in src/cli/utils/cicd.py [0:0]
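def ensure_apis_enabled(project_id: str, apis: list[str]) -> None:
    """Check and enable required APIs and set up necessary permissions.

    Each entry in ``apis`` is looked up with ``gcloud services list`` and
    enabled with ``gcloud services enable`` when it is not already on. The
    Cloud Build service agent of the project is then granted
    ``roles/secretmanager.admin`` at project level, and the function sleeps
    for 10 seconds so the changes can propagate.

    Args:
        project_id: GCP project ID where APIs should be enabled
        apis: List of API service names to check and enable

    Raises:
        subprocess.CalledProcessError: Re-raised, after an error line has been
            printed, when one of the gcloud invocations fails.
    """
    console.print("\nš Checking required APIs...")
    for api in apis:
        try:
            # Check if API is enabled
            result = run_command(
                [
                    "gcloud",
                    "services",
                    "list",
                    f"--project={project_id}",
                    f"--filter=config.name:{api}",
                    "--format=json",
                ],
                capture_output=True,
            )
            # An empty capture is treated as "nothing enabled"; enabling an
            # API that is already on is harmless.
            services = json.loads(result.stdout or "[]")
            # The `:` filter operator is a pattern match, not equality, so a
            # different enabled service whose name contains `api` (for
            # example bigquerystorage.googleapis.com when asked about
            # storage.googleapis.com) can appear in the result. Require an
            # exact name match before reporting the API as enabled.
            already_enabled = any(
                isinstance(service, dict)
                and (service.get("config") or {}).get("name") == api
                for service in services
            )
            if not already_enabled:  # API not enabled
                console.print(f"š” Enabling {api}...")
                run_command(
                    ["gcloud", "services", "enable", api, f"--project={project_id}"]
                )
                console.print(f"ā\nEnabled {api}")
            else:
                console.print(f"ā\n{api} already enabled")
        except subprocess.CalledProcessError as e:
            console.print(f"ā Failed to check/enable {api}: {e!s}", style="bold red")
            raise

    # Get the Cloud Build service account
    console.print("\nš Setting up service account permissions...")
    try:
        # NOTE(review): the policy output is not read anywhere below;
        # presumably this call only verifies that the caller can read the
        # project's IAM policy. Confirm, or drop the call.
        run_command(
            ["gcloud", "projects", "get-iam-policy", project_id, "--format=json"],
            capture_output=True,
        )
        project_number = run_command(
            [
                "gcloud",
                "projects",
                "describe",
                project_id,
                "--format=value(projectNumber)",
            ],
            capture_output=True,
        ).stdout.strip()
        cloudbuild_sa = (
            f"service-{project_number}@gcp-sa-cloudbuild.iam.gserviceaccount.com"
        )

        # Grant Secret Manager Admin role to Cloud Build service account
        # NOTE(review): least privilege. roles/secretmanager.admin bound at
        # project level with no condition lets any build running as this
        # identity read, modify and delete every secret in the project and
        # change the IAM policy on those secrets. If the pipeline only reads
        # secrets, a narrower role such as roles/secretmanager.secretAccessor,
        # or a binding on the individual secrets, limits what a compromised
        # build step can reach. Left unchanged here because the pipeline's
        # actual needs are not visible from this function.
        console.print(f"š¦ Granting Secret Manager Admin role to {cloudbuild_sa}...")
        run_command(
            [
                "gcloud",
                "projects",
                "add-iam-policy-binding",
                project_id,
                f"--member=serviceAccount:{cloudbuild_sa}",
                "--role=roles/secretmanager.admin",
                "--condition=None",
            ]
        )
        console.print("ā\nPermissions granted to Cloud Build service account")
    except subprocess.CalledProcessError as e:
        console.print(
            f"ā Failed to set up service account permissions: {e!s}", style="bold red"
        )
        raise

    # Add a small delay to allow API enablement and IAM changes to propagate
    time.sleep(10)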