terraorg 0.2.3 → 0.5.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60e495604f197ced6264c00cea8607d7c846fd65179e024eaeabcf4ea3e28fb7
-  data.tar.gz: b24f650f9f48b5707b10f2cf4422e7cca438f257a57b0f5276abb90d34f5115c
+  metadata.gz: '081a5e9b4201f219e7b153a554a57e32060a8c043b2769d8bd9199d25f871850'
+  data.tar.gz: f6be12775e8435085b35da3bdc0b66af701705ffc9c6d0de45a6cc47cc237737
 SHA512:
-  metadata.gz: 634029af22269e47401fa78d47f11aa34dbe0cff1343459db6d344a9c496a02ba9d2ed97c3d2bae5dc95a4a01e44cbdb794160459a7ffb23d33c9c360f96acd0
-  data.tar.gz: 51d2f8ddebbe751e2e935ce30d68c111b090a500fa35edf61f4ed9011d63ccb388f2d4e04b719c2eb31b6012f871cafba4088bbab3eb9f97662d3751e62ccc39
+  metadata.gz: 8ca99240c4e75a63c6af0e7ff83efe3994dc3da8ac3072a524d3c845a5c99f68211bc189aafe53ed03593a9c748d7179d5f92bc67b4c15cbdc33c1ca3c632c71
+  data.tar.gz: dcb7597efd163ca22e17968c81cd80dd599ddaa98acf304972e25ed5fafe6c9745f15ec143878c6f3898ed415393caaf109b25d5312953fc9fe6393936b0a0db

data/README.md

@@ -34,7 +34,9 @@ Based on the org that this tool was originally designed for, orgs are expected
 to have three levels:
 
 * *squads*: the base unit of team-dom, containing people, who may be in
-  different geographical regions.
+  different geographical regions. Teams contain _members_ (full time heads)
+  and _associates_ (typically part time floaters.) Any associate of a squad
+  must also have a home squad for which they are a full time member.
 * *platoons*: a unit which contains squads and exceptional people who are
   members of the platoon, but not part of any squad
 * *org*: The whole organization, including its manager, any exceptional squads
@@ -45,6 +47,10 @@ The tool generates groups for each granular unit of organization in Okta and G
 Suite in Terraform. With patching, it could be possible for more organizational
 systems to be supported.
 
+## Diagram
+
+![Diagram of org structure](img/diagram.png)
+
 ## How it works
 
 Firstly, take your entire existing organization and define it using the
@@ -120,6 +126,10 @@ information on how to configure the providers.
 [articulate/terraform-provider-okta]: https://github.com/articulate/terraform-provider-okta
 [DeviaVir/terraform-provider-gsuite]: https://github.com/DeviaVir/terraform-provider-gsuite
 
+## Running tests
+There are a limited number of tests that can be invoked with 
+`ruby -I lib  test/terraorg/model/org_test.rb `
+
 ## Suggested process
 
 At [LiveRamp], a pull request based workflow leveraging [Atlantis] is used to

data/bin/terraorg

@@ -31,6 +31,8 @@ ACTIONS = [
   'validate'
 ].freeze
 
+STRICT_VALIDATION = ENV.fetch('TERRAORG_STRICT_VALIDATION', 'true')
+ALLOW_ORPHANED_ASSOCIATES = ENV.fetch('ALLOW_ORPHANED_ASSOCIATES', 'false')
 SQUADS_FILE = ENV.fetch('TERRAORG_SQUADS', 'squads.json')
 PLATOONS_FILE = ENV.fetch('TERRAORG_PLATOONS', 'platoons.json')
 ORG_FILE = ENV.fetch('TERRAORG_ROOT', 'org.json')
@@ -95,7 +97,9 @@ platoons = Platoons.new(JSON.parse(platoons_data), squads, people, GSUITE_DOMAIN
 org_data = File.read(ORG_FILE)
 org = Org.new(JSON.parse(org_data), platoons, squads, people, GSUITE_DOMAIN)
 
-org.validate!
+strict = (STRICT_VALIDATION == 'true')
+allow_orphaned_associates = (ALLOW_ORPHANED_ASSOCIATES == 'true')
+org.validate!(strict: strict, allow_orphaned_associates: allow_orphaned_associates)
 
 case action
 when 'generate-squads-md'

data/lib/terraorg/model/org.rb

@@ -1,4 +1,5 @@
 # Copyright 2019-2020 LiveRamp Holdings, Inc.
+# Copyright 2020- Joshua Kwan
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -49,23 +50,33 @@ class Org
     @squads = squads
   end
 
