Provision default compute service account (#6797)

tonyjhuang · web-flow · commit 9dc6d38f629a · 2024-02-21T14:02:54.000-05:00
* initial change

* update

* update tests

* lint

* lint

* lint

* fix test
diff --git a/src/commands/apphosting-backends-create.ts b/src/commands/apphosting-backends-create.ts
@@ -8,10 +8,16 @@ import { ensureApiEnabled } from "../gcp/apphosting";
 export const command = new Command("apphosting:backends:create")
   .description("Create a backend in a Firebase project")
   .option("-l, --location <location>", "Specify the region of the backend", "")
+  .option(
+    "-s, --service-account <serviceAccount>",
+    "Specify the service account used to run the server",
+    "",
+  )
   .before(ensureApiEnabled)
   .before(requireInteractive)
   .action(async (options: Options) => {
     const projectId = needProjectId(options);
     const location = options.location;
-    await doSetup(projectId, location as string | null);
+    const serviceAccount = options.serviceAccount;
+    await doSetup(projectId, location as string | null, serviceAccount as string | null);
   });
diff --git a/src/gcp/apphosting.ts b/src/gcp/apphosting.ts
@@ -41,6 +41,7 @@ export interface Backend {
   createTime: string;
   updateTime: string;
   uri: string;
+  computeServiceAccount?: string;
 }
 
 export type BackendOutputOnlyFields = "name" | "createTime" | "updateTime" | "uri";
diff --git a/src/init/features/apphosting/index.ts b/src/init/features/apphosting/index.ts
@@ -12,6 +12,8 @@ import {
   Build,
   Rollout,
 } from "../../../gcp/apphosting";
+import { addServiceAccountToRoles } from "../../../gcp/resourceManager";
+import { createServiceAccount } from "../../../gcp/iam";
 import { Repository } from "../../../gcp/cloudbuild";
 import { FirebaseError } from "../../../error";
 import { promptOnce } from "../../../prompt";
@@ -20,6 +22,8 @@ import { ensure } from "../../../ensureApiEnabled";
 import * as deploymentTool from "../../../deploymentTool";
 import { DeepOmit } from "../../../metaprogramming";
 
+const DEFAULT_COMPUTE_SERVICE_ACCOUNT_NAME = "firebase-app-hosting-compute";
+
 const apphostingPollerOptions: Omit<poller.OperationPollerOptions, "operationResourceName"> = {
   apiOrigin: apphostingOrigin,
   apiVersion: API_VERSION,
@@ -30,7 +34,11 @@ const apphostingPollerOptions: Omit<poller.OperationPollerOptions, "operationRes
 /**
  * Set up a new App Hosting backend.
  */
-export async function doSetup(projectId: string, location: string | null): Promise<void> {
+export async function doSetup(
+  projectId: string,
+  location: string | null,
+  serviceAccount: string | null,
+): Promise<void> {
   await Promise.all([
     ensure(projectId, "cloudbuild.googleapis.com", "apphosting", true),
     ensure(projectId, "secretmanager.googleapis.com", "apphosting", true),
@@ -73,7 +81,13 @@ export async function doSetup(projectId: string, location: string | null): Promi
 
   const cloudBuildConnRepo = await repo.linkGitHubRepository(projectId, location);
 
-  const backend = await createBackend(projectId, location, backendId, cloudBuildConnRepo);
+  const backend = await createBackend(
+    projectId,
+    location,
+    backendId,
+    cloudBuildConnRepo,
+    serviceAccount,
+  );
 
   // TODO: Once tag patterns are implemented, prompt which method the user
   // prefers. We could reduce the number of questions asked by letting people
@@ -137,31 +151,83 @@ async function promptNewBackendId(
   }
 }
 
