Google Cloud integration API: GAR integration setup script

d86e2f60 · Imre Farkas · GitLab · ab781509 · d86e2f60 · d86e2f60
--- a/ee/lib/api/project_google_cloud_integration.rb
+++ b/ee/lib/api/project_google_cloud_integration.rb
@@ -4,6 +4,8 @@ module API
  class ProjectGoogleCloudIntegration < ::API::Base
    feature_category :integrations

+    include GrapePathHelpers::NamedRouteMatcher
+
    before { authorize_admin_project }
    before do
      unless ::Feature.enabled?(:google_cloud_integration_onboarding, user_project.root_namespace, type: :beta)
@@ -11,14 +13,55 @@ class ProjectGoogleCloudIntegration < ::API::Base
      end
    end

-    desc 'Get shell script to create and configure Workload Identity Federation' do
-      detail 'This feature is experimental.'
-    end
    params do
      requires :id, types: [String, Integer], desc: 'The ID or URL-encoded path of the project'
    end
    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+      namespace ':id/google_cloud/setup' do
+        desc 'Get shell script to setup an integration in Google Cloud' do
+          detail 'This feature is experimental.'
+        end
+        params do
+          optional :enable_google_cloud_artifact_registry, types: Boolean
+          optional :google_cloud_artifact_registry_project_id, types: String
+          at_least_one_of :enable_google_cloud_artifact_registry
+        end
+        get '/integrations.sh' do
+          env['api.format'] = :binary
+          content_type 'text/plain'
+
+          wlif_integration = user_project.google_cloud_platform_workload_identity_federation_integration
+          unless user_project.google_cloud_workload_identity_federation_enabled? && wlif_integration&.activated?
+            render_api_error!('Workload Identity Federation is not configured', 400)
+          end
+
+          template_path = File.join(
+            'ee', 'lib', 'api', 'templates', 'google_cloud_integration_setup_integration.sh.erb')
+          template = ERB.new(File.read(template_path))
+
+          locals = {
+            google_cloud_artifact_registry_project_id:
+              declared_params[:google_cloud_artifact_registry_project_id],
+            identity_provider: wlif_integration.identity_pool_resource_name,
+            oidc_claim_grants: [
+              { claim_name: 'guest_access', claim_value: 'true', iam_role: 'roles/artifactregistry.reader' },
+              { claim_name: 'developer_access', claim_value: 'true', iam_role: 'roles/artifactregistry.writer' }
+            ],
+            api_integrations_url:
+              Gitlab::Utils.append_path(
+                Gitlab.config.gitlab.url,
+                api_v4_projects_integrations_path(id: params[:id])
+              )
+          }
+
+          template.result_with_hash(locals)
+        end
+      end
+
      namespace ':id/scripts/google_cloud/' do
+        desc 'Get shell script to create and configure Workload Identity Federation' do
+          detail 'This feature is experimental.'
+        end
        params do
          requires :google_cloud_project_id, types: String
          optional(

--- a/ee/lib/api/templates/google_cloud_integration_setup_integration.sh.erb
+++ b/ee/lib/api/templates/google_cloud_integration_setup_integration.sh.erb
+#!/bin/bash
+
+set -eu
+set -o pipefail
+
+if [[ "${1:-}" == "--debug" ]]; then
+  set -x
+  shift
+fi
+
+create_google_cloud_resources() {
+  <% oidc_claim_grants.each do |oidc_claim_grant| %>
+    PRINCIPAL="principalSet://<%= identity_provider %>/attribute.<%= oidc_claim_grant[:claim_name] %>/<%= oidc_claim_grant[:claim_value] %>"
+
+    gcloud projects add-iam-policy-binding '<%= google_cloud_artifact_registry_project_id %>' \
+           --member=$PRINCIPAL --role='<%= oidc_claim_grant[:iam_role] %>'
+  <% end %>
+}
+
+create_google_cloud_resources
--- a/ee/spec/requests/api/project_google_cloud_integration_spec.rb
+++ b/ee/spec/requests/api/project_google_cloud_integration_spec.rb
@@ -19,7 +19,7 @@

      expect(response).to have_gitlab_http_status(:ok)
      expect(response.content_type).to eql('text/plain')
-      expect(response.body).to include("gcloud config set project '#{google_cloud_project_id}'")
+      expect(response.body).to include("#!/bin/bash")
    end

    context 'when required param is missing' do
@@ -80,4 +80,33 @@

    it_behaves_like 'an endpoint generating a bash script for Google Cloud'
  end
+
+  describe 'GET /projects/:id/google_cloud/setup/integrations.sh' do
+    let(:path) { "/projects/#{project.id}/google_cloud/setup/integrations.sh" }
+    let(:params) do
+      { enable_google_cloud_artifact_registry: true,
+        google_cloud_project_id: google_cloud_project_id }
+    end
+
+    before do
+      stub_saas_features(google_cloud_support: true)
+    end
+
+    context 'when Workload Identity Federation integration exists' do
+      before do
+        create(:google_cloud_platform_workload_identity_federation_integration, project: project)
+      end
+
+      it_behaves_like 'an endpoint generating a bash script for Google Cloud'
+    end
+
+    context 'when Workload Identity Federation integration does not exist' do
+      it 'returns error' do
+        get(api(path, owner), params: params)
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+        expect(json_response['message']).to eq('Workload Identity Federation is not configured')
+      end
+    end
+  end
 end