update to v0.5.10

README.md

@@ -17,8 +17,8 @@ You'll need:
   - a Bash-like shell environment on Linux, MacOS, or [WSL on Windows](https://learn.microsoft.com/en-us/windows/wsl/install).
   - [`git` installed](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git), although it
     is usually included on those platforms (check with `git --version`).
-  - an AWS account and credentials, as described in [Psoxy's AWS - Getting Started docs](https://github.com/Worklytics/psoxy/blob/v0.4.37/docs/aws/getting-started.md)
-  - the [prerequisites for Psoxy](https://github.com/Worklytics/psoxy/blob/v0.4.37/README.md#prerequisites)
+  - an AWS account and credentials, as described in [Psoxy's AWS - Getting Started docs](https://github.com/Worklytics/psoxy/blob/v0.5.9/docs/aws/getting-started.md)
+  - the [prerequisites for Psoxy](https://github.com/Worklytics/psoxy/blob/v0.5.9/README.md#prerequisites)
     itself, although this example will attempt to help you check those.
 
 ### Getting Started
@@ -36,7 +36,7 @@ Clone the resulting repo to your machine.  Example command below, just fill in y
 git clone https://github.com/{{YOUR_ORG_ID}}/{{YOUR_REPO_NAME}}.git
 ```
 
-1a. **Manual template setup** (if you *cannot* 'Use this template', perhaps because your organization doesn't use GitHub or you need to use a different git host, you can manually create a copy:
+- Alternatively **use template outside GitHub** (if you *cannot* 'Use this template', perhaps because your organization doesn't use GitHub or you need to use a different git host, you can manually create a copy:
    - Clone this repository to your local machine:
      ```shell
      git clone https://github.com/Worklytics/psoxy-example-aws.git
@@ -50,7 +50,7 @@ git clone https://github.com/{{YOUR_ORG_ID}}/{{YOUR_REPO_NAME}}.git
      ```shell
      git init
      git add .
-     git commit -m "Initial commit from psoxy-example-aws template"
+     git commit -m "Initial commit from psoxy-example template"
      ```
    - Create a new repository on your preferred git hosting service (GitLab, Bitbucket, etc.)
    - Add your new repository as the remote origin:
@@ -60,6 +60,14 @@ git clone https://github.com/{{YOUR_ORG_ID}}/{{YOUR_REPO_NAME}}.git
      git push -u origin main
      ```
 
+- Alternatively, **use this in a monorepo** (eg, you maintain a monorepo with lots of terraform configurations, and you want to add this to those)
+  - Clone this repository to your local machine and copy its contents (excluding hidden stuff like `.git` files into your monorepo)
+     ```shell
+     git clone https://github.com/Worklytics/psoxy-example-aws.git
+     rm -rf psoxy-example-aws/.git
+     cp -r psoxy-example-aws ${PATH_TO_MONO_REPO}/
+     ```
+
 2. Check your prereqs. Review versions and install anything needed.
 
 ```shell
@@ -72,6 +80,7 @@ git clone https://github.com/{{YOUR_ORG_ID}}/{{YOUR_REPO_NAME}}.git
    - if plan to get data from Google Workspace, auth [GCloud CLI](https://cloud.google.com/sdk/docs/authorizing) - `gcloud auth login` to authenticate, then `gcloud auth list` to verify you have expected account/user
    - if plan to get data from Microsoft 365, auth [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli) - `az login --allow-no-subscription` to authenticate, then `az account list` to verify you have expected account/user
 
+
 4. Initialize your configuration
 
 ```shell

google-workspace-variables.tf

@@ -5,7 +5,7 @@ variable "google_workspace_gcp_project_id" {
 
 variable "google_workspace_terraform_sa_account_email" {
   type        = string
-  description = "Email of GCP service account that will be used to provision GCP resources. Leave 'null' to use application default for you environment."
+  description = "DEPRECATED; use google_workspace_sa_to_impersonate instead. Email of GCP service account that will be used to provision GCP resources via impersonation. Leave 'null' to use application default for you environment."
   default     = null
 
   validation {
@@ -14,6 +14,28 @@ variable "google_workspace_terraform_sa_account_email" {
   }
 }
 
+variable "google_workspace_sa_to_impersonate" {
+  type        = string
+  description = "Email of GCP service account that will be used to provision GCP resources via impersonation. Leave 'null' to use application default for you environment."
+  default     = null
+
+  validation {
+    condition     = var.google_workspace_sa_to_impersonate == null || can(regex(".*@.*\\.iam\\.gserviceaccount\\.com$", var.google_workspace_sa_to_impersonate))
+    error_message = "The google_workspace_sa_to_impersonate value should be a valid GCP service account email address."
+  }
+}
+
+variable "google_workspace_terraform_principal_email" {
+  type        = string
+  description = "Email of GCP principal that will be used to provision GCP resources via impersonation. Leave 'null' to use application default for you environment."
+  default     = null
+
+  validation {
+    condition     = var.google_workspace_terraform_principal_email == null || can(regex(".*@.*", var.google_workspace_terraform_principal_email))
+    error_message = "The google_workspace_terraform_principal_email value should be a valid email address."
+  }
+}
+
 variable "google_workspace_example_user" {
   type        = string
   description = "user to impersonate for Google Workspace API calls (null for none)"
@@ -32,6 +54,17 @@ variable "google_workspace_provision_keys" {
   default     = true
 }
 
+variable "google_workspace_key_rotation_days" {
+  type        = number
+  description = "rotation period for the GCP Service Account keys, in days; not applicable if provision_gcp_sa_keys is false"
+  default     = 60
+
+  validation {
+    condition     = var.google_workspace_key_rotation_days > 0
+    error_message = "gcp_sa_keygoogle_workspace_key_rotation_days_rotation_days must be greater than 0"
+  }
+}
+
 locals {
   # tflint-ignore: terraform_unused_declarations
   some_google_connector_enabled                    = (length(setintersection(var.enabled_connectors, ["gcal", "gdirectory", "gdrive", "gmail", "google-meet", "google-chat", "gemini-for-workspace"])) > 0)

google-workspace.tf

@@ -2,12 +2,12 @@ provider "google" {
   alias = "google_workspace"
 
   project                     = var.google_workspace_gcp_project_id
-  impersonate_service_account = var.google_workspace_terraform_sa_account_email
+  impersonate_service_account = var.google_workspace_sa_to_impersonate != null ? var.google_workspace_sa_to_impersonate : var.google_workspace_terraform_sa_account_email # TODO: remove ternary in 0.6.x
 }
 
 
 module "worklytics_connectors_google_workspace" {
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-google-workspace?ref=v0.5.9"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-google-workspace?ref=v0.5.10"
 
   providers = {
     google = google.google_workspace
@@ -16,9 +16,11 @@ module "worklytics_connectors_google_workspace" {
   environment_id                 = var.environment_name
   enabled_connectors             = var.enabled_connectors
   gcp_project_id                 = var.google_workspace_gcp_project_id
+  tf_gcp_principal_email         = var.google_workspace_terraform_principal_email
   google_workspace_example_user  = var.google_workspace_example_user
   google_workspace_example_admin = var.google_workspace_example_admin
   provision_gcp_sa_keys          = var.google_workspace_provision_keys
+  gcp_sa_key_rotation_days       = var.google_workspace_key_rotation_days
   todos_as_local_files           = var.todos_as_local_files
 }
 

init

@@ -17,7 +17,7 @@
 #
 #
 # Testing:
-#   - within example directory, such as `infra/examples/aws-msft-365`:
+#   - within example directory, such as `infra/examples-dev/aws`:
 #     ../../../tools/init-example.sh ~/code/psoxy
 #
 #   to repeat:

main.tf

@@ -20,7 +20,7 @@ terraform {
 
 # general cases
 module "worklytics_connectors" {
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors?ref=v0.5.9"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors?ref=v0.5.10"
 
   enabled_connectors                       = var.enabled_connectors
   chat_gpt_enterprise_example_workspace_id = var.chat_gpt_enterprise_example_workspace_id
@@ -105,7 +105,7 @@ locals {
 }
 
 module "psoxy" {
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-host?ref=v0.5.9"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-host?ref=v0.5.10"
 
   environment_name                     = var.environment_name
   aws_account_id                       = var.aws_account_id
@@ -168,7 +168,7 @@ locals {
 module "connection_in_worklytics" {
   for_each = local.all_instances
 
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-psoxy-connection-aws?ref=v0.5.9"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-psoxy-connection-aws?ref=v0.5.10"
 
   proxy_instance_id    = each.key
   worklytics_host      = var.worklytics_host

msft-365.tf

@@ -1,7 +1,7 @@
 # BEGIN MSFT
 
 module "worklytics_connectors_msft_365" {
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-msft-365?ref=v0.5.9"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-msft-365?ref=v0.5.10"
 
   enabled_connectors                         = var.enabled_connectors
   environment_id                             = var.environment_name
@@ -46,7 +46,7 @@ data "aws_region" "current" {
 module "cognito_identity_pool" {
   count = local.msft_365_enabled ? 1 : 0 # only provision identity pool if MSFT-365 connectors are enabled
 
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-pool?ref=v0.5.9"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-pool?ref=v0.5.10"
 
   developer_provider_name = local.developer_provider_name
   name                    = "${local.env_qualifier}-azure-ad-federation"
@@ -68,7 +68,7 @@ locals {
 module "cognito_identity" {
   count = local.msft_365_enabled ? 1 : 0 # only provision identity pool if MSFT-365 connectors are enabled
 
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-identity-cli?ref=v0.5.9"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-identity-cli?ref=v0.5.10"
 
   aws_region       = data.aws_region.current.id
   aws_role         = var.aws_assume_role_arn
@@ -104,7 +104,7 @@ locals {
 module "msft_connection_auth_federation" {
   for_each = local.provision_entraid_apps ? local.enabled_to_entraid_object : local.shared_to_entraid_object
 
-  source = "git::https://github.com/worklytics/psoxy//infra/modules/azuread-federated-credentials?ref=v0.5.9"
+  source = "git::https://github.com/worklytics/psoxy//infra/modules/azuread-federated-credentials?ref=v0.5.10"
 
   application_id = each.value.connector_id
   display_name   = "${local.env_qualifier}AccessFromAWS"