Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cloud Identity Group module #182

Merged
merged 7 commits into from
Feb 13, 2021
Merged

Cloud Identity Group module #182

merged 7 commits into from
Feb 13, 2021

Conversation

juliocc
Copy link
Collaborator

@juliocc juliocc commented Dec 10, 2020

No description provided.

@juliocc juliocc requested a review from ludoo December 10, 2020 13:52
This module allows creating a Cloud Identity group and assigning owners, managers and members.

## Usage
To use this module you must either run terraform as a user that has the Super Admin role in Cloud Identity or [enable domain-wide delegation](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to the service account used by terraform. If you use a service account, you must also grant that service account the Groups Admin role in Cloud Identity.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A Cloud Identity custom admin with groups admin privileges is enough and a better recommendation.
Note that a Service Account can be given custom admin privileges.
https://workspaceupdates.googleblog.com/2020/08/service-accounts-in-google-groups-beta.html

Copy link
Collaborator Author

@juliocc juliocc Dec 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need a custom admin? Isn't that exactly what the predefined "Groups Admin" role provides?

## Usage
To use this module you must either run terraform as a user that has the Super Admin role in Cloud Identity or [enable domain-wide delegation](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to the service account used by terraform. If you use a service account, you must also grant that service account the Groups Admin role in Cloud Identity.

Please note that the underlying terraform resources only allow the creation of groups with members that are part of the organization. If you want to create memberships for identities outside your own organization, you have to manually allow members outside your organization in the Cloud Identity admin console.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: potentially external members can be allowed after setting allowExternalMembers - this can't be easily automated with TF yet as the provisioner doesn't support the admin-sdk.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the terraform resource uses the Directory API, which doesn't support the allowExternalMembers option.

@juliocc juliocc closed this Dec 10, 2020
@xingao267
Copy link
Member

There is an existing group module https://github.com/terraform-google-modules/terraform-google-group

@juliocc juliocc reopened this Dec 10, 2020
@juliocc
Copy link
Collaborator Author

juliocc commented Dec 10, 2020

Reopening after removing support for OWNER and MANAGER members.

@morgante
Copy link
Contributor

Why do we need a duplicate module of https://github.com/terraform-google-modules/terraform-google-group?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants