You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
## what
- Copy over changes from poorly named MP repo
-
https://github.com/masterpointio/terraform-users-groups-automation-googleworkspace
- Copy over doc changes from [a
PR](masterpointio/terraform-users-groups-automation-googleworkspace#3)
on that repo
## references
- [MP automate google
setup](https://www.notion.so/masterpoint/Managing-GSuite-Users-via-IaC-1d0859758a568029b956f2ab8c9a2651)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Introduced comprehensive support for managing Google Workspace users,
groups, group settings, and group memberships via Terraform.
- Added detailed input variables for users and groups, including
advanced validation and configuration options.
- Provided extensive usage examples and sample configurations for both
new and existing organizations.
- **Documentation**
- Rewrote and expanded the README with module-specific usage
instructions, authentication guidance, and input schemas.
- Updated all documentation links and badges to reflect the new module
repository.
- **Bug Fixes**
- Improved input validation for user and group attributes, including
email formats and password requirements.
- **Tests**
- Added tests to validate user and group input variables, including
email, password, group membership, and settings.
- **Chores**
- Updated provider requirements to use the googleworkspace provider
(version >= 0.7.0).
- Removed outdated outputs and example resources related to previous
random resource usage.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
***gha:** oidc aws credentials if AWS provider is used ([#29](https://github.com/masterpointio/terraform-module-template/issues/29)) ([4f8f1ad](https://github.com/masterpointio/terraform-module-template/commit/4f8f1adec3274960a11ee7277296e88d662c8036))
* setup connection to notion db ([#21](https://github.com/masterpointio/terraform-module-template/issues/21)) ([857df50](https://github.com/masterpointio/terraform-module-template/commit/857df5042fbde3d3e9ffbfc964eae9f7a7927cb0))
💡 Learn more about Masterpoint [below](#who-we-are-𐦂𖨆𐀪𖠋).
8
8
9
9
## Purpose and Functionality
10
10
11
-
This repository serves as a template for creating Terraform modules, providing a standardized structure and essential files for efficient module development. It's designed to ensure consistency and our best practices across Terraform projects.
11
+
Use this [child module](https://opentofu.org/docs/language/modules/#child-modules)to manage Google Workspace users, groups, and roles.
12
12
13
-
## Usage
14
-
15
-
### Prerequisites (optional)
13
+
If you want to use this module with an existing Google Workspace, see the [import-existing-org](examples/import-existing-org) example, which demonstrates how to import your existing Google users and groups.
16
14
17
-
TODO
15
+
## Usage
18
16
19
17
### Step-by-Step Instructions
20
18
21
-
TODO
19
+
There are two provider authentication methods available:
20
+
21
+
1. Authenticate using a Google Cloud service account key file.
22
+
2. Authenticate using a Google Cloud service account key file and impersonate a real user with Super Admin privileges.
23
+
24
+
We recommend method (2), impersonating a Super Admin, as this allows you to grant Admin privileges to users (service accounts cannot do this). To set this up, follow the [Domain-Wide Delegation authentication instructions](https://github.com/hashicorp/terraform-provider-googleworkspace/blob/main/docs/index.md#using-domain-wide-delegation).
25
+
26
+
Follow the provider [authentication setup instructions](https://github.com/hashicorp/terraform-provider-googleworkspace/blob/main/docs/index.md#google-workspace-provider).
