# LegalMind GCP Deployment Setup Script (Windows PowerShell)
# This script automates the setup of Google Cloud resources
#
# Abort on the first terminating PowerShell error.
# NOTE: this preference does not cover the native commands this script shells
# out to (gcloud, gsutil): a non-zero exit code from them does not throw, so
# their outcome is only visible through $LASTEXITCODE. Be careful with stderr
# redirections such as 2>$null / 2>&1 on native commands - on Windows
# PowerShell 5.1 a redirected stderr line is itself turned into a terminating
# error under "Stop", which makes try/catch around such calls behave
# differently across PowerShell versions.
$ErrorActionPreference = "Stop"
# Print a green "[INFO] ..." line on the host.
# Goes to the host/information stream (Write-Host), so it cannot be captured
# with ordinary stdout redirection.
function Write-Info {
    param(
        [string]$Message = ''
    )
    Write-Host -Object "[INFO] $Message" -ForegroundColor ([ConsoleColor]::Green)
}
# Print a yellow "[WARNING] ..." line on the host.
# NOTE: this shadows the built-in Write-Warning cmdlet for the rest of the
# script, so nothing emitted here reaches PowerShell's warning stream
# (-WarningAction / 3> have no effect on it).
function Write-Warning {
    param(
        [string]$Message = ''
    )
    Write-Host -Object "[WARNING] $Message" -ForegroundColor ([ConsoleColor]::Yellow)
}
# Print a red "[ERROR] ..." line on the host.
# NOTE: this shadows the built-in Write-Error cmdlet, so it writes no
# ErrorRecord and $ErrorActionPreference = "Stop" never reacts to it; callers
# that want to abort must follow it with an explicit `exit`, as the rest of
# this script does.
function Write-Error {
    param(
        [string]$Message = ''
    )
    Write-Host -Object "[ERROR] $Message" -ForegroundColor ([ConsoleColor]::Red)
}
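# Check prerequisites: every CLI this script shells out to must be resolvable
# on PATH. gsutil is added because the bucket step below invokes it directly;
# it normally ships with the Cloud SDK, but it is checked explicitly rather
# than assumed from gcloud being present. All missing tools are reported in
# one pass so the user does not have to re-run the script per tool.
Write-Info "Checking prerequisites..."
$prerequisites = @("gcloud", "gsutil", "docker", "npm")
$missingTools = @()
foreach ($tool in $prerequisites) {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        $missingTools += $tool
    }
}
if ($missingTools.Count -gt 0) {
    foreach ($tool in $missingTools) {
        Write-Error "$tool is not installed. Please install it first."
    }
    exit 1
}
Write-Info "Prerequisites check passed!"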
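# Get project ID and make it the active gcloud configuration.
#
# The value is interpolated into service-account e-mails, bucket names and
# IAM member strings further down, so it is validated against the GCP
# project-ID format first: 6-30 characters, lowercase letters/digits/hyphens,
# starting with a letter and not ending in a hyphen. Legacy domain-scoped IDs
# ("example.com:proj") are rejected on purpose - ":" is not a legal
# bucket-name character, so the derived bucket names would be invalid anyway.
# The whitelist also keeps shell metacharacters out of the argument list that
# is handed to the gcloud/gsutil .cmd wrappers (and therefore to cmd.exe).
$PROJECT_ID = (Read-Host "Enter your Google Cloud Project ID").Trim()
if ([string]::IsNullOrEmpty($PROJECT_ID)) {
    Write-Error "Project ID cannot be empty"
    exit 1
}
# -cnotmatch: the default -notmatch is case-insensitive and would let
# uppercase letters through.
if ($PROJECT_ID -cnotmatch '^[a-z][a-z0-9-]{4,28}[a-z0-9]$') {
    Write-Error "'$PROJECT_ID' is not a valid Google Cloud project ID (6-30 chars, lowercase letters, digits and hyphens, starting with a letter)"
    exit 1
}
Write-Info "Using project: $PROJECT_ID"
# Fail fast if the project is not visible to the current credentials.
# "gcloud config set project" accepts any string, so it would not catch a typo.
$null = gcloud projects describe $PROJECT_ID --format='value(projectId)'
if ($LASTEXITCODE -ne 0) {
    Write-Error "Project '$PROJECT_ID' was not found or is not accessible with the current gcloud credentials"
    exit 1
}
# Set the project. Native commands do not throw on failure, hence the explicit
# exit-code check.
gcloud config set project $PROJECT_ID
if ($LASTEXITCODE -ne 0) {
    Write-Error "Failed to set the active gcloud project to '$PROJECT_ID'"
    exit 1
}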
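# Enable required APIs.
# Each enable call is checked through $LASTEXITCODE: under
# $ErrorActionPreference = "Stop" a failing native command does not abort the
# script, so without the check a refused or unknown service name would pass
# silently here and only surface much later as a deploy-time error.
Write-Info "Enabling Google Cloud APIs..."
$apis = @(
    "run.googleapis.com",
    "firestore.googleapis.com",
    "storage-api.googleapis.com",
    "cloudbuild.googleapis.com",
    # NOTE(review): Container Registry is deprecated in favour of Artifact
    # Registry (enabled below) - confirm this entry is still needed.
    "containerregistry.googleapis.com",
    "firebase.googleapis.com",
    "artifactregistry.googleapis.com",
    "iam.googleapis.com",
    "iamcredentials.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "aiplatform.googleapis.com",
    # NOTE(review): verify this service name; the Gemini Developer API is
    # usually enabled as generativelanguage.googleapis.com.
    "generativeai.googleapis.com"
)
foreach ($api in $apis) {
    gcloud services enable $api --quiet
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to enable $api (check the service name and that you have serviceusage.services.enable on the project)"
        exit 1
    }
}
Write-Info "APIs enabled successfully!"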
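# Create service account for Cloud Run (idempotent).
#
# Existence is decided by gcloud's exit code rather than try/catch: a
# non-zero exit from a native command never throws, and whether a 2>$null
# redirection throws under $ErrorActionPreference = "Stop" depends on the
# PowerShell version, so the previous try/catch probe was unreliable. The probe
# runs in a child scope with a lowered error preference so that redirected
# stderr cannot become a terminating error on Windows PowerShell 5.1;
# $LASTEXITCODE is global and survives the scope.
Write-Info "Creating service account for Cloud Run..."
$SERVICE_ACCOUNT_EMAIL = "legalmind-backend@${PROJECT_ID}.iam.gserviceaccount.com"
& { $ErrorActionPreference = 'Continue'; gcloud iam service-accounts describe $SERVICE_ACCOUNT_EMAIL --project=$PROJECT_ID 2>&1 | Out-Null }
if ($LASTEXITCODE -eq 0) {
    Write-Warning "Service account already exists: $SERVICE_ACCOUNT_EMAIL"
} else {
    gcloud iam service-accounts create legalmind-backend `
        --project=$PROJECT_ID `
        --display-name="LegalMind Backend Service Account" `
        --description="Service account for LegalMind backend on Cloud Run"
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to create service account $SERVICE_ACCOUNT_EMAIL"
        exit 1
    }
    Write-Info "Service account created: $SERVICE_ACCOUNT_EMAIL"
}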
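# Grant roles to the runtime service account (project scope).
#
# Least-privilege notes - the bindings are left as they were, review before
# production use:
#  - roles/storage.objectAdmin at project scope covers every bucket in the
#    project, not only the two created further down; a bucket-level binding
#    on gs://$PROJECT_ID-documents and gs://$PROJECT_ID-artifacts is tighter.
#  - roles/secretmanager.secretAccessor at project scope reads every secret in
#    the project; per-secret bindings are preferable.
# Each binding is verified through $LASTEXITCODE: a failed native command does
# not throw under $ErrorActionPreference = "Stop", so the old loop printed
# "Granted role" regardless of the outcome.
Write-Info "Granting roles to service account..."
$roles = @(
    "roles/datastore.user",
    "roles/storage.objectAdmin",
    "roles/secretmanager.secretAccessor",
    "roles/logging.logWriter",
    "roles/aiplatform.user"
)
foreach ($role in $roles) {
    gcloud projects add-iam-policy-binding $PROJECT_ID `
        --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" `
        --role="$role" `
        --quiet
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to grant $role to $SERVICE_ACCOUNT_EMAIL"
        exit 1
    }
    Write-Info "Granted role: $role"
}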
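# Create GitHub Actions service account (idempotent).
# Same exit-code based probe as for the runtime service account: native
# commands do not throw, so try/catch cannot tell "exists" from "missing".
Write-Info "Setting up GitHub Actions integration..."
$GITHUB_SA_EMAIL = "github-actions@${PROJECT_ID}.iam.gserviceaccount.com"
& { $ErrorActionPreference = 'Continue'; gcloud iam service-accounts describe $GITHUB_SA_EMAIL --project=$PROJECT_ID 2>&1 | Out-Null }
if ($LASTEXITCODE -eq 0) {
    Write-Warning "GitHub Actions service account already exists: $GITHUB_SA_EMAIL"
} else {
    gcloud iam service-accounts create github-actions `
        --project=$PROJECT_ID `
        --display-name="GitHub Actions Service Account" `
        --description="Service account for GitHub Actions CI/CD"
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to create service account $GITHUB_SA_EMAIL"
        exit 1
    }
    Write-Info "GitHub Actions service account created: $GITHUB_SA_EMAIL"
}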
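# Grant necessary roles to GitHub Actions SA (project scope).
#
# This identity is reachable from CI via Workload Identity Federation, so its
# grants are the blast radius of a compromised workflow. Review notes
# (bindings kept as they were):
#  - roles/storage.admin at project scope gives CI full control over every
#    bucket, including the documents bucket. If CI only pushes container
#    images, roles/artifactregistry.writer (Artifact Registry is enabled
#    above) is the narrower grant.
#  - roles/container.developer is a GKE role; nothing in this script targets
#    GKE, so confirm it is really needed for a Cloud Run deploy.
#  - NOTE(review): deploying a Cloud Run revision that runs as the backend
#    service account additionally needs roles/iam.serviceAccountUser on that
#    service account for the deployer; it is not granted here.
# Every binding is checked via $LASTEXITCODE; a failed native command does not
# throw under $ErrorActionPreference = "Stop".
Write-Info "Granting roles to GitHub Actions service account..."
$github_roles = @(
    "roles/run.admin",
    "roles/storage.admin",
    "roles/container.developer"
)
foreach ($role in $github_roles) {
    gcloud projects add-iam-policy-binding $PROJECT_ID `
        --member="serviceAccount:$GITHUB_SA_EMAIL" `
        --role="$role" `
        --quiet
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to grant $role to $GITHUB_SA_EMAIL"
        exit 1
    }
    Write-Info "Granted role: $role"
}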
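# Setup Workload Identity Federation: create the pool (idempotent).
# Existence is decided by gcloud's exit code (native commands do not throw);
# the probe runs with a lowered error preference in a child scope so that the
# redirected stderr cannot become a terminating error on Windows PowerShell 5.1.
Write-Info "Setting up Workload Identity Federation for GitHub..."
$POOL_ID = "github-pool"
$PROVIDER_ID = "github-provider"
& { $ErrorActionPreference = 'Continue'; gcloud iam workload-identity-pools describe $POOL_ID --project=$PROJECT_ID --location=global 2>&1 | Out-Null }
if ($LASTEXITCODE -eq 0) {
    Write-Warning "Workload Identity Pool already exists: $POOL_ID"
} else {
    gcloud iam workload-identity-pools create $POOL_ID `
        --project=$PROJECT_ID `
        --location=global `
        --display-name="GitHub Actions Pool"
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to create Workload Identity Pool $POOL_ID"
        exit 1
    }
    Write-Info "Created Workload Identity Pool: $POOL_ID"
}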
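# Get the pool resource name
# (projects/<NUMBER>/locations/global/workloadIdentityPools/<POOL>). It is the
# base of the principalSet member used for impersonation, so an empty value
# must not be allowed to propagate into that IAM binding.
$WORKLOAD_IDENTITY_POOL_ID = gcloud iam workload-identity-pools describe $POOL_ID `
    --project=$PROJECT_ID `
    --location=global `
    --format='value(name)'
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($WORKLOAD_IDENTITY_POOL_ID)) {
    Write-Error "Could not resolve the resource name of Workload Identity Pool $POOL_ID"
    exit 1
}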
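# Check if provider exists, create the GitHub OIDC provider otherwise.
#
# Security: the provider is created with an attribute condition pinned to the
# one repository that is allowed to impersonate the CI service account. Without
# it the pool accepts tokens from every repository on GitHub's shared issuer
# and the principalSet binding is the only remaining gate. Google reportedly
# also rejects new providers on shared issuers such as GitHub when no
# attribute condition is set - verify against the current gcloud release. The
# repository here must agree with the principalSet member used for the
# roles/iam.workloadIdentityUser binding.
# Existence is decided by exit code (native commands do not throw); the probe
# lowers the error preference in a child scope so redirected stderr is not a
# terminating error on Windows PowerShell 5.1.
& { $ErrorActionPreference = 'Continue'; gcloud iam workload-identity-pools providers describe $PROVIDER_ID --project=$PROJECT_ID --location=global --workload-identity-pool=$POOL_ID 2>&1 | Out-Null }
if ($LASTEXITCODE -eq 0) {
    Write-Warning "Workload Identity Provider already exists: $PROVIDER_ID"
    Write-Warning "Existing providers are not modified - confirm it has an attribute condition restricting assertion.repository"
} else {
    gcloud iam workload-identity-pools providers create-oidc $PROVIDER_ID `
        --project=$PROJECT_ID `
        --location=global `
        --workload-identity-pool=$POOL_ID `
        --display-name="GitHub Provider" `
        --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.environment=assertion.environment,attribute.repository=assertion.repository" `
        --attribute-condition="assertion.repository == 'smirk-dev/gemini-hackathon'" `
        --issuer-uri="https://token.actions.githubusercontent.com"
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to create Workload Identity Provider $PROVIDER_ID"
        exit 1
    }
    Write-Info "Created Workload Identity Provider: $PROVIDER_ID"
}
# Full resource name of the provider. This - not the pool name - is the value
# google-github-actions/auth expects as workload_identity_provider.
$WORKLOAD_IDENTITY_PROVIDER_NAME = gcloud iam workload-identity-pools providers describe $PROVIDER_ID `
    --project=$PROJECT_ID `
    --location=global `
    --workload-identity-pool=$POOL_ID `
    --format='value(name)'
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($WORKLOAD_IDENTITY_PROVIDER_NAME)) {
    Write-Error "Could not resolve the resource name of Workload Identity Provider $PROVIDER_ID"
    exit 1
}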
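# Configure service account impersonation: let GitHub Actions tokens from
# exactly one repository impersonate the CI service account.
#
# The member is built on the pool's full resource name ($WORKLOAD_IDENTITY_POOL_ID,
# projects/<NUMBER>/...), which is the form IAM documents for principalSet
# identifiers, instead of hand-assembling it from the project ID. The
# attribute.repository selector only exists because the provider maps
# assertion.repository into it, so the repository string here and the
# provider's attribute condition must agree. Anything broader (e.g. the whole
# pool) would let any GitHub workflow on the issuer deploy to this project.
Write-Info "Configuring Workload Identity impersonation..."
$GITHUB_REPOSITORY = "smirk-dev/gemini-hackathon"
if ([string]::IsNullOrWhiteSpace($WORKLOAD_IDENTITY_POOL_ID)) {
    Write-Error "Workload Identity Pool resource name is empty; refusing to create an impersonation binding"
    exit 1
}
gcloud iam service-accounts add-iam-policy-binding $GITHUB_SA_EMAIL `
    --project=$PROJECT_ID `
    --role=roles/iam.workloadIdentityUser `
    --member="principalSet://iam.googleapis.com/$WORKLOAD_IDENTITY_POOL_ID/attribute.repository/$GITHUB_REPOSITORY" `
    --quiet
if ($LASTEXITCODE -ne 0) {
    Write-Error "Failed to grant roles/iam.workloadIdentityUser on $GITHUB_SA_EMAIL"
    exit 1
}
Write-Info "Workload Identity configured!"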
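# Create Cloud Storage buckets if they don't exist.
#
# Existence is decided by gsutil's exit code (native commands do not throw, so
# the previous try/catch could not distinguish "exists" from "missing"); the
# probe lowers the error preference in a child scope so redirected stderr is
# not a terminating error on Windows PowerShell 5.1.
# New buckets are hardened at creation time:
#   -b on          uniform bucket-level access: IAM only, no per-object ACLs
#   --pap enforced public access prevention: allUsers/allAuthenticatedUsers
#                  grants are rejected, so the documents bucket cannot later
#                  be made world-readable by a stray ACL or IAM binding
# NOTE(review): no -l is passed, so buckets land in gsutil's default location;
# pin a region/multi-region explicitly if data residency matters for the
# documents stored here.
Write-Info "Setting up Cloud Storage buckets..."
$DOCUMENTS_BUCKET = "$PROJECT_ID-documents"
$ARTIFACTS_BUCKET = "$PROJECT_ID-artifacts"
foreach ($bucket in @($DOCUMENTS_BUCKET, $ARTIFACTS_BUCKET)) {
    & { $ErrorActionPreference = 'Continue'; gsutil ls -b "gs://$bucket" 2>&1 | Out-Null }
    if ($LASTEXITCODE -eq 0) {
        Write-Warning "Bucket already exists: gs://$bucket"
    } else {
        gsutil mb -p $PROJECT_ID -b on --pap enforced "gs://$bucket"
        if ($LASTEXITCODE -ne 0) {
            Write-Error "Failed to create bucket gs://$bucket (bucket names are global - it may already be taken by another project)"
            exit 1
        }
        Write-Info "Created bucket: gs://$bucket"
    }
}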
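# Display summary of what the GitHub workflow needs.
#
# WIF_PROVIDER is resolved here as the *provider* resource name
# (projects/<NUMBER>/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>),
# which is what google-github-actions/auth expects as workload_identity_provider;
# the pool name was printed for it before, which is the wrong resource. The
# pool name is still shown for reference.
$wifProvider = gcloud iam workload-identity-pools providers describe $PROVIDER_ID `
    --project=$PROJECT_ID `
    --location=global `
    --workload-identity-pool=$POOL_ID `
    --format='value(name)'
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($wifProvider)) {
    Write-Error "Could not resolve the Workload Identity Provider resource name for the summary"
    exit 1
}
Write-Host ""
Write-Host "===============================================" -ForegroundColor Cyan
Write-Info "GCP Setup Complete!"
Write-Host "===============================================" -ForegroundColor Cyan
Write-Host ""
Write-Info "Project ID: $PROJECT_ID"
Write-Info "Cloud Run Service Account: $SERVICE_ACCOUNT_EMAIL"
Write-Info "GitHub Actions Service Account: $GITHUB_SA_EMAIL"
Write-Info "Workload Identity Pool: $WORKLOAD_IDENTITY_POOL_ID"
Write-Info "Workload Identity Provider: $wifProvider"
Write-Host ""
Write-Warning "Next Steps:"
Write-Host ""
Write-Host "1. Save these values as GitHub Secrets:"
Write-Host "   - GCP_PROJECT_ID: $PROJECT_ID"
Write-Host "   - WIF_PROVIDER: $wifProvider"
Write-Host "   - WIF_SERVICE_ACCOUNT: $GITHUB_SA_EMAIL"
Write-Host ""
# A downloaded service-account key is a long-lived credential; the whole point
# of the WIF setup above is to avoid those for CI. The backend should instead
# run as its service account (attached to the Cloud Run service) and obtain
# credentials via Application Default Credentials, so the key step is framed
# as a last resort rather than a required step.
Write-Host "2. Firebase credentials for the backend:"
Write-Host "   Prefer attaching the service account to the Cloud Run service"
Write-Host "   (gcloud run deploy ... --service-account=$SERVICE_ACCOUNT_EMAIL) and let the"
Write-Host "   backend use Application Default Credentials - no key file is needed then."
Write-Warning "   Only if a key is unavoidable (e.g. local development), create one, keep it out of git and rotate it:"
Write-Host "   gcloud iam service-accounts keys create firebase-key.json \" -ForegroundColor Gray
Write-Host "   --iam-account=$SERVICE_ACCOUNT_EMAIL" -ForegroundColor Gray
Write-Host ""
Write-Host "3. Deploy backend:"
Write-Host "   git push origin main"
Write-Host ""
Write-Host "4. View deployment status:"
Write-Host "   gcloud run services list --region us-central1"
Write-Host ""
Write-Host "===============================================" -ForegroundColor Cyan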