├── .dockerignore ├── .github ├── release-please.yml ├── renovate.json ├── trusted-contribution.yml └── workflows │ ├── lint.yaml │ └── stale.yml ├── .gitignore ├── CHANGELOG.md ├── CODEOWNERS ├── CONTRIBUTING.md ├── LICENSE ├── Makefile ├── README.md ├── build ├── int.cloudbuild.yaml └── lint.cloudbuild.yaml ├── examples └── simple_example │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── kitchen.yml ├── main.tf ├── outputs.tf ├── test ├── .gitignore ├── fixtures │ └── simple_example │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf ├── integration │ └── simple_example │ │ ├── controls │ │ └── gcloud.rb │ │ └── inspec.yml └── setup │ ├── .gitignore │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── variables.tf └── versions.tf /.dockerignore: -------------------------------------------------------------------------------- 1 | .git 2 | .terraform 3 | .terraform.d 4 | .kitchen 5 | terraform.tfstate.d 6 | test/fixtures/*/.terraform 7 | test/fixtures/*/terraform.tfstate.d 8 | examples/.kitchen 9 | examples/*/.terraform 10 | examples/*/terraform.tfstate.d 11 | -------------------------------------------------------------------------------- /.github/release-please.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | releaseType: terraform-module 16 | handleGHRelease: true 17 | -------------------------------------------------------------------------------- /.github/renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": ["github>GoogleCloudPlatform/cloud-foundation-toolkit//infra/terraform/test-org/github/resources/renovate"] 4 | } 5 | -------------------------------------------------------------------------------- /.github/trusted-contribution.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # NOTE: This file is automatically generated from: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github 17 | 18 | annotations: 19 | - type: comment 20 | text: "/gcbrun" 21 | trustedContributors: 22 | - release-please[bot] 23 | - renovate[bot] 24 | - renovate-bot 25 | - forking-renovate[bot] 26 | - dependabot[bot] 27 | -------------------------------------------------------------------------------- /.github/workflows/lint.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2023-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # NOTE: This file is automatically generated from values at: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf 17 | 18 | name: 'lint' 19 | 20 | on: 21 | workflow_dispatch: 22 | pull_request: 23 | types: [opened, edited, reopened, synchronize] 24 | branches: [main] 25 | 26 | permissions: 27 | contents: read 28 | 29 | concurrency: 30 | group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}' 31 | cancel-in-progress: true 32 | 33 | jobs: 34 | lint: 35 | name: 'lint' 36 | runs-on: 'ubuntu-latest' 37 | steps: 38 | - uses: 'actions/checkout@v4' 39 | - id: variables 40 | run: | 41 | MAKEFILE=$(find . 
-name Makefile -print -quit) 42 | if [ -z "$MAKEFILE" ]; then 43 | echo dev-tools=gcr.io/cloud-foundation-cicd/cft/developer-tools:1 >> "$GITHUB_OUTPUT" 44 | else 45 | VERSION=$(grep "DOCKER_TAG_VERSION_DEVELOPER_TOOLS := " $MAKEFILE | cut -d\ -f3) 46 | IMAGE=$(grep "DOCKER_IMAGE_DEVELOPER_TOOLS := " $MAKEFILE | cut -d\ -f3) 47 | REGISTRY=$(grep "REGISTRY_URL := " $MAKEFILE | cut -d\ -f3) 48 | echo dev-tools=${REGISTRY}/${IMAGE}:${VERSION} >> "$GITHUB_OUTPUT" 49 | fi 50 | - run: docker run --rm -v ${{ github.workspace }}:/workspace ${{ steps.variables.outputs.dev-tools }} module-swapper 51 | - run: docker run --rm -v ${{ github.workspace }}:/workspace ${{ steps.variables.outputs.dev-tools }} /usr/local/bin/test_lint.sh 52 | commitlint: 53 | runs-on: ubuntu-latest 54 | steps: 55 | - uses: actions/checkout@v4 56 | with: 57 | fetch-depth: 0 58 | - name: Setup node 59 | uses: actions/setup-node@v4 60 | with: 61 | node-version: lts/* 62 | - name: Install commitlint 63 | run: | 64 | npm install -D @commitlint/cli@19.8.1 @commitlint/config-conventional@19.8.1 65 | echo "module.exports = { extends: ['@commitlint/config-conventional'], rules: {'subject-case': [0]} };" > commitlint.config.js 66 | npx commitlint --version 67 | - name: Validate PR commits with commitlint 68 | if: github.event_name == 'pull_request' 69 | run: 'echo "${{ github.event.pull_request.title }}" | npx commitlint --verbose' 70 | -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2022-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # NOTE: This file is automatically generated from: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github 17 | 18 | name: "Close stale issues" 19 | on: 20 | schedule: 21 | - cron: "0 23 * * *" 22 | 23 | jobs: 24 | stale: 25 | if: github.repository_owner == 'GoogleCloudPlatform' || github.repository_owner == 'terraform-google-modules' 26 | runs-on: ubuntu-latest 27 | steps: 28 | - uses: actions/stale@v9 29 | with: 30 | repo-token: ${{ secrets.GITHUB_TOKEN }} 31 | stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' 32 | stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. 
Remove stale label or comment or this will be closed in 7 days' 33 | exempt-issue-labels: 'triaged' 34 | exempt-pr-labels: 'dependencies,autorelease: pending' 35 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # OSX leaves these everywhere on SMB shares 2 | ._* 3 | 4 | # OSX trash 5 | .DS_Store 6 | 7 | # Python 8 | *.pyc 9 | 10 | # Emacs save files 11 | *~ 12 | \#*\# 13 | .\#* 14 | 15 | # Vim-related files 16 | [._]*.s[a-w][a-z] 17 | [._]s[a-w][a-z] 18 | *.un~ 19 | Session.vim 20 | .netrwhist 21 | 22 | ### https://raw.github.com/github/gitignore/90f149de451a5433aebd94d02d11b0e28843a1af/Terraform.gitignore 23 | 24 | # Local .terraform directories 25 | **/.terraform/* 26 | 27 | # .tfstate files 28 | *.tfstate 29 | *.tfstate.* 30 | 31 | # Crash log files 32 | crash.log 33 | 34 | # Kitchen files 35 | **/inspec.lock 36 | **/.kitchen 37 | **/kitchen.local.yml 38 | **/Gemfile.lock 39 | 40 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most 41 | # .tfvars files are managed as part of configuration and so should be included in 42 | # version control. 43 | **/*.tfvars 44 | 45 | credentials.json 46 | 47 | # tf lock file 48 | .terraform.lock.hcl 49 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | All notable changes to this project will be documented in this file. 4 | 5 | The format is based on 6 | [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 7 | and this project adheres to 8 | [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 9 | This changelog is generated automatically based on [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/). 