27
+
28
+
Once you've completed the setup process, your provider block should look like this:
29
+
30
+
```hcl
31
+
provider "googleworkspace" {
32
+
# Use 'my_customer' as an alias for your account's customerId to ensure compatibility with Google's API
33
+
# For example, custom schemas on the user object will fail if the customer_id is set to your actual customer_id
34
+
# For more details: https://developers.google.com/workspace/admin/directory/reference/rest/v1/schemas/get
| <aname="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats)| Describe additional descriptors to be output in the `descriptors` output map.<br/>Map of maps. Keys are names of descriptors. Values are maps of the form<br/>`{<br/> format = string<br/> labels = list(string)<br/>}`<br/>(Type is `any` so the map values can later be enhanced to provide additional options.)<br/>`format` is a Terraform format string to be passed to the `format()` function.<br/>`labels` is a list of labels, in order, to pass to `format()` function.<br/>Label values will be normalized before being passed to `format()` so they will be<br/>identical to how they appear in `id`.<br/>Default is `{}` (`descriptors` output will be empty). |`any`|`{}`| no |
60
122
| <aname="input_enabled"></a> [enabled](#input\_enabled)| Set to false to prevent the module from creating any resources |`bool`|`null`| no |
61
123
| <aname="input_environment"></a> [environment](#input\_environment)| ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' |`string`|`null`| no |
| <aname="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit)| Limit `id` to this many characters (minimum 6).<br/>Set to `0` for unlimited length.<br/>Set to `null` for keep the existing setting, which defaults to `0`.<br/>Does not affect `id_full`. |`number`|`null`| no |
63
126
| <aname="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case)| Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br/>Does not affect keys of tags passed in via the `tags` input.<br/>Possible values: `lower`, `title`, `upper`.<br/>Default value: `title`. |`string`|`null`| no |
64
127
| <aname="input_label_order"></a> [label\_order](#input\_label\_order)| The order in which the labels (ID elements) appear in the `id`.<br/>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br/>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. |`list(string)`|`null`| no |
65
128
| <aname="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case)| Controls the letter case of ID elements (labels) as included in `id`,<br/>set as tag values, and output by this module individually.<br/>Does not affect values of tags passed in via the `tags` input.<br/>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br/>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br/>Default value: `lower`. |`string`|`null`| no |
66
129
| <aname="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags)| Set of labels (ID elements) to include as tags in the `tags` output.<br/>Default is to include all labels.<br/>Tags with empty values will not be included in the `tags` output.<br/>Set to `[]` to suppress all generated tags.<br/>**Notes:**<br/> The value of the `name` tag, if included, will be the `id`, not the `name`.<br/> Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br/> changed in later chained modules. Attempts to change it will be silently ignored. |`set(string)`| <pre>[<br/> "default"<br/>]</pre> | no |
67
-
| <aname="input_length"></a> [length](#input\_length)| The length of the random name |`number`|`2`| no |
68
130
| <aname="input_name"></a> [name](#input\_name)| ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br/>This is the only ID element not also included as a `tag`.<br/>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. |`string`|`null`| no |
69
131
| <aname="input_namespace"></a> [namespace](#input\_namespace)| ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique |`string`|`null`| no |
70
132
| <aname="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars)| Terraform regular expression (regex) string.<br/>Characters matching the regex will be removed from the ID elements.<br/>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. |`string`|`null`| no |
71
133
| <aname="input_stage"></a> [stage](#input\_stage)| ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' |`string`|`null`| no |
72
134
| <aname="input_tags"></a> [tags](#input\_tags)| Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br/>Neither the tag keys nor the tag values will be modified by this module. |`map(string)`|`{}`| no |
73
135
| <aname="input_tenant"></a> [tenant](#input\_tenant)| ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for |`string`|`null`| no |
136
+
| <a name="input_users"></a> [users](#input\_users) | List of users | <pre>map(object({<br/> # addresses<br/> aliases : optional(list(string), []),<br/> archived : optional(bool, false),<br/> change_password_at_next_login : optional(bool),<br/> # custom_schemas<br/> # emails<br/> # external_ids<br/> family_name : string,<br/> given_name : string,<br/> groups : optional(map(object({<br/> role : optional(string, "MEMBER"),<br/> delivery_settings : optional(string, "ALL_MAIL"),<br/> type : optional(string, "USER"),<br/> })), {}),<br/> # ims<br/> include_in_global_address_list : optional(bool),<br/> ip_allowlist : optional(bool),<br/> is_admin : optional(bool),<br/> # keywords<br/> # languages<br/> # locations<br/> org_unit_path : optional(string),<br/> # organizations<br/> # phones<br/> # posix_accounts<br/> primary_email : string,<br/> recovery_email : optional(string),<br/> recovery_phone : optional(string),<br/> # relations<br/> # ssh_public_keys<br/> suspended : optional(bool),<br/> # timeouts<br/> # websites<br/><br/> # User attributes with unique constraints<br/><br/> # password and hash_function<br/> # If a hashFunction is specified, the password must be a valid hash key.<br/> # If it's not specified, the password should be in clear text and between<br/> # 8–100 ASCII characters.<br/> # https://developers.google.com/workspace/admin/directory/v1/guides/manage-users<br/> hash_function : optional(string),<br/> password : optional(string),<br/> }))</pre> | `{}` | no |
74
137
75
138
## Outputs
76
139
77
-
| Name | Description |
78
-
|------|-------------|
79
-
| <aname="output_random_pet_name"></a> [random\_pet\_name](#output\_random\_pet\_name)| The generated random pet name |
0 commit comments