feat: add group_roles request param for mapping group role names (#67)

Author: jackwotherspoon

README.md

@@ -224,12 +224,22 @@ An example JSON payload:
 {
     "iam_groups": ["[email protected]", "[email protected]"],
     "sql_instances": ["project:region:instance"],
+    "group_roles": {
+        "[email protected]": "engineering",
+        "[email protected]": "accounting"
+    },
     "private_ip": false
 }
 ```
 Where:
 - **iam_groups**: List of all IAM Groups to manage IAM database users of.
 - **sql_instances**: List of all Cloud SQL instances to configure.
+- **group_roles**(optional): Dictionary of IAM group emails as keys and group database
+    role names as values. The group database role name is the database role
+    that will be granted/revoked within GroupSync to each member of the
+    corresponding IAM group. Group role names default to the IAM group email
+    without the domain (everything before the @, i.e "[email protected]"
+    would have a default group role name of "iam-group".
 - **private_ip** (optional): Boolean flag for private or public IP addresses.
 
 **Note:** These are placeholder values and should be replaced with proper IAM groups and Cloud SQL instance connection names.

app.py

@@ -18,7 +18,7 @@
 from google.auth.transport.requests import Request
 import logging
 import google.cloud.logging
-from iam_groups_authn.sync import groups_sync
+from iam_groups_authn.sync import GroupRoleMaxLengthError, groups_sync
 
 # define OAuth2 scopes
 SCOPES = [
@@ -65,6 +65,13 @@ async def run_groups_authn():
             400,
         )
 
+    group_roles = body.get("group_roles", dict())
+    if type(group_roles) is not dict:
+        return (
+            "Incorrect type for request parameter: `group_roles`, should be dict/JSON",
+            400,
+        )     
+
     # try reading in private_ip param, default to False
     private_ip = body.get("private_ip", False)
     if type(private_ip) is not bool:
@@ -83,7 +90,13 @@ async def run_groups_authn():
         request = Request()
         creds.refresh(request)
 
-    # sync IAM groups to Cloud SQL instances
-    await groups_sync(iam_groups, sql_instances, creds, private_ip)
-
+    try:
+        # sync IAM groups to Cloud SQL instances
+        await groups_sync(iam_groups, sql_instances, creds, group_roles, private_ip)
+    except GroupRoleMaxLengthError as e:
+        logging.exception(f"Error during sync: {str(e)}")
+        return (
+            str(e),
+            400,
+        )
     return "Sync successful.", 200