-  def validate!
+  def validate!(strict: true, allow_orphaned_associates: false)
+    failure = false
+
     # Do not allow the JSON files to contain any people who have left.
-    raise "Users have left the company: #{@people.inactive.map(&:id).join(', ')}" unless @people.inactive.empty?
+    unless @people.inactive.empty?
+      $stderr.puts "ERROR: Users have left the company, or are Suspended in Okta: #{@people.inactive.map(&:id).join(', ')}"
+      failure = true
+    end
 
     # Do not allow the org to be totally empty.
-    raise 'Org has no platoons or exception squads' if @member_platoons.size + @member_exception_squads.size == 0
+    if @member_platoons.size + @member_exception_squads.size == 0
+      $stderr.puts 'ERROR: Org has no platoons or exception squads'
+      failure = true
+    end
 
     # Require all platoons to be part of the org.
     platoon_diff = Set.new(@platoons.all_names) - Set.new(@member_platoon_names)
     unless platoon_diff.empty?
-      raise "Platoons are not used in the org: #{platoon_diff.to_a.sort}"
+      $stderr.puts "ERROR: Platoons are not used in the org: #{platoon_diff.to_a.sort}"
+      failure = true
     end
 
     # Require all squads to be used in the org.
     squad_diff = Set.new(@squads.all_names) - Set.new(@platoons.all_squad_names) - Set.new(@member_exception_squad_names)
     unless squad_diff.empty?
-      raise "Squad(s) are not used in the org: #{squad_diff.to_a.sort}"
+      $stderr.puts "ERROR: Squad(s) are not used in the org: #{squad_diff.to_a.sort}"
+      failure = true
     end
 
     all_squads = (@member_platoons.map(&:member_squads) + @member_exception_squads).flatten
@@ -79,34 +90,37 @@ class Org
       count > 1
     end
     if !more_than_one_platoon.empty?
-      raise "Squads are part of more than one platoon: #{more_than_one_platoon}"
+      $stderr.puts "ERROR: Squads are part of more than one platoon: #{more_than_one_platoon}"
+      failure = true
     end
 
     # Validate that a squad member belongs to some maximum number of squads
     # across the entire org. A person can be an associate of other squads
     # at a different count. See top of file for defined limits.
     squad_count = {}
-    all_squads.map(&:teams).flatten.map(&:values).flatten.map(&:members).flatten.each do |member|
+    all_members = all_squads.map(&:teams).flatten.map(&:values).flatten.map(&:members).flatten
+    all_members.each do |member|
       squad_count[member.id] = squad_count.fetch(member.id, 0) + 1
     end
     more_than_max_squads = squad_count.select do |member, count|
       count > MAX_MEMBER_SQUADS_PER_PERSON
     end
     if !more_than_max_squads.empty?
-      # TODO(joshk): Enforce after April 17th
-      $stderr.puts "WARNING: Members are part of more than #{MAX_MEMBER_SQUADS_PER_PERSON} squads: #{more_than_max_squads}"
+      $stderr.puts "ERROR: People are members of more than #{MAX_MEMBER_SQUADS_PER_PERSON} squads: #{more_than_max_squads}"
+      failure = true
     end
 
     associate_count = {}
-    all_squads.map(&:teams).flatten.map(&:values).flatten.map(&:associates).flatten.each do |assoc|
+    all_associates = all_squads.map(&:teams).flatten.map(&:values).flatten.map(&:associates).flatten
+    all_associates.each do |assoc|
       associate_count[assoc.id] = associate_count.fetch(assoc.id, 0) + 1
     end
     more_than_max_squads = associate_count.select do |_, count|
       count > MAX_ASSOCIATE_SQUADS_PER_PERSON
     end
     if !more_than_max_squads.empty?
-      # TODO(joshk): Enforce after April 17th
-      $stderr.puts "WARNING: People associated with more than #{MAX_ASSOCIATE_SQUADS_PER_PERSON} squads: #{more_than_max_squads}"
+      $stderr.puts "ERROR: People are associates of more than #{MAX_ASSOCIATE_SQUADS_PER_PERSON} squads: #{more_than_max_squads}"
+      failure = true
     end
 
