forked from PHACDataHub/infra-core
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Taskfile.yaml
55 lines (45 loc) · 3.45 KB
/
Taskfile.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
version: '3'
vars:
PROJECT_ID: php-01hdpgnv25h
REGION: northamerica-northeast1
NAME: management
REMOTE_FOLDER_ID: 108494461414
tasks:
enable-apis:
desc: enable required APIs
cmds:
- gcloud services enable container.googleapis.com --project={{.PROJECT_ID}}
- gcloud services enable cloudresourcemanager.googleapis.com --project={{.PROJECT_ID}}
- gcloud services enable cloudbilling.googleapis.com --project={{.PROJECT_ID}}
- gcloud services enable cloudbuild.googleapis.com --project={{.PROJECT_ID}}
- gcloud services enable billingbudgets.googleapis.com --project={{.PROJECT_ID}}
- gcloud services enable serviceusage.googleapis.com --project={{.PROJECT_ID}}
create-vpc:
desc: create VPC
cmds:
- gcloud compute networks create {{.NAME}} --subnet-mode=auto --bgp-routing-mode=regional --mtu=1460 --project={{.PROJECT_ID}}
create-auto:
desc: create gke autopilot k8s cluster
cmds:
- gcloud container --project {{.PROJECT_ID}} clusters create-auto "{{.NAME}}-auto" --region {{.REGION}} --release-channel "regular" --network "projects/{{.PROJECT_ID}}/global/networks/{{.NAME}}" --subnetwork "projects/{{.PROJECT_ID}}/regions/{{.REGION}}/subnetworks/{{.NAME}}" --cluster-ipv4-cidr "/17"
create-service-account:
desc: create service account for resource provisions
cmds:
- gcloud iam service-accounts create {{.NAME}}-sa --display-name "{{.NAME}}-sa" --project {{.PROJECT_ID}}
- gcloud projects add-iam-policy-binding "{{.PROJECT_ID}}" --member "serviceAccount:{{.NAME}}-sa@{{.PROJECT_ID}}.iam.gserviceaccount.com" --role roles/editor
- gcloud projects add-iam-policy-binding "{{.PROJECT_ID}}" --member "serviceAccount:{{.NAME}}-sa@{{.PROJECT_ID}}.iam.gserviceaccount.com" --role roles/resourcemanager.projectIamAdmin
- gcloud projects add-iam-policy-binding "{{.PROJECT_ID}}" --member "serviceAccount:{{.NAME}}-sa@{{.PROJECT_ID}}.iam.gserviceaccount.com" --role roles/iam.serviceAccountAdmin
- gcloud projects add-iam-policy-binding "{{.PROJECT_ID}}" --member "serviceAccount:{{.NAME}}-sa@{{.PROJECT_ID}}.iam.gserviceaccount.com" --role roles/storage.admin
# additional project specific roles such as project deletor, project creator, project billing manager, folder creator, folder editor, folder deletor, billing resource association create was assigned manually outside of this Taskfile.
# - gcloud resource-manager folders add-iam-policy-binding {{.REMOTE_FOLDER_ID}} --member "serviceAccount:{{.NAME}}-sa@{{.PROJECT_ID}}.iam.gserviceaccount.com" --role roles/resourcemanager.projectCreator
- gcloud iam service-accounts keys create gcp-credentials.json --iam-account={{.NAME}}-sa@{{.PROJECT_ID}}.iam.gserviceaccount.com --project {{.PROJECT_ID}}
delete-service-account:
desc: delete service account for resource provisions
cmds:
- gcloud iam service-accounts delete {{.NAME}}-sa@{{.PROJECT_ID}}.iam.gserviceaccount.com
create-sa-secret:
desc: create k8s secret for the service account created in `create-service-account`
cmds:
- kubectl create secret generic {{.NAME}}-crossplane --namespace crossplane-system --from-file=creds=./gcp-credentials.json -o yaml --dry-run=client > k8s/crossplane-system/gcp-credentials.yaml
- kubeseal --format yaml --cert k8s/flux-system/pub-sealed-secrets.pem < k8s/crossplane-system/gcp-credentials.yaml > k8s/crossplane-system/gcp-credentials-enc.yaml
- rm -f k8s/crossplane-system/gcp-credentials.yaml