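#!/bin/bash
# Script to add IAM policy bindings to a service account in GCP
# Takes GCP Parent (organizations/123, folders/456, or projects/my-project) and Overmind service account as arguments
#
# Usage: ./overmind-gcp-source-setup.sh <parent> <service-account-email>
#
# NOTE: The Overmind service account should be the service account email presented
# in the Overmind application when creating a new GCP source.
#
# Side effects:
#   - writes ./.gcp-source-setup-env in the current directory (sourced by other scripts)
#   - for project parents, creates the custom role overmindCustomRole when it does not exist yet
#   - adds one IAM policy binding per role to the given service account
# Exit status: 0 on success or when the user declines the confirmation prompt,
#              1 on argument validation failure or when any gcloud step fails.
set -euo pipefail # Exit on error, undefined vars, and pipe failures

readonly ENV_FILE="./.gcp-source-setup-env"
readonly CUSTOM_ROLE_ID="overmindCustomRole"

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
  printf 'ERROR: Both parent and service account email are required\n' >&2
  printf 'Usage: %s <parent> <service-account-email>\n' "$0" >&2
  printf 'Parent format: organizations/123, folders/456, or projects/my-project\n' >&2
  exit 1
}

#######################################
# Add one IAM policy binding for the Overmind service account.
# The gcloud command is executed exactly once: its stderr is captured and only
# shown when the binding fails, so a failed (mutating) call is never re-run
# just to display its error output.
# Globals:   GCP_OVERMIND_SA (read)
# Arguments: $1 - role to bind (predefined or projects/<id>/roles/<name>)
#            $@ - remaining args: the gcloud add-iam-policy-binding command
#                 and its resource id, e.g. gcloud projects add-iam-policy-binding <id>
# Outputs:   gcloud's error output to stderr on failure
# Returns:   0 on success, 1 on failure
#######################################
add_binding() {
  local role=$1
  shift
  local err
  # 2>&1 >/dev/null: stderr goes into $err, stdout is discarded.
  if err=$("$@" \
    --member="serviceAccount:${GCP_OVERMIND_SA}" \
    --role="${role}" \
    --quiet 2>&1 >/dev/null); then
    return 0
  fi
  printf '%s\n' "${err}" >&2
  return 1
}

# Check if both arguments are provided
if [[ $# -ne 2 ]]; then
  usage
fi

# Get arguments
GCP_PARENT="$1"
GCP_OVERMIND_SA="$2"

# Check if GCP_PARENT is empty
if [[ -z "${GCP_PARENT}" ]]; then
  die "GCP Parent cannot be empty"
fi

# Check if GCP_OVERMIND_SA is empty
if [[ -z "${GCP_OVERMIND_SA}" ]]; then
  echo "ERROR: Overmind service account email cannot be empty" >&2
  echo "NOTE: Use the service account email presented in the Overmind application when creating a GCP source" >&2
  exit 1
fi

# The service account email is interpolated into gcloud arguments and written
# into a shell file that other scripts `source`, so restrict it to the
# characters an email address can contain (no quotes, $, backticks, whitespace).
if [[ ! "${GCP_OVERMIND_SA}" =~ ^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$ ]]; then
  die "Invalid service account email format: ${GCP_OVERMIND_SA}"
fi

# Parse parent to determine type and ID. The regexes also bound what PARENT_ID
# can contain, which keeps it safe to interpolate into commands and the env file.
PARENT="${GCP_PARENT}"
if [[ ${PARENT} =~ ^organizations?/([0-9]+)$ ]]; then
  PARENT_TYPE="organization"
  PARENT_ID="${BASH_REMATCH[1]}"
elif [[ ${PARENT} =~ ^folders?/([0-9]+)$ ]]; then
  PARENT_TYPE="folder"
  PARENT_ID="${BASH_REMATCH[1]}"
elif [[ ${PARENT} =~ ^projects?/([a-z][a-z0-9-]*[a-z0-9])$ ]]; then
  PARENT_TYPE="project"
  PARENT_ID="${BASH_REMATCH[1]}"
else
  echo "✗ Invalid parent format: ${PARENT}" >&2
  echo "Must be: organizations/123, folders/456, or projects/my-project" >&2
  exit 1
fi
echo "Detected parent type: ${PARENT_TYPE}"
echo "Parent ID: ${PARENT_ID}"

# Save the variables to a local file for other scripts to use.
# All four values have been validated above, so the double-quoted form is safe to source.
{
  printf 'export GCP_PARENT="%s"\n' "${GCP_PARENT}"
  printf 'export GCP_PARENT_TYPE="%s"\n' "${PARENT_TYPE}"
  printf 'export GCP_PARENT_ID="%s"\n' "${PARENT_ID}"
  printf 'export GCP_OVERMIND_SA="%s"\n' "${GCP_OVERMIND_SA}"
} > "${ENV_FILE}"
echo "Using GCP Parent: ${GCP_PARENT}"
echo "Service Account: ${GCP_OVERMIND_SA}"

# @generator:inline-start:overmind-gcp-roles.sh
# This block is replaced with inlined role definitions during TypeScript generation
source "$(dirname "$0")/overmind-gcp-roles.sh"
# @generator:inline-end
# The sourced/inlined file is expected to define the ROLES and
# PROJECT_ONLY_ROLES arrays used below.

# The add-iam-policy-binding command depends only on the parent type, so build
# it once as an array (no word-splitting surprises) rather than per role.
case "${PARENT_TYPE}" in
  organization) BIND_CMD=(gcloud organizations add-iam-policy-binding "${PARENT_ID}") ;;
  folder) BIND_CMD=(gcloud resource-manager folders add-iam-policy-binding "${PARENT_ID}") ;;
  *) BIND_CMD=(gcloud projects add-iam-policy-binding "${PARENT_ID}") ;;
esac

# For project-level parents, create custom role
if [[ "${PARENT_TYPE}" == "project" ]]; then
  echo "Creating custom role for additional BigQuery and Spanner permissions..."
  if create_err=$(gcloud iam roles create "${CUSTOM_ROLE_ID}" \
      --project="${PARENT_ID}" \
      --title="Overmind Custom Role" \
      --description="Custom role for Overmind service account with additional BigQuery and Spanner permissions" \
      --permissions="bigquery.transfers.get,spanner.databases.get,spanner.databases.list" \
      --quiet 2>&1 >/dev/null); then
    echo "✓ Successfully created custom role: ${CUSTOM_ROLE_ID}"
  elif gcloud iam roles describe "${CUSTOM_ROLE_ID}" --project="${PARENT_ID}" >/dev/null 2>&1; then
    # Creation failed but the role is readable: treat as "already exists".
    echo "ℹ Custom role already exists, continuing..."
  else
    # Neither create nor describe worked (e.g. missing permission on the
    # project); stop here instead of failing later at the binding step.
    printf '%s\n' "${create_err}" >&2
    die "Failed to create custom role ${CUSTOM_ROLE_ID} in project ${PARENT_ID}"
  fi
fi

# Display the roles that will be added
echo ""
echo "This script will assign the following predefined GCP roles to ${GCP_OVERMIND_SA} on the ${PARENT_TYPE} ${PARENT_ID}:"
echo ""
for ROLE in "${ROLES[@]}"; do
  echo " - ${ROLE}"
done
if [[ "${PARENT_TYPE}" == "project" ]]; then
  for ROLE in "${PROJECT_ONLY_ROLES[@]}"; do
    echo " - ${ROLE} (project-level only)"
  done
  echo " - projects/${PARENT_ID}/roles/${CUSTOM_ROLE_ID} (custom role with additional BigQuery and Spanner permissions)"
fi
echo ""
echo "These permissions are read-only and allow Overmind to inspect your GCP resources without making any changes."
echo ""

# Ask for confirmation (read -r so a backslash in the answer is not interpreted;
# EOF on stdin, e.g. a non-interactive run, is treated as an error).
read -r -p "Do you want to continue? (Yes/No): " CONFIRMATION || die "No confirmation received"
# Accept "y" or "yes" in any letter case.
if [[ ! "${CONFIRMATION}" =~ ^([Yy]|[Yy][Ee][Ss])$ ]]; then
  echo "Operation canceled by user."
  exit 0
fi

# Counter for successful operations
SUCCESS_COUNT=0
TOTAL_ROLES=${#ROLES[@]}
echo ""
echo "Starting to add IAM policy bindings..."
echo "----------------------------------------"

# Loop through each role and add the policy binding
for ROLE in "${ROLES[@]}"; do
  echo "Adding role: ${ROLE}"
  if add_binding "${ROLE}" "${BIND_CMD[@]}"; then
    echo "✓ Successfully added role: ${ROLE}"
    SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
  else
    die "Failed to add role: ${ROLE}"
  fi
done

# Add project-only roles and the custom role if parent is a project
# (BIND_CMD is the projects variant here).
if [[ "${PARENT_TYPE}" == "project" ]]; then
  echo "Adding project-level-only IAM roles..."
  for ROLE in "${PROJECT_ONLY_ROLES[@]}"; do
    echo "Adding role: ${ROLE}"
    if add_binding "${ROLE}" "${BIND_CMD[@]}"; then
      echo "✓ Successfully added role: ${ROLE}"
      SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
      TOTAL_ROLES=$((TOTAL_ROLES + 1))
    else
      die "Failed to add role: ${ROLE}"
    fi
  done

  CUSTOM_ROLE="projects/${PARENT_ID}/roles/${CUSTOM_ROLE_ID}"
  echo "Adding custom role: ${CUSTOM_ROLE}"
  if add_binding "${CUSTOM_ROLE}" "${BIND_CMD[@]}"; then
    echo "✓ Successfully added custom role"
    SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
    TOTAL_ROLES=$((TOTAL_ROLES + 1))
  else
    die "Failed to add custom role"
  fi
fi

echo "----------------------------------------"
echo "✓ All IAM policy bindings completed successfully!"
echo "✓ Added ${SUCCESS_COUNT}/${TOTAL_ROLES} roles to service account: ${GCP_OVERMIND_SA}"
echo "✓ Parent: ${GCP_PARENT}"
echo ""
echo "These variables have also been saved to ${ENV_FILE} for other scripts to use."
echo "You can use these variables in subsequent commands."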