SrSSKJr SSKJr SSKJr SSKJr SSKJ r SSK J r SSK J r SS KJr SS KJr SSKJr SS KJr SS KJr SS KJr SSKJr SrSrSrSr"SS\R<5rSr Sr!"SS\"5r#g)z0Utilities for Eventarc gke-destinations command.)absolute_import)division)unicode_literals) exceptions) projects_api)common) serviceusage)apis)util)log) properties) console_io)retryz us-central1zfake-trigger-id)zroles/container.developerzroles/iam.serviceAccountAdminzroles/compute.vieweri Nc\rSrSrSrSrg)!GKEDestinationInitializationError)zSError when failing to initialize project for Cloud Run for Anthos/GKE destinations.N)__name__ __module__ __qualname____firstlineno____doc____static_attributes__r7lib/googlecloudsdk/api_lib/eventarc/gke_destinations.pyrr)s[rrcbAAAU[R:H=(d U[R:H$)aWhether to retry the request when receiving errors. Args: exc_type: type of the raised exception. exc_value: the instance of the raise the exception. exc_traceback: Traceback, traceback encapsulating the call stack at the the point where the exception occurred. state: RetryerState, state of the retryer. Returns: True if exception and is due to NOT_FOUND or INVALID_ARGUMENT. )apitools_exceptionsHttpBadRequestErrorHttpNotFoundError)exc_type exc_value exc_tracebackstates r_ShouldRetryHttpErrorr$-s3 )== = < );; ;=rc[RRRR SS9n[ R "X5nUS$)aiGets (or creates) the P4SA for Eventarc in the given project. If the P4SA does not exist for this project, it will be created. Otherwise, the email address of the existing P4SA will be returned. Args: service_name: str, name of the service for the P4SA, e.g. eventarc.googleapis.com Returns: Email address of the Eventarc P4SA for the given project. Trequiredemail)r VALUEScoreprojectGetr GenerateServiceIdentity) service_name project_nameresponses r_GetOrCreateP4SAr1?sD""''//33T3B,  1 1, M( ' rcd\rSrSrSrSrSrSrSr\ R"S\ SS \ S 9S 5r S rg )GKEDestinationsClientQzMWrapper client for setting up Eventarc Cloud Run for Anthos/GKE destinations.c[R"U5Ul[R"[R UR5nUR UlURUl g)N) r GetApiVersion _api_versionr GetClientInstanceAPI_NAMEMESSAGES_MODULE _messagesprojects_locations_triggers_service)self release_trackclients r__init__GKEDestinationsClient.__init__TsK,,];D  # #FOOT5F5F GF++DN66DMrcUR5 [R"UR 5n[ U5nU(d [S5eURU[5 g![Ra Njf=f)aForce create the Eventarc P4SA, and grant IAM roles to it. 1) First, trigger the P4SA JIT provision by trying to create an empty trigger, ignore the HttpBadRequestError exception, then call GenerateServiceIdentity to verify that P4SA creation is completed. 2) Then grant necessary roles needed to the P4SA for creating GKE triggers. Raises: GKEDestinationInitializationError: P4SA failed to be created. zGFailed to initialize project for Cloud Run for Anthos/GKE destinations.N) _CreateEmptyTriggerrrrGetApiServiceNamer7r1r_BindRolesToServiceAccount_ROLES)r>r. p4sa_emails rInitServiceAccount(GKEDestinationsClient.InitServiceAccountZst   ++D,=,=>L!,/J  - S  ##J7  2 2   sA&&A=<A=c[RRRR SS9nSR U[ 5nURRU[S9nURRU5$)zAttempt to create an empty trigger in us-central1 to kick off P4SA JIT provision. The create request will always fail due to the empty trigger message payload, but it will trigger the P4SA JIT provision. Returns: A long-running operation for create. Tr&zprojects/{}/locations/{})parent triggerId) r r)r*r+r,format _LOCATIONr;.EventarcProjectsLocationsTriggersCreateRequest _TRIGGER_IDr=Create)r>r+rLreqs rrD)GKEDestinationsClient._CreateEmptyTriggersso$$,,00$0?G ' . .w BF .. G G H .C ==   $$rcHSR[U5Vs/sHnSRU5PM sn5n[RR SRX55 [ R"SSSSS9 [R"[RRRRSS95nS RU5nUVs/sHo6U4PM nnURXW5 [RR S 5 g s snfs snf) zBinds roles to the provided service account. Args: sa_email: str, the service account to bind roles to. roles: iterable, the roles to be bound to the service account.  z- {}zTo use Eventarc with Cloud Run for Anthos/GKE destinations, Eventarc Service Agent [{}] needs to be bound to the following required roles: {}FTz$ Would you like to bind these roles?)defaultthrow_if_unattended prompt_string cancel_on_nor&zserviceAccount:{}zRoles successfully bound.N)joinsortedrNr statusPrintrPromptContinue projects_util ParseProjectr r)r*r+r,_AddIamPolicyBindingsWithRetry)r>sa_emailrolesroleformatted_roles project_ref member_str member_roless rrF0GKEDestinationsClient._BindRolesToServiceAccountsii Ot!4 OPOJJ AAG B'(  =   ,,&&**D*9;K$++H5J38954&5L9'' BJJ01#!P:s D D g?d) max_retrials max_wait_msexponential_sleep_multipliersleep_msshould_retry_ifc.[R"X5$)zAdds iam bindings to project_ref's iam policy, with retry. Args: project_ref: The project for the binding member_roles: List of 2-tuples of the form [(member, role), ...]. Returns: The updated IAM Policy )rAddIamPolicyBindings)r>rgris rrb4GKEDestinationsClient._AddIamPolicyBindingsWithRetrys  , ,[ GGr)r7r;r=N)rrrrrrArIrDrFrRetryOnException_MAX_WAIT_TIME_IN_MSr$rbrrrrr3r3QsIU7 82 %24 &#&+ - H - Hrr3N)$r __future__rrrapitools.base.pyrr+googlecloudsdk.api_lib.cloudresourcemanagerrgooglecloudsdk.api_lib.eventarcrgooglecloudsdk.api_lib.servicesr googlecloudsdk.api_lib.utilr #googlecloudsdk.command_lib.projectsr r`googlecloudsdk.corer r googlecloudsdk.core.consolergooglecloudsdk.core.utilrrOrQrGrv InternalErrorrr$r1objectr3rrrrs{7&'>D28,E*#*2*    "!\ (@(@\=$$[HF[Hr