gcloud services enable bigquery-json.googleapis.com
	gcloud services enable bigquerystorage.googleapis.com

	# -- load up the roles to be applied to the ORG
	for org in "${org_roles[@]}"
	do
	gcloud organizations add-iam-policy-binding ${TF_VAR_org_id} \
	--member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
	--role "$org"
	done

	# create a bucket inside our project to capture .envrc & admin.json creds
	gsutil mb -p ${TF_ADMIN} gs://${TF_ADMIN}
	#
	cat > backend.tf << EOF
	terraform {
	backend "gcs" {
	bucket = "${TF_ADMIN}"
	prefix = "${TF_ADMIN}/state"
	}
	}
	EOF
	## -- enable versioning
	gsutil versioning set on gs://${TF_ADMIN}
	#-- copy secure files to bucket
	gsutil cp .envrc gs://${TF_ADMIN}
	gsutil cp ${TF_ADMIN}-admin.json gs://${TF_ADMIN}