canada-ca / accelerators_accelerateurs-gcp

[GCP] Tools and templates to accelerate GC service delivery. Outils et modèles pour accélérer la prestation de services du GC.
MIT License

adjust both sh scripts - derive project for organization and billing (no input required) #46

Open obriensystems opened 2 years ago

obriensystems commented 2 years ago
gcloud config set project lz-stg
export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export ORGANIZATION_ID=$(gcloud projects get-ancestors "$PROJECT_ID" --format='get(id)' | tail -1)
export BILLING_ID=$(gcloud alpha billing projects describe "$PROJECT_ID" '--format=value(billingAccountName)' | sed 's/.*\///')
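The snippet above takes the last ancestor as the organization and the billingAccountName tail as the billing id. The following is an added example, not the repository's bootstrap.sh and not code from this thread: it resolves the same two ids but stops with a clear error when the project has no organization ancestor or no linked billing account (the "no-org" case raised later in this issue). The `value(id,type)` output shape of `gcloud projects get-ancestors` is an assumption, and all sample ids are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the repository's bootstrap.sh: derive the organization id
# and billing-account id for a project without assuming that the last
# ancestor is an organization (a project outside any org has none).
set -eu

# Assumed input shape: one "<id><TAB><type>" line per ancestor, project first,
# as `gcloud projects get-ancestors "$PROJECT_ID" --format='value(id,type)'`
# is expected to print. Constructed sample data for offline use:
ANCESTORS_WITH_ORG="$(printf 'sample-proj\tproject\n111111111111\tfolder\n222222222222\torganization\n')"
ANCESTORS_NO_ORG="$(printf 'sample-proj\tproject\n')"

# Constructed samples of the billingAccountName field: linked, and not linked.
BILLING_LINKED="billingAccounts/AAAAAA-BBBBBB-CCCCCC"
BILLING_NONE=""

# Print the organization id when the ancestor chain contains one; otherwise
# print nothing and return 1 so the caller stops instead of using a folder id.
org_id_from_ancestors() {
    printf '%s\n' "$1" |
        awk -F'\t' '$2 == "organization" { print $1; found = 1 } END { exit !found }'
}

# Strip the billingAccounts/ prefix; an empty or unexpected value returns 1
# (project not linked to a billing account) rather than an empty id.
billing_id_from_name() {
    case "$1" in
        billingAccounts/?*) printf '%s\n' "${1#billingAccounts/}" ;;
        *) return 1 ;;
    esac
}

# Live wrapper (not run here): resolves both ids for the configured project
# and refuses to continue when either one is missing.
derive_ids_live() {
    PROJECT_ID=$(gcloud config list --format 'value(core.project)')
    ancestors=$(gcloud projects get-ancestors "$PROJECT_ID" --format='value(id,type)')
    ORG_ID=$(org_id_from_ancestors "$ancestors") ||
        { echo "project $PROJECT_ID is not under an organization" >&2; return 1; }
    billing_name=$(gcloud alpha billing projects describe "$PROJECT_ID" --format='value(billingAccountName)')
    BILLING_ID=$(billing_id_from_name "$billing_name") ||
        { echo "project $PROJECT_ID has no billing account linked" >&2; return 1; }
    export PROJECT_ID ORG_ID BILLING_ID
}
```

Because both helpers signal "not found" through their exit status, a bootstrap script can `exit` before it grants organization-level roles against a folder id or passes an empty billing id to project creation.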
obriensystems commented 2 years ago

assigned to fmichaelobrien

fmichaelobrien commented 1 year ago

verifying

admin_root@cloudshell:~$ gcloud config set project biometric-ncinfo
Updated property [core/project].
admin_root@cloudshell:~ (biometric-ncinfo)$ export REGION=northamerica-northeast1
export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
export EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
export BILLING_ID=$(gcloud alpha billing projects describe $PROJECT_ID '--format=value(billingAccountName)' | sed 's/.*\///')
admin_root@cloudshell:~ (biometric-ncinfo)$ echo $PROJECT_ID
biometric-ncinfo
admin_root@cloudshell:~ (biometric-ncinfo)$ echo $ORG_ID
93413315325
admin_root@cloudshell:~ (biometric-ncinfo)$ echo $EMAIL
admin-root@nuage-cloud.info
admin_root@cloudshell:~ (biometric-ncinfo)$ echo $BILLING_ID
01713E-16D628-13B483
obriensystems commented 1 year ago

testing

getrole()
{
    # $1 = organization id, $2 = account email; organization-level roles the bootstrap account must hold
    array=( roles/iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin roles/orgpolicy.policyAdmin roles/resourcemanager.projectCreator roles/billing.projectManager )
    for i in "${array[@]}"
    do
        echo "$i"
        ROLE=$(gcloud organizations get-iam-policy "$1" --filter="bindings.members:$2" --flatten="bindings[].members" --format="table(bindings.role)" | grep -F "$i")
        if [ -z "$ROLE" ]
        then
            # $i already carries the roles/ prefix, so it is not prepended again here
            echo "$i role missing - setting"
            gcloud organizations add-iam-policy-binding "$1" --member="user:$2" --role="$i"
        else
            echo "${ROLE} role set OK on super admin account"
        fi
    done
}

result

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
roles/roles/orgpolicy.policyAdmin role missing - setting
Updated IAM policy for organization [93413315325].
auditConfigs:
- auditLogConfigs:
  - logType: DATA_WRITE
  - logType: DATA_READ
  - logType: ADMIN_READ
  service: allServices
bindings:
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/accesscontextmanager.policyAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/bigquery.dataEditor
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/billing.admin
- members:
  - domain:nuage-cloud.info
  - user:admin-root@nuage-cloud.info
  role: roles/billing.creator
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/billing.projectManager
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/billing.user
- members:
  - group:billing_data_users@nuage-cloud.info
  - group:ssc_broker_users@nuage-cloud.info
  role: roles/billing.viewer
- members:
  - group:ssc_broker_users@nuage-cloud.info
  role: roles/cloudasset.viewer
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/compute.networkAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/compute.xpnAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/iam.organizationRoleAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/iam.serviceAccountAdmin
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/iam.serviceAccountTokenCreator
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/logging.configWriter
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/orgpolicy.policyAdmin
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/owner
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/pubsub.admin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.folderAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.organizationAdmin
- members:
  - domain:nuage-cloud.info
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.projectCreator
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectDeleter
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectIamAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectMover
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/serviceusage.serviceUsageAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/storage.admin
etag: BwXouf6_BgU=
version: 1
roles/resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
roles/billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account:  admin-root@nuage-cloud.info - proceeding
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
roles/resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
roles/billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account:  admin-root@nuage-cloud.info - proceeding
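The getrole function above matches roles with an unanchored grep and applies bindings in the same loop that checks them. The following is an added example, not the repository's bootstrap.sh and not code from this thread: it checks the same six organization-level roles with exact matching on both role and member, and prints the bindings it would add as a reviewable plan instead of applying them. The flattened `role<TAB>member` output shape of `gcloud organizations get-iam-policy` is an assumption, and the policy, identities and org id are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the repository's bootstrap.sh: check organization-level
# role bindings with exact matching and plan (not apply) the missing ones.
set -eu

# Same role list as the bootstrap script's getrole function.
REQUIRED_ROLES="roles/iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin roles/orgpolicy.policyAdmin roles/resourcemanager.projectCreator roles/billing.projectManager"

# Assumed input shape: one "<role><TAB><member>" line per binding, as
# `gcloud organizations get-iam-policy "$ORG_ID" --flatten="bindings[].members"
#   --format='value(bindings.role,bindings.members)'` is expected to print.
# Constructed sample policy (constructed identities) for offline use; note that
# orgpolicy.policyAdmin is held only by the seed service account here.
POLICY="$(printf '%s\t%s\n' \
    roles/iam.serviceAccountTokenCreator    user:admin-root@example.com \
    roles/resourcemanager.folderAdmin       user:admin-root@example.com \
    roles/resourcemanager.organizationAdmin user:admin-root@example.com \
    roles/orgpolicy.policyAdmin             serviceAccount:tfadmin@seed-project.iam.gserviceaccount.com \
    roles/resourcemanager.projectCreator    user:admin-root@example.com \
    roles/billing.projectManager            user:admin-root@example.com)"
MEMBER="user:admin-root@example.com"

# has_binding POLICY ROLE MEMBER: succeed only on an exact role+member match.
# A substring match (grep) would accept any longer role name that merely
# contains the required one, and a grant to the seed service account must not
# count for the human account.
has_binding() {
    printf '%s\n' "$1" |
        awk -F'\t' -v r="$2" -v m="$3" '$1 == r && $2 == m { found = 1 } END { exit !found }'
}

# missing_roles POLICY MEMBER ROLE...: print each required role the member
# does not hold through a direct binding, one per line.
missing_roles() {
    policy="$1"; member="$2"; shift 2
    for role in "$@"; do
        has_binding "$policy" "$role" "$member" || printf '%s\n' "$role"
    done
}

# plan_bindings ORG_ID MEMBER ROLE...: print the add-iam-policy-binding
# commands for the missing roles. The role is passed through unchanged, so
# the roles/ prefix is never doubled.
plan_bindings() {
    org="$1"; member="$2"; shift 2
    for role in "$@"; do
        printf 'gcloud organizations add-iam-policy-binding %s --member=%s --role=%s\n' \
            "$org" "$member" "$role"
    done
}

# Live wrapper (not run here): $1 = organization id, $2 = account email.
# Prints the plan; run the printed commands only after reviewing them.
check_live() {
    policy=$(gcloud organizations get-iam-policy "$1" --flatten="bindings[].members" \
        --format='value(bindings.role,bindings.members)')
    # word splitting of the role lists is intentional
    plan_bindings "$1" "user:$2" $(missing_roles "$policy" "user:$2" $REQUIRED_ROLES)
}
```

This checks direct bindings only, as the page's grep does: a role granted through a `domain:` or `group:` member (both appear in the policy dump above) also reaches the account but is not detected here, so a script that grants on "missing" can add a redundant direct binding that later outlives the group-based one.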
fmichaelobrien commented 1 year ago

Note: handle multiple billing accounts (org and no-org)