From f0e1eac5261950107a50020b7f231286ed658b95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Sitkiewicz?=
Date: Fri, 22 Apr 2022 20:12:41 +0200
Subject: [PATCH] DAOSGCP-96 Add functionality to check GCP permission before adding them (#34)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* DAOSGCP-96 Add functionality to check GCP permission before adding them
Signed-off-by: Łukasz Sitkiewicz
* Update variable names
Signed-off-by: Łukasz Sitkiewicz
---
 images/build_images.sh | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)
diff --git a/images/build_images.sh b/images/build_images.sh
index 6cb7886..87f9152 100755
--- a/images/build_images.sh
+++ b/images/build_images.sh
@@ -242,13 +242,31 @@ configure_gcp_project() {
 log "Packer will be using service account ${CLOUD_BUILD_ACCOUNT}"
 # Add cloudbuild SA permissions
- gcloud projects add-iam-policy-binding "${GCP_PROJECT}" \
- --member "${CLOUD_BUILD_ACCOUNT}" \
- --role roles/compute.instanceAdmin.v1
+ CHECK_ROLE_INST_ADMIN=$(
+ gcloud projects get-iam-policy "${GCP_PROJECT}" \
+ --flatten="bindings[].members" \
+ --filter="bindings.role=roles/compute.instanceAdmin.v1 AND \
+ bindings.members=${CLOUD_BUILD_ACCOUNT}" \
+ --format="value(bindings.members[])"
+ )
+ if [[ "${CHECK_ROLE_INST_ADMIN}" != "${CLOUD_BUILD_ACCOUNT}" ]]; then
+ gcloud projects add-iam-policy-binding "${GCP_PROJECT}" \
+ --member "${CLOUD_BUILD_ACCOUNT}" \
+ --role roles/compute.instanceAdmin.v1
+ fi
- gcloud projects add-iam-policy-binding "${GCP_PROJECT}" \
- --member "${CLOUD_BUILD_ACCOUNT}" \
- --role roles/iam.serviceAccountUser
+ CHECK_ROLE_SVC_ACCT=$(
+ gcloud projects get-iam-policy "${GCP_PROJECT}" \
+ --flatten="bindings[].members" \
+ --filter="bindings.role=roles/iam.serviceAccountUser AND \
+ bindings.members=${CLOUD_BUILD_ACCOUNT}" \
+ --format="value(bindings.members[])"
+ )
+ if [[ "${CHECK_ROLE_SVC_ACCT}" != "${CLOUD_BUILD_ACCOUNT}" ]]; then
+ gcloud projects add-iam-policy-binding "${GCP_PROJECT}" \
+ --member "${CLOUD_BUILD_ACCOUNT}" \
+ --role roles/iam.serviceAccountUser
+ fi
 FWRULENAME="gcp-cloudbuild-ssh"
@@ -313,4 +331,3 @@ main() {
 }
 main "$@"
-
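Review bot: The two added check-then-grant blocks are the same twelve lines with only the role name changed, and both store their result in uppercase globals (`CHECK_ROLE_INST_ADMIN`, `CHECK_ROLE_SVC_ACCT`) assigned inside configure_gcp_project without `local`; a small helper taking the role as its argument removes the duplication and keeps the lookup result function-scoped. Note that an empty lookup result (no binding, or a failed `get-iam-policy` call, since the substitution's status is not checked here) falls through to the grant, which matches the pre-change behaviour but deserves a comment. The filter matches only on `bindings.role` and `bindings.members`, so if the project uses IAM Conditions a conditional binding on the same role would presumably satisfy the check and suppress the unconditional grant — worth confirming against the projects this script targets. configure_gcp_project starts and ends outside the hunk.
```shell
# … unchanged: log "Packer will be using service account …" …
    # Add cloudbuild SA permissions
    ensure_cloudbuild_role roles/compute.instanceAdmin.v1
    ensure_cloudbuild_role roles/iam.serviceAccountUser
# … unchanged: FWRULENAME and the rest of configure_gcp_project …

#######################################
# Grant $1 to CLOUD_BUILD_ACCOUNT on GCP_PROJECT unless a binding already exists.
# Globals:   GCP_PROJECT, CLOUD_BUILD_ACCOUNT (read)
# Arguments: $1 - IAM role, e.g. roles/iam.serviceAccountUser
#######################################
ensure_cloudbuild_role() {
    local role=$1
    local existing
    # Empty result (no binding, or a failed read) falls through to the grant.
    existing=$(
        gcloud projects get-iam-policy "${GCP_PROJECT}" \
            --flatten="bindings[].members" \
            --filter="bindings.role=${role} AND bindings.members=${CLOUD_BUILD_ACCOUNT}" \
            --format="value(bindings.members[])"
    )
    if [[ "${existing}" != "${CLOUD_BUILD_ACCOUNT}" ]]; then
        gcloud projects add-iam-policy-binding "${GCP_PROJECT}" \
            --member "${CLOUD_BUILD_ACCOUNT}" \
            --role "${role}"
    fi
}
```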