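#!/bin/bash
# Configures Google Cloud project for Slow Reader deployment.
# Google Cloud settings can be complex. We have this file to not forget them.
# Do not change Google Cloud by web. Always use `gcloud` and update this script.
#
# Every step is a `gcloud` call that changes project state. The script stops
# at the first failing step so that a half-applied IAM setup (e.g. a missing
# role binding) is noticed instead of being silently skipped.
set -euo pipefail

PROJECT_ID=slowreader-418220
REGION=europe-west1
# GitHub Actions workflows that receive the provider/project/region values
WORKFLOWS=(
  ".github/workflows/staging.yml"
  ".github/workflows/preview-close.yml"
  ".github/workflows/preview-deploy.yml"
)

# Set project as default in CLI
gcloud init --project="$PROJECT_ID"

# Create deploy account
gcloud services enable iamcredentials.googleapis.com --project="$PROJECT_ID"
gcloud iam service-accounts create "github-deploy" --project="$PROJECT_ID"
ACCOUNT_EMAIL="github-deploy@$PROJECT_ID.iam.gserviceaccount.com"

# Project-level roles granted to the deploy account.
# NOTE(review): run.admin and artifactregistry.admin are project-wide admin
# roles; confirm whether narrower roles (e.g. write access limited to the
# one Docker repository) are enough for the deploy workflows.
DEPLOY_ROLES=(
  "roles/iam.serviceAccountUser"
  "roles/run.admin"
  "roles/artifactregistry.admin"
)
for role in "${DEPLOY_ROLES[@]}"; do
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$ACCOUNT_EMAIL" \
    --role="$role"
done

# Create repository for Docker images
gcloud services enable artifactregistry.googleapis.com --project="$PROJECT_ID"
gcloud artifacts repositories create staging \
  --project="$PROJECT_ID" \
  --repository-format=docker \
  --location="$REGION"

# Allow safer access to the service account from GitHub Actions:
# GitHub's OIDC token is exchanged for short-lived credentials, so no
# long-lived service account key has to be stored in GitHub secrets.
gcloud iam workload-identity-pools create "github" \
  --project="$PROJECT_ID" \
  --location="global" \
  --display-name="GitHub Actions Pool"
# The attribute condition rejects tokens whose repository owner is not
# `hplush`, so forks in other accounts cannot use this provider.
gcloud iam workload-identity-pools providers create-oidc "slowreader" \
  --project="$PROJECT_ID" \
  --location="global" \
  --workload-identity-pool="github" \
  --display-name="GitHub Slow Reader Provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
  --attribute-condition="assertion.repository_owner == 'hplush'" \
  --issuer-uri="https://token.actions.githubusercontent.com"

# Bind the deploy account to that safer access
WORKLOAD_IDENTITY_POOL_ID=$(gcloud iam workload-identity-pools describe "github" \
  --project="$PROJECT_ID" \
  --location="global" \
  --format="value(name)")
# An empty pool name would produce a malformed (over-broad) member string.
: "${WORKLOAD_IDENTITY_POOL_ID:?could not resolve workload identity pool name}"
# Only the hplush/slowreader repository — not every repository admitted to
# the pool — may impersonate the deploy account.
gcloud iam service-accounts add-iam-policy-binding "$ACCOUNT_EMAIL" \
  --project="$PROJECT_ID" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/hplush/slowreader"

# Enable Google Cloud Run
gcloud services enable run.googleapis.com --project="$PROJECT_ID"

# Use workload_identity_provider in workflows
IDENTITY=$(gcloud iam workload-identity-pools providers describe "slowreader" \
  --project="$PROJECT_ID" \
  --location="global" \
  --workload-identity-pool="github" \
  --format="value(name)")
: "${IDENTITY:?could not resolve workload identity provider name}"
# `|` is used as the sed delimiter for the provider because its resource
# name contains `/`. Requires GNU sed (`-i` with no suffix argument).
for file in "${WORKFLOWS[@]}"; do
  sed -i "s|identity_provider: .*|identity_provider: $IDENTITY|" "$file"
  sed -i "s/PROJECT_ID: .*/PROJECT_ID: $PROJECT_ID/" "$file"
  sed -i "s/REGION: .*/REGION: $REGION/" "$file"
done

# Manual follow-up steps that cannot be done with `gcloud` from this script.
bold=$'\033[1m'
yellow=$'\033[0;33m'
reset=$'\033[0m'
printf '\n%s%sAfter first deploy:%s\n\n' "$yellow" "$bold" "$reset"
printf '1. Open https://console.cloud.google.com/run\n'
printf '2. Switch to %s*@slowreader.app%s account\n' "$bold" "$reset"
printf '3. Click on %sManage Custom Domains%s\n' "$bold" "$reset"
printf '4. Click on %sAdd Mapping%s\n' "$bold" "$reset"
printf '5. Add %sdev.slowreader.app%s to %sstaging%s\n' "$bold" "$reset" "$bold" "$reset"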