
Add runner_deployment_project.sh REST endpoint

What does this MR do and why?

This MR updates the `projectSetupShellScript` GraphQL field and adds a twin REST endpoint at `GET /projects/:id/google_cloud/setup/runner_deployment_project.sh`. I'm not sure whether the endpoint should live under `/projects/:id/scripts/google_cloud/...` instead of here; pinging @ifarkas, who likely has an opinion on it.

EE: true

Related to #441115 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.


$ curl --url 'http://gdk.test:3000/api/v4/projects/43/google_cloud/setup/runner_deployment_project.sh?google_cloud_project_id=demo' --header "Authorization: Bearer $GITLAB_GDK_TOKEN"
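#!/bin/bash
#
# Bootstraps a Google Cloud project for GitLab Runner provisioning (GRIT):
# creates the project, enables the required APIs, defines a custom
# GRITProvisioner role, creates a provisioner service account and binds the
# role to it at project level. Every step is idempotent so the script can be
# re-run safely after a partial failure.
#
# Usage: runner_deployment_project.sh [--debug]
#   --debug  trace every command (set -x) as it runs
#
# Requires an authenticated gcloud CLI whose principal may create projects,
# enable services, and manage custom roles, service accounts and project IAM.

set -euo pipefail

if [[ "${1:-}" == "--debug" ]]; then
  set -x
  shift
fi

# NOTE(review): GitLab interpolates this literal from the
# google_cloud_project_id query parameter when it renders the script. The
# server-side validation is not visible here; it must restrict the value to
# the GCP project ID alphabet before embedding it, because by the time the
# check below runs bash has already parsed this assignment.
GOOGLE_PROJECT_ID="demo"
GRIT_PROVISIONER_SERVICE_ACCOUNT_NAME="grit-provisioner"
GRIT_PROVISIONER_ROLE_ID="GRITProvisioner"
readonly GOOGLE_PROJECT_ID GRIT_PROVISIONER_SERVICE_ACCOUNT_NAME GRIT_PROVISIONER_ROLE_ID

# Defense in depth: refuse anything outside the characters a project ID may
# contain, so an unexpected value is rejected here instead of being handed
# to gcloud as an argument. This does not replace server-side validation.
if [[ ! "$GOOGLE_PROJECT_ID" =~ ^[a-z0-9-]+$ ]]; then
  printf 'Invalid Google Cloud project ID: %s\n' "$GOOGLE_PROJECT_ID" >&2
  exit 1
fi

# Service account that will hold the provisioner role (used twice below).
readonly SA_EMAIL="${GRIT_PROVISIONER_SERVICE_ACCOUNT_NAME}@${GOOGLE_PROJECT_ID}.iam.gserviceaccount.com"

# Create the project unless it already exists. Checking first, rather than
# `create || echo "already exists"`, keeps a genuine failure (quota, missing
# permission, an ID taken by someone else) from being reported as "already
# exists" and silently continued past.
if gcloud projects describe "$GOOGLE_PROJECT_ID" >/dev/null 2>&1; then
  echo "Project $GOOGLE_PROJECT_ID already exists."
else
  gcloud projects create "$GOOGLE_PROJECT_ID" --name="$GOOGLE_PROJECT_ID"
fi

# Set up services required for runner provisioning
gcloud services enable cloudkms.googleapis.com compute.googleapis.com iam.googleapis.com cloudresourcemanager.googleapis.com --project="$GOOGLE_PROJECT_ID"

# Set up services required for runner execution
gcloud services enable iamcredentials.googleapis.com oslogin.googleapis.com --project="$GOOGLE_PROJECT_ID"

# Prepare the role definition in a private temp dir that is removed on any
# exit path (the original only cleaned up when the happy path reached rm).
# `mktemp -d` is used because the GNU-only `--directory` and the
# suffix-after-XXXX form are not accepted by BSD/macOS mktemp.
temp_dir="$(mktemp -d)"
cleanup() { rm -rf -- "${temp_dir:?}"; }
trap cleanup EXIT
provisioner_role_json_path="$temp_dir/grit-provisioner-role.json"

# NOTE(review): the role is described as a minimum set, but it includes
# resourcemanager.projects.setIamPolicy, which lets the holder rewrite the
# project's IAM policy (including granting itself further roles), and
# iam.serviceAccounts.actAs over every service account in the project.
# In practice this is close to project-admin; confirm each is required
# by the provisioner rather than being granted "just in case".
# The heredoc delimiter is quoted: nothing inside is meant to be expanded.
cat <<'EOF' > "$provisioner_role_json_path"
{
  "title": "GRITProvisioner",
  "description": "A role with minimum list of permissions required for GRIT provisioning",
  "includedPermissions": [
    "cloudkms.cryptoKeyVersions.destroy",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeys.create",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.update",
    "cloudkms.keyRings.create",
    "cloudkms.keyRings.get",
    "compute.disks.create",
    "compute.firewalls.create",
    "compute.firewalls.delete",
    "compute.firewalls.get",
    "compute.instanceGroupManagers.create",
    "compute.instanceGroupManagers.delete",
    "compute.instanceGroupManagers.get",
    "compute.instanceGroups.create",
    "compute.instanceGroups.delete",
    "compute.instanceTemplates.create",
    "compute.instanceTemplates.delete",
    "compute.instanceTemplates.get",
    "compute.instanceTemplates.useReadOnly",
    "compute.instances.create",
    "compute.instances.delete",
    "compute.instances.get",
    "compute.instances.setLabels",
    "compute.instances.setMetadata",
    "compute.instances.setServiceAccount",
    "compute.instances.setTags",
    "compute.networks.create",
    "compute.networks.delete",
    "compute.networks.get",
    "compute.networks.updatePolicy",
    "compute.subnetworks.create",
    "compute.subnetworks.delete",
    "compute.subnetworks.get",
    "compute.subnetworks.use",
    "compute.subnetworks.useExternalIp",
    "compute.zones.get",
    "iam.roles.create",
    "iam.roles.delete",
    "iam.roles.get",
    "iam.roles.list",
    "iam.roles.update",
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.create",
    "iam.serviceAccounts.delete",
    "iam.serviceAccounts.get",
    "iam.serviceAccounts.list",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.setIamPolicy",
    "storage.buckets.create",
    "storage.buckets.delete",
    "storage.buckets.get",
    "storage.buckets.getIamPolicy",
    "storage.buckets.setIamPolicy"
  ],
  "stage": "BETA"
}
EOF

# Setup of provisioning permissions. An existing role is updated from the
# same file so re-running the script after the permission list changes
# brings the role in sync instead of leaving a stale definition in place.
if gcloud iam roles describe "$GRIT_PROVISIONER_ROLE_ID" --project="$GOOGLE_PROJECT_ID" >/dev/null 2>&1; then
  echo "$GRIT_PROVISIONER_ROLE_ID role already created; updating its permissions"
  gcloud iam roles update "$GRIT_PROVISIONER_ROLE_ID" --project="$GOOGLE_PROJECT_ID" --file="$provisioner_role_json_path"
else
  gcloud iam roles create "$GRIT_PROVISIONER_ROLE_ID" --project="$GOOGLE_PROJECT_ID" --file="$provisioner_role_json_path"
fi

if gcloud iam service-accounts describe "$SA_EMAIL" --project="$GOOGLE_PROJECT_ID" >/dev/null 2>&1; then
  echo "Service account $GRIT_PROVISIONER_SERVICE_ACCOUNT_NAME already created"
else
  gcloud iam service-accounts create "$GRIT_PROVISIONER_SERVICE_ACCOUNT_NAME" --project="$GOOGLE_PROJECT_ID" \
    --display-name='GRIT provisioner' --description='Service account for GRIT provisioning'
fi

# Bind the custom role to the service account. The original used single
# quotes around these arguments, so `${...}` was passed to gcloud literally
# and the member/role never resolved; double quotes expand the variables.
gcloud projects add-iam-policy-binding \
  "$GOOGLE_PROJECT_ID" \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="projects/${GOOGLE_PROJECT_ID}/roles/${GRIT_PROVISIONER_ROLE_ID}"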
