Google Group Access Strategy

Have you configured the custom Google Workspace Admin Role?

In order for Sym to be able to manage Google Group memberships, you will need to:

  • Define a gcp_connector module with enable_google_group_management = true
  • Grant the service account permissions to manage Group memberships, via a custom role created in the Google Workspace Admin console.

If you have not set up the service account and permissions yet, please see the main Google docs first.

Add Google Group Access Targets

Define sym_target resources with type = google_group for all of the Google Groups that you wish to manage access to. Google Group Access Targets have two settings:

  • group_email: The email of the Google Group being managed.
  • role: The role to assign the user when adding them to the Group.
    • The value may be one of: ADMIN, MANAGER, or MEMBER
    • For more information about Google Group roles, see the Google Workspace docs.

resource "sym_target" "super_user_google_group" {
  type = "google_group"
  name = "google-group-super-users"

  label = "Super Users"

  settings = {
    group_email = "[email protected]"
    role        = "MEMBER"
  }
}

resource "sym_target" "read_only_google_group" {
  type = "google_group"
  name = "google-group-read-only"

  label = "Read Only"

  settings = {
    group_email = "[email protected]"
    role        = "MEMBER"
  }
}

Add a Google Group Access Strategy

Define a sym_strategy resource with type = google_group and include the google Integration created by the gcp_connector module, and the google_group Access Targets you defined above.


resource "sym_strategy" "google_group" {
  type           = "google_group"
  name           = "google-group-strategy"
  integration_id = module.gcp_connector.sym_integration.id
  targets        = [sym_target.super_user_google_group.id, sym_target.read_only_google_group.id]
}
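
As an added example (not from Sym's own docs), the two targets and the strategy above can instead be generated from a single validated map, so a mistyped role fails at plan time and an omitted role defaults to MEMBER. The variable name, map keys and example.com addresses are constructed placeholders, and optional() with a default assumes Terraform 1.3 or later.

```hcl
# Added example: replaces the hand-written sym_target and sym_strategy blocks above.
# var.google_groups, its keys and the example.com addresses are constructed placeholders.
variable "google_groups" {
  description = "Google Groups that Sym may grant access to, keyed by target name suffix."

  type = map(object({
    label       = string
    group_email = string
    role        = optional(string, "MEMBER") # least-privileged role unless stated otherwise
  }))

  default = {
    "super-users" = { label = "Super Users", group_email = "super-users@example.com" }
    "read-only"   = { label = "Read Only", group_email = "read-only@example.com" }
  }

  # Reject anything outside the three roles a google_group Access Target accepts.
  validation {
    condition = alltrue([
      for g in values(var.google_groups) : contains(["ADMIN", "MANAGER", "MEMBER"], g.role)
    ])
    error_message = "Each role must be one of ADMIN, MANAGER, or MEMBER."
  }
}

# One Access Target per map entry.
resource "sym_target" "google_group" {
  for_each = var.google_groups

  type  = "google_group"
  name  = "google-group-${each.key}"
  label = each.value.label

  settings = {
    group_email = each.value.group_email
    role        = each.value.role
  }
}

# The strategy picks up every generated target, so the list cannot drift from the map.
resource "sym_strategy" "google_group" {
  type           = "google_group"
  name           = "google-group-strategy"
  integration_id = module.gcp_connector.sym_integration.id
  targets        = [for t in sym_target.google_group : t.id]
}
```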

Add the Google Group Strategy to your Flow

In your sym_flow resource, reference your sym_strategy as the strategy_id in your Flow Parameters.

resource "sym_flow" "this" {
  name  = "google-group-access"
  label = "Google Group Access"

  # ... other Flow attributes not shown

  params = {
    strategy_id = sym_strategy.google_group.id

    # ... other Flow params not shown
  }
}

Full Example

You can find the complete code for this example in our Google Group Access Strategy Example.