Skip to main content

Google Groups + Indent Webhook

This guide will show you how to create a webhook for Indent to communicate with for granting and revoking access, among other operations, to Google Groups. This webhook can be run as a Google Cloud Function.

There are direct code examples in the indentapis/examples repository. Take a look at the code that will run in these webhooks: terraform-gcloud-google-groups-pull-webhook and terraform-gcloud-google-groups-webhook.

This page assumes that you or someone on your team has already completed the Quickstart. If you haven't already, we would recommend you check it out - it should take 5 minutes.

Prerequisites

Overview

We're going to pull Google Groups into Indent (optionally, you can manually import groups) then set up automated change management. This webhook integration only works when deployed on Google Cloud because it uses Google APIs and IAM permissions directly.

Step 1: Deploy the pull update webhook

If you don't have a Google Service account, create one to manage your webhooks and Google Groups before deploying these webhooks

  1. Sign in and select your Indent Space.
  2. Go to your Webhooks.
  3. Click "New" and create a new Webhook.
    • For "Kind of Webhook" select "Pull update"
    • For "Supported Kind of Resource" select "Google Group" or type google.v1.Group
    • Save the webhook and note down the signing secret for use in the deployment process
  4. Download the example:
curl https://codeload.github.com/indentapis/examples/tar.gz/main | tar -xz --strip=3 examples-main/webhooks/pull/terraform-gcloud-google-groups-pull-webhook
cd terraform-gcloud-google-groups-pull-webhook

Follow the instructions in the README to complete the deployment process.

Pull updates from Google Groups

  1. Enter the HTTP endpoint from Cloud Functions as the "Webhook URL" field in your new Webhook.
  2. Save the new Webhook.
  3. Go to the Resources page, click the dropdown arrow next to "New", click "Pull Update", select "Google Groups" in the modal then "Start Pulling Updates".

Now if you search for "google group" on the Resource page, you should see your groups. Next, we're going to set up changing group membership automatically when access is granted or revoked.

Step 2: Deploy the change webhook

Download the example:

curl https://codeload.github.com/indentapis/examples/tar.gz/main | tar -xz --strip=3 examples-main/webhooks/change/terraform-gcloud-google-groups-webhook
cd terraform-gcloud-google-groups-webhook

Follow the instructions in the README to complete the deployment process then save the new webhook in your Indent configuration.

Grant the function service account permissions

Deploying the function creates a new service account. This account is used to change group membership, so it needs appropriate permissions like Manager or Owner of each Google Group you want to manage. Changes to service account permissions can be made in the Google Admin dashboard for Groups by adding the email of the service account.

Step 3: Configure your Indent policies

  1. Open the "Access Request Rules" section and navigate to the rules for your new resource.
  2. Configure the approvers for granting access to your Google Groups.

Step 4: Make a test request

  1. Go to Request Access.
  2. Select your Google Group from the dropdown and enter a reason for access.
  3. Once the access is approved, you can check groups.google.com to confirm membership.

Congrats! You’ve just configured requesting and managing Google Group access with Indent.


Import groups manually

  1. Sign into your Indent Space.
  2. Go to your Resources.
  3. Click "New" and create a new Resource.
    • Under resource type, type in "google.v1.Group"
    • Enter the name of your Google Group.
    • Enter the ID of your Google Group.
How do I get my group's ID?

  • Visit the Google Workspace Admin SDK page.
  • Use the "Try This API" modal to get the ID. Under the "customer" field enter my_customer. (Note: This must be performed as a Workspace Administrator)
  • Paste the ID for your group into the Indent Resource creation page.

Creating a Service Account

You can create a Google Service Account to use with both the Pull Update and Change Management to manage your Google Groups.

  1. Navigate to your Google Cloud Console
  2. Go to Menu IAM & Admin and select Service Accounts
  3. Create a new Service Account with a memorable name like "indent-webhook-service-account"
    • The Service Account gets a new email address which you'll use to deploy the webhooks
  4. Create a JSON Service Account Key for your new Service Account and save it for use with the webhooks
  5. Add the Service Account as an Owner of the Google Groups you want to manage with Indent.
  6. Continue to deploy the webhooks
What permissions does my Service Account need?

Your new service account needs the following scopes to deploy the webhooks and manage your Google Groups:

cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.setIamPolicy
cloudfunctions.functions.update
cloudfunctions.operations.get
iam.serviceAccounts.actAs
iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list


How do I get my Google Workspace Customer ID?

  • Sign in to your Google Cloud Admin Console as an administrator.
  • From the Admin console home page, go to "Account Settings" then "Profile."
  • Next to "Customer ID" find your organization's unique ID.