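#!/usr/bin/env bash
# Create two Cloud Storage buckets, seed each with one file, and grant a single
# user read access to the shared bucket only, via a conditional IAM binding.
#
# Usage: edit the CHANGEME values below, then run from the directory containing
#        clouds.jpg and questions.jpg with an authenticated gcloud/gsutil.
# Side effects: enables APIs, creates buckets and a project-level IAM binding.
set -euo pipefail

# Declare and assign separately so a failing gcloud call is not masked by the
# (always successful) export; under `set -e` the script then stops here.
PROJECT_ID=$(gcloud config get-value project)
PROJECT_USER=$(gcloud config get-value core/account) # set current user
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")
export PROJECT_ID PROJECT_USER PROJECT_NUMBER
export IDNS="${PROJECT_ID}.svc.id.goog" # workload identity domain
export GCP_REGION="us-central1"
export GCP_ZONE="us-central1-a"
export SHARED_BUCKET="mike-test-team-bucket1"     # CHANGEME
export PRIVATE_BUCKET="mike-test-private-bucket1" # CHANGEME
export RESTRICTED_USER="CHANGEME"

# Fail early on an unusable configuration rather than after the buckets exist:
# an empty project breaks every call below, and a placeholder principal would
# end up as a literal "user:CHANGEME" binding on the project.
if [[ -z "$PROJECT_ID" ]]; then
  printf 'error: no active gcloud project (gcloud config set project <id>)\n' >&2
  exit 1
fi
if [[ "$RESTRICTED_USER" == "CHANGEME" ]]; then
  printf 'error: RESTRICTED_USER still holds the CHANGEME placeholder\n' >&2
  exit 1
fi

# enable apis
gcloud services enable compute.googleapis.com \
  storage.googleapis.com

# create two storage buckets
# -b on = uniform bucket-level access; IAM Conditions on Cloud Storage require
# it, so the restricted binding below would not take effect without this flag.
gsutil mb -b on "gs://${SHARED_BUCKET}"
gsutil mb -b on "gs://${PRIVATE_BUCKET}"

# copy files to respective buckets
gsutil cp clouds.jpg "gs://${SHARED_BUCKET}/"
gsutil cp questions.jpg "gs://${PRIVATE_BUCKET}/"

# add IAM member to project, but restrict access to private bucket
# Cloud Storage resource names use the "_" project placeholder
# (projects/_/buckets/<bucket>), not the project ID, so a prefix built from
# $PROJECT_ID never matches and the grant is silently empty. The condition
# names the bucket exactly (bucket-level checks such as object listing) plus
# its objects, instead of a bare startsWith() that would also cover any other
# bucket whose name begins with $SHARED_BUCKET.
shared_res="projects/_/buckets/${SHARED_BUCKET}"
gcloud beta projects add-iam-policy-binding "$PROJECT_ID" \
  --member="user:${RESTRICTED_USER}" \
  --role='roles/storage.objectViewer' \
  --condition="expression=resource.name == \"${shared_res}\" || resource.name.startsWith(\"${shared_res}/objects/\"),title=no-private-bucket"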