Skip to content

Guide

This page provides a description of Dapla Team CLI's different functionalities as well as example uses. More documentation can be found in the command reference. Documentation for pull request ('pr' commands) can be found on [Confluence]: https://statistics-norway.atlassian.net/l/cp/bvmKVRt9

Setting up

Follow the installation instructions before continuing here.

Health Check

NOTE: If you are using dpteam on Jupyter, you do not need to run a health check.

The first thing you should do after installing Dapla Team CLI is to run the command dpteam doctor. This will run checks on your system, ensuring that everything is configured correctly. If something is missing, it will inform you about what you need to do.

Authentication

NOTE: If you are using dpteam on Jupyter, you do not need to authenticate, this is done automatically for you.

Some functions of the CLI require authentication against Keycloak in order to work. dpteam doctor should have informed you if this is missing, but if it did not, or you need to reauthenticate, you can run dpteam auth login to do so. If you wish to see your authentication status, use dpteam auth status.

Teams and groups

Dapla Team CLI lets you manage your Dapla team easily.

List members

To list members of a team, run the command

dpteam groups list-members [--team-name team-name]

If you don't supply a team name, you will be prompted to enter one with autocompletion.

If your current working directory is an IaC repo, the CLI will automatically detect it and deduce the team name.

Recommendation: Use the autocompletion prompt.

Example

I want to list the members of team demo-enhjoern-a. I run the command dpteam groups list-members, start typing the team name, and use the TAB key to choose demo-enhjoern-a from the autocomplete list. The CLI returns a list of all the members, grouped by their group (support, developers, ...).

GCP roles and bucket access

The CLI makes it easy to give groups time-restricted GCP roles and bucket access. It generates the relevant Terraform files for you and automatically creates a new GitHub branch from which you can easily create a pull request. Simply use the command

dpteam tf iam-bindings --team-name <team-name>

If you don't supply a team name, you will be prompted to enter one with autocompletion.

If your current working directory is an IaC repo, the CLI will automatically detect it and deduce the team name.

Recommendation: Use the autocompletion prompt.

The command supports autocompletion for common roles and gives you an interactive prompt for choosing a time frame and selecting bucket permissions.

You can add bindings for however many combinations of group, expiration times, bucket access and roles. If there are any existing bindings for a given group, it will not remove them unless you are adding bindings for that particular bucket/role.

If you wish to test the command without creating a new GitHub branch, you can do a dry-run by supplying the option --no-github.

Example

I want to give demo-enhjoern-a-data-admins the role roles/secretManager.admin as well as write access to the demo-enhjoern-a-kilde bucket until the end of today. In addition, I want demo-enhjoern-a-developers to have the role roles/cloudsql.admin until the end of tomorrow. I run dpteam tf iam-bindings, start writing the team name and use TAB to autocomplete. I select the data-admins option, write secret and use TAB to autocomplete the role. When prompted for bucket access, I select write access for the kilde bucket using Space, and confirm with Enter. I select "Until end of today" for the timeframe. The CLI then asks if I want to configure bindings for another group, I say yes and repeat the process for the developers group. I give a reason for these new bindings and the CLI creates a new GitHub branch with my new IAM bindings. I create a pull request from this new branch and run atlantis plan and atlantis apply.

GCP Secrets

The CLI lets you manage your team's GCP secrets easily.

Create a secret

To create a secret, simply run

dpteam secrets create --project_id <project-id> --secret-id <secret-id>
--payload <secret payload>

If any of the options are omitted, you will be prompted for them by the CLI.

Example

I want to add a secret to my team demo-enhjoern-a, which has the project ID demo-enhjoern-a-1234. I run the command dpteam secrets create and supply the project ID, the secret ID and the secret payload. The CLI creates the secret for me.