@walac
Created August 15, 2019 20:23
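#!/bin/bash
# Provisions the sccache-l<level>-<region> service accounts and buckets in the
# gcloud project that is currently configured as the default.
#
# Options are set here rather than on the shebang line so that they still
# apply when the script is started as `bash script.sh`:
#   -e           stop at the first failing command
#   -u           treat an unset variable as an error
#   -x           trace every command as it runs
#   -o pipefail  a failing gcloud/gsutil inside a pipeline fails the pipeline,
#                so an etag lookup cannot quietly yield an empty value
set -euxo pipefail

# Project that every account, binding and bucket below is created in.
# stderr is discarded, so an unconfigured project shows up as an empty value.
projectid=$(gcloud config list --format 'value(core.project)' 2> /dev/null)

# Stop before any IAM change is attempted against an unnamed project.
: "${projectid:?no default gcloud project is configured}"

# Account that is granted the right to mint tokens for the other accounts.
readonly auth_account=taskcluster-auth-token-creator
# Domain suffix shared by every service-account e-mail address.
readonly sa_suffix='iam.gserviceaccount.com'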
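#######################################
# Create a service account unless one with exactly this account id exists.
# Arguments: $1 - account id (the part of the e-mail address before the "@")
# Outputs:   whatever gcloud prints
# Returns:   0 always; a failed create is deliberately tolerated
#######################################
create_service_account() {
  # local: the id must not leak into the caller's own "name" variable.
  local name=$1

  # Compare the whole account id. A substring match would take "foo-bar" as
  # proof that "bar" exists and skip the create, so later policy changes
  # would be aimed at an account that was never made.
  if ! gcloud beta iam service-accounts list --format='value(email)' \
    | awk -F@ -v want="$name" '$1 == want { found = 1 } END { exit !found }'; then
    # Best effort, as in the original: a create that fails (for instance
    # because the account appeared in the meantime) does not stop the script.
    gcloud beta iam service-accounts create "$name" --display-name "$name" || true
  fi
}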
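# The token-creator account has to exist before a binding can name it.
create_service_account "$auth_account"

# Grants the account roles/iam.serviceAccountTokenCreator on the project.
# NOTE(review): a project-level binding presumably covers every service
# account in the project, not only the sccache ones, and each sccache account
# already gets its own binding further down. Confirm the wider grant is needed.
gcloud projects add-iam-policy-binding "$projectid" \
  --member "serviceAccount:${auth_account}@${projectid}.${sa_suffix}" \
  --role 'roles/iam.serviceAccountTokenCreator'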
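# For every region in regions.txt and every level 1-3: create the
# sccache-l<level>-<region> service account, let the token-creator account
# mint tokens for it, then recreate the bucket of the same name and set its
# IAM policy.

# A missing list used to produce an empty loop and a successful exit.
[[ -r regions.txt ]] || { echo 'regions.txt is missing or unreadable' >&2; exit 1; }

# Split on whitespace as before, but without glob expansion of the entries.
# read returns non-zero at end of file, which is the normal case here.
regions=()
read -r -d '' -a regions < regions.txt || true
(( ${#regions[@]} > 0 )) || { echo 'regions.txt lists no regions' >&2; exit 1; }

# The policy documents go into a private directory. A fixed path under /tmp
# can be pre-created or swapped by another local user between the write and
# the set-iam-policy call, which would change what gets applied.
policy_dir=$(mktemp -d)
trap 'rm -rf -- "$policy_dir"' EXIT

for region in "${regions[@]}"; do
  for level in 1 2 3; do
    name="sccache-l${level}-${region}"
    service_account="${name}@${projectid}.${sa_suffix}"
    create_service_account "$name"

    # The etag ties the write to the policy version that was just read.
    etag=$(gcloud iam service-accounts get-iam-policy "$service_account" \
      | awk '$1 == "etag:" { print $2 }')
    [[ -n "$etag" ]] || { echo "no policy etag for $service_account" >&2; exit 1; }

    # set-iam-policy replaces the whole policy: any binding not listed here
    # is removed from the service account.
    cat > "$policy_dir/policy.json" <<EOF
{
  "etag": "$etag",
  "bindings": [
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "serviceAccount:$auth_account@$projectid.$sa_suffix"
      ]
    }
  ]
}
EOF
    gcloud iam service-accounts set-iam-policy "$service_account" "$policy_dir/policy.json"

    #name=$(echo $name | tr -d -- -)
    # Best effort: the bucket may not exist yet, so a failed removal is ignored.
    gsutil rb "gs://${name}" || true
    gsutil mb -l "$region" "gs://${name}"

    etag=$(gsutil iam get "gs://${name}" | jq -r '.etag')
    [[ -n "$etag" && "$etag" != null ]] || { echo "no policy etag for gs://${name}" >&2; exit 1; }

    # NOTE(review): the policy below names one individual user as
    # roles/storage.admin on every bucket. A hard-coded personal account is
    # easy to forget when people change roles; consider a group or a
    # parameter instead.
    cat > "$policy_dir/perm.json" <<EOF
{
  "etag": "$etag",
  "bindings": [
    {
      "members": [
        "serviceAccount:$service_account"
      ],
      "role": "roles/storage.objectCreator"
    },
    {
      "members": [
        "serviceAccount:$service_account"
      ],
      "role": "roles/storage.objectViewer"
    },
    {
      "members": [
        "user:wcosta@mozilla.com"
      ],
      "role": "roles/storage.admin"
    }
  ]
}
EOF
    gsutil iam set -a "$policy_dir/perm.json" "gs://${name}"
  done
done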