
terraform-google-group's Introduction

terraform-google-group

This module manages Cloud Identity Groups and Memberships using the Cloud Identity Group API.

Usage

Basic usage of this module is as follows:

# Required if using User ADCs (Application Default Credentials) for Cloud Identity API.
provider "google-beta" {
  user_project_override = true
  billing_project       = "<PROJECT_ID>"
}

module "group" {
  source  = "terraform-google-modules/group/google"
  version = "~> 0.6"

  id           = "[email protected]"
  display_name = "example-group"
  description  = "Example group"
  domain       = "example.com"
  owners       = ["[email protected]"]
  managers     = ["[email protected]"]
  members      = ["[email protected]"]
}

Functional examples are included in the examples directory.

Inputs

  • customer_id (string, default "", optional): Customer ID of the organization to create the group in. One of domain or customer_id must be specified.
  • description (string, default "", optional): Description of the group.
  • display_name (string, default "", optional): Display name of the group.
  • domain (string, default "", optional): Domain of the organization to create the group in. One of domain or customer_id must be specified.
  • id (string, required): ID of the group. For Google-managed entities, the ID must be the email address of the group.
  • initial_group_config (string, default "EMPTY", optional): The initial configuration options for creating a Group. See the API reference for possible values. Possible values are INITIAL_GROUP_CONFIG_UNSPECIFIED, WITH_INITIAL_OWNER, and EMPTY.
  • managers (list(string), default [], optional): Managers of the group. Each entry is the ID of an entity. For Google-managed entities, the ID must be the email address of an existing group, user or service account.
  • members (list(string), default [], optional): Members of the group. Each entry is the ID of an entity. For Google-managed entities, the ID must be the email address of an existing group, user or service account.
  • owners (list(string), default [], optional): Owners of the group. Each entry is the ID of an entity. For Google-managed entities, the ID must be the email address of an existing group, user or service account.
  • types (list(string), default ["default"], optional): The type of the group to be created. More info: https://cloud.google.com/identity/docs/groups#group_properties

Outputs

  • id: ID of the group. For Google-managed entities, the ID is the email address of the group.
  • name: Name of the group with the domain removed. For Google-managed entities, the ID is the email address of the group.
  • resource_name: Resource name of the group in the format groups/{group_id}, where group_id is the unique ID assigned to the group.

Limitations

The provider is still under development; the following are known issues or limitations:

  • Updating a google_cloud_identity_group_membership to remove a role fails with an error (link).

  • Updating a google_cloud_identity_group_membership to change the role of a member fails with the following error due to Terraform trying to create the new role assignment before/at the same time as the old one is removed. Rerunning the same deployment twice might resolve the issue.

    Error: Error creating GroupMembership: googleapi: Error 409: Error(4003): Cannot create membership '[email protected]' in 'groups/xxx' because it already exists.
    Details:
    [
      {
        "@type": "type.googleapis.com/google.rpc.ResourceInfo",
        "description": "Error(4003): Cannot create membership '[email protected]' in 'groups/xxx' because it already exists.",
        "owner": "domain:cloudidentity.googleapis.com",
        "resourceType": "cloudidentity.googleapis.com/Membership"
      },
      {
        "@type": "type.googleapis.com/google.rpc.DebugInfo",
        "detail": "[ORIGINAL ERROR] generic::already_exists: Error(4003): Cannot create membership '[email protected]' in 'groups/xxx' because it already exists.\ncom.google.ccc.hosted.api.oneplatform.cloudidentity.error.exceptions.OpAlreadyExistsException: Error(4003): Cannot create membership '[email protected]' in 'groups/xxx' because it already exists. [google.rpc.error_details_ext] { message: \"Error(4003): Cannot create membership \\'[email protected]\\' in \\'groups/xxx\\' because it already exists.\" details { [type.googleapis.com/google.rpc.ResourceInfo] { resource_type: \"cloudidentity.googleapis.com/Membership\" owner: \"domain:cloudidentity.googleapis.com\" description: \"Error(4003): Cannot create membership \\'[email protected]\\' in \\'groups/xxx\\' because it already exists.\" } } }"
      }
    ]

  • Only Google Groups are supported.

  • Last OWNER cannot be removed from a Google Group.

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

Permissions

A service account or user account needs the following roles to provision the resources of this module:

Google Cloud IAM roles

  • Service Usage Consumer: roles/serviceusage.serviceUsageConsumer on the billing project
  • Organization Viewer: roles/resourcemanager.organizationViewer if using domain instead of customer_id

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.

Google Workspace (formerly known as G Suite) roles

To make the service account a Group Admin, you must have Google Workspace Super Admin access for your domain. Follow Assigning an admin role to the service account for instructions.

To create groups as an end user, the caller is required to authenticate as a member of the domain, i.e. you cannot use this module to create a group under bar.com with a foo.com user identity.

After the groups have been created, the organization’s Super Admin, Group Admin or any custom role with Groups privilege can always modify and delete the groups and their memberships. In addition, the group’s OWNER and MANAGER can edit membership, and OWNER can delete the group. Documentation around the three group default roles (OWNER, MANAGER and MEMBER) can be found here.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Cloud Identity API: cloudidentity.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

To use the Cloud Identity Groups API, you must have Google Groups for Business enabled for your domain and allow end users to create groups.
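The IAM roles and API listed in the Permissions and APIs sections, expressed as Terraform for a deployer service account. This is an added example, not part of the module or its README; <BILLING_PROJECT_ID>, <ORG_ID> and <SA_EMAIL> are placeholders.

```hcl
# Added example (not the module's own code). Grants the deployer service
# account only the roles the README lists and enables the one API it needs.
# <BILLING_PROJECT_ID>, <ORG_ID> and <SA_EMAIL> are placeholders.

locals {
  deployer = "serviceAccount:<SA_EMAIL>"
}

# Cloud Identity calls are quota-counted against the billing project that the
# google-beta provider is configured with, so the caller needs this role there.
resource "google_project_iam_member" "service_usage_consumer" {
  project = "<BILLING_PROJECT_ID>"
  role    = "roles/serviceusage.serviceUsageConsumer"
  member  = local.deployer
}

# Only needed when the module is called with domain rather than customer_id,
# because the module then resolves the organization from the domain. Passing
# customer_id instead keeps the account out of organization-level IAM entirely.
resource "google_organization_iam_member" "organization_viewer" {
  org_id = "<ORG_ID>"
  role   = "roles/resourcemanager.organizationViewer"
  member = local.deployer
}

# The Cloud Identity API must be enabled on the project hosting the resources.
resource "google_project_service" "cloudidentity" {
  project            = "<BILLING_PROJECT_ID>"
  service            = "cloudidentity.googleapis.com"
  disable_on_destroy = false
}

# The Google Workspace Group Admin role is not a GCP IAM role: a Workspace
# Super Admin assigns it to the service account in the Admin console.
```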

Contributing

Refer to the contribution guidelines for information on contributing to this module.


terraform-google-group's Issues

Module replaces groups imported to terraform state

TL;DR

None of the possible values for initial_group_config match groups initially created via the admin console (UI). This leads to a replacement of the group.

Expected behavior

  • I can use this module with groups created via admin console.
  • I can specify the group resource identically to already existing groups so that I'm not forced to replace groups I'm going to manage via terraform
  • I can set initial_group_config to a value which doesn't lead to group replacement.

Observed behavior

I'm about to import google groups to my terraform state. The groups were created manually via the admin console.

The parameter initial_group_config defaults to "EMPTY" if left undefined in the terraform resource definition. "EMPTY" or any other possible value (INITIAL_GROUP_CONFIG_UNSPECIFIED, WITH_INITIAL_OWNER) forces the group to be recreated/replaced.

Without replacing the groups it's not possible to use this module for groups initially created outside of terraform.

Temporary workaround

I forked this module and added initial_group_config to lifecycle.ignore_changes.

Possible Fix

I think it should be fixed by making this line dynamic depending on whether INITIAL_GROUP_CONFIG_UNSPECIFIED is set.

Terraform Configuration

1. Create a google group `foobar` with email `foo@bar.de` via admin.google.com.
2. Add `email@address.de` as owner.
3. Import (`terraform import`) group to `module.foobar.google_cloud_identity_group.group` and membership to `module.foobar.google_cloud_identity_group_membership.owners["[email protected]"]`
4. Apply terraform


module "foobar" {
  source      = "terraform-google-modules/group/google"
  version     = "0.6.1"
  customer_id = "foo"

  id           = "[email protected]"
  display_name = "foobar"
  types        = ["default"]
  owners = [
    "[email protected]",
  ]
}


Terraform Version

Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v5.26.0

Additional information

No response

Add variable validation for customer_id

Something like the following

variable "customer_id" {
  description = "..."
  type        = string
  validation {
    condition     = can(regex("^customers/C0[a-z0-9]{7}$", var.customer_id))
    error_message = "Customer ID must be in the form customers/C0xxxxxxx."
  }
}

Service Account Impersonation fails

I'm using this group module to create and manage groups.

I am a Super Admin on Google Workspace. I created a Service Account in a given project and granted Group Admin on Google Workspace to that Service Account.

This service account has Service Account Token Creator permission to my user. The Service Account has permissions to the project (right now, it's even set to owner, but I will restrict it when I get it working).

What I want to do is to use Service Account Impersonation to create and manage groups. This is what my provider.tf looks like:

provider "google-beta" {
  billing_project       = var.billing_project
  user_project_override = true
}

provider "google" {
  alias = "tokengen"
}

data "google_client_config" "default" {
  provider = google.tokengen
}

data "google_service_account_access_token" "sa" {
  provider               = google.tokengen
  target_service_account = "[email protected]"
  lifetime               = "600s"

  scopes = [
    "https://www.googleapis.com/auth/cloud-platform",
  ]
}

data "google_service_account_access_token" "service_account_state_bucket" {
  provider               = google.tokengen
  target_service_account = "[email protected]"
  lifetime               = "600s"

  scopes = [
    "https://www.googleapis.com/auth/cloud-platform"
  ]
}

provider "google" {
  access_token = data.google_service_account_access_token.sa.access_token
  project      = "mgm"
}

If I comment out the last bit of code (below), Terraform works. But I'm assuming it's using my gcloud credentials, instead of the SA:

provider "google" {
  access_token = data.google_service_account_access_token.sa.access_token
  project      = "mgm"
}

This is the error I get when trying to run with the SA, with customer_id set but not domain:

│ Error: Error when reading or editing CloudIdentityGroup "groups/xxxxxxx": googleapi: Error 403: Your application has 
authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the 
cloudidentity.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account 
through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in 
your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may 
need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-
User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.
│ Details:
│ [   
│   { 
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",                                     
│     "metadata": {                                                            
│       "consumer": "projects/123456789",                  
│       "service": "cloudidentity.googleapis.com"                
│     },
│     "reason": "SERVICE_DISABLED"
│   }                                                
│ ]                                                  
│                                                    
│   with module.group["[email protected]"].google_cloud_identity_group.group,
│   on .terraform/modules/group/main.tf line 35, in resource "google_cloud_identity_group" "group":
│   35: resource "google_cloud_identity_group" "group" {                                                                  
│                                                       

and, if I have domain set, but not customer_id, I get:

╷
│ Error: Organization not found: domainhere.com
│
│   with module.group["[email protected]"].data.google_organization.org[0],
│   on .terraform/modules/group/main.tf line 17, in data "google_organization" "org":
│   17: data "google_organization" "org" {
│
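A provider setup that applies the impersonated identity to the provider the module actually uses. Added example, not from the issue or the module; it assumes the module's resources are created through the google-beta provider (as the README's Usage configures) and that the service account already holds the roles from the README's Permissions section. <SA_EMAIL>, <BILLING_PROJECT_ID> and <CUSTOMER_ID> are placeholders.

```hcl
# Added example (not from the issue). Assumes the module's resources use the
# google-beta provider, as in the README's Usage block. Placeholders:
# <SA_EMAIL>, <BILLING_PROJECT_ID>, <CUSTOMER_ID>.

# Impersonation instead of a downloaded key: the caller needs only
# roles/iam.serviceAccountTokenCreator on the target service account, and no
# long-lived credential is written to disk.
provider "google" {
  project                     = "<BILLING_PROJECT_ID>"
  impersonate_service_account = "<SA_EMAIL>"
}

# Cloud Identity rejects plain end-user ADC credentials (the 403 above). The
# impersonated identity and a quota project therefore have to be set on this
# provider as well, not only on the google provider configured in the issue.
provider "google-beta" {
  impersonate_service_account = "<SA_EMAIL>"
  user_project_override       = true
  # The Cloud Identity API must be enabled in this project; the 403 above
  # reports reason SERVICE_DISABLED for the consumer (quota) project.
  billing_project = "<BILLING_PROJECT_ID>"
}

module "group" {
  source  = "terraform-google-modules/group/google"
  version = "~> 0.6"

  # customer_id skips the data.google_organization lookup that produced
  # "Organization not found" above, and with it the need for
  # roles/resourcemanager.organizationViewer (README, Permissions).
  customer_id  = "<CUSTOMER_ID>"
  id           = "example-group@example.com"
  display_name = "example-group"
  owners       = ["owner@example.com"]
}
```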

How to get email address of a member which was created by google-group?

Hi,

After creating a group with this module, I'm finding the email address with:

data "google_cloud_identity_group_memberships" "all_members" {
   group = "group/xxx"
}

locals {
   member_existance = data.google_cloud_identity_group_memberships.all_members.memberships[*].member_key[0].id
}

And I got this error:
This object does not have an attribute named "member_key".

I see that member_key is just an optional attribute and it's displayed if we use it directly with:
resource "google_cloud_identity_group_membership" "memberships"
like here: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_identity_group_membership

How can I solve it? Many thanks.

Account deleted from org. Terraform fails.

TL;DR

Org with accounts, groups, etc, managed through Terraform (terraform apply working fine)

A user had his account removed from the organization (through Admin panel). This user was in a group managed through Terraform, using this module.

Terraform fails with:

│ Error: Error when reading or editing CloudIdentityGroupMembership "groups/xxxxxxx/memberships/1231233333333331123123": googleapi: Error 403: Error(2028): Permission denied for resource groups/xxxxxx/memberships/12312312321 (or it may not exist).

Expected behavior

Terraform (and this module) identify the missing resource and offer to recreate or remove from the state file.

Observed behavior

Terraform fails and blocks the module usage.

Terraform Configuration

module "group" {
  source  = "terraform-google-modules/group/google"
  version = "~> 0.3"

  id           = var.iam_group.group_id
  display_name = var.iam_group.display_name
  description  = var.iam_group.description
  domain       = var.groups_domain
  owners       = var.iam_group.owners
  managers     = var.iam_group.managers
  members      = var.iam_group.members
}

  team_xpto = {
    group_id     = "[email protected]",
    display_name = "(TF) Team XPTO Team",
    description  = "Terraform managed group for Team XPTO team",
    owners       = [],
    managers     = [],
    members      = [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",   # <<<--- user removed, for example
    ],
  },

variable "group_obj" {
  type = map(object({
    group_id     = string
    display_name = string
    description  = string
    owners       = list(string)
    managers     = list(string)
    members      = list(string)
  }))
}

Terraform Version

Terraform v1.0.9
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v3.90.1
+ provider registry.terraform.io/hashicorp/google-beta v3.90.1
+ provider registry.terraform.io/hashicorp/null v3.1.0

and

source  = "terraform-google-modules/group/google"
version = "~> 0.3"

Additional information

No response

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.


Detected dependencies

regex
Makefile
  • cft/developer-tools 1.20
build/int.cloudbuild.yaml
  • cft/developer-tools 1.20
build/lint.cloudbuild.yaml
  • cft/developer-tools 1.20
terraform
examples/simple_example/main.tf
  • terraform-google-modules/group/google ~> 0.6
  • terraform-google-modules/group/google ~> 0.6
test/fixtures/simple_example/main.tf
test/setup/main.tf
  • terraform-google-modules/project-factory/google ~> 14.0
test/setup/versions.tf
  • google >= 3.53.0
  • google-beta >= 3.53.0
  • random >= 3.0
  • hashicorp/terraform >= 0.13
versions.tf
  • google >= 3.67, < 6
  • google-beta >= 3.67, < 6
  • hashicorp/terraform >= 0.13


Document whether/how to use for public google groups (@googlegroups.com)

TL;DR

I'd like to use terraform to manage several public google groups for an open source project. It's unclear whether or how this module might be used for groups in the googlegroups.com domain.

Terraform Resources

terraform-google-modules/group/google

Detailed design

I have a terraform repo that currently manages aws and github resources for a small number of users in an open source project (https://biocommons.org). To continue this direction, I would now like to add 6 public Google groups (e.g., biocommons-announce).

The goal is ultimately to be able to add and remove people, especially those with privileged project roles, using IAC rather than a UI.

Need documentation of limitation: owners, managers, members must be non-overlapping sets

TL;DR

Defining a group with a user in both the owners set and the managers set yields an error because the membership relation already exists.

Expected behavior

Any one of:

  • Expected user to have all associated roles
  • Exclusivity noted as needed during "plan" phase
  • Documentation noting that exclusivity is required for success

Observed behavior

Error:
Error: Error creating GroupMembership: googleapi: Error 409: Error(4003): Cannot create membership '#####@#####.com in 'groups/#########' because it already exists.

Terraform Configuration

provider "google" {
  project     = "###projectname"
  region      = "###region"
}

provider "google-beta" {
  billing_project       = "###projectname"
  user_project_override = true
}

module "gcp-users-group" {
  source  = "terraform-google-modules/group/google"
  version = "~> 0.4"

  id           = "[email protected]"
  display_name = "GCP Users"
  description  = "Users - managed by Terraform"
  domain       = "domain.com"
  owners       = ["[email protected]"]
  managers     = ["[email protected]"]
  members      = ["[email protected]"]
}

Terraform Version

Terraform v1.3.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.54.0
+ provider registry.terraform.io/hashicorp/google-beta v4.53.1

Additional information

No response

Set proper type declarations for variables

TL;DR

The variables should have proper types instead of "" for all of their defaults.

Expected behavior

Using the module works with TF_VAR_... environment variables.

Observed behavior

Module errors out:

 Error: Invalid for_each argument

   on main.tf line 80, in resource "google_cloud_identity_group_membership" "members":
   80:   for_each = var.members
     ├────────────────
     │ var.members is "[\"foo\",\"bar\",\"baz\"]"
│
│ The given "for_each" argument value is unsuitable: the "for_each" argument
│ must be a map, or set of strings, and you have provided a value of type
│ string.

Terraform Configuration

# I am using terragrunt, which inputs variables as env vars:

terraform {
  source = "git::https://github.com/terraform-google-modules/terraform-google-group.git?ref=v0.4.0"
}

include "root" {
  path = find_in_parent_folders()
}

inputs = {
  id           = "[email protected]"
  display_name = "my-group"
  description  = "foo-group"
  domain       = "example.com"
  managers     = ["[email protected]"]
  owners       = []
  members = [
    "[email protected]",
    "[email protected]",
    "[email protected]",
  ]
}

Terraform Version

1.3.6

terragrunt 0.42.3

Additional information

No response
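A wrapper around the module that addresses both the typing issue above (JSON passed through TF_VAR_* or terragrunt is decoded into lists only when the variable has a non-string type) and the non-overlapping-roles issue earlier on this page (one membership exists per principal, so a second role collides with it; see the Error 409 / Error(4003) in the Limitations section). Added example, not the module's own variables.tf; group_id, domain and roles are assumed wrapper variables.

```hcl
# Added example (not the module's code): typed inputs plus a plan-time check
# that no principal appears in more than one role list. group_id, domain and
# roles are wrapper variables assumed for this example.

variable "group_id" {
  description = "Group email address (the ID for Google-managed groups)."
  type        = string
  validation {
    condition     = can(regex("^[^@\\s]+@[^@\\s]+$", var.group_id))
    error_message = "group_id must be the group's email address."
  }
}

variable "domain" {
  description = "Domain of the organization the group is created in."
  type        = string
}

variable "roles" {
  description = "Principals per group role. Each address may appear in exactly one list."
  # A typed object: TF_VAR_roles='{"members":["a@example.com"]}' is decoded
  # into this structure instead of arriving as a string (the for_each error
  # in the issue above).
  type = object({
    owners   = optional(list(string), [])
    managers = optional(list(string), [])
    members  = optional(list(string), [])
  })
  default = {}

  validation {
    # The API keeps one membership per principal, so a second role for the
    # same address fails with "already exists". The three lists are pairwise
    # disjoint exactly when their concatenation contains no duplicates; this
    # also rejects the same address listed twice in one role.
    condition = (
      length(concat(var.roles.owners, var.roles.managers, var.roles.members)) ==
      length(distinct(concat(var.roles.owners, var.roles.managers, var.roles.members)))
    )
    error_message = "owners, managers and members must be non-overlapping sets: give each address exactly one role."
  }
}

module "group" {
  source  = "terraform-google-modules/group/google"
  version = "~> 0.6"

  id           = var.group_id
  display_name = split("@", var.group_id)[0]
  domain       = var.domain
  owners       = var.roles.owners
  managers     = var.roles.managers
  members      = var.roles.members
}
```

The validation fails at plan time, before any membership API call is made, which is the behaviour the non-overlapping-roles issue asked for.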

Terraform provider not finding organisation

TL;DR

Using the terraform-google-modules provider to manage GWS groups, it's not able to find my GCP/GWS organisation; however, I specified it in the domain attribute. I'm not seeing any open issues online (here/Stack Overflow) about this; apologies if it's something on my end.
Authenticating via service account with the relevant permissions assigned.

Expected behavior

Terraform should create & manage GWS groups

Observed behavior

│ Error: Organization not found: testdomain.com

│ with module.group.data.google_organization.org[0],
│ on .terraform/modules/group/main.tf line 17, in data "google_organization" "org":
│ 17: data "google_organization" "org" {

Terraform Configuration

module "group" {
  source  = "terraform-google-modules/group/google"
  version = "~> 0.6"
  
  id           = var.group_id
  display_name = var.name
  description  = "Test Google Group via Terraform"
  domain       = "testdomain.com"
  owners       = var.owners
  managers     = var.managers
  members      = var.members
}

Terraform Version

v1.5.7

Additional information

No response
