diff options
Diffstat (limited to 'lib/google_api/cloud_platform/client.rb')
-rw-r--r-- | lib/google_api/cloud_platform/client.rb | 52 |
1 files changed, 46 insertions, 6 deletions
diff --git a/lib/google_api/cloud_platform/client.rb b/lib/google_api/cloud_platform/client.rb index 9bd2309d2b7..43a2480d5b7 100644 --- a/lib/google_api/cloud_platform/client.rb +++ b/lib/google_api/cloud_platform/client.rb @@ -7,11 +7,12 @@ require 'google/apis/container_v1beta1' require 'google/apis/cloudbilling_v1' require 'google/apis/cloudresourcemanager_v1' require 'google/apis/iam_v1' +require 'google/apis/serviceusage_v1' module GoogleApi module CloudPlatform class Client < GoogleApi::Auth - SCOPE = 'https://www.googleapis.com/auth/cloud-platform' + SCOPE = 'https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/service.management' LEAST_TOKEN_LIFE_TIME = 10.minutes CLUSTER_MASTER_AUTH_USERNAME = 'admin' CLUSTER_IPV4_CIDR_BLOCK = '/16' @@ -20,6 +21,7 @@ module GoogleApi "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring" ].freeze + ROLES_LIST = %w[roles/iam.serviceAccountUser roles/artifactregistry.admin roles/cloudbuild.builds.builder roles/run.admin roles/storage.admin roles/cloudsql.admin roles/browser].freeze class << self def session_key_for_token @@ -88,11 +90,8 @@ module GoogleApi def list_projects result = [] - service = Google::Apis::CloudresourcemanagerV1::CloudResourceManagerService.new - service.authorization = access_token - - response = service.fetch_all(items: :projects) do |token| - service.list_projects + response = cloud_resource_manager_service.fetch_all(items: :projects) do |token| + cloud_resource_manager_service.list_projects end # Google API results are paged by default, so we need to iterate through @@ -130,8 +129,32 @@ module GoogleApi service.create_service_account_key(name, request_body) end + def grant_service_account_roles(gcp_project_id, email) + body = policy_request_body(gcp_project_id, email) + cloud_resource_manager_service.set_project_iam_policy(gcp_project_id, body) + end + + def enable_cloud_run(gcp_project_id) + enable_service(gcp_project_id, 'run.googleapis.com') + end + + def enable_artifacts_registry(gcp_project_id) + enable_service(gcp_project_id, 'artifactregistry.googleapis.com') + end + + def enable_cloud_build(gcp_project_id) + enable_service(gcp_project_id, 'cloudbuild.googleapis.com') + end + private + def enable_service(gcp_project_id, service_name) + name = "projects/#{gcp_project_id}/services/#{service_name}" + service = Google::Apis::ServiceusageV1::ServiceUsageService.new + service.authorization = access_token + service.enable_service(name) + end + def make_cluster_options(cluster_name, cluster_size, machine_type, legacy_abac, enable_addons) { cluster: { @@ -173,6 +196,23 @@ module GoogleApi options.header = { 'User-Agent': "GitLab/#{Gitlab::VERSION.match('(\d+\.\d+)').captures.first} (GPN:GitLab;)" } end end + + def policy_request_body(gcp_project_id, email) + policy = cloud_resource_manager_service.get_project_iam_policy(gcp_project_id) + policy.bindings = policy.bindings + additional_policy_bindings("serviceAccount:#{email}") + + Google::Apis::CloudresourcemanagerV1::SetIamPolicyRequest.new(policy: policy) + end + + def additional_policy_bindings(member) + ROLES_LIST.map do |role| + Google::Apis::CloudresourcemanagerV1::Binding.new(role: role, members: [member]) + end + end + + def cloud_resource_manager_service + @gpc_service ||= Google::Apis::CloudresourcemanagerV1::CloudResourceManagerService.new.tap { |s| s. authorization = access_token } + end end end end |