+function defaultComputeServiceAccountEmail(projectId: string): string {
+  return `${DEFAULT_COMPUTE_SERVICE_ACCOUNT_NAME}@${projectId}.iam.gserviceaccount.com`;
+}
+
 /**
- * Creates (and waits for) a new backend.
+ * Creates (and waits for) a new backend. Optionally may create the default compute service account if
+ * it was requested and doesn't exist.
  */
 export async function createBackend(
   projectId: string,
   location: string,
   backendId: string,
   repository: Repository,
+  serviceAccount: string | null,
 ): Promise<Backend> {
+  const defaultServiceAccount = defaultComputeServiceAccountEmail(projectId);
   const backendReqBody: Omit<Backend, BackendOutputOnlyFields> = {
     servingLocality: "GLOBAL_ACCESS",
     codebase: {
       repository: `${repository.name}`,
       rootDirectory: "/",
     },
     labels: deploymentTool.labels(),
+    computeServiceAccount: serviceAccount || defaultServiceAccount,
   };
 
-  const op = await apphosting.createBackend(projectId, location, backendReqBody, backendId);
-  const backend = await poller.pollOperation<Backend>({
-    ...apphostingPollerOptions,
-    pollerName: `create-${projectId}-${location}-${backendId}`,
-    operationResourceName: op.name,
-  });
-  return backend;
+  // TODO: remove computeServiceAccount when the backend supports the field.
+  delete backendReqBody.computeServiceAccount;
+
+  async function createBackendAndPoll() {
+    const op = await apphosting.createBackend(projectId, location, backendReqBody, backendId);
+    return await poller.pollOperation<Backend>({
+      ...apphostingPollerOptions,
+      pollerName: `create-${projectId}-${location}-${backendId}`,
+      operationResourceName: op.name,
+    });
+  }
+
+  try {
+    return await createBackendAndPoll();
+  } catch (err: any) {
+    if (err.status === 403 && err.message.includes(defaultServiceAccount)) {
+      // Create the default service account if it doesn't exist and try again.
+      await provisionDefaultComputeServiceAccount(projectId);
+      return await createBackendAndPoll();
+    }
+    throw err;
+  }
+}
+
+async function provisionDefaultComputeServiceAccount(projectId: string): Promise<void> {
+  try {
+    await createServiceAccount(
+      projectId,
+      DEFAULT_COMPUTE_SERVICE_ACCOUNT_NAME,
+      "Firebase App Hosting compute service account",
+      "Default service account used to run builds and deploys for Firebase App Hosting",
+    );
+  } catch (err: any) {
+    // 409 Already Exists errors can safely be ignored.
+    if (err.status !== 409) {
+      throw err;
+    }
+  }
+  await addServiceAccountToRoles(
+    projectId,
+    defaultComputeServiceAccountEmail(projectId),
+    [
+      // TODO: Update to roles/firebaseapphosting.computeRunner when it is available.
+      "roles/firebaseapphosting.viewer",
+      "roles/artifactregistry.createOnPushWriter",
+      "roles/logging.logWriter",
+      "roles/storage.objectAdmin",
+      "roles/firebase.sdkAdminServiceAgent",
+    ],
+    /* skipAccountLookup= */ true,
+  );
 }
 
 /**
diff --git a/src/test/init/apphosting/index.spec.ts b/src/test/init/apphosting/index.spec.ts
@@ -2,16 +2,21 @@ import * as sinon from "sinon";
 import { expect } from "chai";
 
 import * as apphosting from "../../../gcp/apphosting";
+import * as iam from "../../../gcp/iam";
+import * as resourceManager from "../../../gcp/resourceManager";
 import * as poller from "../../../operation-poller";
 import { createBackend, setDefaultTrafficPolicy } from "../../../init/features/apphosting/index";
 import * as deploymentTool from "../../../deploymentTool";
+import { FirebaseError } from "../../../error";
 
 describe("operationsConverter", () => {
   const sandbox: sinon.SinonSandbox = sinon.createSandbox();
 
   let pollOperationStub: sinon.SinonStub;
   let createBackendStub: sinon.SinonStub;
   let updateTrafficStub: sinon.SinonStub;
+  let createServiceAccountStub: sinon.SinonStub;
+  let addServiceAccountToRolesStub: sinon.SinonStub;
 
   beforeEach(() => {
     pollOperationStub = sandbox
@@ -23,6 +28,12 @@ describe("operationsConverter", () => {
     updateTrafficStub = sandbox
       .stub(apphosting, "updateTraffic")
       .throws("Unexpected updateTraffic call");
+    createServiceAccountStub = sandbox
+      .stub(iam, "createServiceAccount")
+      .throws("Unexpected createServiceAccount call");
+    addServiceAccountToRolesStub = sandbox
+      .stub(resourceManager, "addServiceAccountToRoles")
+      .throws("Unexpected addServiceAccountToRoles call");
   });
 
   afterEach(() => {
@@ -54,24 +65,86 @@ describe("operationsConverter", () => {
       updateTime: "1",
     };
 
