feat: copy over code from old mp module

[westonplatter]

what

• Copy over changes from poorly named MP repo
  • https://github.com/masterpointio/terraform-users-groups-automation-googleworkspace
• Copy over doc changes from a PR on that repo

references

• MP automate google setup

Summary by CodeRabbit

• New Features

  • Introduced comprehensive support for managing Google Workspace users, groups, group settings, and group memberships via Terraform.
  • Added detailed input variables for users and groups, including advanced validation and configuration options.
  • Provided extensive usage examples and sample configurations for both new and existing organizations.

• Documentation

  • Rewrote and expanded the README with module-specific usage instructions, authentication guidance, and input schemas.
  • Updated all documentation links and badges to reflect the new module repository.

• Bug Fixes

  • Improved input validation for user and group attributes, including email formats and password requirements.

• Tests

  • Added tests to validate user and group input variables, including email, password, group membership, and settings.

• Chores

  • Updated provider requirements to use the googleworkspace provider (version >= 0.7.0).
  • Removed outdated outputs and example resources related to previous random resource usage.

[coderabbitai]

Walkthrough

This update introduces a comprehensive overhaul of the Terraform module, shifting its focus from a generic template using the "random" provider to a specialized module for managing Google Workspace users, groups, group settings, and memberships. The changes include detailed input variable schemas for users and groups, extensive validation logic, and the removal of all previous random resource references. New example configurations and import templates are added, along with provider setup instructions and test files to validate input correctness. The documentation and changelog are rewritten to reflect the new module purpose, and all outputs related to the old random resource are removed.

Note

⚡️ AI Code Reviews for VS Code, Cursor, Windsurf

CodeRabbit now has a plugin for VS Code, Cursor and Windsurf. This brings AI code reviews directly in the code editor. Each commit is reviewed immediately, finding bugs before the PR is raised. Seamless context handoff to your AI code agent ensures that you can easily incorporate review feedback.
Learn more here.

---

Note

⚡️ Faster reviews with caching

CodeRabbit now supports caching for code and dependencies, helping speed up reviews. This means quicker feedback, reduced wait times, and a smoother review experience overall. Cached data is encrypted and stored securely. This feature will be automatically enabled for all accounts on May 16th. To opt out, configure Review - Disable Cache at either the organization or repository level. If you prefer to disable all data retention across your organization, simply turn off the Data Retention setting under your Organization Settings.
Enjoy the performance boost—your workflow just got faster.

✨ Finishing Touches

🧪 Generate Unit Tests

• Create PR with Unit Tests
• Commit Unit Tests in branch feat/transfer-initial-release-code
• Post Copyable Unit Tests in Comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai auto-generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 4

🔭 Outside diff range comments (3)

examples/import-existing-org/users.yaml (1)

1-19: 🛠️ Refactor suggestion

Add missing password field to user definitions.
The user variable schema enforces a password attribute (validated in tests/variables_users.tftest.hcl). Include it in your default template or per-user entries, for example:

_default_user: &default_user
  is_admin: false
  password: "ChangeMe123!"
  groups:
    team: { role: "member" }

README.md (2)

99-101: ⚠️ Potential issue

Remove leftover module reference.
The Modules section still references cloudposse/label/null, which appears to be boilerplate. Please update or remove this entry so it accurately reflects your module’s actual dependencies (if any).

---

116-127: ⚠️ Potential issue

Prune irrelevant input documentation.
The Inputs table includes Cloud Posse template variables (additional_tag_map, context, etc.) that aren’t part of this module. Please remove or replace these entries so only the real inputs (users, groups, provider configs, etc.) are documented.

♻️ Duplicate comments (3)

examples/complete/versions.tf (1)

5-8: Duplicate: pin to patch-level provider versions.
As above, replace the exact 0.7.0 lock with ~> 0.7.0 to permit safe patch updates while avoiding unintended breaking changes.

examples/import-existing-org/providers.tf (2)

2-4: Simplify comment formatting
The double # # prefixes are redundant. Please switch to a single # for clarity and consistency across the example.

---

7-8: Avoid hardcoded credential paths
Embedding a local file path and email directly reduces portability and may expose sensitive details. Refer to the variables approach suggested in examples/complete/providers.tf.

🧹 Nitpick comments (18)

outputs.tf (1)

1-2: Empty outputs file: consider removing or defining outputs.
The outputs.tf is now empty after removing the random_pet_name output. If you don’t need to expose any outputs from this module, delete the file to keep the repo tidy. Otherwise, consider adding outputs for key resources (e.g., user emails, group IDs) to improve module usability.

versions.tf (1)

5-8: Recommend stricter version constraint for provider.
Rather than version = ">= 0.7.0", use a constraint like ~> 0.7.0 to allow safe patch-level updates while preventing unexpected breaking changes in future minor versions.

examples/import-existing-org/versions.tf (1)

5-8: Pin to patch-level provider versions.
Locking exactly to 0.7.0 will block any patch releases. Consider using ~> 0.7.0 so you can receive non-breaking patch upgrades without pulling in potentially breaking changes.

examples/import-existing-org/users.yaml (1)

2-6: Quote YAML scalar values to avoid parse issues.
Wrap member in quotes within the inline map to ensure it’s parsed as a string:

groups:
  team: { role: "member" }

examples/complete/providers.tf (2)

2-4: Simplify comment formatting
The double # # prefixes are redundant. Please switch to a single # for clarity and consistency across the example.

---

7-8: Avoid hardcoded credential paths
Embedding a local file path and email directly reduces portability and may expose sensitive details. Consider introducing Terraform variables and referencing them instead.

 provider "googleworkspace" {
-  credentials             = "/Users/my_user/Downloads/my-google-project-credentials-1234567890.json"
-  impersonated_user_email = "my_impersonated_user_email@my_domain.com"
+  credentials             = var.credentials_path
+  impersonated_user_email = var.impersonated_user_email
   oauth_scopes = [
     ...
   ]
 }

And at the top of your example (e.g., in variables.tf):

variable "credentials_path" {
  description = "Path to Google service account credentials JSON file."
  type        = string
}
variable "impersonated_user_email" {
  description = "Admin user email to impersonate for Google Workspace operations."
  type        = string
}

examples/import-existing-org/main.tf (1)

5-7: Consider naming clarity for locals
Leading underscores in local._all_groups and local._all_users are fine, but using more descriptive names (e.g., all_groups_raw, all_users_raw) can improve readability for new users.

examples/import-existing-org/groups.yaml (1)

15-22: Use a more descriptive key for the group
The key team is generic; renaming it to something like engineering_team or matching the email alias makes the mapping clearer in Terraform.

examples/complete/main.tf (2)

43-47: Redundant merge for empty overrides
The platform group uses merge(local.default_group_settings, {}). You can simplify by directly assigning local.default_group_settings when there are no overrides:

-    "platform" = {
-      name     = "Platform"
-      email    = "platform@example.com"
-      settings = merge(local.default_group_settings, {})
-    },
+    "platform" = {
+      name     = "Platform"
+      email    = "platform@example.com"
+      settings = local.default_group_settings
+    },

---

18-26: Module name clarity
Using module "googleworkspace" can be confused with the provider name. Consider renaming to module "users_groups" or module "googleworkspace_users_groups" to better reflect its purpose.

tests/variables_groups.tftest.hcl (1)

49-89: Consider extending group settings tests with negative scenarios.
The current tests verify a valid specific block and default omission. It would be helpful to add a test case that injects an invalid or unsupported settings attribute (e.g., a typo in allow_web_postingg or wrong type) to ensure your variable schema or custom validations catch unsupported keys early.

variables.tf (1)

5-6: Update variable description to reflect map type.
The description "List of users" may mislead readers since users is declared as a map(object(...)), not a list. Consider changing it to "Map of user objects" for clarity.

tests/variables_users.tftest.hcl (1)

94-114: Ensure test string truly exceeds 100 characters.
The hard-coded long string may or may not be >100 characters, leading to flaky tests. It’s more reliable to generate it programmatically, for example:

password = repeat("a", 101)

This guarantees the length requirement is correctly tested.

README.md (1)

7-14: Fix potentially broken Unicode anchor.
The “Learn more about Masterpoint below” link uses a Unicode anchor that might not resolve reliably. Consider simplifying the section title and anchor to plain ASCII, e.g., [below](#who-we-are).

main.tf (4)

6-9: Improve naming for locals
Leading underscores in local names suggest internal/private usage, but all locals are module-scoped. Rename local._user_with_groups to local.users_with_groups for clarity and consistency.

---

45-49: Remove unmanaged attribute from ignore_changes
The ignore_changes block includes languages, but this resource does not set or manage a languages attribute. Remove it to avoid confusion or unintended behavior.

