chore: update build-and-deploy.sh (#65)

jackwotherspoon · web-flow · commit 4f0d3cdc69f9 · 2022-06-23T13:42:23.000-04:00
diff --git a/scripts/README.md b/scripts/README.md
@@ -7,7 +7,7 @@ GroupSync is a self-deployed service that provides support for managing [Cloud S
 Below outlines the steps to automate the majority of a GroupSync deployment, allowing for faster and more scalable deployments.
 This deployment uses a script to build the appropriate GroupSync resources:
 - Service Account with required permissions
-- Serverless VPC Access Connector
+- Serverless VPC Access Connector (if using private IP Cloud SQL connections)
 - Cloud Run service
 - Cloud Scheduler Job
 
@@ -41,8 +41,10 @@ Scheduler Job between the desired IAM Groups and Cloud SQL Instances.
 ```
 
 ### Set Required Variables within Deployment Script
-The script used to facilitate the deployment of GroupSync is
-[build-and-deploy-private-ip.sh](build-and-deploy-private-ip.sh).
+The script used to facilitate the deployment of GroupSync is either
+[build-and-deploy.sh](build-and-deploy.sh) for Public IP connections or
+[build-and-deploy-private-ip.sh](build-and-deploy-private-ip.sh) for
+Private IP connections.
 
 Edit the following variables at the top of the script with the
 proper values for your deployment.
@@ -53,18 +55,25 @@ export REGION="" # Google Cloud region to deploy GroupSync in
 export SERVICE_ACCOUNT_NAME="" # name of service account to create and use with GroupSync
 export SERVICE_ACCOUNT_EMAIL="$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com" # email of service account to deploy Cloud Run with
 
+export PATH_TO_JSON="" # relative file path to JSON file containing instance-to-group mappings for Cloud Scheduler
+export SCHEDULE="*/10 * * * *" # schedule how often GroupSync Cloud Scheduler is called (defaults to 10 mins)
+
+# ONLY FOR PRIVATE IP (build-and-deploy-private-ip.sh)
 export HOST_PROJECT_ID="" # project ID of Shared VPC host project (optional)
 export CONNECTOR_NAME="" # name to be given to Serverless VPC Access Connector
 export SUBNET="" # the name of an unused /28 subnet for Serverless VPC Access Connector
-
-export PATH_TO_JSON="" # relative file path to JSON file containing instance-to-group mappings for Cloud Scheduler
-export SCHEDULE="*/10 * * * *" # schedule how often GroupSync Cloud Scheduler is called (defaults to 10 mins)
 ```
 
 ### Run Script
-Now the deployment script can be run by executing the following command:
+Now the deployment script can be run by executing one of the following commands:
+
+```bash
+# public IP
+./scripts/build-and-deploy.sh
+```
 
 ```bash
+# private IP
 ./scripts/build-and-deploy-private-ip.sh
 ```
 
diff --git a/scripts/build-and-deploy.sh b/scripts/build-and-deploy.sh
@@ -14,26 +14,121 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# variables required for below commands to properly build and deploy Cloud Run
-export PROJECT_ID= # project ID of project in which you want to deploy the service within
-export SERVICE_ACCOUNT_EMAIL= # email of service account to deploy Cloud Run with
+# variables required for below commands to properly build and deploy GroupSync
+echo "Setting environment variables..."
+######################## DEPLOYMENT variables ########################
+export PROJECT_ID="" # project ID of project in which you want to deploy the service within
+export REGION="" # Google Cloud region to deploy GroupSync in
 
-# check if variables are set, otherwise give error and exit
-declare -a vars=(PROJECT_ID SERVICE_ACCOUNT_EMAIL)
+######################## Service Account variables ########################
+export SERVICE_ACCOUNT_NAME="" # name of service account to create and use with GroupSync
+export SERVICE_ACCOUNT_EMAIL="$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com" # email of service account to deploy Cloud Run with
+
+######################## Cloud Scheduler variables ########################
+export PATH_TO_JSON="" # file path to JSON payload containing instance-to-group mappings for Cloud Scheduler
+export SCHEDULE="*/10 * * * *" # schedule how often GroupSync Cloud Scheduler is called (defaults to 10 mins)
+
+# load IAM Groups and Cloud SQL Instance names from JSON payload
+IAM_GROUPS=$(cat "$PATH_TO_JSON" | jq '.iam_groups' | tr -d '[],"')
+SQL_INSTANCES=$(cat "$PATH_TO_JSON" | jq '.sql_instances' | tr -d '[],"')
+
+# check if required variables are set, otherwise give error and exit
+declare -a vars=(PROJECT_ID REGION PATH_TO_JSON IAM_GROUPS SQL_INSTANCES)
 for var_name in "${vars[@]}"
 do
   if [ -z "$(eval "echo \$$var_name")" ]; then
-    echo "Missing environment variable $var_name in build-and-deploy.sh"
+    echo "Missing environment variable $var_name in deployment.sh"
     exit 1
   fi
 done
 
+echo "Successfully set environment variables..."
+
+######################## GCP PROJECT CONFIGURATION ########################
+echo "Configuring GCP project and region..."
+# set project
+gcloud config set project "$PROJECT_ID"
+
+# set region
+gcloud config set compute/region "$REGION"
+
+echo "Enabling required APIs..."
+# enable required APIs within project
+gcloud services enable run.googleapis.com cloudscheduler.googleapis.com \
+    cloudbuild.googleapis.com sqladmin.googleapis.com admin.googleapis.com \
+    iamcredentials.googleapis.com
+
+######################## SERVICE ACCOUNT CONFIGURATION ########################
+echo "Creating Service Account $SERVICE_ACCOUNT_EMAIL..."
+# create service account for use with GroupSync (REMOVE STEP IF USING PRE-EXISTING SERVICE ACCOUNT)
+gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME" \
+  --description="IAM Groups Authn Service Account" \
+  --display-name="IAM Database Groups Authentication"
+
+echo "Adding IAM Policies to service account: $SERVICE_ACCOUNT_EMAIL"
+
+# add Cloud Run Invoke Role to service account
+gcloud projects add-iam-policy-binding "$PROJECT_ID" \
+  --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
+  --role="roles/run.invoker"
+
+# create custom IAM role and grant to service account
+gcloud iam roles create IamAuthnGroups \
+  --project="$PROJECT_ID" \
+  --title="IAM Groups Authn" \
+  --description="Custom role for IAM DB Authn for Groups Service" \
+  --permissions=cloudsql.instances.connect,cloudsql.instances.get,cloudsql.instances.login,cloudsql.users.create,cloudsql.users.list,iam.serviceAccounts.signBlob
+
+gcloud projects add-iam-policy-binding "$PROJECT_ID" \
+  --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
+  --role="projects/$PROJECT_ID/roles/IamAuthnGroups"
+
+######################## IAM and DB ROLE CONFIGURATION ########################
+echo "Adding Cloud SQL Instance User role to IAM Groups..."
+# grant Cloud SQL Instance User role to all IAM group emails (so users of Group can inherit)
+for GROUP in $IAM_GROUPS;
+do
+  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
+    --member="group:$GROUP" \
+    --role="roles/cloudsql.instanceUser"
+done
+
+echo "Adding $SERVICE_ACCOUNT_EMAIL as IAM DB User to Cloud SQL Instances..."
+# add service account as Cloud SQL IAM User to all mapped instances
+for INSTANCE in $SQL_INSTANCES;
+do
+  IFS=: read -r PROJECT REGION_NAME INSTANCE_NAME <<< $INSTANCE
+  gcloud sql users create $SERVICE_ACCOUNT_EMAIL \
+    --instance="$INSTANCE_NAME" \
+    --type=cloud_iam_service_account
+done
+
+############################## CLOUD RUN ################################
+echo "Building docker container and deploying GroupSync Cloud Run Service..."
+# build container for Cloud Run
 gcloud builds submit \
-  --tag gcr.io/$PROJECT_ID/iam-db-authn-groups \
-  --project $PROJECT_ID
+  --tag "gcr.io/$PROJECT_ID/groupsync-run" \
+  --project "$PROJECT_ID" \
+  --region "$REGION"
 
-gcloud run deploy iam-db-authn-groups \
-  --image gcr.io/$PROJECT_ID/iam-db-authn-groups \
+# deploy Cloud Run service
+gcloud run deploy groupsync-run \
+  --image "gcr.io/$PROJECT_ID/groupsync-run" \
   --no-allow-unauthenticated \
-  --service-account $SERVICE_ACCOUNT_EMAIL \
-  --project $PROJECT_ID
+  --service-account "$SERVICE_ACCOUNT_EMAIL" \
+  --project "$PROJECT_ID" \
+  --region "$REGION"
+
+SERVICE_URL=$(gcloud run services describe groupsync-run --platform managed --region "$REGION" --format 'value(status.url)')
+echo "Deployed Cloud Run service at URL: $SERVICE_URL"
+
+########################### CLOUD SCHEDULER ############################
+echo "Creating GroupSync Cloud Scheduler job..."
+# cloud scheduler command (schedules GroupSync to run every 10 minutes)
+gcloud scheduler jobs create http groupsync-scheduler \
+  --schedule="$SCHEDULE" \
+  --uri="$SERVICE_URL/run" \
+  --oidc-service-account-email=$SERVICE_ACCOUNT_EMAIL \
+  --http-method="PUT" \
+  --headers="Content-Type=application/json" \
+  --message-body-from-file="$PATH_TO_JSON"
