Skip to content

Commit 9d584ea

Browse files
pcarletonlocalden
authored andcommitted
Suppress googleworkspace permadiffs in preview output
- GroupSettings: ignoreChanges on isArchived (upstream hashicorp/terraform-provider-googleworkspace#398) - OrgUnit: drop the stale import option; it was only needed for the initial adopt and now triggers a re-compare on every preview
1 parent 56df7da commit 9d584ea

1 file changed

Lines changed: 31 additions & 27 deletions

File tree

src/google.ts

Lines changed: 31 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -20,32 +20,36 @@ ROLES.forEach((role: Role) => {
2020
description: role.description + ' \n(Managed by github.com/modelcontextprotocol/access)',
2121
});
2222

23-
new gworkspace.GroupSettings(role.google.group, {
24-
email: groups[role.google.group].email,
25-
26-
// Maximise visibility of group. It's visible in GitHub anyway
27-
whoCanViewMembership: 'ALL_IN_DOMAIN_CAN_VIEW',
28-
29-
// This specifies who can add/remove members. We want this to only be via this IaC.
30-
whoCanModerateMembers: 'NONE',
31-
whoCanLeaveGroup: 'NONE_CAN_LEAVE',
32-
whoCanJoin: 'INVITED_CAN_JOIN',
33-
34-
// Email groups allow anyone (including externals) to post
35-
// Non-email groups are not intended as mailing lists, so use the most restrictive settings
36-
// whoCanViewGroup is badly named, but actually means 'Permissions to view group messages'. See https://developers.google.com/workspace/admin/groups-settings/v1/reference/groups
37-
...(role.google.isEmailGroup
38-
? {
39-
whoCanPostMessage: 'ANYONE_CAN_POST',
40-
whoCanContactOwner: 'ALL_OWNERS_CAN_CONTACT',
41-
whoCanViewGroup: 'ALL_MEMBERS_CAN_VIEW',
42-
}
43-
: {
44-
whoCanPostMessage: 'ALL_OWNERS_CAN_POST',
45-
whoCanContactOwner: 'ALL_OWNERS_CAN_CONTACT',
46-
whoCanViewGroup: 'ALL_OWNERS_CAN_VIEW',
47-
}),
48-
});
23+
new gworkspace.GroupSettings(
24+
role.google.group,
25+
{
26+
email: groups[role.google.group].email,
27+
28+
// Maximise visibility of group. It's visible in GitHub anyway
29+
whoCanViewMembership: 'ALL_IN_DOMAIN_CAN_VIEW',
30+
31+
// This specifies who can add/remove members. We want this to only be via this IaC.
32+
whoCanModerateMembers: 'NONE',
33+
whoCanLeaveGroup: 'NONE_CAN_LEAVE',
34+
whoCanJoin: 'INVITED_CAN_JOIN',
35+
36+
// Email groups allow anyone (including externals) to post
37+
// Non-email groups are not intended as mailing lists, so use the most restrictive settings
38+
// whoCanViewGroup is badly named, but actually means 'Permissions to view group messages'. See https://developers.google.com/workspace/admin/groups-settings/v1/reference/groups
39+
...(role.google.isEmailGroup
40+
? {
41+
whoCanPostMessage: 'ANYONE_CAN_POST',
42+
whoCanContactOwner: 'ALL_OWNERS_CAN_CONTACT',
43+
whoCanViewGroup: 'ALL_MEMBERS_CAN_VIEW',
44+
}
45+
: {
46+
whoCanPostMessage: 'ALL_OWNERS_CAN_POST',
47+
whoCanContactOwner: 'ALL_OWNERS_CAN_CONTACT',
48+
whoCanViewGroup: 'ALL_OWNERS_CAN_VIEW',
49+
}),
50+
},
51+
{ ignoreChanges: ['isArchived'] }
52+
);
4953
});
5054

5155
// Create the organizational unit for MCP users
@@ -56,7 +60,7 @@ const mcpOrgUnit = new gworkspace.OrgUnit(
5660
description: 'Model Context Protocol',
5761
parentOrgUnitPath: '/',
5862
},
59-
{ import: 'id:03ph8a2z0nc6rsr', ignoreChanges: ['description'] }
63+
{ ignoreChanges: ['description'] }
6064
);
6165

6266
// Provision Google Workspace user accounts for members in roles with provisionUser

0 commit comments

Comments
 (0)