Skip to content

Commit b177167

Browse files
jackwotherspoonjackwotherspoon
authored
feat: add group_roles request param for mapping group role names (#67)
1 parent cdb715f commit b177167

7 files changed

Lines changed: 444 additions & 120 deletions

File tree

README.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -224,12 +224,22 @@ An example JSON payload:
224224
{
225225
"iam_groups": ["group@test.com", "group2@test.com"],
226226
"sql_instances": ["project:region:instance"],
227+
"group_roles": {
228+
"group@test.com": "engineering",
229+
"group2@test.com": "accounting"
230+
},
227231
"private_ip": false
228232
}
229233
```
230234
Where:
231235
- **iam_groups**: List of all IAM Groups to manage IAM database users of.
232236
- **sql_instances**: List of all Cloud SQL instances to configure.
237+
- **group_roles**(optional): Dictionary of IAM group emails as keys and group database
238+
role names as values. The group database role name is the database role
239+
that will be granted/revoked within GroupSync to each member of the
240+
corresponding IAM group. Group role names default to the IAM group email
241+
without the domain (everything before the @, i.e "iam-group@test.com"
242+
would have a default group role name of "iam-group".
233243
- **private_ip** (optional): Boolean flag for private or public IP addresses.
234244

235245
**Note:** These are placeholder values and should be replaced with proper IAM groups and Cloud SQL instance connection names.

app.py

Lines changed: 17 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@
1818
from google.auth.transport.requests import Request
1919
import logging
2020
import google.cloud.logging
21-
from iam_groups_authn.sync import groups_sync
21+
from iam_groups_authn.sync import GroupRoleMaxLengthError, groups_sync
2222

2323
# define OAuth2 scopes
2424
SCOPES = [
@@ -65,6 +65,13 @@ async def run_groups_authn():
6565
400,
6666
)
6767

68+
group_roles = body.get("group_roles", dict())
69+
if type(group_roles) is not dict:
70+
return (
71+
"Incorrect type for request parameter: `group_roles`, should be dict/JSON",
72+
400,
73+
)
74+
6875
# try reading in private_ip param, default to False
6976
private_ip = body.get("private_ip", False)
7077
if type(private_ip) is not bool:
@@ -83,7 +90,13 @@ async def run_groups_authn():
8390
request = Request()
8491
creds.refresh(request)
8592

86-
# sync IAM groups to Cloud SQL instances
87-
await groups_sync(iam_groups, sql_instances, creds, private_ip)
88-
93+
try:
94+
# sync IAM groups to Cloud SQL instances
95+
await groups_sync(iam_groups, sql_instances, creds, group_roles, private_ip)
96+
except GroupRoleMaxLengthError as e:
97+
logging.exception(f"Error during sync: {str(e)}")
98+
return (
99+
str(e),
100+
400,
101+
)
89102
return "Sync successful.", 200

0 commit comments

Comments
 (0)