---

55-56: Reevaluate explicit depends_on on groups
The depends_on = [googleworkspace_group.defaults] enforces ordering, but Terraform already infers dependencies from references in locals. Remove this explicit depends_on unless strict sequencing is required.

---

65-69: Consider adding a delete timeout
If you plan to destroy groups, specifying a delete timeout may help avoid hangs:

timeouts {
  create = each.value.timeouts.create
  update = each.value.timeouts.update
  delete = each.value.timeouts.delete
}

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 06933d4 and 3faa656.

📒 Files selected for processing (17)

• CHANGELOG.md (0 hunks)
• README.md (5 hunks)
• examples/complete/main.tf (1 hunks)
• examples/complete/providers.tf (1 hunks)
• examples/complete/versions.tf (1 hunks)
• examples/import-existing-org/groups.yaml (1 hunks)
• examples/import-existing-org/imports.tf (1 hunks)
• examples/import-existing-org/main.tf (1 hunks)
• examples/import-existing-org/providers.tf (1 hunks)
• examples/import-existing-org/users.yaml (1 hunks)
• examples/import-existing-org/versions.tf (1 hunks)
• main.tf (1 hunks)
• outputs.tf (1 hunks)
• tests/variables_groups.tftest.hcl (1 hunks)
• tests/variables_users.tftest.hcl (1 hunks)
• variables.tf (1 hunks)
• versions.tf (1 hunks)

💤 Files with no reviewable changes (1)

• CHANGELOG.md

🧰 Additional context used

📓 Path-based instructions (1)

`**/*.tf`: You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.or...

**/*.tf: You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.org/docs/.
You have a strong grasp of Terraform syntax and prioritize providing accurate and insightful code suggestions.
As a fan of the Cloud Posse / SweetOps ecosystem, you incorporate many of their best practices https://docs.cloudposse.com/best-practices/terraform/ while balancing them with general Terraform guidelines.

• outputs.tf
• versions.tf
• examples/import-existing-org/versions.tf
• examples/complete/versions.tf
• examples/import-existing-org/main.tf
• examples/complete/providers.tf
• examples/complete/main.tf
• examples/import-existing-org/providers.tf
• examples/import-existing-org/imports.tf
• variables.tf
• main.tf

🔇 Additional comments (9)

examples/import-existing-org/main.tf (1)

1-8: Well-structured YAML decoding and filtering
Great use of yamldecode with a for expression to drop prototype entries. This makes the example clear and maintainable.

examples/import-existing-org/groups.yaml (1)

2-14: Well-defined default settings with YAML anchors
Your anchor-based defaults (_default_active_settings) are a clean way to DRY out group settings. Nicely done!

examples/complete/main.tf (1)

1-15: Solid default group settings block
Defining local.default_group_settings once and merging overrides is a great pattern that keeps your example concise and DRY.

main.tf (6)

11-21: Locals for group_members are well-formed
The nested loops with flatten correctly produce a map of membership objects keyed by "group_email/user_primary_email".

---

24-43: Resource googleworkspace_user.defaults covers all user attributes
The resource iterates over var.users and maps each attribute appropriately, including lifecycle rules to avoid unwanted updates on sensitive fields.

---

58-69: Group resource implementation is solid
The googleworkspace_group.defaults resource properly iterates over var.groups and applies create and update timeouts.

---

71-103: Group settings resource looks comprehensive
googleworkspace_group_settings.defaults correctly applies merged settings per group and depends on group creation.

---

115-119: Lifecycle ignore_changes is appropriate
Ignoring delivery_settings prevents unwanted drift in delivery settings made by end users.

---

121-122: Explicit depends_on for membership ordering
Specifying depends_on = [googleworkspace_group.defaults, googleworkspace_user.defaults] ensures memberships are created only after both groups and users exist, which is critical for a predictable apply.

[coderabbitai]

🛠️ Refactor suggestion

Validate membership role and type in variables
You convert role and type to uppercase here. Ensure you enforce allowed values in variables.tf (e.g., OWNER, MANAGER, MEMBER for roles) to prevent invalid inputs from causing apply errors.

🤖 Prompt for AI Agents

In main.tf around lines 110 to 113, you convert the membership `role` and `type`
to uppercase but do not validate their allowed values. To fix this, update
variables.tf to include validation blocks for these variables, specifying
allowed values such as `OWNER`, `MANAGER`, `MEMBER` for `role` and appropriate
values for `type`. This ensures invalid inputs are caught early and prevents
apply errors.