is anyone out there managing their Workspace tenants in an infrastructure-as-code manner



Here’s a 🧵 topic: is anyone out there managing their Workspace tenants in an “infrastructure-as-code” (:buzzwords:) manner?


25 replies


I think you could kind of argue that GAM is doing that in a way, especially if you have multiple tenants set up. But the lack of APIs to the actual domain-wide admin settings makes it difficult to go much further than that, in my opinion.



#Airbnb is doing it!



where possible.



"Where possible" is a big asterisk there.



You could sort of argue that once you get the settings for a domain in place, they don’t need to change often, so user management is the biggest part of “managing” these environments; in that regard you could do most or all of it that way. I kind of think of “infrastructure-as-code” to mean that you can actually change the rest of that stuff, though.



i.e. how I can deploy an entire AWS instance for a client with one line of code, or how I can deploy a Meraki network to a client essentially the same way.



How you can finally do that for Chrome policies now. Which hopefully points to more detailed API endpoints in the rest of the console soon.



When will they ever support Terraform?



At Airbnb we did lots of GAM; it’s just not as nice as Terraform because of the lack of state.



Once “gam update chromepolicies” is also “gam update gmailsettings”...



You can kind of manage state with GAM, for example by using the bulk CSV operator: do a “get groups” first, check it against the desired state you have defined, and if they differ, push the update and fire an alert so Ops knows there was state drift.



At a previous job we built kind of a middle layer between our HR system and Google, where it would basically compare differences and use GAM commands to perform the updates, then at the end of all of the changes check everything again. Kind of messy, but it worked.



Had a customer that asked about this recently too. While individual settings aren't necessarily exposed via API, I think there is definitely a lot of granularity and control with being able to apply policy using groups now, which you can manage using the API.



Checking back in on what I’ve started here. We still need to define exactly what it would look like, but there’s some momentum to standardize the way we manage tools like Google Workspace in a more “engineering” manner. So yes, a large portion of that would be making changes via API rather than the admin console where possible. I think another part of the equation would be documenting changes via editing a config file in GitHub. Honestly, I’m a bit out of my depth because I like clicking around in the console. It makes sense to me. But I also like being employed, so if they tell me to do it differently I’ll be doing it differently 😆



Right. All the “stuff-as-a-service” terms are a bit made up, but to me “infrastructure-as-code” would be possible if you could read and change pretty much anything in the admin console. If, for instance, you had a set of things that you always change in every environment, such as security settings, or a SAML app you add for everyone or something like that, you should be able to set that all up via API. You should be able to write a script that could read a JSON or YAML file or something and completely deploy a new customer entirely with code. Likewise you would be able to audit settings that way as well, and you could save that configuration however you want.
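The GAM drift check described earlier in the thread (export current groups as CSV, compare against a defined desired state, push updates, alert on drift) and the config-file-driven deployment described in this post, combined as one added example that is not code from anyone in this thread. It assumes a constructed desired-state JSON file, a constructed sample of `gam print groups` CSV output (the column names are an assumption), and GAM's documented `gam create group` / `gam update group` syntax; groups that exist but are undeclared are flagged as drift for a human rather than deleted.

```python
import csv
import io
import json
import shlex
# Constructed sample of `gam print groups` CSV output (column names assumed, not real GAM headers).
CURRENT_GROUPS_CSV = """email,name,description
eng@example.com,Engineering,Engineering team
sales@example.com,Sales,Sales team
legacy@example.com,Legacy,Old group nobody remembers
"""
# Constructed desired state, as it might live in a reviewed JSON file in git.
DESIRED_STATE_JSON = """{"groups": [
  {"email": "eng@example.com", "name": "Engineering", "description": "Engineering team"},
  {"email": "sales@example.com", "name": "Sales", "description": "Sales org"},
  {"email": "security@example.com", "name": "Security", "description": "Security team"}
]}"""
FIELDS = ("name", "description")  # hypothetical: the group attributes we reconcile

def load_current(csv_text):
    return {row["email"]: row for row in csv.DictReader(io.StringIO(csv_text))}

def load_desired(json_text):
    return {g["email"]: g for g in json.loads(json_text)["groups"]}

def plan(current, desired):
    """Return (action, email, changes) tuples: create/update to reach desired
    state, and 'drift' for groups that exist but are not declared anywhere."""
    actions = []
    for email, want in desired.items():
        have = current.get(email)
        if have is None:
            actions.append(("create", email, {f: want[f] for f in FIELDS}))
            continue
        diff = {f: want[f] for f in FIELDS if have.get(f) != want[f]}
        if diff:
            actions.append(("update", email, diff))
    actions += [("drift", e, {}) for e in current if e not in desired]
    return actions

def to_gam_commands(actions):
    """Render the plan as GAM commands; drift is reported, never auto-deleted."""
    cmds = []
    for action, email, changes in actions:
        args = " ".join(f"{k} {shlex.quote(v)}" for k, v in changes.items())
        if action in ("create", "update"):
            cmds.append(f"gam {action} group {email} {args}")
        else:  # alert Ops instead of deleting: a human decides what the drift means
            cmds.append(f"# ALERT drift: {email} exists in Workspace but not in desired state")
    return cmds
```

Running the plan against a real tenant would mean replacing the constructed CSV with the actual GAM export and executing the emitted commands only after the plan has been reviewed.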



@ccoy2 One of the big advantages of infra-as-code vs console admin is code reviews. If an admin account gets compromised you are screwed (the Ubiquiti hack comes to mind), but if changes have to go through git then another engineer has to approve it, which is unlikely (hopefully). I'm working on a blog post about this that should be done soon, about Terraforming Okta for stronger security.



Would definitely be interested in reading that when it’s ready.



The reason we really got into it was that we had a weird fluke where Meraki’s configuration for a VPN that was pretty business critical just got corrupted cloud-side and disappeared from our configuration. I’ve used thousands of their devices over many years and this only happened once, but it really screwed us over for about a day. So we built the whole config in code, and then made a script to audit it every day. Easily modified for spinning up new environments too.



To answer your question @ccoy2, I exclusively manage my Workspace tenants with buzzword technology.



SEs as a Service



Sales Engineer, @flm369?



Exactly.



Well, solutions engineer. Same diff.



Would it be possible to [custom emoji] this thread?



The investment isn’t there.

If companies started providing things like their own custom Terraform providers to make this truly possible, there would be a lot more adoption. But IT Ops can barely get a decent asset management solution, let alone some super duper fancy IaC solution.

I wouldn’t hold my breath.
