Cloud Identity Group module #182

Merged
merged 7 commits into from
Feb 13, 2021
Conversation

juliocc
Collaborator

@juliocc juliocc commented Dec 10, 2020

No description provided.

@juliocc juliocc requested a review from ludoo December 10, 2020 13:52
This module allows creating a Cloud Identity group and assigning owners, managers and members.

## Usage
To use this module you must either run terraform as a user that has the Super Admin role in Cloud Identity or [enable domain-wide delegation](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to the service account used by terraform. If you use a service account, you must also grant that service account the Groups Admin role in Cloud Identity.
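Review bot: the usage section leads with running terraform as a Super Admin, which is far more privilege than a module that only manages groups needs; reorder it so the least-privileged option comes first (a Groups Admin or custom admin role with groups privileges, granted to the user or to the service account terraform runs as) and present Super Admin only as the fallback. If domain-wide delegation stays as an option, say that it lets the service account act on behalf of domain users for whatever scopes are granted, so the scope list should be restricted to what group management needs.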
Collaborator
A Cloud Identity custom admin with groups admin privileges is enough and a better recommendation.
Note that a Service Account can be given custom admin privileges.
https://workspaceupdates.googleblog.com/2020/08/service-accounts-in-google-groups-beta.html

Collaborator Author

@juliocc juliocc Dec 10, 2020

Why do we need a custom admin? Isn't that exactly what the predefined "Groups Admin" role provides?

## Usage
To use this module you must either run terraform as a user that has the Super Admin role in Cloud Identity or [enable domain-wide delegation](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to the service account used by terraform. If you use a service account, you must also grant that service account the Groups Admin role in Cloud Identity.

Please note that the underlying terraform resources only allow the creation of groups with members that are part of the organization. If you want to create memberships for identities outside your own organization, you have to manually allow members outside your organization in the Cloud Identity admin console.
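Review bot: "manually allow members outside your organization" does not name the setting a reader has to change; name the Groups Settings property (allowExternalMembers, raised in this thread) and state that it is configured per group, so the reader knows which admin console setting to check before adding external identities.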
Collaborator
Nit: potentially external members can be allowed after setting allowExternalMembers - this can't be easily automated with TF yet as the provisioner doesn't support the admin-sdk.

Collaborator Author
I think the terraform resource uses the Directory API, which doesn't support the allowExternalMembers option.
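The group plus memberships that the README describes, written out as an added illustration; this is not the module's own code or interface, it uses the google provider's `google_cloud_identity_group` and `google_cloud_identity_group_membership` resources directly, and the customer ID, service account, domain and member addresses are placeholders.

```hcl
# Added illustration using the google provider resources directly, not the
# module's variables. Placeholders: customer ID, service account, addresses.
provider "google" {
  # Optional: impersonate the service account that holds the groups admin
  # privileges in Cloud Identity instead of running as a human Super Admin.
  impersonate_service_account = "groups-admin@my-project.iam.gserviceaccount.com" # placeholder
}

resource "google_cloud_identity_group" "team" {
  display_name = "Example team"
  description  = "Managed by terraform"
  # Cloud Identity customer ID of the organization; placeholder value.
  parent = "customers/C0xxxxxxx"

  group_key {
    id = "example-team@example.com" # placeholder address in your own domain
  }

  # Required label marking this as a regular (discussion forum) group.
  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

resource "google_cloud_identity_group_membership" "members" {
  # Placeholder identities; they must belong to the organization unless
  # external members have been allowed for the group in the admin console.
  for_each = toset(["alice@example.com", "bob@example.com"])

  group = google_cloud_identity_group.team.id

  preferred_member_key {
    id = each.value
  }

  # Only the MEMBER role is assigned here.
  roles {
    name = "MEMBER"
  }
}
```

Running this requires the identity terraform uses to hold group administration privileges in Cloud Identity, as the README states; the impersonated service account is the least-privileged way to do that, since its role can be scoped to groups rather than to the whole domain.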

@juliocc juliocc closed this Dec 10, 2020
@xingao267
Member

There is an existing group module https://github.com/terraform-google-modules/terraform-google-group

@juliocc juliocc reopened this Dec 10, 2020
@juliocc
Collaborator Author

juliocc commented Dec 10, 2020

Reopening after removing support for OWNER and MANAGER members.

@morgante
Contributor

Why do we need a duplicate module of https://github.com/terraform-google-modules/terraform-google-group?

5 participants