-
Notifications
You must be signed in to change notification settings - Fork 15
/
Copy pathgroups-settings.yaml
55 lines (50 loc) · 2.28 KB
/
groups-settings.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Shows how to fetch Google Groups settings and update them via a Cloud Audit logging to
# Pub/Sub sink.
#
# To setup:
# 1. Create a service account:
# gcloud iam service-accounts create groupsettings
# 2. Grant this service account Groups Editor in admin.google.com > Account > Admin Roles
# 3. Grant Service Account Token Creator permission to the service account that your function
# runs under for this new service account:
# gcloud iam service-accounts add-iam-policy-binding [email protected] \
# --member="serviceAccount:[email protected]" \
# --role="roles/iam.serviceAccountTokenCreator"
# 4. Create a Log Sink to Pub/Sub with a filter like:
# logName:"cloudaudit.googleapis.com%2Factivity" AND protoPayload.methodName:"GroupsService.UpdateGroup" AND protoPayload.metadata.groupDelta.action="CREATE"
# 5. Have the deployed function trigger on Pub/Sub topic where the audit messages are sent to.
#
retryPeriod: 3 day ago
processors:
- genericjson
- directory
directory:
api: groupsettings
## Set the following to correct service account:
# serviceAccountEmail: [email protected]
groupUniqueIds: "{{ data.protoPayload.metadata.group|replace('group:', '') }}"
outputs:
- type: logger
level: debug
message: |
Group settings: {{ results|first|json_encode }}
- type: groupssettings
group: "{{ data.protoPayload.metadata.group|replace('group:', '') }}"
## Set the following to correct service account:
# serviceAccountEmail: [email protected]
settings:
whoCanViewMembership: ALL_IN_DOMAIN_CAN_VIEW