Created
September 5, 2019 05:22
simbalinux created this gist
Sep 5, 2019
@@ -0,0 +1,106 @@ #!/usr/env/bash env set -ex # define our roles to be applied to our folders declare -a folder_roles=( "roles/resourcemanager.folderAdmin" "roles/bigquery.admin" "roles/cloudfunctions.admin" "roles/cloudkms.admin" "roles/cloudsql.admin" "roles/logging.configWriter" "roles/pubsub.admin" "roles/iam.serviceAccountUser" "roles/iam.serviceAccountAdmin" "roles/storage.admin") # define our roles to be applied to our orgs declare -a org_roles=( "roles/billing.admin" "roles/billing.projectManager" "roles/iam.organizationRoleAdmin" "roles/iam.securityAdmin" "roles/resourcemanager.projectCreator") # -- create project & set current project as working project gcloud projects create ${TF_ADMIN} --folder ${TF_FOLDER_id_AUTO_SVC} --set-as-default # -- link to billing account gcloud beta billing projects link ${TF_ADMIN} \ --billing-account ${TF_VAR_billing_account} # -- create the service account gcloud iam service-accounts create ${TF_SANAME} \ --display-name ${TF_SANAME} # -- create service account keys gcloud iam service-accounts keys create ${TF_CREDS} \ --iam-account ${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com # add the array of permissions to the folder_id for role in "${folder_roles[@]}" do gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_AME} \ --member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \ --role "$role" done unset role for role in "${folder_roles[@]}" do gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_APA} \ --member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \ --role "$role" done unset role for role in "${folder_roles[@]}" do gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_EMA} \ --member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \ --role "$role" done unset role for role in "${folder_roles[@]}" do gcloud alpha resource-manager folders add-iam-policy-binding ${TF_FOLDER_id_AUTO_SVC} \ --member 
serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \ --role "$role" done unset role # -- ENABLE ALL APIS NEEDED gcloud services enable bigquery-json.googleapis.com gcloud services enable bigquerystorage.googleapis.com # -- load up the roles to be applied to the ORG for org in "${org_roles[@]}" do gcloud organizations add-iam-policy-binding ${TF_VAR_org_id} \ --member serviceAccount:${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com \ --role "$org" done # create a bucket inside our project to capture .envrc & admin.json creds gsutil mb -p ${TF_ADMIN} gs://${TF_ADMIN} # cat > backend.tf << EOF terraform { backend "gcs" { bucket = "${TF_ADMIN}" prefix = "${TF_ADMIN}/state" } } EOF ## -- enable versioning gsutil versioning set on gs://${TF_ADMIN} #-- copy secure files to bucket gsutil cp .envrc gs://${TF_ADMIN} gsutil cp ${TF_ADMIN}-admin.json gs://${TF_ADMIN}
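Review bot: The service-account key written to `${TF_CREDS}` carries every folder- and org-level admin role bound above (including `roles/iam.securityAdmin` and `roles/billing.admin`), and the final two `gsutil cp` lines upload that key file together with `.envrc` into a bucket created with plain `gsutil mb` defaults, while `set -ex` on the second line traces every expanded argument (billing account id, key path) into whatever captures stderr. Drop `-x`, assert the inputs with `: "${TF_ADMIN:?}" …` before any of them reaches a `gs://` or `--iam-account` argument (an unset `TF_ADMIN` currently expands to empty, giving `gs://` and `@.iam.gserviceaccount.com`), quote the expansions, and create the bucket with `-b on` so access is governed only by bucket IAM; whether a downloaded long-lived key is needed at all, rather than impersonation, is worth deciding before it lands in the same bucket as the Terraform state. Separately, `# cat > backend.tf << EOF` is commented out while the heredoc body and `EOF` after it are not, so if the line breaks fall where the collapsed view suggests, `terraform {` executes as a command and `set -e` aborts before versioning is enabled; the shebang `#!/usr/env/bash env` also does not resolve and should be `#!/usr/bin/env bash`. The four identical folder loops differ only in the folder id and collapse into one nested loop, as below.
```shell
#!/usr/bin/env bash
set -euo pipefail   # no -x: tracing would echo every expanded argument (billing account, key path) into the log
: "${TF_ADMIN:?}" "${TF_SANAME:?}" "${TF_CREDS:?}" "${TF_VAR_billing_account:?}" "${TF_VAR_org_id:?}"
sa="${TF_SANAME}@${TF_ADMIN}.iam.gserviceaccount.com"
# … unchanged: folder_roles / org_roles arrays, project create, billing link, service-account and key create …
for folder in "${TF_FOLDER_id_AME:?}" "${TF_FOLDER_id_APA:?}" "${TF_FOLDER_id_EMA:?}" "${TF_FOLDER_id_AUTO_SVC:?}"; do
  for role in "${folder_roles[@]}"; do
    gcloud alpha resource-manager folders add-iam-policy-binding "$folder" \
      --member "serviceAccount:${sa}" --role "$role"
  done
done
# … unchanged: services enable, org role loop …
gsutil mb -p "${TF_ADMIN}" -b on "gs://${TF_ADMIN}"   # uniform bucket-level access: no per-object ACLs
gsutil versioning set on "gs://${TF_ADMIN}"
# … unchanged: copies of .envrc and the key file …
```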