Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
provisioning gcp
#!/usr/env/bash env
set -ex
# define our roles to be applied to our folders
declare -a folder_roles=(
"roles/resourcemanager.folderAdmin"
"roles/bigquery.admin"
"roles/cloudfunctions.admin"
"roles/cloudkms.admin"
"roles/cloudsql.admin"
"roles/logging.configWriter"
"roles/pubsub.admin"
"roles/iam.serviceAccountUser"
"roles/iam.serviceAccountAdmin"
"roles/storage.admin")
# define our roles to be applied to our orgs
declare -a org_roles=(
"roles/billing.admin"
"roles/billing.projectManager"
"roles/iam.organizationRoleAdmin"
"roles/iam.securityAdmin"
"roles/resourcemanager.projectCreator")
# -- create project & set current project as working project
gcloud projects create ${TF_ADMIN} --folder ${TF_FOLDER_id_AUTO_SVC} --set-as-default
# -- link to billing account
gcloud beta billing projects link ${TF_ADMIN} \
--billing-account ${TF_VAR_billing_account}
# -- create the service account
gcloud iam service-accounts create ${TF_SANAME} \
--display-name ${TF_SANAME}
# -- create service account keys
gcloud iam service-accounts keys create ${TF_CREDS} \
--iam-account ${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com
# add the array of permissions to the folder_id
for role in "${folder_roles[@]}"
do
gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_AME} \
--member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
--role "$role"
done
unset role
for role in "${folder_roles[@]}"
do
gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_APA} \
--member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
--role "$role"
done
unset role
for role in "${folder_roles[@]}"
do
gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_EMA} \
--member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
--role "$role"
done
unset role
for role in "${folder_roles[@]}"
do
gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_AUTO_SVC} \
--member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
--role "$role"
done
unset role
# -- ENABLE ALL APIS NEEDED
gcloud services enable bigquery-json.googleapis.com
gcloud services enable bigquerystorage.googleapis.com
# -- load up the roles to be applied to the ORG
for org in "${org_roles[@]}"
do
gcloud organizations add-iam-policy-binding ${TF_VAR_org_id} \
--member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \
--role "$org"
done
# create a bucket inside our project to capture .envrc & admin.json creds
gsutil mb -p ${TF_ADMIN} gs://${TF_ADMIN}
#
cat > backend.tf << EOF
terraform {
backend "gcs" {
bucket = "${TF_ADMIN}"
prefix = "${TF_ADMIN}/state"
}
}
EOF
## -- enable versioning
gsutil versioning set on gs://${TF_ADMIN}
#-- copy secure files to bucket
gsutil cp .envrc gs://${TF_ADMIN}
gsutil cp ${TF_ADMIN}-admin.json gs://${TF_ADMIN}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment