hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Support security group in google_cloud_identity_group #7991

Open xingao267 opened 3 years ago

xingao267 commented 3 years ago

Community Note

Description

Currently, only Google groups are supported in the google_cloud_identity_group resource. We should support security group as well https://cloud.google.com/identity/docs/groups#group_types. To support this, we should allow specifying multiple labels in the resource (https://github.com/GoogleCloudPlatform/magic-modules/blob/master/products/cloudidentity/api.yaml#L110).

New or Affected Resource(s)

Potential Terraform Configuration

# Propose what you think the configuration to take advantage of this feature should look like.
# We may not use it verbatim, but it's helpful in understanding your intent.

References

xingao267 commented 3 years ago

API doc for how to upgrade a group to security group https://cloud.google.com/identity/docs/how-to/update-group-to-security-group

xingao267 commented 3 years ago

From the API doc, it seems I need to first create a regular Google group, and then update it to be a security group by adding an additional label. Is it possible with Terraform to create a security group in one terraform apply execution?

danopia commented 3 years ago

To confirm, Security Groups must be PATCHed into existence from a normal group. Otherwise this error is returned:

Error 400: Cannot create a security group directly

I attempted to describe the change to Terraform, which sees it as requiring replacement:

  # module.asdf.google_cloud_identity_group.self must be replaced
-/+ resource "google_cloud_identity_group" "self" {
      ~ create_time  = "2021-02-24T16:21:37.499934Z" -> (known after apply)
      ~ id           = "groups/asdfasdf" -> (known after apply)
      ~ labels       = { # forces replacement
          + "cloudidentity.googleapis.com/groups.security"         = ""
            # (1 unchanged element hidden)
        }
      ~ name         = "groups/asdfasdf" -> (known after apply)
      ~ update_time  = "2021-02-24T16:21:37.499934Z" -> (known after apply)
        # (2 unchanged attributes hidden)

      ~ group_key {
            id = "asdf@asdf.com"
        }
    }

So, if this provider learns how to PATCH group labels then that would be enough for basic support. However it would require two terraform apply passes as stated above. Addressing this would likely require adding some special casing 😄
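The configuration below is an added example written for this thread, not code from the provider or from any commenter; it shows the shape the issue's "Potential Terraform Configuration" section asks for and encodes the two-pass sequence danopia describes. The customer ID and group address are placeholders. Terraform cannot create the security group directly (the API returns the `Cannot create a security group directly` error quoted above), so the first `terraform apply` creates the plain Google group and a second apply with `-var=security_group=true` adds the `cloudidentity.googleapis.com/groups.security` label. That second step only works once the provider sends a PATCH for label changes; with the behaviour shown in the plan above, where `labels` forces replacement, it would destroy and recreate the group instead.

```hcl
# Toggle that drives the two-step creation: false on the first apply,
# true on the second. Assumption: the provider patches labels in place.
variable "security_group" {
  type    = bool
  default = false
}

resource "google_cloud_identity_group" "example" {
  display_name = "Example security group"

  # Placeholder: replace with the Cloud Identity customer ID
  # of the organisation, e.g. "customers/C0xxxxxxx".
  parent = "customers/C0EXAMPLE"

  group_key {
    # Placeholder group address in a domain owned by that customer.
    id = "sec-group@example.com"
  }

  # Every Cloud Identity group carries the discussion_forum label;
  # security groups additionally carry the groups.security label.
  # Both labels have an empty string as their value.
  labels = merge(
    { "cloudidentity.googleapis.com/groups.discussion_forum" = "" },
    var.security_group ? { "cloudidentity.googleapis.com/groups.security" = "" } : {}
  )

  # Guard against the replacement shown in the plan above: if a provider
  # version still forces replacement on a label change, the second apply
  # fails at plan time instead of deleting a group that IAM bindings may
  # reference, and its memberships with it.
  lifecycle {
    prevent_destroy = true
  }
}
```

Usage: `terraform apply` followed by `terraform apply -var=security_group=true`. Because the security label is what makes the group usable in IAM policies, keeping it in the Terraform state means a later removal of the label shows up as a diff in review rather than as a silent change made in the Admin console.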

melinath commented 1 year ago

More details on https://github.com/hashicorp/terraform-provider-google/issues/10570

melinath commented 1 year ago

b/245963372

jai commented 1 year ago

For some additional background: https://github.com/hashicorp/terraform-provider-googleworkspace/issues/113

supergrilo-cw commented 1 year ago

Friends, first of all, thank you for the provider support. Do you know when security label support will be available on workspace?