10 | 11 | ## [0.8.0](https://github.com/terraform-google-modules/terraform-google-group/compare/v0.7.0...v0.8.0) (2025-09-26) 12 | 13 | 14 | ### Features 15 | 16 | * **deps:** Update Terraform Google Provider to v7 (major) ([#84](https://github.com/terraform-google-modules/terraform-google-group/issues/84)) ([c7a0852](https://github.com/terraform-google-modules/terraform-google-group/commit/c7a0852e9a751c4cbc5171086c8d8277dd2e30b8)) 17 | 18 | 19 | ### Bug Fixes 20 | 21 | * **TF>=v1.3:** Update cft/developer-tools Docker tag to v1.25 ([#78](https://github.com/terraform-google-modules/terraform-google-group/issues/78)) ([fb21894](https://github.com/terraform-google-modules/terraform-google-group/commit/fb2189412cf3093115ff6231c49e0aab593c5f03)) 22 | 23 | ## [0.7.0](https://github.com/terraform-google-modules/terraform-google-group/compare/v0.6.1...v0.7.0) (2024-08-29) 24 | 25 | 26 | ### Features 27 | 28 | * **deps:** Update Terraform Google Provider to v6 (major) ([#73](https://github.com/terraform-google-modules/terraform-google-group/issues/73)) ([65e8c6b](https://github.com/terraform-google-modules/terraform-google-group/commit/65e8c6bcb754b3e849c4ce76101a43d8acdd1877)) 29 | 30 | ## [0.6.1](https://github.com/terraform-google-modules/terraform-google-group/compare/v0.6.0...v0.6.1) (2024-01-03) 31 | 32 | 33 | ### Bug Fixes 34 | 35 | * upgraded versions.tf to include minor bumps from tpg v5 ([#56](https://github.com/terraform-google-modules/terraform-google-group/issues/56)) ([bd41d84](https://github.com/terraform-google-modules/terraform-google-group/commit/bd41d849d284258fc479175fe324a7d1ab16a45c)) 36 | 37 | ## [0.6.0](https://github.com/terraform-google-modules/terraform-google-group/compare/v0.5.0...v0.6.0) (2023-05-09) 38 | 39 | 40 | ### Features 41 | 42 | * adds group types var to the root module ([#49](https://github.com/terraform-google-modules/terraform-google-group/issues/49)) 
([dec1114](https://github.com/terraform-google-modules/terraform-google-group/commit/dec11146023c5de7ad637b4056360f507a9829fc)) 43 | 44 | ## [0.5.0](https://github.com/terraform-google-modules/terraform-google-group/compare/v0.4.0...v0.5.0) (2023-05-04) 45 | 46 | 47 | ### Features 48 | 49 | * adds group name as an output ([#47](https://github.com/terraform-google-modules/terraform-google-group/issues/47)) ([17f509f](https://github.com/terraform-google-modules/terraform-google-group/commit/17f509fce3a33c442cc616ee764efc0609682760)) 50 | 51 | ## [0.4.0](https://www.github.com/terraform-google-modules/terraform-google-group/compare/v0.3.0...v0.4.0) (2021-11-17) 52 | 53 | 54 | ### Features 55 | 56 | * update TPG version constraints to allow 4.0 ([#27](https://www.github.com/terraform-google-modules/terraform-google-group/issues/27)) ([8619bb3](https://www.github.com/terraform-google-modules/terraform-google-group/commit/8619bb32531b3f35305d539fc2fab892496aec4f)) 57 | 58 | ## [0.3.0](https://www.github.com/terraform-google-modules/terraform-google-group/compare/v0.2.0...v0.3.0) (2021-07-14) 59 | 60 | 61 | ### Features 62 | 63 | * Enable support for the initial_group_config parameter ([#22](https://www.github.com/terraform-google-modules/terraform-google-group/issues/22)) ([10625fb](https://www.github.com/terraform-google-modules/terraform-google-group/commit/10625fb6a1a30026e3c9fc2e14656c75b075a402)) 64 | 65 | ## [0.2.0](https://www.github.com/terraform-google-modules/terraform-google-group/compare/v0.1.1...v0.2.0) (2021-03-16) 66 | 67 | 68 | ### ⚠ BREAKING CHANGES 69 | 70 | * add Terraform 0.13 constraint and module attribution (#17) 71 | 72 | ### Features 73 | 74 | * add Terraform 0.13 constraint and module attribution ([#17](https://www.github.com/terraform-google-modules/terraform-google-group/issues/17)) ([be74f6b](https://www.github.com/terraform-google-modules/terraform-google-group/commit/be74f6be2df28ad05070646604b6645908957efa)) 75 | 76 | ### 
[0.1.1](https://www.github.com/terraform-google-modules/terraform-google-group/compare/v0.1.0...v0.1.1) (2020-12-11) 77 | 78 | 79 | ### Bug Fixes 80 | 81 | * Correct order of roles to specify in memberships ([#6](https://www.github.com/terraform-google-modules/terraform-google-group/issues/6)) ([7db3c49](https://www.github.com/terraform-google-modules/terraform-google-group/commit/7db3c49bc31cbbe3c9fdb75962289058ce00985b)) 82 | 83 | ## [0.1.0](https://github.com/terraform-google-modules/terraform-google-group/releases/tag/v0.1.0) - 20XX-YY-ZZ 84 | 85 | ### Features 86 | 87 | - Initial release 88 | 89 | [0.1.0]: https://github.com/terraform-google-modules/terraform-google-group/releases/tag/v0.1.0 90 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # NOTE: This file is automatically generated from values at: 2 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf 3 | 4 | * @terraform-google-modules/cft-admins 5 | 6 | # NOTE: GitHub CODEOWNERS locations: 7 | # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection 8 | 9 | CODEOWNERS @terraform-google-modules/cft-admins 10 | .github/CODEOWNERS @terraform-google-modules/cft-admins 11 | docs/CODEOWNERS @terraform-google-modules/cft-admins 12 | 13 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | This document provides guidelines for contributing to the module. 
