def grant_access(config): logging.info('Granting forseti service account access to project %s', project_id) forseti.grant_access( project_id, config.root['forseti'][_GENERATED_FIELDS_NAME]['service_account'])
def grant_access(config): service_account = field_generation.get_forseti_service_generated_fields( config.root)['service_account'] forseti.grant_access(project_id, service_account)
def test_grant_access(self, mock_check_output): FLAGS.dry_run = False forseti.grant_access( 'project1', 'forseti-sa@@forseti-project.iam.gserviceaccount.com') want_calls = [] want_calls.extend( build_add_binding_call('roles/{}'.format(role)) for role in forseti._STANDARD_ROLES) want_calls.append( unittest.mock.call([ 'gcloud', 'iam', 'roles', 'create', 'forsetiBigqueryViewer', '--project', 'project1', '--title', 'Forseti BigQuery Metadata Viewer', '--description', 'Access to only view BigQuery datasets and tables', '--stage', 'ALPHA', '--permissions', 'bigquery.datasets.get,bigquery.tables.get,bigquery.tables.list', ])) want_calls.append( build_add_binding_call( 'projects/project1/roles/forsetiBigqueryViewer')) want_calls.append( unittest.mock.call([ 'gcloud', 'iam', 'roles', 'create', 'forsetiCloudsqlViewer', '--project', 'project1', '--title', 'Forseti CloudSql Metadata Viewer', '--description', 'Access to only view CloudSql resources', '--stage', 'ALPHA', '--permissions', ('cloudsql.backupRuns.get,cloudsql.backupRuns.list,' 'cloudsql.databases.get,cloudsql.databases.list,' 'cloudsql.instances.get,cloudsql.instances.list,' 'cloudsql.sslCerts.get,cloudsql.sslCerts.list,cloudsql.users.list' ), ])) want_calls.append( build_add_binding_call( 'projects/project1/roles/forsetiCloudsqlViewer')) mock_check_output.assert_has_calls(want_calls)
def grant_access(config): forseti.grant_access( project_id, config.root['forseti'][_GENERATED_FIELDS_NAME]['service_account'])
def main(argv): del argv # Unused. input_yaml_path = utils.normalize_path(FLAGS.project_yaml) output_yaml_path = utils.normalize_path(FLAGS.output_yaml_path) output_rules_path = (utils.normalize_path(FLAGS.output_rules_path) if FLAGS.output_rules_path else None) # Output YAML will rearrange fields and remove comments, so do a basic check # against accidental overwriting. if input_yaml_path == output_yaml_path: logging.error('output_yaml_path cannot overwrite project_yaml.') return # Read and parse the project configuration YAML file. root_config = utils.resolve_env_vars(utils.read_yaml_file(input_yaml_path)) if not root_config: logging.error('Error loading project YAML.') return logging.info('Validating project YAML against schema.') try: utils.validate_config_yaml(root_config) except jsonschema.exceptions.ValidationError as e: logging.error('Error in YAML config: %s', e) return overall = root_config['overall'] audit_logs_project = root_config.get('audit_logs_project') projects = [] # Always deploy the remote audit logs project first (if present). if audit_logs_project: projects.append(ProjectConfig(overall=overall, project=audit_logs_project, audit_logs_project=None)) forseti_config = root_config.get('forseti', {}) if forseti_config: forseti_project_config = ProjectConfig( overall=overall, project=forseti_config.get('project'), audit_logs_project=audit_logs_project) projects.append(forseti_project_config) for project_config in root_config.get('projects', []): projects.append(ProjectConfig(overall=overall, project=project_config, audit_logs_project=audit_logs_project)) validate_project_configs(overall, projects) # If resuming setup from a particular project, skip to that project. if FLAGS.resume_from_project: while (projects and projects[0].project['project_id'] != FLAGS.resume_from_project): skipped = projects.pop(0) logging.info('Skipping project %s', skipped.project['project_id']) if not projects: logging.error('Project not found: %s', FLAGS.resume_from_project) if projects: starting_step = max(1, FLAGS.resume_from_step) for config in projects: logging.info('Setting up project %s', config.project['project_id']) if not setup_new_project(config, starting_step): # Don't attempt to deploy additional projects if one project failed. return # Fill in unset generated fields for the project and save it. add_generated_fields(config.project) utils.write_yaml_file(root_config, output_yaml_path) starting_step = 1 else: logging.error('No projects to deploy.') # TODO: allow for forseti installation to be retried. if forseti_config: forseti_project_id = forseti_config['project']['project_id'] forseti_service_account = forseti_config.get('generated_fields', {}).get('service_account') # If the forseti block does not have generated fields from a previous # deployment, consider Forseti to be undeployed. # TODO: add more checks of a previous deployment. if 'generated_fields' not in forseti_config: forseti.install(forseti_config) forseti_service_account = forseti.get_server_service_account( forseti_project_id) forseti_config['generated_fields'] = { 'service_account': forseti_service_account, 'server_bucket': forseti.get_server_bucket(forseti_project_id), } utils.write_yaml_file(root_config, output_yaml_path) for project in projects: project_id = project.project['project_id'] forseti.grant_access(project_id, forseti_service_account) rule_generator.run(root_config, output_path=output_rules_path)
def main(argv): del argv # Unused. runner.DRY_RUN = FLAGS.dry_run runner.GCLOUD_BINARY = FLAGS.gcloud_bin forseti.grant_access(FLAGS.project_id, FLAGS.forseti_service_account)
def main(argv): del argv # Unused. forseti.grant_access(FLAGS.project_id, FLAGS.forseti_service_account)
def grant_access(config): service_account = config.generated_fields['forseti']['service_account'] forseti.grant_access(project_id, service_account)