     # Validate that a squad member is not also an org exception
@@ -115,8 +129,20 @@ class Org
       exceptions.member? member
     end
     if !exception_and_squad_member.empty?
-      raise "Exception members are also squad members: #{exception_and_squad_member}"
+      $stderr.puts "ERROR: Exception members are also squad members: #{exception_and_squad_member}"
+      failure = true
     end
+
+    # Validate that any associate is a member of some squad
+    if !allow_orphaned_associates
+      associates_but_not_members = Set.new(all_associates.map(&:id)) - Set.new(all_members.map(&:id)) - exceptions
+      if !associates_but_not_members.empty?
+        $stderr.puts "ERROR: #{associates_but_not_members.to_a} are associates of squads but not members of any squad"
+        failure = true
+      end
+    end
+
+    raise "CRITICAL: Validation failed due to at least one error above" if failure && strict
   end
 
   def members
@@ -179,13 +205,16 @@ class Org
     md_lines.join("\n")
   end
 
-  def generate_tf
-    tf = @member_platoons.map { |p| p.generate_tf(@id) }.join("\n")
-    File.write('auto.platoons.tf', tf)
+  def generate_tf_platoons
+    @member_platoons.map { |p| p.generate_tf(@id) }.join("\n")
+  end
 
-    tf = @member_exception_squads.map { |s| s.generate_tf(@id) }.join("\n")
-    File.write('auto.exception_squads.tf', tf)
+  def generate_tf_squads
+    @member_exception_squads.map { |s| s.generate_tf(@id) }.join("\n")
+  end
 
+  def generate_tf_org
+    tf = ''
     # Roll all platoons and exception squads into the org.
     roll_up_to_org = \
       @member_exception_squads.map { |s| s.unique_name(@id, nil) } + \
@@ -225,14 +254,18 @@ EOF
     all_locations[@manager_location] = all_locations.fetch(@manager_location, Set.new).add(@manager)
 
     all_locations.each do |l, m|
+      description = "#{@name} organization members based in #{l} (terraorg)"
       name = "#{unique_name}-#{l.downcase}"
       tf += <<-EOF
 resource "okta_group" "#{name}" {
   name = "#{name}"
-  description = "#{@name} organization members based in #{l} (terraorg)"
+  description = "#{description}"
   users = #{Util.persons_tf(m)}
 }
+
+#{Util.gsuite_group_tf(name, @gsuite_domain, m, description)}
 EOF
+
     end
 
     # Generate a special GSuite group for all managers (org, platoon, squad
@@ -241,7 +274,17 @@ EOF
     all_managers = Set.new([@manager] + @platoons.all.map(&:manager) + @squads.all.map(&:manager).select { |m| m })
     manager_dl = "#{@id}-managers"
     tf += Util.gsuite_group_tf(manager_dl, @gsuite_domain, all_managers, "All managers of the #{@name} organization (terraorg)")
+    tf
+  end
+
+  def generate_tf
+    tf = generate_tf_platoons
+    File.write('auto.platoons.tf', tf)
+
+    tf = generate_tf_squads
+    File.write('auto.exception_squads.tf', tf)
 
+    tf = generate_tf_org
     File.write('auto.org.tf', tf)
   end
 

data/lib/terraorg/model/person.rb

@@ -15,7 +15,7 @@
 require 'faraday'
 
 class Person
-  ACTIVE_USER_STATUSES = ['ACTIVE', 'PROVISIONED'].freeze
+  ACTIVE_USER_STATUSES = ['ACTIVE', 'PROVISIONED', 'PASSWORD_EXPIRED'].freeze
 
   attr_accessor :id, :name, :okta_id, :email, :status
 

data/lib/terraorg/version.rb

@@ -13,5 +13,5 @@
 # limitations under the License.
 
 module Terraorg
-  VERSION = '0.2.3'
+  VERSION = '0.5.3'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terraorg
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 0.5.3
 platform: ruby
 authors:
 - Joshua Kwan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-13 00:00:00.000000000 Z
+date: 2021-01-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: countries
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
 description: Manage an organizational structure with Okta and G-Suite using Terraform
 email: joshk@triplehelix.org
 executables:
@@ -104,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: terraorg