Cloud Identity Group module #182
This module allows creating a Cloud Identity group and assigning owners, managers and members. | ||
|
||
## Usage | ||
To use this module you must either run terraform as a user that has the Super Admin role in Cloud Identity or [enable domain-wide delegation](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to the service account used by terraform. If you use a service account, you must also grant that service account the Groups Admin role in Cloud Identity. |
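Review bot: The Usage paragraph asks for Super Admin on the human-user path but only Groups Admin on the service-account path, so the two options are not held to the same minimum privilege. State the smallest role that works for each path, and say whether domain-wide delegation is still needed once the service account holds the Groups Admin role, since the text currently requires both.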
A Cloud Identity custom admin with groups admin privileges is enough and a better recommendation.
Note that a Service Account can be given custom admin privileges.
https://workspaceupdates.googleblog.com/2020/08/service-accounts-in-google-groups-beta.html
Why do we need a custom admin? Isn't that exactly what the predefined "Groups Admin" role provides?
## Usage | ||
To use this module you must either run terraform as a user that has the Super Admin role in Cloud Identity or [enable domain-wide delegation](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to the service account used by terraform. If you use a service account, you must also grant that service account the Groups Admin role in Cloud Identity. | ||
|
||
Please note that the underlying terraform resources only allow the creation of groups with members that are part of the organization. If you want to create memberships for identities outside your own organization, you have to manually allow members outside your organization in the Cloud Identity admin console. |
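Review bot: The last sentence sends the reader to the admin console to "manually allow members outside your organization" without naming the setting or its scope. Name the exact option, say whether it applies per group or to the whole organization, and note that because the step is manual it is not tracked by terraform and has to be documented and reviewed separately.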
Nit: potentially external members can be allowed after setting allowExternalMembers - this can't be easily automated with TF yet as the provisioner doesn't support the admin-sdk.
I think the terraform resource uses the Directory API, which doesn't support the allowExternalMembers option.
Closing this PR since the Cloud Identity resources are broken. See
There is an existing group module https://github.com/terraform-google-modules/terraform-google-group
Reopening after removing support for OWNER and MANAGER members.
Why do we need a duplicate module of https://github.com/terraform-google-modules/terraform-google-group?
No description provided.