-
Notifications
You must be signed in to change notification settings - Fork 26
/
teardown_gcp_authz.yml
121 lines (113 loc) · 5.31 KB
/
teardown_gcp_authz.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
---
# Copyright 2021 Cloudera, Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Delete CDP Cross Account Access during Teardown
when: plat__teardown_deletes_credential
cloudera.cloud.env_cred:
state: absent
name: "{{ plat__xacccount_credential_name }}"
- name: Remove GCP Cross Account Service Account Keys during Teardown
when:
- plat__gcp_xaccount_keys is defined
- __gcp_xaccount_key_item.keyType == 'USER_MANAGED'
loop: "{{ plat__gcp_xaccount_keys }}"
loop_control:
loop_var: __gcp_xaccount_key_item
command: >
gcloud iam service-accounts keys delete
{{ __gcp_xaccount_key_item.name.split('/')[-1] }}
--iam-account "{{ plat__gcp_xaccount_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
- name: Remove GCP Cross Account Service Account
when: plat__teardown_deletes_xaccount
google.cloud.gcp_iam_service_account:
name: "{{ plat__gcp_xaccount_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
project: "{{ plat__gcp_project }}"
state: absent
- name: Tear down GCP Custom Log Role
when: plat__teardown_deletes_gcp_custom_roles
register: __gcp_role_teardown
failed_when:
- __gcp_role_teardown.msg is defined
- "'GCP returned error' in __gcp_role_teardown.msg"
- "'it is already deleted' not in __gcp_role_teardown.msg"
google.cloud.gcp_iam_role:
name: "{{ plat__gcp_log_role_name }}"
project: "{{ plat__gcp_project }}"
state: absent
- name: Tear down Operational GCP Service Accounts
when: plat__teardown_deletes_roles
loop_control:
loop_var: __gcp_identity_item
loop:
- "{{ plat__gcp_log_identity_name }}"
- "{{ plat__gcp_datalakeadmin_identity_name }}"
- "{{ plat__gcp_ranger_audit_identity_name }}"
- "{{ plat__gcp_idbroker_identity_name }}"
google.cloud.gcp_iam_service_account:
name: "{{ __gcp_identity_item }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
project: "{{ plat__gcp_project }}"
state: absent
- name: Tear down Operational GCP Service Accounts Policies
when: plat__teardown_deletes_policies
register: __gcp_service_account_teardown
loop_control:
loop_var: __gcp_binding_item
label: __gcp_binding_item.member
failed_when:
- __gcp_service_account_teardown.rc == 1
- "'Policy bindings with the specified member and role not found!' not in __gcp_service_account_teardown.stderr"
loop:
# Logs
- member: "serviceAccount:{{ plat__gcp_log_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
role: "projects/{{ plat__gcp_project }}/roles/{{ plat__gcp_log_role_name }}"
# Data Access
- member: "serviceAccount:{{ plat__gcp_datalakeadmin_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
role: "{{ plat__gcp_roles.storage_admin }}"
- member: "serviceAccount:{{ plat__gcp_datalakeadmin_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
role: "{{ plat__gcp_roles.storage_object_admin }}"
# Ranger Audit
- member: "serviceAccount:{{ plat__gcp_ranger_audit_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
role: "{{ plat__gcp_roles.storage_object_admin }}"
# ID Broker / Assumer Role
- member: "serviceAccount:{{ plat__gcp_idbroker_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
role: "{{ plat__gcp_roles.iam_workload_identity_user }}"
- member: "serviceAccount:{{ plat__gcp_idbroker_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
role: "{{ plat__gcp_roles.iam_service_account_user }}"
- member: "serviceAccount:{{ plat__gcp_idbroker_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
role: "{{ plat__gcp_roles.iam_service_account_token_creator }}"
command: >
gcloud projects
remove-iam-policy-binding {{ plat__gcp_project }}
--member={{ __gcp_binding_item.member |quote }}
--role={{ __gcp_binding_item.role |quote }}
--all
- name: Tear down GCP Storage Policies
when: plat__teardown_deletes_policies
register: __gcp_storage_policy_teardown
loop_control:
loop_var: __gcp_pol_item
failed_when:
- __gcp_storage_policy_teardown.rc == 1
- "'BucketNotFoundException:' not in __gcp_storage_policy_teardown.stderr"
loop:
- account: "serviceAccount:{{ plat__gcp_log_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
bucket: "{{ plat__gcp_storage_location_logs }}"
- account: "serviceAccount:{{ plat__gcp_datalakeadmin_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
bucket: "{{ plat__gcp_storage_location_data }}"
- account: "serviceAccount:{{ plat__gcp_ranger_audit_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
bucket: "{{ plat__gcp_storage_location_data }}"
command: >
gsutil iam
ch -d {{ __gcp_pol_item.account |quote }}
gs://{{ __gcp_pol_item.bucket |quote }}