def grant_deployment_manager_access(config):
"""Grants Deployment manager service account administration roles."""
if FLAGS.enable_new_style_resources:
logging.info('DM service account will be granted access through CFT.')
return
project_id = config.project['project_id']
# Grant deployment manager service account (temporary) owners access.
dm_service_account = utils.get_deployment_manager_service_account(project_id)
for role in _DEPLOYMENT_MANAGER_ROLES:
runner.run_gcloud_command([
'projects', 'add-iam-policy-binding', project_id, '--member',
dm_service_account, '--role', role
],
project_id=None)
logging.info('Sleeping for %d seconds to let IAM updates propagate.',
_IAM_PROPAGATAION_WAIT_TIME_SECS)
runner.run(time.sleep, _IAM_PROPAGATAION_WAIT_TIME_SECS)
def enable_deployment_manager(config):
"""Enables Deployment manager, with role/owners for its service account."""
project_id = config.project['project_id']
# Enabled Deployment Manger and Cloud Resource Manager for this project.
runner.run_gcloud_command([
'services', 'enable', 'deploymentmanager',
'cloudresourcemanager.googleapis.com'
],
project_id=project_id)
# Grant deployment manager service account (temporary) owners access.
dm_service_account = utils.get_deployment_manager_service_account(project_id)
for role in _DEPLOYMENT_MANAGER_ROLES:
runner.run_gcloud_command([
'projects', 'add-iam-policy-binding', project_id, '--member',
dm_service_account, '--role', role
],
project_id=None)
logging.info('Sleeping for %d seconds to let IAM updates propagate.',
_IAM_PROPAGATAION_WAIT_TIME_SECS)
runner.run(time.sleep, _IAM_PROPAGATAION_WAIT_TIME_SECS)