delete install image after customization instance has been started (#93)

* deleting install image after customization instance has been started * removed zone argument, reduced to single line, repositioned -q * service account is per-purpose instead of per-cluster * grant access to bucket before run ; revoke access to bucket, private key material and secret list access after the run * reduced noise following successful image creation message
GoogleCloudDataproc · Oct 7, 2024 · aa4fd5e · aa4fd5e
1 parent 42834b1
commit aa4fd5e
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 12 deletions.
diff --git a/custom_image_utils/shell_script_generator.py b/custom_image_utils/shell_script_generator.py
@@ -120,6 +120,9 @@
 
   touch /tmp/{run_id}/vm_created
 
+  # clean up intermediate install image
+  gcloud compute images delete -q {image_name}-install --project={project_id}
+
   echo 'Waiting for customization script to finish and VM shutdown.'
   gcloud compute instances tail-serial-port-output {image_name}-install \
       --project={project_id} \
@@ -148,6 +151,7 @@
     --source-disk={image_name}-install \
     {storage_location_flag} \
     --family={family}
+
   touch /tmp/{run_id}/image_created
 }}
 

diff --git a/examples/secure-boot/cuda.sh b/examples/secure-boot/cuda.sh
@@ -17,15 +17,15 @@
 set -ex
 
 export PROJECT_ID="$(jq    -r .PROJECT_ID    env.json)"
-export CLUSTER_NAME="$(jq  -r .CLUSTER_NAME  env.json)"
+export PURPOSE="$(jq       -r .PURPOSE       env.json)"
 export BUCKET="$(jq        -r .BUCKET        env.json)"
 export IMAGE_VERSION="$(jq -r .IMAGE_VERSION env.json)"
 export ZONE="$(jq          -r .ZONE          env.json)"
 
 custom_image_zone="${ZONE}"
 disk_size_gb="50" # greater than or equal to 30
 
-SA_NAME="sa-${CLUSTER_NAME}"
+SA_NAME="sa-${PURPOSE}"
 GSA="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
 
 gcloud config set project ${PROJECT_ID}
@@ -40,23 +40,33 @@ metadata="${metadata},private_secret_name=${private_secret_name}"
 metadata="${metadata},secret_project=${secret_project}"
 metadata="${metadata},secret_version=${secret_version}"
 
-# Instructions for creating the service account can be found here:
-# https://github.com/LLC-Technologies-Collier/dataproc-repro/blob/78945b5954ab47aac56f55ac22b3c35569d154e0/shared-functions.sh#L759
+if gcloud iam service-accounts list --filter email="${GSA}" 2>&1 | grep 'Listed 0 items.' ; then
+  # Create service account for this purpose
+  echo "creating pre-init customization service account ${GSA}"
+  gcloud iam service-accounts create "${SA_NAME}" \
+    --description="Service account for pre-init customization" \
+    --display-name="${SA_NAME}"
+fi
+
+# Grant service account access to bucket
+gcloud storage buckets add-iam-policy-binding "gs://${BUCKET}" \
+  --member="serviceAccount:${GSA}" \
+  --role="roles/storage.objectViewer"
 
 # Grant the service account access to list secrets for the project
 gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
   --member="serviceAccount:${GSA}" \
   --role="roles/secretmanager.viewer"
 
-# grant service account permission to access the private secret
+# Grant service account permission to access the private secret
 gcloud secrets add-iam-policy-binding "${private_secret_name}" \
-    --member="serviceAccount:${GSA}" \
-    --role="roles/secretmanager.secretAccessor"
+  --member="serviceAccount:${GSA}" \
+  --role="roles/secretmanager.secretAccessor"
 
-# grant service account permission to access the public secret
+# Grant service account permission to access the public secret
 gcloud secrets add-iam-policy-binding "${public_secret_name}" \
-    --member="serviceAccount:${GSA}" \
-    --role="roles/secretmanager.secretAccessor"
+  --member="serviceAccount:${GSA}" \
+  --role="roles/secretmanager.secretAccessor"
 
 # If no OS family specified, default to debian
 if [[ "${IMAGE_VERSION}" != *-* ]] ; then
@@ -95,5 +105,18 @@ python generate_custom_image.py \
     --no-smoke-test \
     --gcs-bucket "${BUCKET}" \
     --shutdown-instance-timer-sec=30
-
 set +x
+# Revoke permission to access the private secret
+gcloud secrets remove-iam-policy-binding "${private_secret_name}" \
+  --member="serviceAccount:${GSA}" \
+  --role="roles/secretmanager.secretAccessor" > /dev/null 2>&1
+
+# Revoke access to bucket
+gcloud storage buckets remove-iam-policy-binding "gs://${BUCKET}" \
+  --member="serviceAccount:${GSA}" \
+  --role="roles/storage.objectViewer" > /dev/null 2>&1
+
+# Revoke access to list secrets for the project
+gcloud projects remove-iam-policy-binding "${PROJECT_ID}" \
+  --member="serviceAccount:${GSA}" \
+  --role="roles/secretmanager.viewer" > /dev/null 2>&1
diff --git a/examples/secure-boot/env.json.sample b/examples/secure-boot/env.json.sample
@@ -1,6 +1,6 @@
 {
   "PROJECT_ID":"example-yyyy-nn",
-  "CLUSTER_NAME":"my-dataproc-cluster-name",
+  "PURPOSE":"pre-init",
   "BUCKET":"my-bucket-name",
   "IMAGE_VERSION":"2.2-debian12",
   "ZONE":"us-west4-a"