4 | 5 | ## Dependencies 6 | 7 | The following dependencies must be installed on the development system: 8 | 9 | - [Docker Engine][docker-engine] 10 | - [Google Cloud SDK][google-cloud-sdk] 11 | - [make] 12 | 13 | ## Generating Documentation for Inputs and Outputs 14 | 15 | The Inputs and Outputs tables in the READMEs of the root module, 16 | submodules, and example modules are automatically generated based on 17 | the `variables` and `outputs` of the respective modules. These tables 18 | must be refreshed if the module interfaces are changed. 19 | 20 | ### Execution 21 | 22 | Run `make generate_docs` to generate new Inputs and Outputs tables. 23 | 24 | ## Integration Testing 25 | 26 | Integration tests are used to verify the behaviour of the root module, 27 | submodules, and example modules. Additions, changes, and fixes should 28 | be accompanied with tests. 29 | 30 | The integration tests are run using [Kitchen][kitchen], 31 | [Kitchen-Terraform][kitchen-terraform], and [InSpec][inspec]. These 32 | tools are packaged within a Docker image for convenience. 33 | 34 | The general strategy for these tests is to verify the behaviour of the 35 | [example modules](./examples/), thus ensuring that the root module, 36 | submodules, and example modules are all functionally correct. 37 | 38 | ### Test Environment 39 | The easiest way to test the module is in an isolated test project. The setup for such a project is defined in [test/setup](./test/setup/) directory. 
40 | 41 | To use this setup, you need a service account with these permissions (on a Folder or Organization): 42 | - Project Creator 43 | - Project Billing Manager 44 | 45 | The project that the service account belongs to must have the following APIs enabled (the setup won't 46 | create any resources on the service account's project): 47 | - Cloud Resource Manager 48 | - Cloud Billing 49 | - Service Usage 50 | - Identity and Access Management (IAM) 51 | 52 | Export the Service Account credentials to your environment like so: 53 | 54 | ``` 55 | export SERVICE_ACCOUNT_JSON=$(< credentials.json) 56 | ``` 57 | 58 | You will also need to set a few environment variables: 59 | ``` 60 | export TF_VAR_org_id="your_org_id" 61 | export TF_VAR_folder_id="your_folder_id" 62 | export TF_VAR_billing_account="your_billing_account_id" 63 | ``` 64 | 65 | With these settings in place, you can prepare a test project using Docker: 66 | ``` 67 | make docker_test_prepare 68 | ``` 69 | 70 | ### Noninteractive Execution 71 | 72 | Run `make docker_test_integration` to test all of the example modules 73 | noninteractively, using the prepared test project. 74 | 75 | ### Interactive Execution 76 | 77 | 1. Run `make docker_run` to start the testing Docker container in 78 | interactive mode. 79 | 80 | 1. Run `kitchen_do create <EXAMPLE_NAME>` to initialize the working 81 | directory for an example module. 82 | 83 | 1. Run `kitchen_do converge <EXAMPLE_NAME>` to apply the example module. 84 | 85 | 1. Run `kitchen_do verify <EXAMPLE_NAME>` to test the example module. 86 | 87 | 1. Run `kitchen_do destroy <EXAMPLE_NAME>` to destroy the example module 88 | state. 89 | 90 | ## Linting and Formatting 91 | 92 | Many of the files in the repository can be linted or formatted to 93 | maintain a standard of quality. 94 | 95 | ### Execution 96 | 97 | Run `make docker_test_lint`. 
98 | 99 | [docker-engine]: https://www.docker.com/products/docker-engine 100 | [flake8]: http://flake8.pycqa.org/en/latest/ 101 | [gofmt]: https://golang.org/cmd/gofmt/ 102 | [google-cloud-sdk]: https://cloud.google.com/sdk/install 103 | [hadolint]: https://github.com/hadolint/hadolint 104 | [inspec]: https://inspec.io/ 105 | [kitchen-terraform]: https://github.com/newcontext-oss/kitchen-terraform 106 | [kitchen]: https://kitchen.ci/ 107 | [make]: https://en.wikipedia.org/wiki/Make_(software) 108 | [shellcheck]: https://www.shellcheck.net/ 109 | [terraform-docs]: https://github.com/segmentio/terraform-docs 110 | [terraform]: https://terraform.io/ 111 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 
26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. 
For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. 
If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. 
You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. 
(Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Please note that this file was generated from [terraform-google-module-template](https://github.com/terraform-google-modules/terraform-google-module-template). 
