Here’s a 🧵 topic: is anyone out there managing their Workspace tenants in an “infrastructure-as-code” (:buzzwords:) manner?
I think you could kind of argue that GAM is doing that in a way, especially if you have multiple tenants set up. But the lack of APIs to the actual domain-wide admin settings makes it difficult to go much further than that, in my opinion
#Airbnb is doing it!
Where possible is a big asterisk there
You could sort of argue that once you get the settings for a domain in place, they don’t need to change often, so user management is the biggest part of “managing” these environments, so in that regard you could do most or all of it that way. I kind of think of “infrastructure-as-code” to mean that you can actually change the rest of that stuff though
i.e. how I can deploy an entire AWS instance for a client with one line of code. Or how I can deploy a Meraki network to a client essentially the same way
How you can finally do that for Chrome Policies now. Which hopefully points to more detailed API endpoints in the rest of the console soon
when will they ever support Terraform?
at Airbnb we did lots of GAM, it's just not as nice as terraform because of lack of state
once gam update chromepolicies is also gam update gmailsettings
gam update chromepolicies
gam update gmailsettings
You can kind of manage state for example with GAM by using the bulk CSV operator doing a get groups first, checking against the desired state you have defined, if they differ then push the update and fire an alert so Ops knows there was a state drift.
At a previous job we built kind of a middle layer between our HR system and Google, where it would basically compare differences and use GAM commands to perform the updates, then at the end of all of the changes check everything again. Kind of messy, but it worked
Had a customer that asked about this recently too. While individual settings aren't necessarily exposed via API, I think there is definitely a lot of granularity and control with being able to apply policy using groups now, which you can manage using the API.
Checking back in on what I’ve started here - we still need to define exactly what it would look like, but there’s some momentum to standardize the way we manage tools like Google Workspace in a more “engineering” manner. So yes a large portion of that would be making changes via API rather than admin console where possible. I think another part of the equation would be documenting changes via editing a config file in github. Honestly, I’m a bit out of my depth because I like clicking around in the console. It makes sense to me. But I also like being employed, so if they tell me to do it differently I’ll be doing it differently 😆
Right. All the “stuff-as-a-service” terms are a bit made up, but to me “infrastructure-as-code” would be possible if you could read and change pretty much anything in the admin console. If, for instance, you had a set of things that you always change in every environment, such as security settings, or a SAML app you add for everyone or something like that, you should be able to set that all up via API. You should be able to write a script that could read a JSON or YAML file or something and be able to completely deploy a new customer entirely with code. Likewise you would be able to audit settings that way as well, and you could save that configuration however you want
@ccoy2 One of the big advantages of infra-as-code vs console admin is code reviews. If an admin account gets compromised you are screwed (Ubiquiti hack comes to mind) but if changes have to go through git then another engineer has to approve it, which is unlikely (hopefully). I'm working on a blog post about this that should be done soon about Terraforming Okta for stronger security.
Would definitely be interested in reading that when it’s ready.
The reason we really got in to it was that we had a weird fluke where Meraki’s configuration for a VPN that was pretty business critical just got corrupted cloud side and disappeared from our configuration. I’ve used thousands of their devices over many years and this only happened once, but it really screwed us over for about a day. So we built the whole config in code, and then made a script to audit it every day. Easily modified for spinning up new environments too
to answer your question @ccoy2 I exclusively manage my workspace tenants with buzzword technology
SE's as a Service
Sales Engineer, @flm369?
Well, solutions engineer. Same diff
would it be possible to this thread?
The investment isn’t there.
If companies started providing things like their own custom terraform providers to make this truly possible there would be a lot more adoption. But IT Ops can barely get a decent Asset Management solution, let alone some super duper fancy IaC solution.
I wouldn’t hold my breath.