ISAS Implementation for User- and Group Management in Google Workspace (formerly GSuite).
- Terraform installed
Google SDK Documentation about Delegation
Go to IAM service accounts and create a Service account.
- enter Service account name
- add yourself to 'Grant users access to this service account'
In the Service account overview open the 'Actions' menu on the right of the dedicated service account and choose Manage keys. Click on 'Add key' and create a new key in JSON format, this key will be used for Terraform.
In the Service account overview open the 'Actions' menu on the right of the dedicated service account and choose Manage details.
Open this part below and Enable GSuite Domain-wide Delegation.
- Enter Product name, f.e. Terraform GSuite service
- the impersonated user account will do the terraform job and needs admin permission.
- copy ID for next step
Now go to Google Admin Console and open the Burger menu on the left. Choose Security > API controls.
Get the Service account with the ID provided before (Service account details), then add the following oauth scopes:
https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.userschema, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/apps.groups.settings
provider "gsuite" {
impersonated_user_email = "[email protected]"
credentials = "/path/to/google_credentials.json"
oauth_scopes = [
"https://www.googleapis.com/auth/admin.directory.group",
"https://www.googleapis.com/auth/apps.groups.settings",
"https://www.googleapis.com/auth/admin.directory.user",
"https://www.googleapis.com/auth/admin.directory.userschema",
]
}
It is also possible to use a *.tfvars file to define variables for the credentials and exclude this file in .gitignore.
role:
email: '[email protected]'
name: 'Example Role'
Group member have to be defined within the group definition.
role:
email: '[email protected]'
name: 'Example Role'
groups:
- alt_role
In this example the group 'alt_role' will be a member of the group 'role'.
jane:
family_name: 'Doe'
given_name: 'Jane'
primary_email: '[email protected]'
recovery_email: '[email protected]'
recovery_phone: '+10000'
org_unit_path: /
is_suspended: false
suspension_reason: ''
roles:
- role
This is an example usage with local yaml files (see Terraform yamldecode for details). It is also possible to use any other sources like Github, which are defined by Terraform (see Terraform module sources for details).
locals {
groups = yamldecode(file("${path.module}/groups.yaml"))
users = yamldecode(file("${path.module}/users.yaml"))
}
module "gworkspace" {
source = "https://github.com/strg-at/terraform-google-workspace-module.git"
providers = {
gsuite = gsuite
}
groups = local.groups
users = local.users
}
See Terraform docs for details.
- Jasmin Müller (:octocat: jazzlyn) - first implementation