Add more descriptions to WIF resources (#684)

openshift-online · Oct 24, 2024 · 1e27ded · 1e27ded
1 parent 0c456f8
commit 1e27ded
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 16 deletions.
diff --git a/cmd/ocm/gcp/create-wif-config.go b/cmd/ocm/gcp/create-wif-config.go
@@ -28,8 +28,10 @@ var (
 )
 
 const (
-	poolDescription = "Created by the OLM CLI"
-	roleDescription = "Created by the OLM CLI"
+	// Description for wif-config-specific WIF resources
+	wifDescription = "Created by the OCM CLI for WIF config %s"
+	// Description for OpenShift version-specific WIF IAM roles
+	wifRoleDescription = "Created by the OCM CLI for Workload Identity Federation on OpenShift"
 )
 
 // NewCreateWorkloadIdentityConfiguration provides the "gcp create wif-config" subcommand

diff --git a/cmd/ocm/gcp/gcp-client-shim.go b/cmd/ocm/gcp/gcp-client-shim.go
@@ -69,12 +69,13 @@ func (c *shim) CreateWorkloadIdentityPool(
 			return errors.Wrapf(err, "failed to undelete workload identity pool %s", poolId)
 		}
 	} else if err != nil {
+		description := fmt.Sprintf(wifDescription, c.wifConfig.DisplayName())
 		if gerr, ok := err.(*googleapi.Error); ok && gerr.Code == 404 &&
 			strings.Contains(gerr.Message, "Requested entity was not found") {
 			pool := &iamv1.WorkloadIdentityPool{
 				Name:        poolId,
 				DisplayName: poolId,
-				Description: poolDescription,
+				Description: description,
 				State:       "ACTIVE",
 				Disabled:    false,
 			}
@@ -110,10 +111,11 @@ func (c *shim) CreateWorkloadIdentityProvider(
 	if err != nil {
 		if gerr, ok := err.(*googleapi.Error); ok && gerr.Code == 404 &&
 			strings.Contains(gerr.Message, "Requested entity was not found") {
+			description := fmt.Sprintf(wifDescription, c.wifConfig.DisplayName())
 			provider := &iamv1.WorkloadIdentityPoolProvider{
 				Name:        providerId,
 				DisplayName: providerId,
-				Description: poolDescription,
+				Description: description,
 				State:       "ACTIVE",
 				Disabled:    false,
 				Oidc: &iamv1.Oidc{
@@ -182,14 +184,13 @@ func (c *shim) createServiceAccount(
 ) error {
 	serviceAccountId := serviceAccount.ServiceAccountId()
 	serviceAccountName := c.wifConfig.DisplayName() + "-" + serviceAccountId
-	serviceAccountDesc := poolDescription + " for WIF config " + c.wifConfig.DisplayName()
-
+	serviceAccountDescription := fmt.Sprintf(wifDescription, c.wifConfig.DisplayName())
 	request := &adminpb.CreateServiceAccountRequest{
 		Name:      fmt.Sprintf("projects/%s", c.wifConfig.Gcp().ProjectId()),
 		AccountId: serviceAccountId,
 		ServiceAccount: &adminpb.ServiceAccount{
 			DisplayName: serviceAccountName,
-			Description: serviceAccountDesc,
+			Description: serviceAccountDescription,
 		},
 	}
 	_, err := c.gcpClient.CreateServiceAccount(ctx, request)
@@ -228,7 +229,7 @@ func (c *shim) createOrUpdateRoles(
 					permissions,
 					roleTitle,
 					roleID,
-					roleDescription,
+					wifRoleDescription,
 					c.wifConfig.Gcp().ProjectId(),
 				)
 				if err != nil {

diff --git a/cmd/ocm/gcp/scripting.go b/cmd/ocm/gcp/scripting.go
@@ -122,22 +122,24 @@ func generateUpdateScriptContent(wifConfig *cmv1.WifConfig, projectNum int64) st
 func createIdentityPoolScriptContent(wifConfig *cmv1.WifConfig) string {
 	name := wifConfig.Gcp().WorkloadIdentityPool().PoolId()
 	project := wifConfig.Gcp().ProjectId()
+	description := fmt.Sprintf(wifDescription, wifConfig.DisplayName())
 
