@timoyuen
Forked from darkn3rd/gcp_manage_tf_02.sh
Created November 24, 2020 14:18
Manage GCP Projects 2
#!/usr/bin/env bash
# Part 2: create the Terraform admin service account in the Terraform Admin
# Project, download its key, and grant it the roles it needs at project and
# organization scope. TF_ADMIN (admin project id) and TF_VAR_ORG_ID
# (organization id) must already be set, e.g. from part 1.
set -euo pipefail
: "${TF_ADMIN:?set TF_ADMIN to the Terraform admin project id}"
: "${TF_VAR_ORG_ID:?set TF_VAR_ORG_ID to the organization id}"

export TF_CREDS=~/.config/gcloud/terraform-admin.json

# create service account in Terraform Admin Project
gcloud iam service-accounts create terraform \
  --project "${TF_ADMIN}" \
  --display-name "Terraform Admin Account"

# download JSON credentials (a long-lived private key: keep ${TF_CREDS} private)
gcloud iam service-accounts keys create "${TF_CREDS}" \
  --iam-account "terraform@${TF_ADMIN}.iam.gserviceaccount.com"

# grant service account permission to view Admin Project & manage Cloud Storage
for ROLE in 'viewer' 'storage.admin'; do
  gcloud projects add-iam-policy-binding "${TF_ADMIN}" \
    --member "serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com" \
    --role "roles/${ROLE}"
done

# enable the APIs Terraform needs in the Admin Project
for API in 'cloudresourcemanager' 'cloudbilling' 'iam' 'compute'; do
  gcloud services enable "${API}.googleapis.com" --project "${TF_ADMIN}"
done

# grant service account permissions to create projects & assign billing accounts
for ROLE in 'resourcemanager.projectCreator' 'billing.user'; do
  gcloud organizations add-iam-policy-binding "${TF_VAR_ORG_ID}" \
    --member "serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com" \
    --role "roles/${ROLE}"
done
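The script above leaves two things worth verifying afterwards: the downloaded key file is a long-lived credential that should be readable only by its owner, and the Terraform service account should hold exactly the four roles the script grants (viewer and storage.admin on the admin project, resourcemanager.projectCreator and billing.user on the organization). The following post-check is an added example, not part of the gist or of darkn3rd's series; it assumes TF_ADMIN, TF_CREDS and TF_VAR_ORG_ID are set as in the script, and the role list under SAMPLE_ORG_ROLES is constructed rather than captured from a real organization.

```shell
#!/usr/bin/env sh
# Added example (not part of the gist): post-checks for the steps above.
# 1) the key file written to ${TF_CREDS} must not be group- or world-readable;
# 2) the Terraform service account must hold only the roles the script grants.
# TF_ADMIN, TF_CREDS and TF_VAR_ORG_ID are assumed to be set as in the gist.

# Roles the script intends to grant, per scope.
EXPECTED_PROJECT_ROLES="roles/viewer roles/storage.admin"
EXPECTED_ORG_ROLES="roles/resourcemanager.projectCreator roles/billing.user"

# Returns 0 when the file's group or other permission bits include read,
# i.e. the private key is exposed to other users on this machine.
key_file_exposed() {
  perms=$(ls -ld "$1" | cut -c5-10)
  case "$perms" in
    *r*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Reads role names, one per line, on stdin; prints each role absent from the
# allow-list in $1 and returns 1 if any such role was seen, 0 otherwise.
check_roles() {
  allowed=" $1 "
  status=0
  while IFS= read -r role; do
    [ -z "$role" ] && continue
    case "$allowed" in
      *" $role "*) ;;
      *) printf 'UNEXPECTED: %s\n' "$role"; status=1 ;;
    esac
  done
  return "$status"
}

# Live query of the roles bound to the account at one scope.
# $1 is "projects" or "organizations", $2 the project or organization id;
# --flatten/--filter/--format are standard gcloud resource-printer flags.
bound_roles() {
  gcloud "$1" get-iam-policy "$2" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com" \
    --format="value(bindings.role)"
}

# Constructed sample (not real policy output): an organization where someone
# later added roles/owner to the same account. The audit must flag it.
SAMPLE_ORG_ROLES="roles/resourcemanager.projectCreator
roles/billing.user
roles/owner"

# Runs the role check against the constructed sample; returns 1 (roles/owner).
audit_sample() {
  printf '%s\n' "$SAMPLE_ORG_ROLES" | check_roles "$EXPECTED_ORG_ROLES"
}

# Runs both checks against the real admin project and organization.
# Needs gcloud and the three variables from the gist.
audit_live() {
  rc=0
  if key_file_exposed "$TF_CREDS"; then
    echo "key file $TF_CREDS is group/world readable; run: chmod 600 $TF_CREDS"
    rc=1
  fi
  bound_roles projects "$TF_ADMIN" | check_roles "$EXPECTED_PROJECT_ROLES" || rc=1
  bound_roles organizations "$TF_VAR_ORG_ID" | check_roles "$EXPECTED_ORG_ROLES" || rc=1
  return "$rc"
}
```

Source the file and call `audit_live` after the gist has run; a non-zero exit means either the key file is readable by others or the account carries a role the script never granted, which is the drift a later reviewer of this admin project would want to catch early.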