Documentation ¶
Overview ¶
Package listgroups extracts all groups from a GCI directory using the Admin SDK API.
Triggered by ¶
Cloud Scheduler Job, through PubSub messages.
Instances ¶
Few, one per directory customer ID.
Output ¶
PubSub messages to a dedicated topic, formatted like Cloud Asset Inventory feed messages.
Cardinality ¶
- one-several: one extraction job is scaled into x queries.
- x = (number of domains in the GCI directory) x (36 email prefixes).
- email prefixes: a..z 0..9.
Automatic retrying ¶
Yes.
Is recursive ¶
Yes.
Domain Wide Delegation ¶
Yes. The service account used to run this cloud function must have domain-wide delegation and the following OAuth scopes:
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.domain.readonly
Key rotation strategy ¶
- A new service account key is created during the cloud function deployment in Cloud Build.
- The JSON key file is available to the cloud function as a local source file and is not persisted in git.
- The cloud function init function deletes any key but the current one.
- So, how to rotate the service account key? Just redeploy the cloud function.
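The one-to-several fan-out from the Cardinality section and the init-time rule "delete any key but the current one" above, as an added stdlib-only Go example that is not the package's own code: fanOut expands one extraction job into one query per (domain, prefix) pair, and staleKeys selects the keys to delete. The Admin SDK search form "email:<prefix>*", the GroupQuery layout, the customer ID, domains and key names are assumptions and constructed sample data.

```go
package main

import "fmt"

// emailPrefixes are the 36 prefixes a..z 0..9 from the Cardinality section:
// one groups query is issued per (domain, prefix) pair.
const emailPrefixes = "abcdefghijklmnopqrstuvwxyz0123456789"

// GroupQuery is one unit of work scaled out of a single extraction job.
// Query uses the Admin SDK group-search form "email:<prefix>*" (assumption:
// the package's real message layout is not shown on this page).
type GroupQuery struct {
	CustomerID string
	Domain     string
	Query      string
}

// fanOut expands one extraction job into len(domains) x 36 queries for one customer ID.
func fanOut(customerID string, domains []string) []GroupQuery {
	queries := make([]GroupQuery, 0, len(domains)*len(emailPrefixes))
	for _, d := range domains {
		for _, p := range emailPrefixes {
			queries = append(queries, GroupQuery{
				CustomerID: customerID,
				Domain:     d,
				Query:      fmt.Sprintf("email:%c*", p),
			})
		}
	}
	return queries
}

// staleKeys applies the init-time rule "delete any key but the current one":
// every key name except current is returned for deletion, in input order.
func staleKeys(keyNames []string, current string) []string {
	var stale []string
	for _, k := range keyNames {
		if k != current {
			stale = append(stale, k)
		}
	}
	return stale
}

func main() {
	// Constructed sample data, not values from a real directory.
	qs := fanOut("C0123abcd", []string{"example.com", "sandbox.example.com"})
	fmt.Println(len(qs), "queries, e.g.", qs[0].Domain, qs[0].Query)
	fmt.Println("keys to delete:", staleKeys([]string{"key-old1", "key-current", "key-old2"}, "key-current"))
}
```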
GCI authentication notes ¶
- Read the service account JSON key file created during the cloud function deployment.
- Get a Google JWT (JSON Web Token) configuration from: the key JSON file, the scopes, and the GCI user to impersonate (aka the subject, aka the super admin).
- Get an HTTP client from the jwtConfig.
- Get a clientOption from the HTTP client.
- Get a service from the admin directory package from the client option.
GCI request notes ¶
- "my_customer": As an account administrator, you can also use the my_customer alias to represent your account's customerId.
- Prefer the "directory_customer_id" to "my_customer" to narrow the execution time of the function in case of multiple directories, e.g. sandbox / managed.
Implementation example
package p

import (
	"context"

	"github.com/BrunoReboul/ram/services/listgroups"
	"github.com/BrunoReboul/ram/utilities/ram"
)

var global listgroups.Global
var ctx = context.Background()

// EntryPoint is the function to be executed for each cloud function occurrence
func EntryPoint(ctxEvent context.Context, PubSubMessage ram.PubSubMessage) error {
	return listgroups.EntryPoint(ctxEvent, PubSubMessage, &global)
}

func init() {
	listgroups.Initialize(ctx, &global)
}
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func EntryPoint ¶
EntryPoint is the function to be executed for each cloud function occurrence.
func Initialize ¶
Initialize is to be executed in the init() function of the cloud function to optimize the cold start.
Types ¶
type Global ¶
type Global struct {
// contains filtered or unexported fields
}
Global is the structure for global variables used to optimize the cloud function performance.
type InstanceDeployment ¶ added in v0.0.24
type InstanceDeployment struct {
	DumpTimestamp time.Time `yaml:"dumpTimestamp"`
	Artifacts     struct {
		JobName   string `yaml:"jobName"`
		TopicName string `yaml:"topicName"`
		Schedule  string
	}
	Core     *deploy.Core
	Settings struct {
		Service struct {
			GSU                     gsu.Parameters
			IAM                     iamgt.Parameters
			GCB                     gcb.Parameters
			GCF                     gcf.Parameters
			KeyJSONFileName         string `yaml:"keyJSONFileName"`
			LogEventEveryXPubSubMsg uint64 `yaml:"logEventEveryXPubSubMsg"`
			MaxResultsPerPage       int64  `yaml:"maxResultsPerPage"`
			OutputTopicName         string `yaml:"outputTopicName"`
		}
		Instance struct {
			GCI struct {
				DirectoryCustomerID string `yaml:"directoryCustomerID"`
				SuperAdminEmail     string `yaml:"superAdminEmail"`
			}
			SCH sch.Parameters
		}
	}
}
InstanceDeployment is the settings and artifacts structure.
func NewInstanceDeployment ¶ added in v0.0.24
func NewInstanceDeployment() *InstanceDeployment
NewInstanceDeployment creates a deployment structure with default settings set.
func (*InstanceDeployment) Deploy ¶ added in v0.0.24
func (instanceDeployment *InstanceDeployment) Deploy() (err error)
Deploy deploys a service instance.
func (*InstanceDeployment) ReadValidate ¶ added in v0.0.24
func (instanceDeployment *InstanceDeployment) ReadValidate() (err error)
ReadValidate reads and validates service and instance settings.
func (*InstanceDeployment) Situate ¶ added in v0.0.24
func (instanceDeployment *InstanceDeployment) Situate() (err error)
Situate complements the settings, taking into account the situation of the service and instance settings.
Source Files ¶
- core.go
- doc.go
- meth_instancedeployment_deploy.go
- meth_instancedeployment_deploygaeapp.go
- meth_instancedeployment_deploygcffunction.go
- meth_instancedeployment_deploygpstopic.go
- meth_instancedeployment_deploygrmprojectbindings.go
- meth_instancedeployment_deploygsuapi.go
- meth_instancedeployment_deployiamprojectroles.go
- meth_instancedeployment_deployiamserviceaccount.go
- meth_instancedeployment_deployschjob.go
- meth_instancedeployment_getserviceaccountkey.go
- meth_instancedeployment_readvalidate.go
- meth_instancedeployment_situate.go
- type_instancedeployment.go