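def deploy_project_resources(config):
    """Deploys resources into the new data project.

    Builds a Deployment Manager configuration from ``config.project``, runs
    the ``data_project.py`` template, optionally adds a project-deletion lien
    and finally strips ``roles/owner`` from the Deployment Manager service
    account.

    Args:
        config: project configuration. ``config.project`` (must contain
            ``project_id`` and ``audit_logs``), ``config.overall`` and
            ``config.audit_logs_project`` are read; none of them is mutated.

    Raises:
        KeyError: if ``config.project`` has no ``audit_logs`` section.

    Side effects: creates a deployment, may create a lien, and removes one
    IAM binding. Nothing is returned.
    """
    logging.info('Deploying Project resources...')
    setup_account = utils.get_gcloud_user()
    has_organization = bool(config.overall.get('organization_id'))
    project_id = config.project['project_id']
    dm_service_account = utils.get_deployment_manager_service_account(project_id)

    # Work on a deep copy: the properties are reshaped below and the caller's
    # config must stay untouched.
    properties = copy.deepcopy(config.project)

    # Inside an organization the account running this setup should not remain
    # an owner of the data project; the name is handed to the template, which
    # presumably drops that binding (behaviour lives in the template, not here).
    properties['has_organization'] = has_organization
    if has_organization:
        properties['remove_owner_user'] = setup_account

    # The template takes either local_audit_logs or remote_audit_logs, never
    # the raw audit_logs section.
    audit_logs = properties.pop('audit_logs')
    if config.audit_logs_project:
        remote_audit_logs = {
            'audit_logs_project_id': config.audit_logs_project['project_id'],
            'logs_bigquery_dataset_id': audit_logs['logs_bigquery_dataset']['name'],
        }
        # Logs GCS bucket is not required for projects without data GCS buckets.
        if 'logs_gcs_bucket' in audit_logs:
            remote_audit_logs['logs_gcs_bucket_name'] = (
                audit_logs['logs_gcs_bucket']['name'])
        properties['remote_audit_logs'] = remote_audit_logs
    else:
        properties['local_audit_logs'] = audit_logs

    path = os.path.join(os.path.dirname(__file__), 'templates/data_project.py')
    dm_template_dict = {
        'imports': [{'path': path}],
        'resources': [{
            'type': path,
            'name': 'data_project_deployment',
            'properties': properties,
        }],
    }

    # Create the deployment.
    utils.create_new_deployment(dm_template_dict, 'data-project-deployment',
                                project_id)

    # Create a project deletion lien if requested. `liens create` adds a new
    # lien on every call, so look at the existing ones first; otherwise each
    # re-run of this setup stacks another identical lien on the project.
    if config.project.get('create_deletion_lien'):
        lien_restriction = 'resourcemanager.projects.delete'
        lien_output = runner.run_gcloud_command([
            'alpha', 'resource-manager', 'liens', 'list', '--format',
            'value(restrictions)'
        ], project_id=project_id)
        # One lien per line; gcloud's value() format joins a lien's several
        # restrictions with ';', so split on both.
        existing_restrictions = {
            restriction.strip()
            for line in lien_output.split('\n')
            for restriction in line.split(';')
        }
        if lien_restriction not in existing_restrictions:
            runner.run_gcloud_command([
                'alpha', 'resource-manager', 'liens', 'create', '--restrictions',
                lien_restriction, '--reason',
                'Automated project deletion lien deployment.'
            ], project_id=project_id)

    # Remove the Owners role from the DM service account now that deployment is
    # done. Only roles/owner is removed here; any other binding the account
    # holds stays. This line is reached only when the deployment succeeded, so
    # after a failed run the account keeps owner until the next successful run.
    # project_id=None: the project is already passed positionally.
    runner.run_gcloud_command([
        'projects', 'remove-iam-policy-binding', project_id, '--member',
        dm_service_account, '--role', 'roles/owner'
    ], project_id=None)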
def deploy_project_resources(config):
    """Deploys resources into the new data project.

    Skips entirely when ``FLAGS.enable_new_style_resources`` is set (CFT takes
    over in that mode). Otherwise it assembles the properties for the
    ``data_project.py`` Deployment Manager template from ``config.project``,
    makes sure the IAM API is on (custom roles in the template need it), runs
    the deployment, strips every role in ``_DEPLOYMENT_MANAGER_ROLES`` from
    the Deployment Manager service account and switches the IAM API back off
    if this function was the one that enabled it.

    Args:
        config: project configuration; ``config.project`` (with ``project_id``
            and ``audit_logs``), ``config.root['overall']`` and
            ``config.audit_logs_project`` are read and left unmodified.

    Raises:
        KeyError: if ``config.project`` lacks an ``audit_logs`` section.

    Note: the role removal sits inside the ``try`` body, so when
    ``run_deployment`` raises, the DM service account keeps its elevated
    bindings; only the IAM API disable in ``finally`` still runs.
    """
    if FLAGS.enable_new_style_resources:
        logging.info('Project resources will be deployed through CFT.')
        return

    acct = utils.get_gcloud_user()
    org_scoped = bool(config.root['overall'].get('organization_id'))
    proj = config.project['project_id']
    dm_member = utils.get_deployment_manager_service_account(proj)

    # Deep copy so the caller's config survives the reshaping below.
    props = copy.deepcopy(config.project)

    # In an organization the setup account is named so the template can take
    # it off the owner role (the actual removal happens in the template).
    props['has_organization'] = org_scoped
    if org_scoped:
        props['remove_owner_user'] = acct

    # Template expects local_audit_logs or remote_audit_logs, not audit_logs.
    logs_cfg = props.pop('audit_logs')
    remote_project = config.audit_logs_project
    if remote_project:
        remote = {
            'audit_logs_project_id': remote_project['project_id'],
            'logs_bigquery_dataset_id': logs_cfg['logs_bigquery_dataset']['name'],
        }
        # Logs GCS bucket is not required for projects without data GCS buckets.
        if 'logs_gcs_bucket' in logs_cfg:
            remote['logs_gcs_bucket_name'] = logs_cfg['logs_gcs_bucket']['name']
        props['remote_audit_logs'] = remote
    else:
        props['local_audit_logs'] = logs_cfg

    # Resolve each data bucket's final name; the suffix is consumed here and
    # must not reach the template.
    for bucket in props.get('data_buckets', []):
        bucket['name'] = get_data_bucket_name(bucket, proj)
        bucket.pop('name_suffix', '')

    template_path = os.path.join(os.path.dirname(__file__),
                                 'templates/data_project.py')
    deployment = {
        'imports': [{'path': template_path}],
        'resources': [{
            'type': template_path,
            'name': 'data_project_deployment',
            'properties': props,
        }],
    }

    # API iam.googleapis.com is necessary when using custom roles. Remember
    # whether we turned it on so we only turn off what we enabled.
    enabled_iam_api_here = not _is_service_enabled('iam.googleapis.com', proj)
    if enabled_iam_api_here:
        runner.run_gcloud_command(['services', 'enable', 'iam.googleapis.com'],
                                  project_id=proj)

    try:
        utils.run_deployment(deployment, 'data-project-deployment', proj)
        # Drop the DM service account's elevated roles once the deployment is
        # through. project_id=None: the project is already given positionally.
        for dm_role in _DEPLOYMENT_MANAGER_ROLES:
            runner.run_gcloud_command([
                'projects', 'remove-iam-policy-binding', proj, '--member',
                dm_member, '--role', dm_role
            ], project_id=None)
    finally:
        if enabled_iam_api_here:
            runner.run_gcloud_command(
                ['services', 'disable', 'iam.googleapis.com'], project_id=proj)
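def deploy_project_resources(config):
    """Deploys resources into the new data project.

    Assembles the properties for the ``data_project.py`` Deployment Manager
    template from ``config.project``, enables the IAM API when it is off
    (custom roles need it), runs the deployment, adds a project-deletion lien
    when requested, removes every role in ``_DEPLOYMENT_MANAGER_ROLES`` from
    the Deployment Manager service account, and finally disables the IAM API
    again if this function enabled it.

    Args:
        config: project configuration; ``config.project`` (with ``project_id``
            and ``audit_logs``), ``config.root['overall']`` and
            ``config.audit_logs_project`` are read and never mutated.

    Raises:
        KeyError: if ``config.project`` has no ``audit_logs`` section.

    Note: role removal happens inside the ``try`` body, after the deployment
    and lien steps. If either of those raises, the DM service account keeps
    its elevated bindings; only the IAM API disable in ``finally`` still runs.
    """
    setup_account = utils.get_gcloud_user()
    has_organization = bool(config.root['overall'].get('organization_id'))
    project_id = config.project['project_id']
    dm_service_account = utils.get_deployment_manager_service_account(project_id)

    # Deep copy: the properties are reshaped below, the caller's config is not.
    properties = copy.deepcopy(config.project)

    # In an organization the setup account is handed to the template so it can
    # be removed as project owner (the removal itself is done by the template).
    properties['has_organization'] = has_organization
    if has_organization:
        properties['remove_owner_user'] = setup_account

    # The template takes local_audit_logs or remote_audit_logs, not audit_logs.
    audit_logs = properties.pop('audit_logs')
    if config.audit_logs_project:
        remote_audit_logs = {
            'audit_logs_project_id': config.audit_logs_project['project_id'],
            'logs_bigquery_dataset_id': audit_logs['logs_bigquery_dataset']['name'],
        }
        # Logs GCS bucket is not required for projects without data GCS buckets.
        if 'logs_gcs_bucket' in audit_logs:
            remote_audit_logs['logs_gcs_bucket_name'] = (
                audit_logs['logs_gcs_bucket']['name'])
        properties['remote_audit_logs'] = remote_audit_logs
    else:
        properties['local_audit_logs'] = audit_logs

    path = os.path.join(os.path.dirname(__file__), 'templates/data_project.py')
    dm_template_dict = {
        'imports': [{'path': path}],
        'resources': [{
            'type': path,
            'name': 'data_project_deployment',
            'properties': properties,
        }],
    }

    # API iam.googleapis.com is necessary when using custom roles. Track whether
    # it was enabled here so only that change is reverted afterwards.
    iam_api_disable = False
    if not _is_service_enabled('iam.googleapis.com', project_id):
        runner.run_gcloud_command(['services', 'enable', 'iam.googleapis.com'],
                                  project_id=project_id)
        iam_api_disable = True

    try:
        # Create the deployment.
        utils.run_deployment(dm_template_dict, 'data-project-deployment',
                             project_id)

        # Create a project deletion lien if requested, unless one with this
        # restriction already exists (each `liens create` adds another lien).
        if config.project.get('create_deletion_lien'):
            lien_output = runner.run_gcloud_command([
                'alpha', 'resource-manager', 'liens', 'list', '--format',
                'value(restrictions)'
            ], project_id=project_id)
            # One lien per line; gcloud's value() format joins a lien's several
            # restrictions with ';'. Splitting only on newlines would miss a
            # lien that carries _LIEN_RESTRICTION alongside other restrictions
            # and create a duplicate, so split on both and strip whitespace.
            existing_restrictions = {
                restriction.strip()
                for line in lien_output.split('\n')
                for restriction in line.split(';')
            }
            if _LIEN_RESTRICTION not in existing_restrictions:
                runner.run_gcloud_command([
                    'alpha', 'resource-manager', 'liens', 'create',
                    '--restrictions', _LIEN_RESTRICTION, '--reason',
                    'Automated project deletion lien deployment.'
                ], project_id=project_id)

        # Strip the DM service account's elevated roles now that deployment is
        # through. project_id=None: the project is already passed positionally.
        for role in _DEPLOYMENT_MANAGER_ROLES:
            runner.run_gcloud_command([
                'projects', 'remove-iam-policy-binding', project_id, '--member',
                dm_service_account, '--role', role
            ], project_id=None)
    finally:
        # Disable iam.googleapis.com only if it was enabled in this function.
        if iam_api_disable:
            runner.run_gcloud_command(
                ['services', 'disable', 'iam.googleapis.com'],
                project_id=project_id)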