Is there a KCC resource for adding GSAs to google groups? #443

Closed
red8888 opened this issue Apr 1, 2021 · 8 comments
Labels
question Further information is requested

Comments

@red8888

red8888 commented Apr 1, 2021

This would be sooo awesome if this was possible.

I currently use G Suite groups to control access to GCP resources. I have been putting my GCP service accounts in groups and assigning the groups access.

With KCC I have also been experimenting with dynamically creating new GSAs as part of deployments (with the IAMServiceAccount resource).

It would be very cool if I could also add these dynamically created GSAs to a Google group with KCC as well.

@red8888 red8888 added the question Further information is requested label Apr 1, 2021
@caieo
Contributor

caieo commented Apr 2, 2021

Hi @red8888, I think we might be working on something for this case. We're working on supporting the CloudIdentityGroup and CloudIdentityGroupMember resources, which should allow you to manage Google groups declaratively. Take a look at the public documentation here and let us know if this is in line with what you're asking for!

@red8888
Author

red8888 commented Apr 6, 2021

Amazing! I think that's what I want? But the whole G Suite/GCP integration has me confused.

I say "G Suite" groups because I manage these groups in G Suite, but my G Suite domain is connected to my GCP org. I can view these groups in the GCP console now thanks to this beta feature: https://cloud.google.com/iam/docs/groups-in-cloud-console

So are these "Cloud Identity Groups" I'm working with here?

Also, it looks like there is a terraform resource for this now too: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_identity_group

Are all of these the same "groups"?

Thanks!

@maqiuyujoyce
Collaborator

Hi @red8888, thank you for your follow-up. Sorry for all those overloaded terms, because I myself also found them confusing.

I did some research and found that G Suite Groups should be Google Groups for Business, which allows people in the organization to create and manage their own groups. And from the documentation for the Groups API, the Cloud Identity Groups API only works with Google Groups for Business. So I think your G Suite groups are the Cloud Identity Groups this API manages. But I'm not an expert on G Suite/Google groups, so if it doesn't work, please let us know and we'll check with/direct you to the domain experts.

And yes, the Terraform cloud_identity_group resource, the CloudIdentityGroup resource we plan to support, and the Groups that the Groups API manages are the same.

@tedelwartowski-bestbuy

Hello, I noticed that Config Connector now includes support for CloudIdentityGroup; however, this does not look to allow managing group memberships. Is there any ETA on when group membership will be available?

@maqiuyujoyce
Collaborator

Hi @tedelwartowski-bestbuy, the ETA is highly variable at this moment, but we're looking at sometime in Q4 (October-December) as a tentative date.

@tedelwartowski-bestbuy

@maqiuyujoyce - we now have a very specific use case for the inclusion of group management in our automation; do you have any additional information on when group membership would be available?

@maqiuyujoyce
Collaborator

Hi @tedelwartowski-bestbuy, thanks for the follow-up! The resource implementation is on track and the ETA is by EOY.

@xiaobaitusi
Contributor

Hi all, with the release of v1.69.0, the CloudIdentityMembership resource has been added.
