Cloud Identity Group datasources #6704

Closed
benv666 opened this issue Jun 26, 2020 · 8 comments · Fixed by GoogleCloudPlatform/magic-modules#3714
Comments

benv666 commented Jun 26, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Issue #3479 has been closed, and while it implements the resources to create groups and members it does not add any data sources.
Due to Azure AD sync our Google groups are created and managed externally, but we would like to iterate over groups and especially group members using Terraform to create resources for each group member.

It would be great to have these data sources available.

New or Affected Resource(s)

  • google_cloud_identity_group
  • google_cloud_identity_group_members

Potential Terraform Configuration

data "google_cloud_identity_group" "group" {
  group_id = "group@mydomain.com"
}

data "google_cloud_identity_group_members" "members" {
  group_id    = data.google_cloud_identity_group.group.id
}

resource "foo" "bar" {
  for_each = data.google_cloud_identity_group_members.members
  name = each.key
  ...
}

References

megan07 (Contributor) commented Jun 26, 2020

Hi @benv666! Sorry, I didn't see you had opened this - I had started working on the datasources yesterday and was hoping it wouldn't take me as long as it did, but alas, I've got the PR out for them. I didn't make the group singular; I misunderstood that that's what you were looking for. Let me know if this will work or if you need a singular data source for google_cloud_identity_group. Thanks!

benv666 (Author) commented Jun 27, 2020

Hi @megan07! Awesome!
The data source for group does not need to be singular - in fact, this probably makes more sense.
I'll give it a try on monday, thanks!

@megan07 megan07 self-assigned this Jun 27, 2020

benv666 (Author) commented Jun 29, 2020

Hi @megan07,

Somehow I can't seem to get terraform authenticated in a proper fashion to be able to list my organization's groups, let alone its members.
Listing groups always returns an empty list (strangely no errors).
Also trying to create a new group under our org returns a 403 error.

I'm running terraform using GCLOUD_KEYFILE_JSON=serviceaccount.json terraform plan under a service account with, in my opinion, every permission that could be relevant (even tried Org Admin), but no dice.
Can you tell me what permissions are required in order to make this work? Are there any magic values involved? :)
I've created a new group set to allow viewing members etc by "all organization", also gives 403.

Thanks!

megan07 (Contributor) commented Jun 29, 2020

Hi @benv666!
Great question, I struggled through this a bit too. I chose the GROUP_ADMIN role that's listed here https://support.google.com/cloudidentity/answer/2405986?hl=en. If you follow these links it should show you how you can assign it to your service account with the Admin API.

benv666 (Author) commented Jun 29, 2020

Hi @megan07!
Thanks for the link, jumped through some hoops to get access on admin.google.com (why is this not possible from inside GCP -- GSuite is entirely unused as far as we're concerned), but so far we've been unable to add a service account as admin. How did you manage to do that?
Even with the gserviceaccount.com domain as whitelisted domain it seems impossible to assign group admin to anything but a real user inside the org domain. The best thing we've managed to do so far is add the serviceaccount as a group member, but that seems like an ugly hack at best.
Suggestions?

megan07 (Contributor) commented Jun 29, 2020

Hi @benv666! Admittedly I didn't read through that link, sorry. It sounds like there isn't any public-facing documentation on this, so I will summarize what I did.

  1. I logged into the project I have my service account in and noted its "Unique ID"
  2. I went to this API explorer link and put my Customer ID in and hit EXECUTE
     • This can be found by logging into admin.google.com -> Security -> Set up SSO with Google as SAML IdP -> then listed under SSO URL (the value after idpid=). There might be an easier way, but that's how I found it :)
  3. I scrolled through the response for the roleName=_GROUPS_ADMIN_ROLE and noted the roleId
  4. I exited out of that API Explorer pop-up and went to the left navigation on the same SDK page and found "RoleAssignments" -> "insert" and in the "Try this API" I put the Customer ID in the "customer" box, and filled out the request body with assignedTo equal to the Unique ID from step 1, roleId equal to the role id noted in step 3, and scopeType equal to "CUSTOMER"
  5. I verified it by doing a list of "RoleAssignment" and seeing that RoleAssignment there.

That should be all you need to allow that service account to create and list groups. If you are still struggling, please let me know!

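The five API Explorer steps above, done as a script against the Admin SDK Directory API (roles.list to find the roleId by name, roleAssignments.list to check for an existing grant, roleAssignments.insert to create it at CUSTOMER scope). This is an added example, not code from this thread or from the Terraform provider. Assumptions: the customer ID, service account unique ID and credential file name are placeholders; the HTTP transport is injected as a callable so the logic runs offline against a constructed in-memory stand-in (`fake_transport`), while the real transport uses google-auth with domain-wide delegation impersonating a Cloud Identity/Workspace admin, because the call that grants the role must itself come from an existing admin (megan07 did this interactively as an admin user). Note what _GROUPS_ADMIN_ROLE hands the service account: create/modify/delete rights over every group in the customer. For a Terraform run that only reads groups and memberships, a custom role carrying just the group read privileges is the least-privilege choice; the same function takes it by name.

```python
"""Grant a Directory API admin role to a GCP service account, idempotently.
Added example; the Directory API paths and fields are the public ones
(roles.list, roleAssignments.list, roleAssignments.insert)."""
from typing import Callable, Dict, List, Optional

DIRECTORY_API = "https://admin.googleapis.com/admin/directory/v1"
# OAuth scope required for role management calls.
ROLE_MGMT_SCOPE = "https://www.googleapis.com/auth/admin.directory.rolemanagement"

# call(method, url, params=None, json=None) -> parsed JSON response (dict)
Transport = Callable[..., Dict]


def list_all(call: Transport, url: str, params: Dict) -> List[Dict]:
    """Follow nextPageToken until the collection is exhausted."""
    items: List[Dict] = []
    page_token: Optional[str] = None
    while True:
        q = dict(params)
        if page_token:
            q["pageToken"] = page_token
        resp = call("GET", url, params=q)
        items.extend(resp.get("items", []))
        page_token = resp.get("nextPageToken")
        if not page_token:
            return items


def find_role_id(call: Transport, customer_id: str, role_name: str) -> Optional[str]:
    """Steps 2-3: resolve roleName (a system role or a custom one) to its roleId."""
    roles = list_all(call, f"{DIRECTORY_API}/customer/{customer_id}/roles", {"maxResults": 100})
    for role in roles:
        if role.get("roleName") == role_name:
            return str(role["roleId"])
    return None


def existing_assignment(call: Transport, customer_id: str, sa_unique_id: str, role_id: str) -> Optional[Dict]:
    """Step 5: list assignments for the service account; return the matching one, if any."""
    url = f"{DIRECTORY_API}/customer/{customer_id}/roleassignments"
    for a in list_all(call, url, {"userKey": sa_unique_id, "maxResults": 100}):
        if str(a.get("roleId")) == role_id and a.get("scopeType") == "CUSTOMER":
            return a
    return None


def assign_role(call: Transport, customer_id: str, sa_unique_id: str, role_name: str) -> Dict:
    """Step 4, made safe to re-run: returns the existing assignment or the newly created one."""
    role_id = find_role_id(call, customer_id, role_name)
    if role_id is None:
        raise LookupError(f"role {role_name!r} not found for customer {customer_id}")
    current = existing_assignment(call, customer_id, sa_unique_id, role_id)
    if current:
        return current
    body = {"assignedTo": sa_unique_id, "roleId": role_id, "scopeType": "CUSTOMER"}
    return call("POST", f"{DIRECTORY_API}/customer/{customer_id}/roleassignments", json=body)


def authorized_transport(admin_email: str, keyfile: str = "admin-delegate.json") -> Transport:
    """Real transport (assumption): a service account with domain-wide delegation
    impersonating an existing admin. Imported lazily so the offline demo needs no google-auth."""
    from google.oauth2 import service_account
    from google.auth.transport.requests import AuthorizedSession
    creds = service_account.Credentials.from_service_account_file(
        keyfile, scopes=[ROLE_MGMT_SCOPE]).with_subject(admin_email)
    session = AuthorizedSession(creds)

    def call(method, url, params=None, json=None):
        r = session.request(method, url, params=params, json=json)
        r.raise_for_status()
        return r.json()
    return call


def fake_transport() -> Transport:
    """Constructed in-memory stand-in for the Directory API: two pages of roles.list
    (so pagination is exercised) and an initially empty roleAssignments collection."""
    pages = {
        None: {"items": [{"roleId": "10", "roleName": "_SEED_ADMIN_ROLE", "isSuperAdminRole": True}],
               "nextPageToken": "p2"},
        "p2": {"items": [{"roleId": "23", "roleName": "_GROUPS_ADMIN_ROLE"},
                         {"roleId": "51", "roleName": "terraform-groups-reader"}]},
    }
    assignments: List[Dict] = []

    def call(method, url, params=None, json=None):
        params = params or {}
        if url.endswith("/roles"):
            return pages[params.get("pageToken")]
        if url.endswith("/roleassignments") and method == "GET":
            return {"items": [a for a in assignments if a["assignedTo"] == params.get("userKey")]}
        if url.endswith("/roleassignments") and method == "POST":
            new = dict(json, roleAssignmentId=str(len(assignments) + 1))
            assignments.append(new)
            return new
        raise ValueError(f"unexpected {method} {url}")
    return call


if __name__ == "__main__":
    t = fake_transport()  # swap for authorized_transport("admin@mydomain.com") for a real run
    first = assign_role(t, "C01abcdef", "1234567890", "_GROUPS_ADMIN_ROLE")
    again = assign_role(t, "C01abcdef", "1234567890", "_GROUPS_ADMIN_ROLE")
    print(first, "re-run reused existing:", again["roleAssignmentId"] == first["roleAssignmentId"])
```

The unique ID passed as `assignedTo` is the numeric "Unique ID" of the service account from the IAM page, not its e-mail; the fake transport keys assignments on exactly that value, which is why the second call finds the first grant instead of creating a duplicate.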
benv666 (Author) commented Jun 30, 2020

Hi @megan07!

Thanks again for your explanation -- at first we could not find the _GROUPS_ADMIN_ROLE in the response, so we decided to create a new role, which did show up in the response.
After adding the RoleAssignment it works as expected; currently tested like this to generate a map of members per group:

data "google_cloud_identity_groups" "map" {
  provider = google-beta
  parent   = "customers/XXXXXX"
}
data "google_cloud_identity_group_memberships" "map" {
  for_each = local.groupmap
  provider = google-beta
  group    = each.value.name
}
locals {
  groupmap = {
    for group in data.google_cloud_identity_groups.map.groups : group["group_key"].0["id"] => group
  }
  groupmapmembers = {
    for group, vals in data.google_cloud_identity_group_memberships.map : group => {
      for member in vals.memberships : member.member_key.0.id => (length(regexall("@gcpgroups\\.", member.member_key.0.id)) != 0 ? "group" :
        (length(regexall("gserviceaccount\\.com$", member.member_key.0.id)) != 0 ? "serviceAccount" : "user")
      )
    }
  }
}

which generates something like:

groupmapmembers = {
  "GCP-Test@gcpgroups.mydomain.com" = {
    "user123@mydomain.com" = "user"
  }
  "CloudOps@gcpgroups.mydomain.com" = {
    "user1@mydomain.com" = "user"
    "user2@us.mydomain.com" = "user"
    "GCP-Test@gcpgroups.mydomain.com" = "group"
  }
}

Thanks again!

ghost commented Jul 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Jul 30, 2020