Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cloud Identity Group datasources #6704

Closed
benv666 opened this issue Jun 26, 2020 · 8 comments · Fixed by GoogleCloudPlatform/magic-modules#3714
Closed

Cloud Identity Group datasources #6704

benv666 opened this issue Jun 26, 2020 · 8 comments · Fixed by GoogleCloudPlatform/magic-modules#3714
Assignees

Comments

@benv666
Copy link

benv666 commented Jun 26, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Issue #3479 has been closed, and while it implements the resources to create groups and members it does not add any data sources.
Due to Azure AD sync our google groups are created and managed externally, but we would like to iterate over groups and especially group members using terraform to create resources for each group member.

It would be great to have these data sources available.

New or Affected Resource(s)

  • google_cloud_identity_group
  • google_cloud_identity_group_members

Potential Terraform Configuration

data "google_cloud_identity_group" "group" {
  group_id = "[email protected]"
}

data "google_cloud_identity_group_members" "members" {
  group_id    = data.google_cloud_identity_group.group.id
}

resource "foo" "bar" {
  for_each = data.google_cloud_identity_group_members.members
  name = each.key
  ...
}

References

@megan07
Copy link
Contributor

megan07 commented Jun 26, 2020

Hi @benv666 ! Sorry, I didn't see you had opened this - I had started working on the datasources yesterday and was hoping it wouldn't take me as long as it did, but alas, I've got the PR out for them. I didn't make the group singular, I misunderstood that that's what you were looking for. Let me know if this will work or if you need a singular data source for google_cloud_identity_group. Thanks!

@benv666
Copy link
Author

benv666 commented Jun 27, 2020

Hi @megan07! Awesome!
The data source for group does not need to be singular - in fact, this probably makes more sense.
I'll give it a try on monday, thanks!

@megan07 megan07 self-assigned this Jun 27, 2020
@benv666
Copy link
Author

benv666 commented Jun 29, 2020

Hi @megan07,

Somehow I can't seem to get terraform authenticated in a proper fashion to be able to list my organization's groups, let alone its members.
Listing groups always returns an empty list (strangely no errors).
Also trying to create a new group under our org returns a 403 error.

I'm running terraform using GCLOUD_KEYFILE_JSON=serviceaccount.json terraform plan under a service account with in my opinion every permission that could be relevant (even tried Org Admin), but no dice.
Can you tell me what permissions are required in order to make this work? Are there any magic values involved? :)
I've created a new group set to allow viewing members etc by "all organization", also gives 403.

Thanks!

@megan07
Copy link
Contributor

megan07 commented Jun 29, 2020

Hi @benv666!
Great question, I struggled through this a bit too. I chose the GROUP_ADMIN role that's listed here https://support.google.com/cloudidentity/answer/2405986?hl=en. If you follow these links it should show you how you can assign it to your service account with the Admin API.

@benv666
Copy link
Author

benv666 commented Jun 29, 2020

Hi @megan07!
Thanks for the link, jumped through some hoops to get access on admin.google.com (why is this not possible from inside GCP -- GSuite is entirely unused as far as we're concerned), but so far we've been unable to add a service account as admin. How did you manage to do that?
Even with the gserviceaccount.com domain as whitelisted domain it seems impossible to assign group admin to anything but a real user inside the org domain. The best thing we've managed to do so far is add the serviceaccount as a group member, but that seems like an ugly hack at best.
Suggestions?

@megan07
Copy link
Contributor

megan07 commented Jun 29, 2020

Hi @benv666! Admittedly I didn't read through that link, sorry. It sounds like there isn't any public-facing documentation on this, so I will summarize what I did.

  1. I logged into the project I have my service-account in and noted it's "Unique ID"
  2. I went to this API explorer link and put my Customer ID in and hit EXECUTE
  • This can be found by logging into admin.google.com -> Security -> Set up SSO with Google as SAML IdP -> then listed under SSO URL (the value after idpid=). There might be an easier way, but that's how I found it :)
  1. I scrolled through the response for the roleName=_GROUPS_ADMIN_ROLE and noted the roleId
  2. I exited out of that API Explorer pop-up and went to the left navigation on the same SDK page and found "RoleAssignments" -> "insert" and in the "Try this API" I put the Customer ID in the "customer" box, and filled out the request body with assignedTo equal to the Unique ID from step 1,roleID equal to the role id noted in step 3, and scopeType equal to "CUSTOMER"
  3. I verified it by doing a list of "RoleAssignment" and seeing that RoleAssignment there.

That should be all you need to allow that service account to create and list groups. If you are still struggling, please let me know!

@benv666
Copy link
Author

benv666 commented Jun 30, 2020

Hi @megan07!

Thanks again for your explanation -- at first we could not find the _GROUPS_ADMIN_ROLE in the response, so we decided to create a new role, which did show up in the response.
After adding the RoleAssignment it works as expected, currently tested it like this to generate a map of members per group:

data "google_cloud_identity_groups" "map" {
  provider = google-beta
  parent   = "customers/XXXXXX"
}
data "google_cloud_identity_group_memberships" "map" {
  for_each = local.groupmap
  provider = google-beta
  group    = each.value.name
}
locals {
  groupmap = {
    for group in data.google_cloud_identity_groups.map.groups : group["group_key"].0["id"] => group
  }
  groupmapmembers = {
    for group, vals in data.google_cloud_identity_group_memberships.map : group => {
      for member in vals.memberships : member.member_key.0.id => (length(regexall("@gcpgroups\\.", member.member_key.0.id)) != 0 ? "group" :
        (length(regexall("gserviceaccount\\.com$", member.member_key.0.id)) != 0 ? "serviceAccount" : "user")
      )
    }
  }
}

which generates something like:

groupmapmembers = {
  "[email protected]" = {
    "[email protected]" = "user"
  }
  "[email protected]" = {
    "[email protected]" = "user"
    "[email protected]" = "user"
    "[email protected]" = "group"
  }
}

Thanks again!

@ghost
Copy link

ghost commented Jul 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 30, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants