getstrm/pace-extensions

Pace Extensions

BigQuery IAM Sync

Includes:

  • creation of a user groups table in BigQuery with a corresponding authorized view
  • a Cloud Function that syncs the user groups into that table
  • a Cloud Scheduler job that runs the Cloud Function on a schedule

Instructions

Applying the BigQuery IAM Sync requires a Google Workspace super-admin account. The first step is to mark the Google Auth Library as a trusted app: in the Google Admin console, open the third-party app access settings, click Add App and choose to add it by Client ID. The client ID of the Google Auth Library is 764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com. Complete the wizard to make it a trusted app.

The following APIs need to be enabled:

The BigQuery IAM Sync authenticates through Google Application Default Credentials (ADC). You need to create OAuth credentials for a Desktop application in the Google Cloud Console:

  • Go to the APIs & Services console, make sure you select the correct project
  • Click on Create Credentials and select OAuth client ID
  • Select Desktop application as the application type
  • Click on Create and download the credentials file. The file contains the OAuth client secret, so keep it out of version control.

To create the terraform resources, log in locally as the super-admin account with the --client-id-file flag set to the downloaded OAuth credentials file and the --scopes flag set to the following scopes: https://www.googleapis.com/auth/admin.directory.rolemanagement, https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly and https://www.googleapis.com/auth/cloud-platform.

for example:

gcloud auth application-default login \
 --client-id-file=<path/to/credentials/file.json> \
 --scopes=https://www.googleapis.com/auth/admin.directory.rolemanagement,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/cloud-platform

After login, set the quota project you want to use:

gcloud auth application-default set-quota-project <YOUR_PROJECT>

The resulting ADC file (by default ~/.config/gcloud/application_default_credentials.json) now holds a refresh token for the super-admin account with Directory API scopes. Revoke it with gcloud auth application-default revoke once the apply is done, rather than leaving it on the workstation.

When running terraform apply, either enter the values for the variables at the prompt or create an .envrc file (for use with direnv) with the following content beforehand:

export TF_VAR_region="<REGION>"
export TF_VAR_project="<PROJECT>"
export TF_VAR_organization_id="<ORGANIZATION_ID>"
export TF_VAR_customer_id="<CUSTOMER_ID>"
export TF_VAR_scheduler_region="<SCHEDULER_REGION>"
export TF_VAR_cron_schedule="<CRON_SCHEDULE>"

  • CUSTOMER_ID is the customer ID of the organization, shown in the Google Admin console.
  • SCHEDULER_REGION is the region where the Cloud Scheduler job is created. It can be the same as the region variable, but Cloud Scheduler is not available in every region, so check the Cloud Scheduler locations list before choosing one.
  • CRON_SCHEDULE is the schedule for Cloud Scheduler in cron format. For example, 0 0 * * * invokes the function every day at midnight.
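
Before running terraform apply it is worth checking, in one place, that the ADC on the workstation is really the super-admin's user credential, that every TF_VAR_* the module needs is set, and that the cron expression has the shape Cloud Scheduler accepts. The script below is an added example and is not part of the pace-extensions repository; it assumes the TF_VAR_* names from the .envrc above and gcloud's default ADC path on Linux/macOS. The same checks, minus the two scheduler variables, apply to the BigQuery IAM Check section further down.

```shell
#!/bin/sh
# Preflight for the BigQuery IAM Sync "terraform apply" described above.
# Added example, not code from the pace-extensions repository. It assumes the
# TF_VAR_* names from the .envrc above and gcloud's default ADC location.
set -u

ADC_FILE="${GOOGLE_APPLICATION_CREDENTIALS:-$HOME/.config/gcloud/application_default_credentials.json}"

# Report every missing or empty variable at once instead of failing on the
# first one; returns non-zero if any is missing.
require_vars() {
  missing=0
  for v in "$@"; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing: $v" >&2
      missing=1
    fi
  done
  return $missing
}

# Cloud Scheduler takes a 5-field unix-cron expression (minute hour
# day-of-month month day-of-week). This checks the shape using digits,
# '*', ',', '-' and '/'; it does not range-check the individual fields.
validate_cron() {
  printf '%s' "$1" | grep -Eq '^[0-9*,/-]+( [0-9*,/-]+){4}$'
}

# ADC produced by "gcloud auth application-default login" is a user refresh
# token of type "authorized_user". Anything else (for example a service
# account key pointed to by GOOGLE_APPLICATION_CREDENTIALS) is the wrong
# identity for this apply, which needs the super-admin's Directory API scopes.
check_adc() {
  if [ ! -f "$1" ]; then
    echo "no ADC file at $1; run gcloud auth application-default login" >&2
    return 1
  fi
  grep -q '"type": *"authorized_user"' "$1"
}

preflight() {
  require_vars TF_VAR_region TF_VAR_project TF_VAR_organization_id \
    TF_VAR_customer_id TF_VAR_scheduler_region TF_VAR_cron_schedule || return 1
  validate_cron "$TF_VAR_cron_schedule" || {
    echo "TF_VAR_cron_schedule is not a 5-field cron expression: $TF_VAR_cron_schedule" >&2
    return 1
  }
  check_adc "$ADC_FILE" || return 1
  echo "preflight ok: super-admin ADC present and all TF_VAR_* set; run terraform apply"
}

# Only run the checks when invoked explicitly, so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```

Run it as sh preflight.sh --check from the directory where direnv has loaded the .envrc. The authorized_user check is deliberate: if GOOGLE_APPLICATION_CREDENTIALS points at a service account key left over from other work, terraform would silently run as that service account and fail (or, worse, partially apply) without the Directory API scopes granted to the super-admin login.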

BigQuery IAM Check

Includes:

  • provisioning for a google_bigquery_connection using terraform
  • a Cloud Function that BigQuery calls as a UDF to check permissions; the service account key it uses is stored in Secret Manager and mounted as a secret. The key is a long-lived credential, so grant the service account only the roles the check needs and rotate the key.

Instructions

Applying the BigQuery IAM Check requires a Google Workspace super-admin account. The first step is to mark the Google Auth Library as a trusted app: in the Google Admin console, open the third-party app access settings, click Add App and choose to add it by Client ID. The client ID of the Google Auth Library is 764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com. Complete the wizard to make it a trusted app.

The following APIs need to be enabled:

The BigQuery IAM Check authenticates through Google Application Default Credentials (ADC). You need to create OAuth credentials for a Desktop application in the Google Cloud Console:

  • Go to the APIs & Services console, make sure you select the correct project
  • Click on Create Credentials and select OAuth client ID
  • Select Desktop application as the application type
  • Click on Create and download the credentials file

To create the terraform resources, log in locally as the super-admin account with the --client-id-file flag set to the downloaded OAuth credentials file and the --scopes flag set to the following scopes: https://www.googleapis.com/auth/admin.directory.rolemanagement, https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly and https://www.googleapis.com/auth/cloud-platform.

for example:

gcloud auth application-default login \
 --client-id-file=<path/to/credentials/file.json> \
 --scopes=https://www.googleapis.com/auth/admin.directory.rolemanagement,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/cloud-platform

After login, set the quota project you want to use:

gcloud auth application-default set-quota-project <YOUR_PROJECT>

When running terraform apply, either enter the values for the variables at the prompt or create an .envrc file (for use with direnv) with the following content beforehand:

export TF_VAR_region="<REGION>"
export TF_VAR_project="<PROJECT>"
export TF_VAR_organization_id="<ORGANIZATION_ID>"
export TF_VAR_customer_id="<CUSTOMER_ID>"

CUSTOMER_ID is the customer ID of the organization, shown in the Google Admin console.

About

Extensions repository for PACE integrations
