Add runner_deployment_project.sh REST endpoint
What does this MR do and why?
This MR updates the `projectSetupShellScript` GraphQL field and adds an equivalent REST endpoint at `GET /projects/:id/google_cloud/setup/runner_deployment_project.sh`. I am not sure whether the endpoint should live under `/projects/:id/scripts/google_cloud/...` instead — pinging @ifarkas, who likely has an opinion. Note that the `google_cloud_project_id` query parameter is rendered straight into the returned script (`GOOGLE_PROJECT_ID="demo"` in the example below), so the endpoint has to validate it as a Google Cloud project ID before templating; otherwise a crafted value would change the script the user executes.
EE: true
Related to #441115 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
$ curl --url 'http://gdk.test:3000/api/v4/projects/43/google_cloud/setup/runner_deployment_project.sh?google_cloud_project_id=demo' --header "Authorization: Bearer $GITLAB_GDK_TOKEN"
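#!/bin/bash
# Prepares a Google Cloud project for GitLab runner provisioning (GRIT):
# creates the project, enables the required APIs, creates a custom
# least-privilege role and a provisioner service account, and binds the two.
#
# Usage: runner_deployment_project.sh [--debug]
#   --debug   trace every command (set -x) before running it
#
# Requires an authenticated `gcloud` CLI that may create projects, custom
# roles and service accounts, and set the project's IAM policy.
set -euo pipefail

if [[ "${1:-}" == "--debug" ]]; then
  set -x
  shift
fi

# NOTE(review): this value is rendered server-side from the request's
# `google_cloud_project_id` parameter, so the server must validate it as a
# Google Cloud project ID before templating — a check inside this script
# runs too late to guard the assignment itself.
GOOGLE_PROJECT_ID="demo"
GRIT_PROVISIONER_SERVICE_ACCOUNT_NAME="grit-provisioner"
GRIT_PROVISIONER_ROLE_ID="GRITProvisioner"
readonly GOOGLE_PROJECT_ID GRIT_PROVISIONER_SERVICE_ACCOUNT_NAME GRIT_PROVISIONER_ROLE_ID

# Create a new project.
# The `|| echo` keeps re-runs idempotent, but it also hides every other
# failure (quota, missing permission, invalid ID); later steps then fail.
gcloud projects create "$GOOGLE_PROJECT_ID" --name="$GOOGLE_PROJECT_ID" || echo "Project $GOOGLE_PROJECT_ID already exists."

# Set up services required for runner provisioning
gcloud services enable cloudkms.googleapis.com compute.googleapis.com iam.googleapis.com cloudresourcemanager.googleapis.com --project="$GOOGLE_PROJECT_ID"

# Set up services required for runner execution
gcloud services enable iamcredentials.googleapis.com oslogin.googleapis.com --project="$GOOGLE_PROJECT_ID"

# Prepare roles permissions definition file in a private temp dir that is
# removed on every exit path, not only after a successful role creation.
temp_dir="$(mktemp -d)"
trap 'rm -rf -- "${temp_dir:?}"' EXIT
provisioner_role_json_path="${temp_dir}/grit-provisioner-role.json"

# NOTE(review): several permissions below let the provisioner reach beyond
# this role — resourcemanager.projects.setIamPolicy can grant any role on the
# project, iam.roles.update can widen this custom role, and
# iam.serviceAccounts.actAs permits acting as other service accounts.
# Keep the list minimal and review additions carefully.
cat <<'EOF' > "$provisioner_role_json_path"
{
  "title": "GRITProvisioner",
  "description": "A role with minimum list of permissions required for GRIT provisioning",
  "includedPermissions": [
    "cloudkms.cryptoKeyVersions.destroy",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeys.create",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.update",
    "cloudkms.keyRings.create",
    "cloudkms.keyRings.get",
    "compute.disks.create",
    "compute.firewalls.create",
    "compute.firewalls.delete",
    "compute.firewalls.get",
    "compute.instanceGroupManagers.create",
    "compute.instanceGroupManagers.delete",
    "compute.instanceGroupManagers.get",
    "compute.instanceGroups.create",
    "compute.instanceGroups.delete",
    "compute.instanceTemplates.create",
    "compute.instanceTemplates.delete",
    "compute.instanceTemplates.get",
    "compute.instanceTemplates.useReadOnly",
    "compute.instances.create",
    "compute.instances.delete",
    "compute.instances.get",
    "compute.instances.setLabels",
    "compute.instances.setMetadata",
    "compute.instances.setServiceAccount",
    "compute.instances.setTags",
    "compute.networks.create",
    "compute.networks.delete",
    "compute.networks.get",
    "compute.networks.updatePolicy",
    "compute.subnetworks.create",
    "compute.subnetworks.delete",
    "compute.subnetworks.get",
    "compute.subnetworks.use",
    "compute.subnetworks.useExternalIp",
    "compute.zones.get",
    "iam.roles.create",
    "iam.roles.delete",
    "iam.roles.get",
    "iam.roles.list",
    "iam.roles.update",
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.create",
    "iam.serviceAccounts.delete",
    "iam.serviceAccounts.get",
    "iam.serviceAccounts.list",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.setIamPolicy",
    "storage.buckets.create",
    "storage.buckets.delete",
    "storage.buckets.get",
    "storage.buckets.getIamPolicy",
    "storage.buckets.setIamPolicy"
  ],
  "stage": "BETA"
}
EOF

# Setup of provisioning permissions.
# An existing role is left untouched: if its permission list has drifted from
# the file above, this script does not reconcile it.
gcloud iam roles create "$GRIT_PROVISIONER_ROLE_ID" --project="$GOOGLE_PROJECT_ID" --file="$provisioner_role_json_path" || \
  echo "$GRIT_PROVISIONER_ROLE_ID role already created"

gcloud iam service-accounts create "$GRIT_PROVISIONER_SERVICE_ACCOUNT_NAME" --project="$GOOGLE_PROJECT_ID" \
  --display-name='GRIT provisioner' --description='Service account for GRIT provisioning' || \
  echo "Service account $GRIT_PROVISIONER_SERVICE_ACCOUNT_NAME already created"

# Bind the custom role to the service account. Double quotes are required:
# inside single quotes the ${...} placeholders are passed to gcloud literally,
# so the binding targets a member and role that do not exist.
gcloud projects add-iam-policy-binding \
  "$GOOGLE_PROJECT_ID" \
  --member="serviceAccount:${GRIT_PROVISIONER_SERVICE_ACCOUNT_NAME}@${GOOGLE_PROJECT_ID}.iam.gserviceaccount.com" \
  --role="projects/${GOOGLE_PROJECT_ID}/roles/${GRIT_PROVISIONER_ROLE_ID}"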