def validate_arguments(args):
    """Abort the run when the role-related arguments are unusable.

    Args:
        args: Parsed command-line namespace; reads ``roles_file``,
            ``custom_roles`` and ``organization_id``.

    Exits with status 1 (after logging the problem) when ``roles_file`` is
    set but is not an existing file, or when any comma-separated entry of
    ``custom_roles`` does not exist as an organization-level custom role.
    A falsy ``roles_file`` / ``custom_roles`` skips the respective check.
    """
    roles_path = args.roles_file
    if roles_path and not has_file(roles_path):
        LOGGER.error('Role file passed is invalid: %s', roles_path)
        sys.exit(1)

    # Nothing to validate when no custom roles were requested.
    if not args.custom_roles:
        return

    # Every entry must exist in the organization; the first missing one
    # aborts the run so a mistyped role name is rejected up front.
    for role_name in args.custom_roles.split(','):
        if iam_org_level_role_exist(args.organization_id, role_name):
            continue
        LOGGER.error('Custom role invalid or inexistent: %s',
                     role_name)
        sys.exit(1)
def validate_arguments(args):
    """Abort the run when the project or the CSCC API client file is missing.

    Args:
        args: Parsed command-line namespace; only ``project`` is read.

    Exits with status 2 when ``project_exists(args.project)`` is false and
    with status 4 when the CSCC API client JSON expected under
    ``helpers.BASE_DIR`` is absent. Messages go to stdout via ``print``.
    """
    project = args.project
    if not project_exists(project):
        print(('Project {} not found. Please check if id is correct or if you '
               'have been granted access to it.'.format(project)))
        sys.exit(2)

    # The client file lives at a fixed location below BASE_DIR; it is not
    # taken from the command line.
    client_file_parts = ('function', 'transformer', 'accounts',
                         'cscc_api_client.json')
    cscc_api_client_file = os.path.join(helpers.BASE_DIR, *client_file_parts)
    if has_file(cscc_api_client_file):
        return
    print(
        'CSCC api client file does not exist.\nPlease place a valid file '
        'at {}'.format(cscc_api_client_file))
    sys.exit(4)
def validate_arguments(args):
    """Abort the run when the key file, connector project or SA file is invalid.

    Args:
        args: Parsed command-line namespace; reads ``key_file``,
            ``connector_project`` and ``connector_sa_file``.

    Exit statuses: 1 when ``key_file`` is not an existing file, 2 when
    ``project_exists(args.connector_project)`` is false, 4 when
    ``connector_sa_file`` is set but ``os.path.isfile`` rejects it. Only the
    presence of the files is checked; their contents are not inspected.
    """
    # NOTE(review): the key file is checked with has_file() while the SA
    # file uses os.path.isfile() — confirm both helpers agree on what
    # counts as "a file" before relying on one over the other.
    if not has_file(args.key_file):
        print('Key File Does not Exist.\nPlease inform a file.')
        sys.exit(1)

    connector_project = args.connector_project
    if not project_exists(connector_project):
        print(('Project {} not found. Please check if id is correct or if you '
               'have been granted access to it.'.format(connector_project)))
        sys.exit(2)

    # An empty/None SA file path means "not provided" and is accepted.
    sa_path = args.connector_sa_file
    if not sa_path:
        return
    if os.path.isfile(sa_path):
        return
    print('The service account file path passed is not valid: "{}".'.format(
        sa_path))
    sys.exit(4)
def create_sa(args):
    """Create a service account, download a key for it and bind its roles.

    Args:
        args: Parsed command-line namespace; reads ``output_file``,
            ``project_id``, ``name``, ``roles_file``, ``custom_roles`` and
            ``organization_id``.

    Returns:
        None. The key is written to ``args.output_file`` or, when that is
        falsy, to ``<BASE_DIR>/setup/service_accounts/<project>_<name>.json``.
        An already existing key file short-circuits the whole function:
        nothing is created and no roles are applied.
    """
    default_key_path = os.path.join(
        helpers.BASE_DIR, 'setup', 'service_accounts',
        '{}_{}.json'.format(args.project_id, args.name))
    sa_file_name = args.output_file or default_key_path
    if has_file(sa_file_name):
        LOGGER.info('Service account file already exists on "%s".',
                    sa_file_name)
        return

    run_command([
        'gcloud', 'iam', 'service-accounts', 'create', args.name,
        '--display-name', args.name, '--project', args.project_id
    ])
    time.sleep(5)  # wait for data replication before looking the account up
    account_email = get_service_account_email_from_api(
        args.name, args.project_id)

    key_directory = os.path.dirname(sa_file_name)
    if not os.path.exists(key_directory):
        os.makedirs(key_directory)
    # `keys create` downloads a private key for the account. The resulting
    # JSON is a long-lived credential: keep the output path private and
    # out of version control.
    run_command([
        'gcloud', 'iam', 'service-accounts', 'keys', 'create',
        sa_file_name, '--iam-account', account_email, '--project',
        args.project_id
    ])

    if args.roles_file:
        LOGGER.info('Roles to SA.')
        sa_roles = roles_file_to_list(args.roles_file)
        if args.organization_id:
            # Custom roles are only honoured for organization-level bindings;
            # without an organization id they are silently ignored.
            if args.custom_roles:
                LOGGER.info('Considering custom roles: %s', args.custom_roles)
                for role_name in args.custom_roles.split(','):
                    sa_roles.append(build_org_level_role_full_name(
                        args.organization_id, role_name))
            set_policies(sa_roles,
                         organization_id=args.organization_id,
                         service_account_email=account_email)
        else:
            set_policies(sa_roles,
                         project_id=args.project_id,
                         service_account_email=account_email)
    LOGGER.info('Service account created with file "%s".', sa_file_name)
def create_sa(sa_name, project_id, organization_id, sa_roles):
    """Create service account with the roles passed.

    Args:
        sa_name: Service account name.
        project_id: Project id; the account is created here and every
            role is bound at this project's level.
        organization_id: Organization id. Accepted for signature
            compatibility but not used by this implementation.
        sa_roles: Roles to add to service account (project-level bindings).

    Returns:
        The service account generated file name. When that file already
        exists nothing is created or bound and the name is returned as is.
    """
    key_directory = os.path.join(helpers.BASE_DIR, 'setup',
                                 'service_accounts')
    sa_file_name = os.path.join(key_directory,
                                project_id + '_' + sa_name + '.json')
    if has_file(sa_file_name):
        return sa_file_name

    run_command([
        'gcloud', 'iam', 'service-accounts', 'create', sa_name,
        '--display-name', sa_name, '--project', project_id
    ])
    account_email = get_service_account_email(sa_name, project_id)

    if not os.path.exists(key_directory):
        os.makedirs(key_directory)
    # `keys create` downloads a private key for the account; the JSON it
    # writes is a long-lived credential and should be kept private.
    run_command([
        'gcloud', 'iam', 'service-accounts', 'keys', 'create',
        sa_file_name, '--iam-account', account_email, '--project',
        project_id
    ])

    print('Roles to SA.')
    member = 'serviceAccount:' + account_email
    for role in sa_roles:
        run_command([
            'gcloud', 'projects', 'add-iam-policy-binding', project_id,
            '--member', member, '--quiet',
            '--role', role
        ])
    return sa_file_name
def validate_arguments(args):
    """Exit with status 1 when ``args.template_file`` is set but not a file.

    Args:
        args: Parsed command-line namespace; only ``template_file`` is read.
            A falsy value (no template given) passes validation.
    """
    template_path = args.template_file
    if not template_path:
        return
    if has_file(template_path):
        return
    LOGGER.error('Template file passed is invalid: %s', template_path)
    sys.exit(1)
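def create_sa(sa_name, project_id, organization_id, sa_roles):
    """Create service account with the roles passed.

    OBS: It also has the responsibility to:

     * enable required APIs in the project
     * apply roles to DM Google-managed service account

    Args:
        sa_name: Service account name.
        project_id: Project id; APIs are enabled here and the service
            account is created here.
        organization_id: Organization id; both the DM service account and
            the new service account get their role bindings at this level.
        sa_roles: Roles to add to service account (organization-level
            bindings).

    Returns:
        The service account generated file name. When that file already
        exists the account is neither re-created nor re-bound, but the API
        enablement and the DM role bindings still run.
    """
    # Bug fix: the API and DM steps previously read `args.project_id` /
    # `args.organization_id`, a name this function never receives, instead
    # of the parameters it is given.
    _enable_required_apis(project_id)
    _grant_dm_roles(project_id, organization_id)

    sa_directory = os.path.join(helpers.BASE_DIR, 'setup',
                                'service_accounts')
    sa_file_name = os.path.join(sa_directory,
                                project_id + '_' + sa_name + '.json')
    if has_file(sa_file_name):
        return sa_file_name

    run_command([
        'gcloud', 'iam', 'service-accounts', 'create', sa_name,
        '--display-name', sa_name, '--project', project_id
    ])
    account_email = get_service_account_email(sa_name, project_id)

    if not os.path.exists(sa_directory):
        os.makedirs(sa_directory)
    # `keys create` downloads a private key for the account; the JSON it
    # writes is a long-lived credential and should be kept private.
    run_command([
        'gcloud', 'iam', 'service-accounts', 'keys', 'create',
        sa_file_name, '--iam-account', account_email, '--project',
        project_id
    ])

    print('Roles to SA.')
    for role in sa_roles:
        run_command([
            'gcloud', 'organizations', 'add-iam-policy-binding',
            organization_id, '--member', 'serviceAccount:' + account_email,
            '--quiet', '--role', role
        ])
    return sa_file_name


def _enable_required_apis(project_id):
    """Enable, one `gcloud services enable` call each, the APIs the deployment needs in ``project_id``."""
    apis_to_enable = [
        'cloudbilling.googleapis.com',
        'cloudresourcemanager.googleapis.com',
        'deploymentmanager.googleapis.com',
        'iam.googleapis.com',
        'appengine.googleapis.com',
        'cloudbuild.googleapis.com',
        'cloudfunctions.googleapis.com',
        'servicemanagement.googleapis.com',
    ]
    for api in apis_to_enable:
        run_command([
            'gcloud', 'services', 'enable', api, '--project', project_id
        ])


def _grant_dm_roles(project_id, organization_id):
    """Bind the DM Google-managed service account's roles at organization level.

    The roles granted are broad (project creation, organization role
    administration, logging admin, billing user), so this list should be
    kept to exactly what the deployment needs.
    """
    print('Roles to DM.')
    dm_roles = [
        'roles/billing.user', 'roles/deploymentmanager.editor',
        'roles/resourcemanager.projectCreator',
        'roles/iam.organizationRoleAdmin', 'roles/logging.admin'
    ]
    dm_email = get_cloud_services_default_service_account(project_id)
    for role in dm_roles:
        run_command([
            'gcloud', 'organizations', 'add-iam-policy-binding',
            organization_id, '--member', 'serviceAccount:' + dm_email,
            '--quiet', '--role', role
        ])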