From 638932b1eece242be6ae7c592909ac7212fe8af2 Mon Sep 17 00:00:00 2001
From: mwiegand <mwiegand@seibert-media.net>
Date: Sat, 19 Jun 2021 12:11:40 +0200
Subject: [PATCH] wip

---
 bundles/gcloud/README.md                      |  2 ++
 bundles/gcloud/items.py                       | 30 +++++++++++++++++++
 .../backup@sublimity-182017.json.enc          |  1 +
 groups/all.py                                 |  4 +++
 4 files changed, 37 insertions(+)
 create mode 100644 bundles/gcloud/README.md
 create mode 100644 data/gcloud/service_accounts/backup@sublimity-182017.json.enc

diff --git a/bundles/gcloud/README.md b/bundles/gcloud/README.md
new file mode 100644
index 0000000..2b62e9b
--- /dev/null
+++ b/bundles/gcloud/README.md
@@ -0,0 +1,2 @@
+# gcloud projects add-iam-policy-binding sublimity-182017 --member 'serviceAccount:backup@sublimity-182017.iam.gserviceaccount.com' --role 'roles/storage.objectViewer'
+# gcloud projects add-iam-policy-binding sublimity-182017 --member 'serviceAccount:backup@sublimity-182017.iam.gserviceaccount.com' --role 'roles/storage.objectCreator'
diff --git a/bundles/gcloud/items.py b/bundles/gcloud/items.py
index e69de29..c329b3f 100644
--- a/bundles/gcloud/items.py
+++ b/bundles/gcloud/items.py
@@ -0,0 +1,30 @@
+from os.path import join
+
+service_account = node.metadata.get('gcloud/service_account')
+project = node.metadata.get('gcloud/project')
+
+files[f'/root/.config/gcloud/service_account.json'] = {
+    'content': repo.vault.decrypt_file(
+        join(repo.path, 'data', 'gcloud', 'service_accounts', f'{service_account}@{project}.json.enc')
+    ),
+    'mode': '500',
+    'needs': [
+        'pkg_apt:google-cloud-sdk',
+    ],
+}
+
+actions['gcloud_activate_service_account'] = {
+    'command': 'gcloud auth activate-service-account --key-file /root/.config/gcloud/service_account.json',
+    'unless': f"gcloud auth list | grep -q '^\*[[:space:]]*{service_account}@{project}.iam.gserviceaccount.com'",
+    'needs': [
+        f'file:/root/.config/gcloud/service_account.json'
+    ],
+}
+
+actions['gcloud_select_project'] = {
+    'command': f"gcloud config set project '{project}'",
+    'unless': f"gcloud config get-value project | grep -q '^{project}$'",
+    'needs': [
+        f'action:gcloud_activate_service_account'
+    ],
+}
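Review bot: Both `unless` guards and the `gcloud config set project '{project}'` command splice `service_account` and `project` from node metadata into shell strings without quoting, and the grep patterns are inexact: the `.` characters in the account address are regex wildcards and the account pattern has no end anchor, so the guard can report "already active" for a different account. The `'^\*[[:space:]]*…'` pattern also sits in a non-raw f-string, where `\*` is an invalid escape sequence that newer Python versions warn about. Comparing the exact value with `test` and passing the metadata through `shlex.quote` (needs `from shlex import quote` next to the existing `os.path` import) removes both problems, as sketched below. Separately, `'mode': '500'` sets the execute bit on a credential file; `'0400'` is enough for gcloud to read the key.

```python
account = f'{service_account}@{project}.iam.gserviceaccount.com'

# … unchanged: files['/root/.config/gcloud/service_account.json'], with 'mode': '0400' …

actions['gcloud_activate_service_account'] = {
    # … unchanged: command …
    'unless': f"""test "$(gcloud auth list --filter=status:ACTIVE --format='value(account)')" = {quote(account)}""",
    # … unchanged: needs …
}

actions['gcloud_select_project'] = {
    'command': f"gcloud config set project {quote(project)}",
    'unless': f'test "$(gcloud config get-value project)" = {quote(project)}',
    # … unchanged: needs …
}
```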
diff --git a/data/gcloud/service_accounts/backup@sublimity-182017.json.enc b/data/gcloud/service_accounts/backup@sublimity-182017.json.enc
new file mode 100644
index 0000000..8d064c2
--- /dev/null
+++ b/data/gcloud/service_accounts/backup@sublimity-182017.json.enc
@@ -0,0 +1 @@
+encrypt$gAAAAABgzbX64G_2XFuGX4gcdRqms9eiov9FS_p2gwhkJGLTRd8uR8QfxzcUg_RJDuSOhE3lE5mQPjfgjYJ0Bluv87MT8y-Cn16smz0ONWaMusjNR23CJQc9MHfyyxAV6pUiwrqExacY7dS-VDvV_QzpZTbM2WqKHIpxqrzyDSQfFW9LnSZYSEERAmJe4k87vjlOWsbXo2zfo1GJe2eTJO2wUkdzBR0M1EUvG769e0a1NoT_yeRJdid3YAiQi7Zzvmaf_p5SuXQ8IJrDJWL0_citS6XW-mh2blJVjGB1BHGypeAnSRhXbdNouqCYKj6p3bxmpyX2Ao076cnkOyaieXnydaGjxp6ZFlrDOmR07nUGP2e5pbRJavU56RlNVSTAkkV4sZVX_hYs7gzTjZLl2vIg_weRTmf5X881l07qVXhyaGydP4qNYijPdoYcxGlG-tt6dLMmbrTfjdRzpwZcyLveJQPVQD1dZoJxZkT0GPoQ8xAHHm4sZl7jdABxtgoRhF1nFcR1nnvarHgSBlp0eY3NL0fAAtiqqGganvd1x_hQZIpZJP2VY6IuMUXswzL8Rro_6fZVF06GsftQiOyPBpmS4kJph2nr9TNsTajTxbmtEILAP4pmaKwxZtcrZRtm-KHolNn3sTJPku43APTLNGSlth9wJYkOGb__2tH63mAIAGB9JtQr8mbqKUOas5WbEAtlYFuKVcbtdyw1P7gxGZIdt4-_apK_QpfHs9mwj3Fda_POEa9ff2tOGaE6njJXL8xxVgiThkf0YJ4HjewYp72YHKAsQJA0BAlf3oGSggTasQpszcykgH6i4ExwbXH5bc5qvhP-RHzfINj3trd22H9EIhMb1qqc-XlKONCaDG3iOqogUTJgpEe7RXgp-Kl4bPhZENgOTxA5PvIF0zuYjN-HwTX449NmaTP_mGrIftpLUcZQpRiRFBXQAVIbDlxtDUAkecJWSMz3nRJI6pPy1jCJPuvqa_DnkwBmbKiqGXCiz29r-YDb7lRKZ4wEzyMSwZoiToeOGjdC9os2KutwMelzP_O3pWRsp6hIxYtwM2dcUqrdCzt4PKinkUI_2UOC7G7fMIfJVJ-5GYu3ho50kxS0moWbLHcSL4xg5pjgYB4UYpt0_Bke9WjIbvxUMKFXzdsCnhPs8GsdGMxgUijlizJNAWj0mdf6Z29GdjdZ2IR2qSoN22XN6hSAg2gTXXeUBp5uOQn9kSame8cstvn-gKh4F1M_TzF2hHtEzFxfR_vh62ZTcjIq_gsFyXAftbJtmVqJXB16IDXhKUb_sN2dy-HKOuPFd226fzrw9qOaz2NHAs8dEC5f3Gh48y54vWBbNi9WfEacst1ChpqXRwBq4BBhH7okUbXCubdXsk9aD6tSLE0vBLoOytuCVN2Qs6R-SsYCSiEGwjK9WdlQDmiKbYUhtfCX4-Zcm8O4h6w4pWUpJ54aG15jdaenKSRCYI0suRplAjxJxyZSRRo-VJCY_6YRrwD9ydChj9eyBiT8SRb-Focj8JOm9Mk22UOCUqgreyOs_oWf1v-UFRotssuP_Bh9D5xrTnkoLhxIzo0gvVDkFsH66atKHHWObejuHd6o6EUqG68Vi5Bykk5ZlpEZzRTOdZJ-N9cPQ6nXWC2-j_HtVk4qx0MOh3GQwcjws0p2wRV1PlbHCum49VTnMoeFAlZthBDb5TiyhgkEzTpxAGAp1Vg6_ge1-RjAgsaQXHS2X0iKfd1A-9zgAFK6bVjgdnmOj3BlbzJpetEQRs23JY0-rN6d39Wt1Fd3jsbMWB5hTaOqDNC-WbNUJPOCqoG72LueD73I6_ywA-jg9Nv4cKq6IJPnY_QMM0rQtbVyXPDqLXmcPVh5NdTNC5g1zLEGfjCmfTh-0fe-G1VbBvfPtzl33000BtDvVhpedD-pZg5mVa9r0TN_JhktHCa1yMmu-XiCRXY8DeUH3v9RDi4yZ7_ZwqcfrMB75uT5stUD7Y4WVN1iWHR
sLjKDLkhTUku5bIZs48GY5DXEvP1zFzmRYFLLhIOP3L8Uh92cjp4rwteVj3-6JDyM_mmB5iXRK71PURc6_Ll-nEFoI6zH9HWCO1woe7O5UJF5OvQ_5ryRRgu_J7EAC9lHhPjOhWRM-d0PAMpsqFi5o7HClfIqY3fOOsMzralakL8uXszhuHW9corxuj9FW_9wiXW1Cue317_anVemJZEl-I_uJ1R0w7izoegjAlewVngZSO9V0HBX6bqKkm_xvAdenyalsKs_M5nzlKNuD3LyfjZ04hYjtcqdTFZB8c76QkSBLj30dDHSpV0ZqIUliXz-u0Uu2Ah3xloLwHieYYkRpXgMK1xTyKpwkW-s7rFRnqdX9qBopNAUOy6a5IGk9gimJh6ZdzOMUSAth9xIEA3LUvujV3JQMYsHzv1u65LDN0IRySwErX2L_oxlFJXMVQROTuMVae70MxyIRHQ8gSbhkyaLx4q9hiDwvOH-nWVf97vF44Z_LjZ5j-lWCaTAaoSZY3z_D5tR3m8KZGy5GIQb2vW9ldtWw8j80dROIVMuqpvVHWbty-jybq1h-SHoyDe0qut8l592XtKQrpjtCK_zLLpBsye6Y0XCvYOOAP260xvwDeWNisoWEmUYpE2O3ZDGLbNAi2l5c2rgQL17Iv_lkPAHv8d5tDTA0nhAkCuoegBRGaoQcYzdfsihFHjTCPYJIShFvqWRKmPPPaOyz-6pGssn1RpzyQFMqq0RxWqsckZG_pKFr-nYPjA-zOTlXjV6D98NjeQLm-tSthey-thHqovrd1oWYbuphR2Hf9h9hLFQFaeFRDtpO--Vqn1rjlOeZvkovNHSvs024PaY_fdu3wjnY_Pik5RNPauFB8eE72avpLhVjkADavqmhXBVN-D-k0fkB56iPmHosifQUUQko4XSDuMYd-Rw7ZRfRdW1PNmti510OlQWKk0hLhy1zmPThjKH7Jaj4mkgvKl61fcZ0BqgzV8UKG3zprZCsGRuXfBEmGEw4R7Jjft-s8lsXher-VceQuf-dbcnzIzZ0EpUf1BIvevy1wvICW1aCD7H-_FhhBHtepNgj-f9JBzimO2mxAcgfNipMR2PaU96fwziOhIoD76QdHDvZ4soc5TQI010HYUnZdxL5KZY5ZjIJs4tTtVUxiKzJ0GR0QqrxBwNi8YImg==
diff --git a/groups/all.py b/groups/all.py
index 2e8e687..60446c8 100644
--- a/groups/all.py
+++ b/groups/all.py
@@ -1,5 +1,9 @@
 {
     'metadata': {
         'dns': {},
+        'gcloud': {
+            'service_account': 'backup',
+            'project': 'sublimity-182017',
+        },
     }
 }
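Review bot: Defining `gcloud/service_account` and `gcloud/project` in `groups/all.py` appears to give every node that receives the gcloud bundle the same `backup` service-account key, so a single compromised host exposes a credential carrying the project-wide `roles/storage.objectViewer` and `roles/storage.objectCreator` bindings listed in the bundle README. If only the backup hosts need it, the metadata would sit better on that group or node. The bindings could also be granted on the backup bucket instead of the whole project.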