From 6d210f72a933b0be92cf4ee2570d7b7628975917 Mon Sep 17 00:00:00 2001
From: Jonas Kauke
Date: Fri, 13 Mar 2026 15:18:02 +0100
Subject: [PATCH 1/2] feat: assign cleanup SA deleter permissions

---
 cli/cmd/bootstrap_gcp.go | 5 +++++
 internal/bootstrap/gcp/gcp.go | 13 +++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/cli/cmd/bootstrap_gcp.go b/cli/cmd/bootstrap_gcp.go
index f522419a..66bc5223 100644
--- a/cli/cmd/bootstrap_gcp.go
+++ b/cli/cmd/bootstrap_gcp.go
@@ -89,11 +89,16 @@ func AddBootstrapGcpCmd(parent *cobra.Command, opts *GlobalOptions) {
 flags.StringArrayVar(&bootstrapGcpCmd.CodesphereEnv.Experiments, "experiments", gcp.DefaultExperiments, "Experiments to enable in Codesphere installation (optional)")
 flags.StringArrayVar(&bootstrapGcpCmd.CodesphereEnv.FeatureFlags, "feature-flags", []string{}, "Feature flags to enable in Codesphere installation (optional)")
+ // OpenBao
 flags.StringVar(&bootstrapGcpCmd.CodesphereEnv.OpenBaoURI, "openbao-uri", "", "URI for OpenBao (optional)")
 flags.StringVar(&bootstrapGcpCmd.CodesphereEnv.OpenBaoEngine, "openbao-engine", "cs-secrets-engine", "OpenBao engine name (default: cs-secrets-engine)")
 flags.StringVar(&bootstrapGcpCmd.CodesphereEnv.OpenBaoUser, "openbao-user", "admin", "OpenBao username (optional)")
 flags.StringVar(&bootstrapGcpCmd.CodesphereEnv.OpenBaoPassword, "openbao-password", "", "OpenBao password (optional)")
+ // Cleanup
+ flags.StringVar(&bootstrapGcpCmd.CodesphereEnv.CleanupSaName, "cleanup-sa-name", "oms-infra-github-actions", "Name of the service account responsible for automatic cleanup in GHA (default: gcp-bootstrap-cleanup-sa)")
+ flags.StringVar(&bootstrapGcpCmd.CodesphereEnv.CleanupSaProjecID, "cleanup-sa-project-id", "oms-infra", "GCP ProjectID of the service account responsible for automatic cleanup in GHA (default: oms-infra)")
+
 util.MarkFlagRequired(bootstrapGcpCmd.cmd, "project-name")
 util.MarkFlagRequired(bootstrapGcpCmd.cmd, "billing-account")
 util.MarkFlagRequired(bootstrapGcpCmd.cmd, "base-domain")
diff --git a/internal/bootstrap/gcp/gcp.go b/internal/bootstrap/gcp/gcp.go
index 11a2ba5e..dce4825d 100644
--- a/internal/bootstrap/gcp/gcp.go
+++ b/internal/bootstrap/gcp/gcp.go
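Review bot: The help text for `--cleanup-sa-name` states `(default: gcp-bootstrap-cleanup-sa)` while the default actually bound is `"oms-infra-github-actions"`, and cobra appends the real default itself, so the generated docs now show two contradicting defaults on one line. Drop the hand-written parenthetical from both new flags, e.g. `"Name of the service account that is granted project-delete rights for automatic cleanup in GHA"` and `"GCP project ID that hosts the cleanup service account"`, so the help says what the flag actually does (it grants that principal `roles/resourcemanager.projectDeleter`, per the gcp.go hunk). The field name `CleanupSaProjecID` is missing a `t` (`CleanupSaProjectID`); the same typo appears in the struct and in `EnsureIAMRoles` in internal/bootstrap/gcp/gcp.go. AddBootstrapGcpCmd starts and ends outside this hunk.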
@@ -177,6 +177,10 @@ type CodesphereEnvironment struct {
 Region string `json:"region"`
 Zone string `json:"zone"`
 DNSZoneName string `json:"dns_zone_name"`
+
+ // Cleanup
+ CleanupSaName string `json:"cleanup_sa_email"`
+ CleanupSaProjecID string `json:"cleanup_sa_project_id"`
 }
 func NewGCPBootstrapper(
@@ -600,6 +604,15 @@ func (b *GCPBootstrapper) EnsureIAMRoles() error {
 }
 err = b.ensureIAMRoleWithRetry(b.Env.ProjectID, "artifact-registry-writer", b.Env.ProjectID, []string{"roles/artifactregistry.writer"})
+ if err != nil {
+ return nil
+ }
+
+ err = b.GCPClient.AssignIAMRole(b.Env.ProjectID, b.Env.CleanupSaName, b.Env.CleanupSaProjecID, []string{"roles/resourcemanager.projectDeleter"})
+ if err != nil {
+ return err
+ }
+
 return err
 }
From f9f16824eddbbc3eb55c5f9f84dbe5d29b83f9b5 Mon Sep 17 00:00:00 2001
From: joka134 <27293650+joka134@users.noreply.github.com>
Date: Fri, 13 Mar 2026 14:19:20 +0000
Subject: [PATCH 2/2] chore(docs): Auto-update docs and licenses
Signed-off-by: joka134 <27293650+joka134@users.noreply.github.com>
---
 docs/oms_beta_bootstrap-gcp.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docs/oms_beta_bootstrap-gcp.md b/docs/oms_beta_bootstrap-gcp.md
index 93003eb1..efe5c43e 100644
--- a/docs/oms_beta_bootstrap-gcp.md
+++ b/docs/oms_beta_bootstrap-gcp.md
@@ -19,6 +19,8 @@ oms beta bootstrap-gcp [flags]
 ```
 --base-domain string Base domain for Codesphere (required)
 --billing-account string GCP Billing Account ID (required)
+ --cleanup-sa-name string Name of the service account responsible for automatic cleanup in GHA (default: gcp-bootstrap-cleanup-sa) (default "oms-infra-github-actions")
+ --cleanup-sa-project-id string GCP ProjectID of the service account responsible for automatic cleanup in GHA (default: oms-infra) (default "oms-infra")
 --custom-pg-ip string Custom PostgreSQL IP (optional)
 --datacenter-id int Datacenter ID (default: 1) (default 1)
 --dns-project-id string GCP Project ID for Cloud DNS (optional)
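Review bot: The JSON tag on the new `CleanupSaName` field is `cleanup_sa_email`, which disagrees with the field name and with the `--cleanup-sa-name` flag that populates it; anyone reading the serialized environment will supply a full email where the code passes a bare name to `AssignIAMRole`. Pick one meaning and make the tag match, e.g. `CleanupSaName string `json:"cleanup_sa_name"``, or rename the field to `CleanupSaEmail` if the client really expects an email (whether `AssignIAMRole` takes a name or an email is not visible here and should be confirmed). `CleanupSaProjecID` should be `CleanupSaProjectID`. Since these fields control which principal receives `roles/resourcemanager.projectDeleter`, a short field comment such as `// Principal and its home project that get projectDeleter on the bootstrapped project` would help the next maintainer. The `CodesphereEnvironment` struct starts outside this hunk.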
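Review bot: The first added check in `EnsureIAMRoles` reads `if err != nil { return nil }`, so a failed `artifact-registry-writer` binding is now reported as success, whereas before this commit that error reached the caller through the trailing `return err`; it should be `return err`. The new `AssignIAMRole` call grants `roles/resourcemanager.projectDeleter` on the bootstrapped project to whatever principal the `CleanupSaName`/`CleanupSaProjecID` fields hold, which by default is a service account in a different project and which nothing here validates; consider skipping the grant when `b.Env.CleanupSaName == ""` and logging the grant so it is visible in the bootstrap output. With both checks in place the closing `return err` is always nil and reads better as `return nil`. The enclosing function starts outside this hunk.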