DeviaVir / terraform-provider-gsuite

A @HashiCorp Terraform provider for managing G Suite resources.
MIT License

As a non-admin user, can I use this provider? #178

Open damaya opened 3 years ago

damaya commented 3 years ago

Hi @DeviaVir, I have tested the provider, and it works very well using admin credentials. Thanks for this.

However, I have this question: does this provider work if we use an impersonated email without admin privileges, do you have some workaround in progress, or are we limited by the same scope as the Google API itself?

Scenario

  1. As a non-admin user, e.g. developerx@anycompany.com, I am able to create groups from the G Suite workspace https://groups.google.com/all-groups

  2. As the same non-admin user developerx@anycompany.com, I use the gcloud credentials and the plan works as expected, but I cannot import any of the pre-existing groups; through this provider I could not create/manage any of the G Suite resources I had created manually before.

  3. Taking points 1 and 2, I am using the provider like this; as I said before, it worked perfectly with an admin user, but in the second scenario it did not:

```hcl
provider "gsuite" {
  oauth_scopes = [
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/apps.groups.settings",
  ]

  impersonated_user_email = var.impersonated_user_email
  credentials             = var.gsuite_credentials
}
```

where impersonated_user_email is developerx@anycompany.com, and credentials is the path to the JSON data I get when I authenticate with gcloud, for example "/home/developerx/.config/gcloud/application_default_credentials.json"

  1. Importing a pre-existing group:

Having this resource coded like:

```hcl
resource "gsuite_group" "test" {
  email = "test@anycompany.com"
  name  = "Test"
}
```

Being sure the group already exists with the email "test@anycompany.com", I run the import command like:

```shell
terraform import gsuite_group.test "test@anycompany.com"
```

The error when importing a pre-existing group (which I can see from the GCP account and from the G Suite workspace) is this:

Error: [ERROR] Error fetching group. Make sure the group exists: Get "https://admin.googleapis.com/admin/directory/v1/groups/test%40anydomain.com?alt=json&prettyPrint=false": private key should be a PEM or plain PKCS1 or PKCS8; parse error: asn1: syntax error: sequence truncated
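One check worth running before `terraform import`, as an added example that is not part of this issue or of the provider's own code: the provider's `credentials` argument is meant to receive a service-account key export (`"type": "service_account"`, carrying a PEM `private_key`), whereas the file written by `gcloud auth application-default login` is of `"type": "authorized_user"` and contains only OAuth client settings and a refresh token, with no private key to parse at all. The Go snippet below classifies a credentials JSON file and, for a service-account key, verifies that `private_key` is PEM wrapping a PKCS#8 or PKCS#1 key. The project id, client email and both sample files are constructed for the example; `ClassifyCredentials` and `SampleServiceAccountJSON` are hypothetical helper names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// CredKind names what a Google credentials JSON file actually is.
type CredKind string

const (
	KindServiceAccount CredKind = "service_account" // IAM key export: client_email + private_key
	KindAuthorizedUser CredKind = "authorized_user" // gcloud ADC file: refresh token only, no private key
	KindUnknown        CredKind = "unknown"
)

// ClassifyCredentials reports which kind of file data is. For a service-account
// key it also checks that private_key is PEM wrapping a PKCS#8 or PKCS#1 key,
// which is what a JWT-signing (impersonation) flow has to be able to parse.
func ClassifyCredentials(data []byte) (CredKind, error) {
	var c struct {
		Type        string `json:"type"`
		ClientEmail string `json:"client_email"`
		PrivateKey  string `json:"private_key"`
	}
	if err := json.Unmarshal(data, &c); err != nil {
		return KindUnknown, fmt.Errorf("not a JSON credentials file: %w", err)
	}
	switch c.Type {
	case string(KindAuthorizedUser):
		// Shape of application_default_credentials.json: nothing here can sign,
		// so impersonated_user_email cannot be honoured with this file.
		return KindAuthorizedUser, errors.New("gcloud user credentials: no private_key, cannot impersonate")
	case string(KindServiceAccount):
		block, _ := pem.Decode([]byte(c.PrivateKey))
		if block == nil {
			return KindServiceAccount, errors.New("private_key is not PEM encoded")
		}
		if _, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
			return KindServiceAccount, nil
		}
		if _, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
			return KindServiceAccount, nil
		}
		return KindServiceAccount, errors.New("private_key is PEM but neither PKCS#8 nor PKCS#1 (truncated or damaged key?)")
	default:
		return KindUnknown, fmt.Errorf("unrecognised credential type %q", c.Type)
	}
}

// SampleServiceAccountJSON builds a constructed service-account key file with a
// freshly generated RSA key so the check runs offline. Project and email are
// hypothetical values, not a real account.
func SampleServiceAccountJSON() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	return json.Marshal(map[string]string{
		"type":         "service_account",
		"project_id":   "anycompany-example",
		"client_email": "terraform-gsuite@anycompany-example.iam.gserviceaccount.com",
		"private_key":  string(pemKey),
	})
}

// SampleAuthorizedUserJSON mirrors the shape of
// ~/.config/gcloud/application_default_credentials.json (constructed values).
const SampleAuthorizedUserJSON = `{"client_id":"000.apps.googleusercontent.com","client_secret":"x","refresh_token":"x","type":"authorized_user"}`

func main() {
	// Usage: go run . /path/to/credentials.json ; with no argument, only the samples run.
	inputs := map[string][]byte{"authorized_user sample": []byte(SampleAuthorizedUserJSON)}
	if sa, err := SampleServiceAccountJSON(); err == nil {
		inputs["service_account sample"] = sa
	}
	if len(os.Args) > 1 {
		if data, err := os.ReadFile(os.Args[1]); err == nil {
			inputs[os.Args[1]] = data
		}
	}
	for name, data := range inputs {
		kind, err := ClassifyCredentials(data)
		fmt.Printf("%s: %s (err: %v)\n", name, kind, err)
	}
}
```

Pointing this at the path used in the provider block tells you in one line whether the file can sign at all; an `authorized_user` result means the plan is running under the developer's own OAuth session rather than under an impersonating service account, and a non-PEM or unparseable key result is the condition a "parse error" on the private key corresponds to.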

DeviaVir commented 3 years ago

Are you sure var.gsuite_credentials is the JSON blob export of the service account key?

damaya commented 3 years ago

Hi @DeviaVir, yes I did; in fact everything worked perfectly for an admin user, but not for a non-admin. Thanks so much for your response.

damaya commented 3 years ago

Hi @DeviaVir, thanks again for your latest feedback and help. I have tried, but it seems that if a user is not an admin within the organization they cannot, e.g., take over or import existing groups, even when authenticated with the same credentials used from the web console. Would you please give me more hints about these use cases or limits? Maybe I can check and, by understanding this, make some contribution in the near future. Thanks in advance.