From 3481f0c2dc47fd5b25c321bf28d12ed1b6e5ffde Mon Sep 17 00:00:00 2001
From: Leonardo Matos
Date: Thu, 18 Aug 2022 21:41:38 -0300
Subject: [PATCH] fix(cli): Fix GCloud IAM roles with temporary `serviceUsageAdmin` for first deploy
---
 packages/cli/src/config-gcloud.ts | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/packages/cli/src/config-gcloud.ts b/packages/cli/src/config-gcloud.ts
index aba1d0643..0cfc19c1a 100644
--- a/packages/cli/src/config-gcloud.ts
+++ b/packages/cli/src/config-gcloud.ts
@@ -32,6 +32,7 @@ const siginGcloudAndSetIAM = async (projectId: string, pwd: string) => {
 'roles/iam.serviceAccountUser',
 'roles/run.viewer',
 'roles/serviceusage.apiKeysViewer',
+ 'roles/serviceusage.serviceUsageAdmin',
 ];
 const serviceAccount = await checkServiceAccountExists(projectId);
 if (!serviceAccount) {
@@ -47,17 +48,23 @@ const siginGcloudAndSetIAM = async (projectId: string, pwd: string) => {
 let mustUpdatePolicy = false;
 roles.forEach((role) => {
- const roleFound = bindings.find(
- (binding: { [key: string]: string | string[] }) => binding.role === role,
- );
+ const roleFound = bindings.find((binding) => binding.role === role);
 const memberServiceAccount = `serviceAccount:${getAccountEmail(projectId)}`;
 if (!roleFound) {
- const newBinding = {
+ const newBinding: { [key: string]: any } = {
 members: [
 memberServiceAccount,
 ],
 role,
 };
+ if (role === 'roles/serviceusage.serviceUsageAdmin') {
+ const roleExpiration = Date.now() + 1000 * 60 * 60 * 12;
+ newBinding.condition = {
+ expression: `request.time < timestamp("${new Date(roleExpiration).toISOString()}")`,
+ title: 'Enable APIs on first deploy',
+ description: null,
+ };
+ }
 bindings.push(newBinding);
 mustUpdatePolicy = true;
 } else {
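Review bot: In the first hunk, `'roles/serviceusage.serviceUsageAdmin'` is added to the same list as the permanent roles with nothing marking it as the temporary one. Its expiry depends entirely on a string comparison against the same literal in the second hunk, so an edit to only one of the two places would bind this admin role with no condition. I would define it once, `const TEMPORARY_ENABLE_APIS_ROLE = 'roles/serviceusage.serviceUsageAdmin';`, use that constant in both places, and add the comment `// granted only with a 12 h expiry condition (see the binding loop below)`. The `roles` array starts outside this hunk.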
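Review bot: In the second hunk, `bindings.find((binding) => binding.role === role)` matches on the role alone, so the 12-hour condition is attached only when no binding for `roles/serviceusage.serviceUsageAdmin` exists yet. If the policy already has one, either unconditional or left over from an earlier run with an expired condition, control goes to the `else` branch, whose body is outside this hunk. If that branch appends the member, as seems likely, the service account either gets the admin role permanently or gets no usable grant at all. Matching on the condition as well would keep permanent and temporary bindings apart, for example `bindings.find((binding) => binding.role === role && Boolean(binding.condition) === (role === 'roles/serviceusage.serviceUsageAdmin'))`. Separately, IAM requires policy version 3 for policies that contain conditional bindings, so please confirm that the get/set code (not shown here) requests and writes `version: 3`.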