Updating helper scripts to include GKE related roles (#306)

* Updating helper scripts to include GKE related roles
forseti-security · Oct 14, 2019 · 03b71eb · 03b71eb
1 parent c0ba69c
commit 03b71eb
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 16 deletions.
diff --git a/examples/on_gke_end_to_end/README.md b/examples/on_gke_end_to_end/README.md
@@ -33,20 +33,21 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 - [Terraform](https://www.terraform.io/downloads.html) 0.12
 - [Terraform Provider for GCP](https://www.terraform.io/docs/providers/google/index.html) v2.9
 
-### Configure a Service Account
-In addition to the [roles](https://github.com/forseti-security/terraform-google-forseti#iam-roles) required for the core module function, the Service Account must have these roles for this example.
-- roles/container.admin
-- roles/iam.serviceAccountAdmin
-- roles/iam.serviceAccountKeyAdmin
-- roles/compute.networkAdmin
-- roles/resourcemanager.projectIamAdmin (only required if `service_account` is set to `create`)
-
-### Enable APIs
-In order to operate with the Service Account you must activate the following APIs on the project where the Service Account was created:
-
-- Compute Engine API - compute.googleapis.com
-- Kubernetes Engine API - container.googleapis.com
-- Container Registry API - containerregistry.googleapis.com
+### Create the Service Account and enable required APIs
+You can create the service account manually, or by running the following command:
+
+```bash
+./helpers/setup.sh -p PROJECT_ID -o ORG_ID -k
+```
+
+This will create a service account called `cloud-foundation-forseti-<suffix>`,
+give it the proper roles, and download service account credentials to
+`${PWD}/credentials.json`. Note, that using this script assumes that you are
+currently authenticated as a user that can create/authorize service accounts at
+both the organization and project levels.
+
+This script will also activate necessary APIs required for Terraform to deploy Forseti on-GKE end-to-end.
+```
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs

diff --git a/helpers/cleanup.sh b/helpers/cleanup.sh
@@ -26,6 +26,7 @@ Options:
     -o ORG_ID               The organization ID to remove roles from the Forseti service account.
     -s SERVICE_ACCOUNT_NAME The service account to remove from the project and organization IAM roles.
     -e                      Remove additional IAM roles for running the real time policy enforcer.
+    -k                      Add additional IAM roles for running Forseti on-GKE
     -f HOST_PROJECT_ID      ID of a project holding shared VPC.
 
 Examples:
@@ -41,9 +42,10 @@ ORG_ID=""
 SERVICE_ACCOUNT_NAME=""
 WITH_ENFORCER=""
 HOST_PROJECT_ID=""
+ON_GKE=""
 
 OPTIND=1
-while getopts ":hef:p:o:s:" opt; do
+while getopts ":hekf:p:o:s:" opt; do
   case "$opt" in
     h)
       show_help
@@ -61,6 +63,9 @@ while getopts ":hef:p:o:s:" opt; do
     o)
       ORG_ID="$OPTARG"
       ;;
+    k)
+      ON_GKE=1
+      ;;
     s)
       SERVICE_ACCOUNT_NAME="$OPTARG"
       ;;
@@ -192,6 +197,18 @@ gcloud projects remove-iam-policy-binding "${PROJECT_ID}" \
     --role="roles/cloudsql.admin" \
     --user-output-enabled false
 
+if [[ -n "$ON_GKE" ]]; then
+  gke_roles=("roles/container.admin" "roles/compute.networkAdmin" "roles/resourcemanager.projectIamAdmin")
+
+  echo "Removing on-GKE related roles on project $PROJECT_ID..." 
+  for gke_role in "${gke_roles[@]}"; do
+    gcloud projects remove-iam-policy-binding "${PROJECT_ID}" \
+        --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
+        --role="$gke_role" \
+        --user-output-enabled false
+  done
+fi
+
 if [[ $HOST_PROJECT_ID != "" ]];
 then
     gcloud projects remove-iam-policy-binding "${HOST_PROJECT_ID}" \

diff --git a/helpers/setup.sh b/helpers/setup.sh
@@ -25,6 +25,7 @@ Options:
     -p PROJECT_ID    The project ID where Forseti resources will be created.
     -o ORG_ID        The organization ID that Forseti will be monitoring.
     -e               Add additional IAM roles for running the real time policy enforcer.
+    -k               Add additional IAM roles for running Forseti on-GKE
     -f HOST_PROJECT_ID  ID of a project holding shared vpc.
 
 Examples:
@@ -39,9 +40,10 @@ PROJECT_ID=""
 ORG_ID=""
 WITH_ENFORCER=""
 HOST_PROJECT_ID=""
+ON_GKE=""
 
 OPTIND=1
-while getopts ":hep:f:o:" opt; do
+while getopts ":hekf:p:o:" opt; do
   case "$opt" in
     h)
       show_help
@@ -59,6 +61,9 @@ while getopts ":hep:f:o:" opt; do
     o)
       ORG_ID="$OPTARG"
       ;;
+    k)
+      ON_GKE=1
+      ;;
     *)
       echo "Unhandled option: -$opt" >&2
       show_help >&2
@@ -185,6 +190,18 @@ if [[ -n "$WITH_ENFORCER" ]]; then
   done
 fi
 
+if [[ -n "$ON_GKE" ]]; then
+  gke_roles=("roles/container.admin" "roles/compute.networkAdmin" "roles/resourcemanager.projectIamAdmin")
+
+  echo "Granting on-GKE related roles on project $PROJECT_ID..." 
+  for gke_role in "${gke_roles[@]}"; do
+    gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
+        --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
+        --role="$gke_role" \
+        --user-output-enabled false
+  done
+fi
+
 if [[ $HOST_PROJECT_ID != "" ]];
 then
     echo "Enabling services on host project"