Cloud Identity Group resources #3479

Closed
rrey opened this issue Apr 23, 2019 · 8 comments · Fixed by GoogleCloudPlatform/magic-modules#3696, #6681 or hashicorp/terraform-provider-google-beta#2224

Comments


rrey commented Apr 23, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

I have a customer with an Active Directory (in Azure) and we are initiating a project in GCP.
We created an Organization and Google Engineers advised us to configure the provisioning of Cloud Identity with Azure AD. We did this and we can now use the AD user to connect to GCP.

The group management needs to be made at Cloud Identity level, and we were unable to find resources for cloud identity in the google provider.

Since the API exists, would it be possible to create the Terraform resources and datasources allowing us to manage Cloud Identity?

New or Affected Resource(s)

  • google_cloud_identity_group

Potential Terraform Configuration

resource "google_cloud_identity_group" "admin" {
    name = "admin-group"
    displayName = "Admin Group"
}

resource "google_cloud_identity_group" "sub_group" {
    name = "non-admin-group"
    displayName = "Non-Admin Group"
    parent = "groups/${google_cloud_identity_group.admin.id}"
}

References

Cloud Identity API doc: https://cloud.google.com/identity/docs/reference/rest/

Author

rrey commented Jun 19, 2019

Hello there, any feedback please ?

@megan07 megan07 self-assigned this Aug 26, 2019
Contributor

megan07 commented Aug 27, 2019

Hi @rrey ! Thank you for opening this issue. In order to create a Google Cloud Identity Group, an Identity Source needs to be created in Cloud Search first. Do you have access to Cloud Search through a G-Suite Business license, or are you only using Cloud Identity?

Author

rrey commented Aug 28, 2019

Hi @megan07 !

We don't have access to Cloud Search and we are only using Cloud Identity at this time.
We created all the Groups manually in Cloud Identity, having a terraform provider would allow us to
automate all this !!

Contributor

megan07 commented Aug 28, 2019

Thank you for your quick response! I’ve been digging into this a little bit, and my understanding from reading this (https://cloud.google.com/identity/docs/concepts/groups) is that there are two different APIs. The one linked above would be if you are trying to map groups to an external identity source, in which case you’d need to create an identity source in Cloud Search. However, from my understanding, I think you’re trying to create the Google Group managed by Admin Console and using this API https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups. If that is the case, I will refer you to a Gsuite provider here as we have separate providers between Gsuite and GCP.
Let me know if this works for you or if we need to continue exploring.
Thanks!

@danawillow
Contributor

Removing the waiting-response label so this doesn't get lost in automation, but if anyone who is subscribed to this could answer @megan07's question, that would help give us the information we need to get this prioritized.

@wchamber

It looks like the Cloud Identity Group API has beta support for Google Groups in addition to the Identity Groups that need an identity source. There's still some dependency on a GSuite integration, but it looks like GCP is building out functionality here. Labels on groups seem like a new feature not present in the GSuite Admin SDK.

https://cloud.google.com/identity/docs/how-to/groups#manage_google_groups_beta


benv666 commented Jun 25, 2020

Not sure if this should be a new ticket instead, but the datasources (as mentioned in the issue description) still seem to be unimplemented.
Since we're using an external AD group sync we would like to iterate over the members of existing groups, but since they are not managed in terraform it would be great to have datasources to get a list of groups and their members.


ghost commented Jul 25, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 25, 2020