 	return fmt.Sprintf(`
 # Create workload identity pool:
 gcloud iam workload-identity-pools create %s \
 	--project=%s \
 	--location=global \
-	--description="Workload Identity Pool for %s" \
+	--description="%s" \
 	--display-name="%s"
-`, name, project, poolDescription, name)
+`, name, project, description, name)
 }
 
 func createIdentityProviderScriptContent(wifConfig *cmv1.WifConfig) string {
 	poolId := wifConfig.Gcp().WorkloadIdentityPool().PoolId()
 	audiences := wifConfig.Gcp().WorkloadIdentityPool().IdentityProvider().AllowedAudiences()
 	issuerUrl := wifConfig.Gcp().WorkloadIdentityPool().IdentityProvider().IssuerUrl()
 	providerId := wifConfig.Gcp().WorkloadIdentityPool().IdentityProvider().IdentityProviderId()
+	description := fmt.Sprintf(wifDescription, wifConfig.DisplayName())
 
 	return fmt.Sprintf(`
 # Create workload identity provider:
@@ -150,7 +152,7 @@ gcloud iam workload-identity-pools providers create-oidc %s \
 	--allowed-audiences="%s" \
 	--attribute-mapping="google.subject=assertion.sub" \
 	--workload-identity-pool=%s
-`, providerId, providerId, poolDescription, issuerUrl, strings.Join(audiences, ","), poolId)
+`, providerId, providerId, description, issuerUrl, strings.Join(audiences, ","), poolId)
 }
 
 // This returns the gcloud commands to create a service account, bind roles, and grant access
@@ -202,10 +204,10 @@ func createServiceAccountScript(wifConfig *cmv1.WifConfig) string {
 		project := wifConfig.Gcp().ProjectId()
 		serviceAccountID := sa.ServiceAccountId()
 		serviceAccountName := wifConfig.DisplayName() + "-" + serviceAccountID
-		serviceAccountDesc := poolDescription + " for WIF config " + wifConfig.DisplayName()
+		description := fmt.Sprintf(wifDescription, wifConfig.DisplayName())
 		//nolint:lll
 		sb.WriteString(fmt.Sprintf("gcloud iam service-accounts create %s --display-name=%s --description=\"%s\" --project=%s\n",
-			serviceAccountID, serviceAccountName, serviceAccountDesc, project))
+			serviceAccountID, serviceAccountName, description, project))
 	}
 	return sb.String()
 }
@@ -219,10 +221,10 @@ func createCustomRoleScript(wifConfig *cmv1.WifConfig) string {
 				project := wifConfig.Gcp().ProjectId()
 				permissions := strings.Join(role.Permissions(), ",")
 				roleName := roleId
-				serviceAccountDesc := roleDescription + " for WIF config " + wifConfig.DisplayName()
+				roleDesc := wifRoleDescription
 				//nolint:lll
 				sb.WriteString(fmt.Sprintf("gcloud iam roles create %s --project=%s --title=%s --description=\"%s\" --stage=GA --permissions=%s\n",
-					roleId, project, roleName, serviceAccountDesc, permissions))
+					roleId, project, roleName, roleDesc, permissions))
 			}
 		}
 	}
@@ -302,7 +304,7 @@ func grantSupportAccessScriptContent(wifConfig *cmv1.WifConfig) string {
 			roleId := role.RoleId()
 			permissions := strings.Join(role.Permissions(), ",")
 			roleName := roleId
-			roleDesc := roleDescription + " for WIF config " + wifConfig.DisplayName()
+			roleDesc := wifRoleDescription
 			//nolint:lll
 			sb.WriteString(fmt.Sprintf("gcloud iam roles create %s --project=%s --title=%s --description=\"%s\" --stage=GA --permissions=%s\n",
 				roleId, project, roleName, roleDesc, permissions))