16 | # Please make sure to contribute relevant changes upstream! 17 | 18 | # Make will use bash instead of sh 19 | SHELL := /usr/bin/env bash 20 | 21 | DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25 22 | DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools 23 | REGISTRY_URL := gcr.io/cloud-foundation-cicd 24 | 25 | # Enter docker container for local development 26 | .PHONY: docker_run 27 | docker_run: 28 | docker run --rm -it \ 29 | -e SERVICE_ACCOUNT_JSON \ 30 | -v "$(CURDIR)":/workspace \ 31 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 32 | /bin/bash 33 | 34 | # Execute prepare tests within the docker container 35 | .PHONY: docker_test_prepare 36 | docker_test_prepare: 37 | docker run --rm -it \ 38 | -e SERVICE_ACCOUNT_JSON \ 39 | -e TF_VAR_org_id \ 40 | -e TF_VAR_folder_id \ 41 | -e TF_VAR_billing_account \ 42 | -v "$(CURDIR)":/workspace \ 43 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 44 | /usr/local/bin/execute_with_credentials.sh prepare_environment 45 | 46 | # Clean up test environment within the docker container 47 | .PHONY: docker_test_cleanup 48 | docker_test_cleanup: 49 | docker run --rm -it \ 50 | -e SERVICE_ACCOUNT_JSON \ 51 | -e TF_VAR_org_id \ 52 | -e TF_VAR_folder_id \ 53 | -e TF_VAR_billing_account \ 54 | -v "$(CURDIR)":/workspace \ 55 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 56 | /usr/local/bin/execute_with_credentials.sh cleanup_environment 57 | 58 | # Execute integration tests within the docker container 59 | .PHONY: docker_test_integration 60 | docker_test_integration: 61 | docker run --rm -it \ 62 | -e SERVICE_ACCOUNT_JSON \ 63 | -v "$(CURDIR)":/workspace \ 64 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 65 | /usr/local/bin/test_integration.sh 66 | 67 | # Execute lint tests within the docker container 68 | .PHONY: docker_test_lint 69 | docker_test_lint: 70 | docker 
run --rm -it \ 71 | -e EXCLUDE_LINT_DIRS \ 72 | -v "$(CURDIR)":/workspace \ 73 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 74 | /usr/local/bin/test_lint.sh 75 | 76 | # Generate documentation 77 | .PHONY: docker_generate_docs 78 | docker_generate_docs: 79 | docker run --rm -it \ 80 | -v "$(CURDIR)":/workspace \ 81 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 82 | /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs' 83 | 84 | # Alias for backwards compatibility 85 | .PHONY: generate_docs 86 | generate_docs: docker_generate_docs 87 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # terraform-google-group 2 | 3 | This module manages Cloud Identity Groups and Memberships using the 4 | [Cloud Identity Group API](https://cloud.google.com/identity/docs/groups). 5 | 6 | ## Usage 7 | 8 | Basic usage of this module is as follows: 9 | 10 | ```hcl 11 | # Required if using User ADCs (Application Default Credentials) for Cloud Identity API. 12 | provider "google-beta" { 13 | user_project_override = true 14 | billing_project = "" 15 | } 16 | 17 | module "group" { 18 | source = "terraform-google-modules/group/google" 19 | version = "~> 0.8" 20 | 21 | id = "example-group@example.com" 22 | display_name = "example-group" 23 | description = "Example group" 24 | domain = "example.com" 25 | owners = ["foo@example.com"] 26 | managers = ["example-sa@my-project.iam.gserviceaccount.com"] 27 | members = ["another-group@example.com"] 28 | } 29 | ``` 30 | 31 | Functional examples are included in the [examples](./examples/) directory. 32 | 33 | 34 | ## Inputs 35 | 36 | | Name | Description | Type | Default | Required | 37 | |------|-------------|------|---------|:--------:| 38 | | customer\_id | Customer ID of the organization to create the group in. 
One of domain or customer\_id must be specified | `string` | `""` | no | 39 | | description | Description of the group | `string` | `""` | no | 40 | | display\_name | Display name of the group | `string` | `""` | no | 41 | | domain | Domain of the organization to create the group in. One of domain or customer\_id must be specified | `string` | `""` | no | 42 | | id | ID of the group. For Google-managed entities, the ID must be the email address the group | `string` | n/a | yes | 43 | | initial\_group\_config | The initial configuration options for creating a Group. See the API reference for possible values. Possible values are INITIAL\_GROUP\_CONFIG\_UNSPECIFIED, WITH\_INITIAL\_OWNER, and EMPTY. | `string` | `"EMPTY"` | no | 44 | | managers | Managers of the group. Each entry is the ID of an entity. For Google-managed entities, the ID must be the email address of an existing group, user or service account | `list(string)` | `[]` | no | 45 | | members | Members of the group. Each entry is the ID of an entity. For Google-managed entities, the ID must be the email address of an existing group, user or service account | `list(string)` | `[]` | no | 46 | | owners | Owners of the group. Each entry is the ID of an entity. For Google-managed entities, the ID must be the email address of an existing group, user or service account | `list(string)` | `[]` | no | 47 | | types | The type of the group to be created. More info: https://cloud.google.com/identity/docs/groups#group_properties | `list(string)` |
[
"default"
]
| no | 48 | 49 | ## Outputs 50 | 51 | | Name | Description | 52 | |------|-------------| 53 | | id | ID of the group. For Google-managed entities, the ID is the email address the group | 54 | | name | Name of the group with the domain removed. For Google-managed entities, the ID is the email address the group | 55 | | resource\_name | Resource name of the group in the format: groups/{group\_id}, where group\_id is the unique ID assigned to the group. | 56 | 57 | 58 | 59 | ## Limitations 60 | 61 | The provider is still under development, the following are known issues or 62 | limitations: 63 | 64 | * Updating a `google_cloud_identity_group_membership` to remove a role fails 65 | with an error 66 | ([link](https://github.com/hashicorp/terraform-provider-google/issues/7616)). 67 | 68 | * Updating a `google_cloud_identity_group_membership` to change the role of a 69 | member fails with the following error due to Terraform trying to create the 70 | new role assignment before/at the same time as the old one is removed. 71 | Rerunning the same deployment twice might resolve the issue. 72 | 73 | ```bash 74 | Error: Error creating GroupMembership: googleapi: Error 409: Error(4003): Cannot create membership 'user@example.com' in 'groups/xxx' because it already exists. 
75 | Details: 76 | [ 77 | { 78 | "@type": "type.googleapis.com/google.rpc.ResourceInfo", 79 | "description": "Error(4003): Cannot create membership 'user@example.com' in 'groups/xxx' because it already exists.", 80 | "owner": "domain:cloudidentity.googleapis.com", 81 | "resourceType": "cloudidentity.googleapis.com/Membership" 82 | }, 83 | { 84 | "@type": "type.googleapis.com/google.rpc.DebugInfo", 85 | "detail": "[ORIGINAL ERROR] generic::already_exists: Error(4003): Cannot create membership 'user@example.com' in 'groups/xxx' because it already exists.\ncom.google.ccc.hosted.api.oneplatform.cloudidentity.error.exceptions.OpAlreadyExistsException: Error(4003): Cannot create membership 'user@example.com' in 'groups/xxx' because it already exists. [google.rpc.error_details_ext] { message: \"Error(4003): Cannot create membership \\'user@example.com\\' in \\'groups/xxx\\' because it already exists.\" details { [type.googleapis.com/google.rpc.ResourceInfo] { resource_type: \"cloudidentity.googleapis.com/Membership\" owner: \"domain:cloudidentity.googleapis.com\" description: \"Error(4003): Cannot create membership \\'user@example.com\\' in \\'groups/xxx\\' because it already exists.\" } } }" 86 | } 87 | ] 88 | ``` 89 | 90 | * Only 91 | [Google Groups](https://cloud.google.com/identity/docs/groups#group_properties) 92 | are supported. 93 | 94 | * Last `OWNER` cannot be removed from a Google Group. 95 | 96 | ## Requirements 97 | 98 | These sections describe requirements for using this module. 
99 | 100 | ### Software 101 | 102 | The following dependencies must be available: 103 | 104 | * [Terraform][terraform] v0.13 105 | * [Terraform Provider for GCP][terraform-provider-gcp] plugin v2.0 106 | 107 | ### Permissions 108 | 109 | A service account or user account needs the following roles to provision the 110 | resources of this module: 111 | 112 | #### Google Cloud IAM roles 113 | 114 | * Service Usage Consumer: `roles/serviceusage.serviceUsageConsumer` on the 115 | billing project 116 | * Organization Viewer: `roles/resourcemanager.organizationViewer` if using 117 | `domain` instead of `customer_id` 118 | 119 | The [Project Factory module][project-factory-module] and the 120 | [IAM module][iam-module] may be used in combination to provision a service 121 | account with the necessary roles applied. 122 | 123 | #### Google Workspace (formerly known as G Suite) roles 124 | 125 | * [Group Admin role](https://support.google.com/a/answer/2405986?hl=en) 126 | 127 | To make the service account a Group Admin, you must have Google Workspace Super 128 | Admin access for your domain. Follow 129 | [Assigning an admin role to the service account](https://cloud.google.com/identity/docs/how-to/setup#assigning_an_admin_role_to_the_service_account) 130 | for instructions. 131 | 132 | To create groups as an end user, the caller is required to authenticate as a 133 | member of the domain, i.e. you cannot use this module to create a group under 134 | `bar.com` with a `foo.com` user identity. 135 | 136 | After the groups have been created, the organization’s Super Admin, Group Admin 137 | or any custom role with Groups privilege can always modify and delete the groups 138 | and their memberships. In addition, the group’s OWNER and MANAGER can edit 139 | membership, and OWNER can delete the group. Documentation around the three group 140 | default roles (OWNER, MANAGER and MEMBER) can be found 141 | [here](https://support.google.com/a/answer/167094?hl=en). 
142 | 143 | ### APIs 144 | 145 | A project with the following APIs enabled must be used to host the resources of 146 | this module: 147 | 148 | * Cloud Identity API: `cloudidentity.googleapis.com` 149 | 150 | The [Project Factory module][project-factory-module] can be used to provision a 151 | project with the necessary APIs enabled. 152 | 153 | To use the Cloud Identity Groups API, you must have Google Groups for Business 154 | enabled for your domain and allow end users to create groups. 155 | 156 | ## Contributing 157 | 158 | Refer to the [contribution guidelines](./CONTRIBUTING.md) for information on 159 | contributing to this module. 160 | 161 | [iam-module]: https://registry.terraform.io/modules/terraform-google-modules/iam/google 162 | [project-factory-module]: https://registry.terraform.io/modules/terraform-google-modules/project-factory/google 163 | [terraform-provider-gcp]: https://www.terraform.io/docs/providers/google/index.html 164 | [terraform]: https://www.terraform.io/downloads.html 165 | -------------------------------------------------------------------------------- /build/int.cloudbuild.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | timeout: 3600s 16 | steps: 17 | - id: swap-module-refs 18 | name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 19 | args: ['module-swapper'] 20 | - id: prepare 21 | name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 22 | args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment'] 23 | env: 24 | - 'TF_VAR_org_id=$_ORG_ID' 25 | - 'TF_VAR_folder_id=$_FOLDER_ID' 26 | - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' 27 | - id: create 28 | name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 29 | args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create'] 30 | - id: converge 31 | name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 32 | args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge'] 33 | - id: verify 34 | name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 35 | args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify'] 36 | - id: destroy 37 | name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 38 | args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy'] 39 | tags: 40 | - 'ci' 41 | - 'integration' 42 | substitutions: 43 | _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' 44 | _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.25' 45 | -------------------------------------------------------------------------------- /build/lint.cloudbuild.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this 
file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | - name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 17 | id: 'lint' 18 | args: ['/usr/local/bin/test_lint.sh'] 19 | tags: 20 | - 'ci' 21 | - 'lint' 22 | substitutions: 23 | _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' 24 | _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.25' 25 | -------------------------------------------------------------------------------- /examples/simple_example/README.md: -------------------------------------------------------------------------------- 1 | # Simple Example 2 | 3 | This example illustrates how to use the `group` module. 
4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | domain | Domain of the organization to create the group in | `string` | n/a | yes | 11 | | project\_id | The ID of the project in which to provision resources and used for billing | `string` | n/a | yes | 12 | | suffix | Suffix of the groups to create | `string` | n/a | yes | 13 | 14 | ## Outputs 15 | 16 | | Name | Description | 17 | |------|-------------| 18 | | group\_id | n/a | 19 | | group\_name | n/a | 20 | 21 | 22 | 23 | To provision this example, run the following from within this directory: 24 | - `terraform init` to get the plugins 25 | - `terraform plan` to see the infrastructure plan 26 | - `terraform apply` to apply the infrastructure build 27 | - `terraform destroy` to destroy the built infrastructure 28 | -------------------------------------------------------------------------------- /examples/simple_example/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | # Required if using User ADCs (Application Default Credentials) for Cloud Identity API. 
18 | # provider "google-beta" { 19 | # version = "~> 3.0" 20 | # user_project_override = true 21 | # billing_project = var.project_id 22 | # } 23 | 24 | resource "google_service_account" "manager" { 25 | project = var.project_id 26 | account_id = "example-manager" 27 | display_name = "example-manager" 28 | } 29 | 30 | resource "google_service_account" "member" { 31 | project = var.project_id 32 | account_id = "example-member" 33 | display_name = "example-member" 34 | } 35 | 36 | module "inner_group" { 37 | source = "terraform-google-modules/group/google" 38 | version = "~> 0.7" 39 | 40 | id = "group-module-test-inner-group-${var.suffix}@${var.domain}" 41 | display_name = "group-module-test-inner-group-${var.suffix}" 42 | description = "Group module test inner group ${var.suffix}" 43 | domain = var.domain 44 | managers = ["${google_service_account.manager.account_id}@${var.project_id}.iam.gserviceaccount.com"] 45 | members = ["${google_service_account.member.account_id}@${var.project_id}.iam.gserviceaccount.com"] 46 | } 47 | 48 | module "group" { 49 | source = "terraform-google-modules/group/google" 50 | version = "~> 0.7" 51 | 52 | id = "group-module-test-group-${var.suffix}@${var.domain}" 53 | display_name = "group-module-test-group-${var.suffix}" 54 | description = "Group module test group ${var.suffix}" 55 | domain = var.domain 56 | members = [module.inner_group.id] 57 | } 58 | -------------------------------------------------------------------------------- /examples/simple_example/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "group_id" { 18 | value = module.group.id 19 | } 20 | 21 | output "group_name" { 22 | value = module.group.name 23 | } 24 | -------------------------------------------------------------------------------- /examples/simple_example/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources and used for billing" 19 | type = string 20 | } 21 | 22 | variable "domain" { 23 | description = "Domain of the organization to create the group in" 24 | type = string 25 | } 26 | 27 | variable "suffix" { 28 | description = "Suffix of the groups to create" 29 | type = string 30 | } 31 | -------------------------------------------------------------------------------- /kitchen.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | --- 16 | driver: 17 | name: terraform 18 | 19 | provisioner: 20 | name: terraform 21 | 22 | verifier: 23 | name: terraform 24 | 25 | platforms: 26 | - name: default 27 | 28 | suites: 29 | - name: simple_example 30 | driver: 31 | root_module_directory: test/fixtures/simple_example/ 32 | verify_version: false 33 | verifier: 34 | color: false 35 | systems: 36 | - name: simple_example local 37 | backend: local 38 | controls: 39 | - gcloud 40 | -------------------------------------------------------------------------------- /main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | data "google_organization" "org" { 18 | count = var.domain != "" ? 1 : 0 19 | domain = var.domain 20 | } 21 | 22 | locals { 23 | customer_id = var.domain != "" ? data.google_organization.org[0].directory_customer_id : var.customer_id 24 | label_keys = { 25 | "default" = "cloudidentity.googleapis.com/groups.discussion_forum" 26 | "dynamic" = "cloudidentity.googleapis.com/groups.dynamic" 27 | "security" = "cloudidentity.googleapis.com/groups.security" 28 | "external" = "system/groups/external" 29 | # Placeholders according to https://cloud.google.com/identity/docs/groups#group_properties. 30 | # Not supported by provider yet. 
31 | "posix" = "cloudidentity.googleapis.com/groups.posix" 32 | } 33 | } 34 | 35 | resource "google_cloud_identity_group" "group" { 36 | provider = google-beta 37 | display_name = var.display_name 38 | description = var.description 39 | 40 | parent = "customers/${local.customer_id}" 41 | 42 | initial_group_config = var.initial_group_config 43 | 44 | group_key { 45 | id = var.id 46 | } 47 | 48 | labels = { for t in var.types : local.label_keys[t] => "" } 49 | } 50 | 51 | resource "google_cloud_identity_group_membership" "owners" { 52 | for_each = toset(var.owners) 53 | 54 | provider = google-beta 55 | group = google_cloud_identity_group.group.id 56 | 57 | preferred_member_key { id = each.key } 58 | 59 | # MEMBER role must be specified. The order of roles should not be changed. 60 | roles { name = "OWNER" } 61 | roles { name = "MEMBER" } 62 | } 63 | 64 | resource "google_cloud_identity_group_membership" "managers" { 65 | for_each = toset(var.managers) 66 | 67 | provider = google-beta 68 | group = google_cloud_identity_group.group.id 69 | 70 | preferred_member_key { id = each.key } 71 | 72 | # MEMBER role must be specified. The order of roles should not be changed. 73 | roles { name = "MEMBER" } 74 | roles { name = "MANAGER" } 75 | } 76 | 77 | resource "google_cloud_identity_group_membership" "members" { 78 | for_each = toset(var.members) 79 | 80 | provider = google-beta 81 | group = google_cloud_identity_group.group.id 82 | 83 | preferred_member_key { id = each.key } 84 | roles { name = "MEMBER" } 85 | } 86 | -------------------------------------------------------------------------------- /outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "id" { 18 | value = google_cloud_identity_group.group.group_key[0].id 19 | description = "ID of the group. For Google-managed entities, the ID is the email address the group" 20 | } 21 | 22 | output "name" { 23 | value = split("@", google_cloud_identity_group.group.group_key[0].id)[0] 24 | description = "Name of the group with the domain removed. For Google-managed entities, the ID is the email address the group" 25 | } 26 | 27 | output "resource_name" { 28 | value = google_cloud_identity_group.group.name 29 | description = "Resource name of the group in the format: groups/{group_id}, where group_id is the unique ID assigned to the group." 30 | } 31 | -------------------------------------------------------------------------------- /test/.gitignore: -------------------------------------------------------------------------------- 1 | source.sh 2 | -------------------------------------------------------------------------------- /test/fixtures/simple_example/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "example" { 18 | source = "../../../examples/simple_example" 19 | 20 | project_id = var.project_id 21 | domain = var.domain 22 | suffix = var.suffix 23 | } 24 | -------------------------------------------------------------------------------- /test/fixtures/simple_example/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | output "project_id" { 18 | description = "The ID of the project in which to provision resources and used for billing" 19 | value = var.project_id 20 | } 21 | 22 | output "domain" { 23 | description = "Domain of the organization to create the group in" 24 | value = var.domain 25 | } 26 | 27 | output "suffix" { 28 | description = "Suffix of the groups to create" 29 | value = var.suffix 30 | } 31 | -------------------------------------------------------------------------------- /test/fixtures/simple_example/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources and used for billing" 19 | type = string 20 | } 21 | 22 | variable "domain" { 23 | description = "Domain of the organization to create the group in" 24 | type = string 25 | } 26 | 27 | variable "suffix" { 28 | description = "Suffix of the groups to create" 29 | type = string 30 | } 31 | -------------------------------------------------------------------------------- /test/integration/simple_example/controls/gcloud.rb: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | control "gcloud" do 16 | title "gcloud" 17 | 18 | describe command("gcloud beta identity groups describe group-module-test-group-#{attribute("suffix")}@#{attribute("domain")} --project=#{attribute("project_id")}") do 19 | its(:exit_status) { should eq 0 } 20 | its(:stderr) { should eq "" } 21 | end 22 | 23 | describe command("gcloud beta identity groups describe group-module-test-inner-group-#{attribute("suffix")}@#{attribute("domain")} --project=#{attribute("project_id")}") do 24 | its(:exit_status) { should eq 0 } 25 | its(:stderr) { should eq "" } 26 | end 27 | 28 | describe command("gcloud beta identity groups memberships describe --group-email group-module-test-group-#{attribute("suffix")}@#{attribute("domain")} --member-email group-module-test-inner-group-#{attribute("suffix")}@#{attribute("domain")} --project=#{attribute("project_id")}") do 29 | its(:exit_status) { should eq 0 } 30 | its(:stderr) { should eq "" } 31 | end 32 | 33 | describe command("gcloud beta identity groups memberships describe --group-email group-module-test-inner-group-#{attribute("suffix")}@#{attribute("domain")} --member-email example-manager@#{attribute("project_id")}.iam.gserviceaccount.com --project=#{attribute("project_id")}") do 34 | its(:exit_status) { should eq 0 } 35 | its(:stderr) { should eq "" } 36 | end 37 | 38 | describe command("gcloud beta identity groups memberships describe --group-email group-module-test-inner-group-#{attribute("suffix")}@#{attribute("domain")} --member-email example-member@#{attribute("project_id")}.iam.gserviceaccount.com --project=#{attribute("project_id")}") do 39 | its(:exit_status) { should eq 0 } 40 | its(:stderr) { should eq "" } 41 | end 42 | 43 | end 44 | 45 | -------------------------------------------------------------------------------- /test/integration/simple_example/inspec.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the 
Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: simple_example
# NOTE(review): the inspec-gcp dependency is pinned to a git tag. Tags are
# mutable refs, so a CI run can pick up different resource code if the tag is
# moved; pinning a commit SHA (InSpec git dependencies accept `commit:`) gives a
# reproducible supply chain for the test profile.
 16 | depends: 17 | - name: inspec-gcp 18 | git: https://github.com/inspec/inspec-gcp.git 19 | tag: v0.10.0
# The three attributes below are supplied from the test/setup outputs of the
# same name and are all required.
 20 | attributes: 21 | - name: project_id 22 | required: true 23 | type: string 24 | - name: domain 25 | required: true 26 | type: string 27 | - name: suffix 28 | required: true 29 | type: string 30 | -------------------------------------------------------------------------------- /test/setup/.gitignore: -------------------------------------------------------------------------------- 1 | terraform.tfvars 2 | source.sh 3 | -------------------------------------------------------------------------------- /test/setup/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | // Have to add the random ID here and pass the value to tests instead of directly 18 | // generate a random ID in tests because for_each in the module will complain 19 | // the random ID is not known until apply. 20 | provider "random" { 21 | } 22 | /* byte_length = 2 yields a 4-hex-character suffix; outputs.tf exposes it as .hex and the InSpec profile uses it to build the test group names. It is a uniqueness token, not a secret. */ 23 | resource "random_id" "random_group_suffix" { 24 | byte_length = 2 25 | } 26 | /* Reads the CI service-account email out of shared remote state in the "cft-infra-test-tfstate" bucket. Whoever runs this setup needs read access to that state, and remote state exposes every output stored under the prefix, not only the one used here. */ 27 | data "terraform_remote_state" "org" { 28 | backend = "gcs" 29 | config = { 30 | bucket = "cft-infra-test-tfstate" 31 | prefix = "state/org" 32 | } 33 | } 34 | /* Resolves the organization so outputs.tf can hand its primary domain to the tests. */ 35 | data "google_organization" "org" { 36 | organization = "organizations/${var.org_id}" 37 | } 38 | /* Organization-wide binding for the CI service account. The role is read-only (organizationViewer), but it is granted at the organization rather than the test folder. NOTE(review): confirm org-level visibility is actually required by the group tests; a narrower scope would be preferable if not. */ 39 | resource "google_organization_iam_member" "sa_org" { 40 | for_each = toset([ 41 | "roles/resourcemanager.organizationViewer" 42 | ]) 43 | 44 | org_id = var.org_id 45 | role = each.value 46 | member = "serviceAccount:${data.terraform_remote_state.org.outputs.ci_gsuite_sa_email}" 47 | } 48 | 49 | # Create a temporary project to host group member service accounts to pass to the examples. 
50 | module "project" { 51 | source = "terraform-google-modules/project-factory/google" 52 | version = "~> 18.0" 53 | 54 | name = "ci-group" /* NOTE: "true" is passed as a string; the module coerces it to a bool, but a bare true is clearer. */ 55 | random_project_id = "true" 56 | org_id = var.org_id 57 | folder_id = var.folder_id 58 | billing_account = var.billing_account 59 | 60 | activate_apis = [ 61 | "cloudresourcemanager.googleapis.com", 62 | "serviceusage.googleapis.com" 63 | ] 64 | } 65 | /* Grants iam.serviceAccountAdmin to the CI service account on the temporary project only (scoped by module.project.project_id), not at the organization. Presumably this is what lets the example create the example-manager/example-member service accounts that gcloud.rb checks for — confirm against the example. */ 66 | resource "google_project_iam_member" "sa_project" { 67 | for_each = toset([ 68 | "roles/iam.serviceAccountAdmin" 69 | ]) 70 | 71 | project = module.project.project_id 72 | role = each.value 73 | member = "serviceAccount:${data.terraform_remote_state.org.outputs.ci_gsuite_sa_email}" 74 | } 75 | -------------------------------------------------------------------------------- /test/setup/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | /* These three outputs map 1:1 onto the required attributes of the same name in the InSpec profile (inspec.yml) and the test fixture variables. */ 17 | output "project_id" { 18 | value = module.project.project_id 19 | } 20 | 21 | output "domain" { 22 | value = data.google_organization.org.domain 23 | } 24 | 25 | output "suffix" { 26 | value = random_id.random_group_suffix.hex 27 | } 28 | -------------------------------------------------------------------------------- /test/setup/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | /* NOTE(review): none of these variables declares a type, so Terraform accepts any value; the fixture variables.tf constrains its inputs to string, and doing the same here would catch a mis-set tfvars early. */ 17 | variable "org_id" { 18 | description = "The numeric organization id" 19 | } 20 | 21 | variable "folder_id" { 22 | description = "The folder to deploy in" 23 | } 24 | 25 | variable "billing_account" { 26 | description = "The billing account id associated with the project, e.g. XXXXXX-YYYYYY-ZZZZZZ" 27 | } 28 | -------------------------------------------------------------------------------- /test/setup/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | /* NOTE(review): the test-setup provider constraints have no upper bound, unlike the module's own versions.tf (">= 3.67, < 8"). An open-ended ">=" lets a major provider release land in CI unreviewed; mirroring the module's upper bound here keeps the test environment reproducible. */ 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = ">= 3.53.0" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = ">= 3.53.0" 27 | } 28 | random = { 29 | source = "hashicorp/random" 30 | version = ">= 3.0" 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "id" { 18 | type = string 19 | description = "ID of the group. 
For Google-managed entities, the ID must be the email address of the group" 20 | } 21 | 22 | variable "display_name" { 23 | type = string 24 | description = "Display name of the group" 25 | default = "" 26 | } 27 | 28 | variable "description" { 29 | type = string 30 | description = "Description of the group" 31 | default = "" 32 | } 33 | 34 | variable "domain" { 35 | type = string 36 | description = "Domain of the organization to create the group in. One of domain or customer_id must be specified" 37 | default = "" 38 | } 39 | 40 | variable "customer_id" { 41 | type = string 42 | description = "Customer ID of the organization to create the group in. One of domain or customer_id must be specified" 43 | default = "" 44 | } 45 | 46 | variable "owners" { 47 | type = list(string) 48 | description = "Owners of the group. Each entry is the ID of an entity. For Google-managed entities, the ID must be the email address of an existing group, user or service account" 49 | default = [] 50 | } 51 | 52 | variable "managers" { 53 | type = list(string) 54 | description = "Managers of the group. Each entry is the ID of an entity. For Google-managed entities, the ID must be the email address of an existing group, user or service account" 55 | default = [] 56 | } 57 | 58 | variable "members" { 59 | type = list(string) 60 | description = "Members of the group. Each entry is the ID of an entity. For Google-managed entities, the ID must be the email address of an existing group, user or service account" 61 | default = [] 62 | } 63 | 64 | variable "initial_group_config" { 65 | type = string 66 | description = "The initial configuration options for creating a Group. See the API reference for possible values. Possible values are INITIAL_GROUP_CONFIG_UNSPECIFIED, WITH_INITIAL_OWNER, and EMPTY." 67 | default = "EMPTY" 68 | } 69 | 70 | variable "types" { 71 | type = list(string) 72 | description = "The type of the group to be created. 
More info: https://cloud.google.com/identity/docs/groups#group_properties" 73 | default = ["default"] /* Rejects any entry outside the four supported group types at plan time, so a typo cannot silently create a group of an unintended type. */ 74 | validation { 75 | condition = alltrue( 76 | [for t in var.types : contains(["default", "dynamic", "security", "external"], t)] 77 | ) 78 | error_message = "Valid values for group types are \"default\", \"dynamic\", \"security\", \"external\"." 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | /* Both providers are bounded above (< 8) so a major provider release cannot change this module's behaviour without a deliberate constraint bump; provider_meta only tags requests with the module name for usage attribution. */ 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.67, < 8" 24 | } 25 | google-beta = { 26 | source = "hashicorp/google-beta" 27 | version = ">= 3.67, < 8" 28 | } 29 | } 30 | 31 | provider_meta "google" { 32 | module_name = "blueprints/terraform/terraform-google-group/v0.8.0" 33 | } 34 | 35 | provider_meta "google-beta" { 36 | module_name = "blueprints/terraform/terraform-google-group/v0.8.0" 37 | } 38 | 39 | } 40 | --------------------------------------------------------------------------------