-    const backendInput: Omit<apphosting.Backend, apphosting.BackendOutputOnlyFields> = {
-      servingLocality: "GLOBAL_ACCESS",
-      codebase: {
-        repository: cloudBuildConnRepo.name,
-        rootDirectory: "/",
-      },
-      labels: deploymentTool.labels(),
-    };
-
     it("should create a new backend", async () => {
       createBackendStub.resolves(op);
       pollOperationStub.resolves(completeBackend);
 
-      await createBackend(projectId, location, backendId, cloudBuildConnRepo);
-
+      await createBackend(
+        projectId,
+        location,
+        backendId,
+        cloudBuildConnRepo,
+        "custom-service-account",
+      );
+
+      const backendInput: Omit<apphosting.Backend, apphosting.BackendOutputOnlyFields> = {
+        servingLocality: "GLOBAL_ACCESS",
+        codebase: {
+          repository: cloudBuildConnRepo.name,
+          rootDirectory: "/",
+        },
+        labels: deploymentTool.labels(),
+      };
       expect(createBackendStub).to.be.calledWith(projectId, location, backendInput);
     });
 
+    it("should provision the default compute service account", async () => {
+      createBackendStub.resolves(op);
+      pollOperationStub
+        // Initial CreateBackend operation should throw a permission denied to trigger service account creation.
+        .onFirstCall()
+        .throws(
+          new FirebaseError(
+            `missing actAs permission on firebase-app-hosting-compute@${projectId}.iam.gserviceaccount.com`,
+            { status: 403 },
+          ),
+        )
+        .onSecondCall()
+        .resolves(completeBackend);
+      createServiceAccountStub.resolves({});
+      addServiceAccountToRolesStub.resolves({});
+
+      await createBackend(
+        projectId,
+        location,
+        backendId,
+        cloudBuildConnRepo,
+        /* serviceAccount= */ null,
+      );
+
+      // CreateBackend should be called twice; once initially and once after the service account was created
+      expect(createBackendStub).to.be.calledTwice;
+      expect(createServiceAccountStub).to.be.calledOnce;
+      expect(addServiceAccountToRolesStub).to.be.calledOnce;
+    });
+
+    it("does not try to provision a custom service account", () => {
+      createBackendStub.resolves(op);
+      pollOperationStub
+        // Initial CreateBackend operation should throw a permission denied to
+        // potentially trigger service account creation.
+        .onFirstCall()
+        .throws(
+          new FirebaseError("missing actAs permission on my-service-account", { status: 403 }),
+        )
+        .onSecondCall()
+        .resolves(completeBackend);
+
+      expect(
+        createBackend(
+          projectId,
+          location,
+          backendId,
+          cloudBuildConnRepo,
+          /* serviceAccount= */ "my-service-account",
+        ),
+      ).to.be.rejectedWith(FirebaseError, "missing actAs permission on my-service-account");
+
+      expect(createBackendStub).to.be.calledOnce;
+      expect(createServiceAccountStub).to.not.have.been.called;
+      expect(addServiceAccountToRolesStub).to.not.have.been.called;
+    });
+
     it("should set default rollout policy to 100% all at once", async () => {
       const completeTraffic: apphosting.Traffic = {
         name: `projects/${projectId}/locations/${location}/backends/${backendId}/traffic`,

Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,7 @@ export interface Backend {`
`41`	`41`	`createTime: string;`
`42`	`42`	`updateTime: string;`
`43`	`43`	`uri: string;`
	`44`	`+ computeServiceAccount?: string;`
`44`	`45`	`}`
`45`	`46`
`46`	`47`	`export type BackendOutputOnlyFields = "name" \| "createTime" \| "updateTime" \| "uri";`