Automating User Management in the Company

Written by arslanbekov | Published 2022/12/02
Tech Story Tags: terraform | openvpn | vpn | automation | google-workspace | software-development | technology | business

TLDRTerraform aims to build a reusable infrastructure, we use the automation of repetitive processes, more often it will be Terraform. It is difficult to deny the convenience and popularity of this approach, especially when there are already many ready-made and well-supported providers around by a large community. Terraform will help us, remember its ability to save and share from the output. Let’s create a user in our organization: ‘I use app.terraform.io to launch terraform and share it with outputs*’via the TL;DR App

I continuously ask myself, what else in the processes I participate in can be automated? Repeated click-click-click in the interface brings with it a lot of errors, and if the company is actively growing — then all you will do over time — is click in the interface, stop doing it, and let’s automate.

To build a reusable infrastructure, we use the automation of repetitive processes. More often, it will be Terraform. It is difficult to deny the convenience and popularity of this approach, especially when there are already many ready-made and well-supported providers by a large community.

Introduction

Imagine that our company is growing, new developers and support come to us, and everyone needs to create an account/email in google workspace and attach it to OpenVPN Cloud to access internal resources.

In the most classic version, when a new employee

Also, people are leaving us, and we must not forget to deny access to systems. Here it would be best if you acted strictly in the reverse order of the scheme (scheme 1).

Terraform

Remember that we have to Terraform for automation. We will use it to automate the issuance and withdrawal of accesses.

The schemes perfectly describe the procedure, but to understand how Terraform will help us, let’s remember its ability to save and share from the output.

I use app.terraform.io to launch terraform and share it with outputs

Let’s create a user in our organization:

terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "EXAMPLE"

    workspaces {
      name = "google-workspace"
    }
  }
}

provider "googleworkspace" {
  # Use GOOGLEWORKSPACE_CREDENTIALS env
  # More settings: https://registry.terraform.io/providers/hashicorp/googleworkspace/latest/docs
  customer_id = "XXXXXXX"
}

resource "googleworkspace_user" "arslanbekov" {
  primary_email  = "[email protected]"
  org_unit_path = "developer"
  name {
    family_name = "Denis"
    given_name  = "Arslanbekov"
  }
}

output "email" {
  value = googleworkspace_user.arslanbekov.primary_email
}

output "name" {
  value = googleworkspace_user.arslanbekov.name
}

If the user already exists, import it.

terraform import googleworkspace_user.arslanbekov [email protected]

Next, we will interact with the output containing the email and the name of our new employee. We can switch to the following repository, in which we describe the OpenVPN Cloud users:

terraform {
  backend "local" {}
  required_providers {
    openvpncloud = {
      source  = "OpenVPN/openvpn-cloud"
      version = "0.0.7"
    }
  }
}

provider "openvpncloud" {
  base_url = "https://company-name.api.openvpn.com"
}

data "terraform_remote_state" "google_workspace_email" {
  backend = "remote"
  config = {
    organization = "EXAMPLE"
    workspaces = {
      name = "google-workspace"
    }
  }
}

resource "openvpncloud_user" "arslanbekov" {
  username   = "arslanbekov"
  email      = data.terraform_remote_state.google_workspace_email.outputs.arslanbekov
  first_name = data.terraform_remote_state.google_workspace_email.outputs.name.family_name
  last_name  = data.terraform_remote_state.google_workspace_email.outputs.name.given_name
  role       = "USER"
}

Applying this code will create a user in the OpenVPN Cloud and send him an invite via email. The user can log in, set a password, and generate VPN certificates.

We can also fully configure OpenVPN Cloud (create groups and describe routes) through this provider. This is really amazing.

We can very quickly invite him to any other systems (using providers that are in terraform).

For example, SendGrid:

terraform {
  required_providers {
    sendgrid = {
      version = "1.0.0"
      source  = "anna-money/sendgrid"
    }
  }
}

provider "sendgrid" {
  api_key = "SECRET_API_KEY"
}

data "terraform_remote_state" "google_workspace_email" {
  backend = "remote"
  config = {
    organization = "EXAMPLE"
    workspaces = {
      name = "google-workspace"
    }
  }
}

resource "sendgrid_teammate" "arslanbekov" {
  email    = data.terraform_remote_state.google_workspace_email.outputs.arslanbekov
  scopes   = [
    "alerts.create",
    "alerts.read",
    "alerts.update",
    "alerts.delete",
  ]
  is_admin = false
}

Conclusion

The convenience of this approach is that you have one entry point and one exit point. The single-responsibility principle applies here. If a person works in a company — he is always described by the code in one place.

I’ve shown a simple example: I didn’t use loops on purpose, but I strongly advise you to use them to avoid code duplication.

Providers used in this article:

  1. TF: hashicorp/googleworkspace
  2. TF: OpenVPN/openvpn-cloud
  3. TF: anna-money/sendgrid

They are also published here.

Written by arslanbekov | Head of SRE @ANNA Money
Published by HackerNoon on 2022/12/02
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy