def grant_access(config):
logging.info('Granting forseti service account access to project %s',
project_id)
forseti.grant_access(
project_id,
config.root['forseti'][_GENERATED_FIELDS_NAME]['service_account'])
def grant_access(config):
service_account = field_generation.get_forseti_service_generated_fields(
config.root)['service_account']
forseti.grant_access(project_id, service_account)
def test_grant_access(self, mock_check_output):
FLAGS.dry_run = False
forseti.grant_access(
'project1', 'forseti-sa@@forseti-project.iam.gserviceaccount.com')
want_calls = []
want_calls.extend(
build_add_binding_call('roles/{}'.format(role))
for role in forseti._STANDARD_ROLES)
want_calls.append(
unittest.mock.call([
'gcloud',
'iam',
'roles',
'create',
'forsetiBigqueryViewer',
'--project',
'project1',
'--title',
'Forseti BigQuery Metadata Viewer',
'--description',
'Access to only view BigQuery datasets and tables',
'--stage',
'ALPHA',
'--permissions',
'bigquery.datasets.get,bigquery.tables.get,bigquery.tables.list',
]))
want_calls.append(
build_add_binding_call(
'projects/project1/roles/forsetiBigqueryViewer'))
want_calls.append(
unittest.mock.call([
'gcloud',
'iam',
'roles',
'create',
'forsetiCloudsqlViewer',
'--project',
'project1',
'--title',
'Forseti CloudSql Metadata Viewer',
'--description',
'Access to only view CloudSql resources',
'--stage',
'ALPHA',
'--permissions',
('cloudsql.backupRuns.get,cloudsql.backupRuns.list,'
'cloudsql.databases.get,cloudsql.databases.list,'
'cloudsql.instances.get,cloudsql.instances.list,'
'cloudsql.sslCerts.get,cloudsql.sslCerts.list,cloudsql.users.list'
),
]))
want_calls.append(
build_add_binding_call(
'projects/project1/roles/forsetiCloudsqlViewer'))
mock_check_output.assert_has_calls(want_calls)
def grant_access(config):
forseti.grant_access(
project_id,
config.root['forseti'][_GENERATED_FIELDS_NAME]['service_account'])
def main(argv):
del argv # Unused.
input_yaml_path = utils.normalize_path(FLAGS.project_yaml)
output_yaml_path = utils.normalize_path(FLAGS.output_yaml_path)
output_rules_path = (utils.normalize_path(FLAGS.output_rules_path)
if FLAGS.output_rules_path else None)
# Output YAML will rearrange fields and remove comments, so do a basic check
# against accidental overwriting.
if input_yaml_path == output_yaml_path:
logging.error('output_yaml_path cannot overwrite project_yaml.')
return
# Read and parse the project configuration YAML file.
root_config = utils.resolve_env_vars(utils.read_yaml_file(input_yaml_path))
if not root_config:
logging.error('Error loading project YAML.')
return
logging.info('Validating project YAML against schema.')
try:
utils.validate_config_yaml(root_config)
except jsonschema.exceptions.ValidationError as e:
logging.error('Error in YAML config: %s', e)
return
overall = root_config['overall']
audit_logs_project = root_config.get('audit_logs_project')
projects = []
# Always deploy the remote audit logs project first (if present).
if audit_logs_project:
projects.append(ProjectConfig(overall=overall,
project=audit_logs_project,
audit_logs_project=None))
forseti_config = root_config.get('forseti', {})
if forseti_config:
forseti_project_config = ProjectConfig(
overall=overall,
project=forseti_config.get('project'),
audit_logs_project=audit_logs_project)
projects.append(forseti_project_config)
for project_config in root_config.get('projects', []):
projects.append(ProjectConfig(overall=overall,
project=project_config,
audit_logs_project=audit_logs_project))
validate_project_configs(overall, projects)
# If resuming setup from a particular project, skip to that project.
if FLAGS.resume_from_project:
while (projects and
projects[0].project['project_id'] != FLAGS.resume_from_project):
skipped = projects.pop(0)
logging.info('Skipping project %s', skipped.project['project_id'])
if not projects:
logging.error('Project not found: %s', FLAGS.resume_from_project)
if projects:
starting_step = max(1, FLAGS.resume_from_step)
for config in projects:
logging.info('Setting up project %s', config.project['project_id'])
if not setup_new_project(config, starting_step):
# Don't attempt to deploy additional projects if one project failed.
return
# Fill in unset generated fields for the project and save it.
add_generated_fields(config.project)
utils.write_yaml_file(root_config, output_yaml_path)
starting_step = 1
else:
logging.error('No projects to deploy.')
# TODO: allow for forseti installation to be retried.
if forseti_config:
forseti_project_id = forseti_config['project']['project_id']
forseti_service_account = forseti_config.get('generated_fields',
{}).get('service_account')
# If the forseti block does not have generated fields from a previous
# deployment, consider Forseti to be undeployed.
# TODO: add more checks of a previous deployment.
if 'generated_fields' not in forseti_config:
forseti.install(forseti_config)
forseti_service_account = forseti.get_server_service_account(
forseti_project_id)
forseti_config['generated_fields'] = {
'service_account': forseti_service_account,
'server_bucket': forseti.get_server_bucket(forseti_project_id),
}
utils.write_yaml_file(root_config, output_yaml_path)
for project in projects:
project_id = project.project['project_id']
forseti.grant_access(project_id,
forseti_service_account)
rule_generator.run(root_config, output_path=output_rules_path)
def main(argv):
del argv # Unused.
runner.DRY_RUN = FLAGS.dry_run
runner.GCLOUD_BINARY = FLAGS.gcloud_bin
forseti.grant_access(FLAGS.project_id, FLAGS.forseti_service_account)
def main(argv): del argv # Unused. forseti.grant_access(FLAGS.project_id, FLAGS.forseti_service_account)
def grant_access(config):
service_account = config.generated_fields['forseti']['service_account']
forseti.grant_access(project_id, service_account)
