diff --git a/cmd/ocm/gcp/create-wif-config.go b/cmd/ocm/gcp/create-wif-config.go
index 2e951cd5..eea2ef34 100644
--- a/cmd/ocm/gcp/create-wif-config.go
+++ b/cmd/ocm/gcp/create-wif-config.go
@@ -28,8 +28,10 @@ var (
 )
 
 const (
-	poolDescription = "Created by the OLM CLI"
-	roleDescription = "Created by the OLM CLI"
+	// Description for wif-config-specific WIF resources
+	wifDescription = "Created by the OCM CLI for WIF config %s"
+	// Description for OpenShift version-specific WIF IAM roles
+	wifRoleDescription = "Created by the OCM CLI for Workload Identity Federation on OpenShift"
 )
 
 // NewCreateWorkloadIdentityConfiguration provides the "gcp create wif-config" subcommand
diff --git a/cmd/ocm/gcp/gcp-client-shim.go b/cmd/ocm/gcp/gcp-client-shim.go
index 2a2fc86e..1a45a21d 100644
--- a/cmd/ocm/gcp/gcp-client-shim.go
+++ b/cmd/ocm/gcp/gcp-client-shim.go
@@ -69,12 +69,13 @@ func (c *shim) CreateWorkloadIdentityPool(
 			return errors.Wrapf(err, "failed to undelete workload identity pool %s", poolId)
 		}
 	} else if err != nil {
+		description := fmt.Sprintf(wifDescription, c.wifConfig.DisplayName())
 		if gerr, ok := err.(*googleapi.Error); ok && gerr.Code == 404 &&
 			strings.Contains(gerr.Message, "Requested entity was not found") {
 			pool := &iamv1.WorkloadIdentityPool{
 				Name:        poolId,
 				DisplayName: poolId,
-				Description: poolDescription,
+				Description: description,
 				State:       "ACTIVE",
 				Disabled:    false,
 			}
@@ -110,10 +111,11 @@ func (c *shim) CreateWorkloadIdentityProvider(
 	if err != nil {
 		if gerr, ok := err.(*googleapi.Error); ok && gerr.Code == 404 &&
 			strings.Contains(gerr.Message, "Requested entity was not found") {
+			description := fmt.Sprintf(wifDescription, c.wifConfig.DisplayName())
 			provider := &iamv1.WorkloadIdentityPoolProvider{
 				Name:        providerId,
 				DisplayName: providerId,
-				Description: poolDescription,
+				Description: description,
 				State:       "ACTIVE",
 				Disabled:    false,
 				Oidc: &iamv1.Oidc{
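Review bot: `wifDescription` is now a fmt template with a `%s` placeholder rather than a plain string, but neither its name nor its comment says so, and the constant it replaces was a plain string, so a future caller can assign it straight to a `Description:` field and ship the literal `%s`. Suggest making that explicit at the declaration: `// wifDescription is a fmt template; its single %s is the wif-config display name and it must go through fmt.Sprintf.` A name such as `wifDescriptionFmt` would carry the same signal without the comment. `wifRoleDescription` is a plain string, so the two constants now have different usage contracts despite sitting side by side.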
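Review bot: In CreateWorkloadIdentityPool the new `description` is built at the top of the `else if err != nil` branch, before the 404 check, so it is computed for every non-404 error even though only the not-found path uses it, while the CreateWorkloadIdentityProvider hunk below builds it inside the 404 branch. Moving the line down one level keeps the two functions parallel: put `description := fmt.Sprintf(wifDescription, c.wifConfig.DisplayName())` directly before `pool := &iamv1.WorkloadIdentityPool{`. Separately, I believe the GCP description fields on pools, providers and service accounts are capped at 256 characters; the old fixed string could never exceed that, but the new string grows with DisplayName(), so unless the display name is bounded upstream the create calls here and in createServiceAccount (@@ -182) can now fail on a long name, and a length check or truncation at the Sprintf would be cheap. Both enclosing functions continue outside their hunks.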
@@ -182,14 +184,13 @@ func (c *shim) createServiceAccount(
 ) error {
 	serviceAccountId := serviceAccount.ServiceAccountId()
 	serviceAccountName := c.wifConfig.DisplayName() + "-" + serviceAccountId
-	serviceAccountDesc := poolDescription + " for WIF config " + c.wifConfig.DisplayName()
-
+	serviceAccountDescription := fmt.Sprintf(wifDescription, c.wifConfig.DisplayName())
 	request := &adminpb.CreateServiceAccountRequest{
 		Name:      fmt.Sprintf("projects/%s", c.wifConfig.Gcp().ProjectId()),
 		AccountId: serviceAccountId,
 		ServiceAccount: &adminpb.ServiceAccount{
 			DisplayName: serviceAccountName,
-			Description: serviceAccountDesc,
+			Description: serviceAccountDescription,
 		},
 	}
 	_, err := c.gcpClient.CreateServiceAccount(ctx, request)
@@ -228,7 +229,7 @@ func (c *shim) createOrUpdateRoles(
 			permissions,
 			roleTitle,
 			roleID,
-			roleDescription,
+			wifRoleDescription,
 			c.wifConfig.Gcp().ProjectId(),
 		)
 		if err != nil {
diff --git a/cmd/ocm/gcp/scripting.go b/cmd/ocm/gcp/scripting.go
index c528d38f..8dceed95 100644
--- a/cmd/ocm/gcp/scripting.go
+++ b/cmd/ocm/gcp/scripting.go
@@ -122,15 +122,16 @@ func generateUpdateScriptContent(wifConfig *cmv1.WifConfig, projectNum int64) st
 func createIdentityPoolScriptContent(wifConfig *cmv1.WifConfig) string {
 	name := wifConfig.Gcp().WorkloadIdentityPool().PoolId()
 	project := wifConfig.Gcp().ProjectId()
+	description := fmt.Sprintf(wifDescription, wifConfig.DisplayName())
 	return fmt.Sprintf(`
 
 # Create workload identity pool:
 gcloud iam workload-identity-pools create %s \
   --project=%s \
   --location=global \
-  --description="Workload Identity Pool for %s" \
+  --description="%s" \
   --display-name="%s"
-`, name, project, poolDescription, name)
+`, name, project, description, name)
 }
 
 func createIdentityProviderScriptContent(wifConfig *cmv1.WifConfig) string {
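Review bot: The pool script's new `--description="%s"` interpolates `wifConfig.DisplayName()` into a double-quoted shell argument, so a display name containing a double quote, `$`, backtick or backslash would break or change the meaning of the generated gcloud command when the user runs the script. The display name already appeared in `--display-name="%s"`, but this hunk adds a second, longer interpolation, and the provider (@@ -138, @@ -150) and service-account (@@ -202) hunks add the same pattern; `--display-name=%s` in the service-account line is not even quoted. One small helper that single-quotes the value and escapes embedded single quotes, or that validates DisplayName against the character set GCP accepts for display names, used at all four sites would close this in one place. createIdentityPoolScriptContent is fully contained in this hunk.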
@@ -138,6 +139,7 @@ func createIdentityProviderScriptContent(wifConfig *cmv1.WifConfig) string {
 	audiences := wifConfig.Gcp().WorkloadIdentityPool().IdentityProvider().AllowedAudiences()
 	issuerUrl := wifConfig.Gcp().WorkloadIdentityPool().IdentityProvider().IssuerUrl()
 	providerId := wifConfig.Gcp().WorkloadIdentityPool().IdentityProvider().IdentityProviderId()
+	description := fmt.Sprintf(wifDescription, wifConfig.DisplayName())
 	return fmt.Sprintf(`
 
 # Create workload identity provider:
@@ -150,7 +152,7 @@ gcloud iam workload-identity-pools providers create-oidc %s \
   --allowed-audiences="%s" \
   --attribute-mapping="google.subject=assertion.sub" \
   --workload-identity-pool=%s
-`, providerId, providerId, poolDescription, issuerUrl, strings.Join(audiences, ","), poolId)
+`, providerId, providerId, description, issuerUrl, strings.Join(audiences, ","), poolId)
 }
 
 // This returns the gcloud commands to create a service account, bind roles, and grant access
@@ -202,10 +204,10 @@ func createServiceAccountScript(wifConfig *cmv1.WifConfig) string {
 		project := wifConfig.Gcp().ProjectId()
 		serviceAccountID := sa.ServiceAccountId()
 		serviceAccountName := wifConfig.DisplayName() + "-" + serviceAccountID
-		serviceAccountDesc := poolDescription + " for WIF config " + wifConfig.DisplayName()
+		description := fmt.Sprintf(wifDescription, wifConfig.DisplayName())
 		//nolint:lll
 		sb.WriteString(fmt.Sprintf("gcloud iam service-accounts create %s --display-name=%s --description=\"%s\" --project=%s\n",
-			serviceAccountID, serviceAccountName, description, project))
+			serviceAccountID, serviceAccountName, description, project))
 	}
 	return sb.String()
 }
@@ -219,10 +221,10 @@ func createCustomRoleScript(wifConfig *cmv1.WifConfig) string {
 			project := wifConfig.Gcp().ProjectId()
 			permissions := strings.Join(role.Permissions(), ",")
 			roleName := roleId
-			serviceAccountDesc := roleDescription + " for WIF config " + wifConfig.DisplayName()
+			roleDesc := wifRoleDescription
 			//nolint:lll
 			sb.WriteString(fmt.Sprintf("gcloud iam roles create %s --project=%s --title=%s --description=\"%s\" --stage=GA --permissions=%s\n",
-				roleId, project, roleName, serviceAccountDesc, permissions))
+				roleId, project, roleName, roleDesc, permissions))
 		}
 	}
 }
@@ -302,7 +304,7 @@ func grantSupportAccessScriptContent(wifConfig *cmv1.WifConfig) string {
 		roleId := role.RoleId()
 		permissions := strings.Join(role.Permissions(), ",")
 		roleName := roleId
-		roleDesc := roleDescription + " for WIF config " + wifConfig.DisplayName()
+		roleDesc := wifRoleDescription
 		//nolint:lll
 		sb.WriteString(fmt.Sprintf("gcloud iam roles create %s --project=%s --title=%s --description=\"%s\" --stage=GA --permissions=%s\n",
 			roleId, project, roleName, roleDesc, permissions))
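Review bot: `roleDesc := wifRoleDescription` in createCustomRoleScript is a single-use alias of a constant; passing `wifRoleDescription` directly as the Sprintf argument reads the same way the shim's createOrUpdateRoles does, and the identical alias appears in grantSupportAccessScriptContent (@@ -302). Dropping the display name from role descriptions also means neither the generated script nor the created role records which wif-config it was made for; if that is deliberate because the roles are shared across OpenShift versions, as the constant's comment in create-wif-config.go suggests, a short comment here such as `// roles are version-scoped, not wif-config-scoped, so the description carries no config name` would keep the next reader from reinstating it. Both enclosing functions start and end outside these hunks.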