Open
- Add provisionUser flag to GoogleConfig; set on LEAD_MAINTAINERS, CORE_MAINTAINERS, and REGISTRY_MAINTAINERS roles
- Add firstName, lastName, googleEmailPrefix, and existingGWSUser fields to Member interface
- Provision GWS user accounts with random passwords, orgUnitPath for auto-licensing, and changePasswordAtNextLogin
- Import existing users into Pulumi state via existingGWSUser flag to avoid recreating accounts that already exist
- Export initial passwords as Pulumi secret stack output (pulumi stack output --show-secrets newGWSUserPasswords)
- Update group membership logic to prefer GWS email over personal email
- Add @pulumi/random dependency for password generation
- Add validation for googleEmailPrefix uniqueness and completeness
- Add tests for provisionUser roles and Google user fields
Summary
Adds Google Workspace user account provisioning so that members in certain roles automatically get a @modelcontextprotocol.io account, managed via Pulumi IaC.

Changes

New capabilities
- firstName, lastName, and googleEmailPrefix in roles with provisionUser: true get a GWS user account created automatically
- existingGWSUser: true are imported into Pulumi state (via { import: primaryEmail }) to avoid recreating accounts that already exist in Google Workspace
- changePasswordAtNextLogin: true. Passwords are exported as a Pulumi secret stack output (pulumi stack output --show-secrets newGWSUserPasswords)
- orgUnitPath: "/Members" — configure this OU in Google Admin Console with auto-license assignment for Workspace Business
- email field

Roles with provisionUser: true
- LEAD_MAINTAINERS (new Google config added)
- CORE_MAINTAINERS (new Google config added)
- REGISTRY_MAINTAINERS (existing Google config updated)

Members with GWS user fields (all existing users)
domdomegg, dsp-ant, jspahrsummers, rdimitrov, tadasant, toby

Files modified
- src/config/roles.ts: provisionUser to GoogleConfig, set on 3 roles
- src/config/utils.ts: firstName, lastName, googleEmailPrefix, existingGWSUser to Member
- src/config/users.ts
- src/google.ts: orgUnitPath
- scripts/validate-config.ts: googleEmailPrefix uniqueness and completeness
- scripts/test-config.ts
- package.json: @pulumi/random dependency

Deployment notes
- /Members OU in Google Admin Console and configure auto-license assignment for Workspace Business
- pulumi up — existing users will be imported, no new users created yet
- existingGWSUser: true flags from members (they are only needed for the first deploy)
- firstName, lastName, googleEmailPrefix to a member in a provisionUser role. After deploy, retrieve password with pulumi stack output --show-secrets newGWSUserPasswords

Verification
- npm run validate passes (with expected warnings for members missing profile fields)
- npm run test passes (22/22)
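
The googleEmailPrefix uniqueness and completeness validation named in this description could be written as follows; this is an added example, not the code in scripts/validate-config.ts. The `github` field, the `Findings` type, the function name, the allowed-character policy for the prefix, and treating a partially filled profile as an error (while a fully missing one is only a warning) are assumptions.

```typescript
// Added example. firstName, lastName, googleEmailPrefix and existingGWSUser are
// the fields named in the PR; `github`, Findings and validateGoogleUsers are assumed.
interface Member {
  github: string; // assumed identifier field
  firstName?: string;
  lastName?: string;
  googleEmailPrefix?: string;
  existingGWSUser?: boolean;
}
interface Findings { errors: string[]; warnings: string[] }

// Assumed policy for the local part: lowercase letters, digits, inner dots or hyphens.
const PREFIX_RE = /^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/;

function validateGoogleUsers(members: Member[]): Findings {
  const errors: string[] = [];
  const warnings: string[] = [];
  // Prototype-free object so a prefix such as "constructor" is not a false duplicate.
  const owners: Record<string, string> = Object.create(null);
  for (const m of members) {
    const fields = [m.firstName, m.lastName, m.googleEmailPrefix];
    const present = fields.filter((f) => f !== undefined && f.trim() !== "").length;
    if (present === 0) {
      // Nothing to provision: a warning, unless the import flag says an account exists.
      if (m.existingGWSUser) errors.push(`${m.github}: existingGWSUser set without profile fields`);
      else warnings.push(`${m.github}: missing GWS profile fields`);
      continue;
    }
    if (present < fields.length) {
      errors.push(`${m.github}: firstName, lastName and googleEmailPrefix must be set together`);
      continue;
    }
    const prefix = m.googleEmailPrefix as string;
    if (!PREFIX_RE.test(prefix)) {
      errors.push(`${m.github}: googleEmailPrefix "${prefix}" is not an allowed local part`);
      continue;
    }
    const owner = owners[prefix];
    if (owner !== undefined) errors.push(`${m.github}: googleEmailPrefix "${prefix}" already used by ${owner}`);
    else owners[prefix] = m.github;
  }
  return { errors, warnings };
}

// Constructed sample members (not from the repository).
const SAMPLE: Member[] = [
  { github: "alice", firstName: "Alice", lastName: "A", googleEmailPrefix: "alice", existingGWSUser: true },
  { github: "bob", firstName: "Bob", lastName: "B", googleEmailPrefix: "alice" },
  { github: "carol", firstName: "Carol", googleEmailPrefix: "carol" },
  { github: "dave" },
  { github: "erin", firstName: "Erin", lastName: "E", googleEmailPrefix: "Erin" },
];
```

Failing the run on any entry in `errors` keeps two members from being mapped to the same Workspace address before `pulumi up` creates or imports anything.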