mozilla-iam/gsuite-community-drive-driver

G-Suite Community Drive Driver

About

This service creates and synchronizes Google Shared Drives (previously called Google Team Drives) with people.mozilla.org access groups. Each time an access group is created or the membership of that group changes, the associated Google Shared Drive is created or updated so that the members of the access group have access to it.

The syntax of the name of the Google Shared Drive is such that an access group called hr-admins would result in a Google Shared Drive called hr-admins_mozilliansorg.

This service was created to enable community members to access content in GSuite more easily.

Behavior

  1. Spin up on cron/event trigger.
  2. Scan the dynamodb table of all profiles.
  3. Build a group data structure from all profiles.
  4. Create a TeamDrive object from the library.
  5. Opportunistically create team drive.
  6. Reconcile the permissions list with the group membership by e-mail address, preferring a Mozilla.org address and falling back to a verified Google account.
  7. Return a proposal per drive of add / remove / noops.
  8. Execute the proposal for each set of ops.
  9. Finish
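As an added example (not the project's own code), the steps above modelled as a pure-Python reconciler: build the group structure from profiles, derive the drive name, choose each member's e-mail (Mozilla.org first, then a verified Google account), and emit an add / remove / noop proposal per drive. The profile and permission records are constructed sample data, and the field names (access_groups, emails, provider, verified) are assumptions, not the real people.mozilla.org schema.

```python
from collections import defaultdict

DRIVE_SUFFIX = "_mozilliansorg"
OWNER = "iam-robot@mozilla.com"  # drive owner from the FAQ; never touched by the reconciler


def drive_name(group):
    """Naming rule from the README: hr-admins -> hr-admins_mozilliansorg."""
    return f"{group}{DRIVE_SUFFIX}"


def pick_email(profile):
    """Prefer a mozilla.org address, then a verified Google account, else None.
    The shape of profile["emails"] is an assumption for this example."""
    for email in profile["emails"]:
        if email["address"].lower().endswith("@mozilla.org"):
            return email["address"].lower()
    for email in profile["emails"]:
        if email.get("verified") and email.get("provider") == "google":
            return email["address"].lower()
    return None


def build_groups(profiles):
    """Step 3: map group name -> set of member e-mails chosen by pick_email."""
    groups = defaultdict(set)
    for profile in profiles:
        email = pick_email(profile)
        if email is None:
            continue  # no usable address: nothing can be granted on the drive
        for group in profile["access_groups"]:
            groups[group].add(email)
    return groups


def propose(group_members, current_permissions):
    """Step 7 for one drive. current_permissions: {email: role} as the Drive API
    reports it. Anyone not coming from the access group is removed (see FAQ),
    except the owner. Everyone added gets the "writer" role."""
    current = {e.lower() for e in current_permissions} - {OWNER}
    return {
        "add": sorted(group_members - current),
        "remove": sorted(current - group_members),
        "noop": sorted(group_members & current),
    }


def reconcile(profiles, drives):
    """Steps 3-7 for every group. drives: {drive_name: {email: role}}.
    A drive that does not exist yet is flagged for creation (step 5) and
    reconciled against an empty permission list."""
    proposals = {}
    for group, members in build_groups(profiles).items():
        name = drive_name(group)
        proposals[name] = {
            "create": name not in drives,
            **propose(members, drives.get(name, {})),
        }
    return proposals


# Constructed sample data (not real profiles or drives).
PROFILES = [
    {"access_groups": ["hr-admins"],
     "emails": [{"address": "alice@mozilla.org"},
                {"address": "alice@gmail.com", "provider": "google", "verified": True}]},
    {"access_groups": ["hr-admins", "nda"],
     "emails": [{"address": "bob@gmail.com", "provider": "google", "verified": True}]},
    {"access_groups": ["hr-admins"],  # no mozilla.org or verified Google address
     "emails": [{"address": "carol@example.com", "provider": "github", "verified": True}]},
]
DRIVES = {
    "hr-admins_mozilliansorg": {OWNER: "organizer",
                                "alice@mozilla.org": "writer",
                                "mallory@gmail.com": "writer"},  # added by hand, not via a group
}

if __name__ == "__main__":
    for name, ops in reconcile(PROFILES, DRIVES).items():
        print(name, ops)
```

Running the sample proposes adding bob to hr-admins_mozilliansorg, removing the hand-added mallory, leaving alice alone, and creating nda_mozilliansorg with bob as its only member; carol gets nothing because she has no usable address. Step 8 (executing the proposal against the Drive API) is left to the real driver.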

Process Diagram

Process diagram image: docs/img/GSuite-Integration.png

FAQ

Q: Can a Mozilla Employee or Community Member delete the drive?

A: No. All members of the drive are equal, with the "writer" role. Only the drive owner can delete the drive; in this case "iam-robot@mozilla.com" owns the drive object.

Q: Will a leaked service account credential result in loss of data for our other team drives?

A: While this is not ideal, the impersonating credential only has access to the scopes and data it is granted in the GSuite console. This particular service account, "iam robot", is in its own sub-org and only has control of the drives it creates.

Q: How long does it take to get access?

A: The connector runs in about 10 seconds for add/remove operations.

Q: What happens if an admin messes up and adds people to the drive that don't belong?

A: The event trigger for the function runs every 10 minutes. Any member that was not added via Mozillians.org will be removed.

Deployment

Sample Credstash secret insert of the service account token for the SVC actor role:

credstash -r us-west-2 put -a gsuite-driver.token @/GSuite-Community-Driver-4ba74895df1f.json app=gsuite-driver

Deploy with the Serverless Framework from the mozillaiam/docker-sls container (your AWS credentials and the checkout are mounted into it):

docker run --rm -ti \
  -v ~/.aws:/root/.aws \
  -v `pwd`:/workspace \
  mozillaiam/docker-sls:latest \
  /bin/bash

sls plugin install -n serverless-python-requirements

sls deploy --stage dev --region us-west-2

About

A PoC of a GSuite integration with Mozilla IAM
