RubyGems - terraorg - Versions diffs - 0.3.0 → 0.5.4 - Mend

terraorg 0.3.0 → 0.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce81d4e08d1d925fbf0cc419b5012725e33190563592d8ad491bf52a39df2920
-  data.tar.gz: 1854959244ef5576f9c39f3079ae73e7af243f591c972e3f79ecfb9729a87445
+  metadata.gz: 9d4bc0b594ccdebdbc4f31ec4825e6ba58ae14d594c5ba583be66110146bb87e
+  data.tar.gz: e91277122e80da862872e04377857462d77bde314c79be37e0c9ec223dcc985c
 SHA512:
-  metadata.gz: 498d390c6eb73ff5761ccc40e8a0918d8c0e1ec8ac21d2d5862a9d9b0c7da514e574849a853cb9fce4b8516625bcb72ef6bcc39b2de52e80cbf13fef6e62a5a8
-  data.tar.gz: 72575c047b7565108453002e809fa2c76346e6a8998f04ff52750c065ecb48eb1b9235f0d0a6cd2e967b81292e30a668d91339b9d1bc26e7fc520669a47a750f
+  metadata.gz: f3a0ba270dd09ea04cf4f4acf32374110e1563c56c4259dd2f6664dce55dd37330732fd7bfa2ac530638599afd9e8974ce59bbe452af52bf4d434c5593072ed5
+  data.tar.gz: 2bc8103395027c04b74483da0bb62779eefa0544b2f3fc54f2f68131a8d2bec5a35043de45835d15e32fed572acc8b353a27f7ae9d045faf6b308d93524f8a29

data/README.md CHANGED

@@ -34,7 +34,9 @@ Based on the org that this tool was originally designed for, orgs are expected
 to have three levels:
 * *squads*: the base unit of team-dom, containing people, who may be in
-  different geographical regions.
+  different geographical regions. Teams contain _members_ (full time heads)
+  and _associates_ (typically part time floaters.) Any associate of a squad
+  must also have a home squad for which they are a full time member.
 * *platoons*: a unit which contains squads and exceptional people who are
   members of the platoon, but not part of any squad
 * *org*: The whole organization, including its manager, any exceptional squads
@@ -45,6 +47,10 @@ The tool generates groups for each granular unit of organization in Okta and G
 Suite in Terraform. With patching, it could be possible for more organizational
 systems to be supported.
+## Diagram
+![Diagram of org structure](img/diagram.png)
 ## How it works
 Firstly, take your entire existing organization and define it using the
@@ -120,6 +126,10 @@ information on how to configure the providers.
 [articulate/terraform-provider-okta]: https://github.com/articulate/terraform-provider-okta
 [DeviaVir/terraform-provider-gsuite]: https://github.com/DeviaVir/terraform-provider-gsuite
+## Running tests
+There are a limited number of tests that can be invoked with
+`ruby -I lib  test/terraorg/model/org_test.rb `
 ## Suggested process
 At [LiveRamp], a pull request based workflow leveraging [Atlantis] is used to

data/bin/terraorg CHANGED

@@ -32,6 +32,7 @@ ACTIONS = [
 ].freeze
 STRICT_VALIDATION = ENV.fetch('TERRAORG_STRICT_VALIDATION', 'true')
+ALLOW_ORPHANED_ASSOCIATES = ENV.fetch('ALLOW_ORPHANED_ASSOCIATES', 'false')
 SQUADS_FILE = ENV.fetch('TERRAORG_SQUADS', 'squads.json')
 PLATOONS_FILE = ENV.fetch('TERRAORG_PLATOONS', 'platoons.json')
 ORG_FILE = ENV.fetch('TERRAORG_ROOT', 'org.json')
@@ -97,7 +98,8 @@ org_data = File.read(ORG_FILE)
 org = Org.new(JSON.parse(org_data), platoons, squads, people, GSUITE_DOMAIN)
 strict = (STRICT_VALIDATION == 'true')
-org.validate!(strict: strict)
+allow_orphaned_associates = (ALLOW_ORPHANED_ASSOCIATES == 'true')
+org.validate!(strict: strict, allow_orphaned_associates: allow_orphaned_associates)
 case action
 when 'generate-squads-md'

data/lib/terraorg/model/org.rb CHANGED

@@ -1,4 +1,5 @@
 # Copyright 2019-2020 LiveRamp Holdings, Inc.
+# Copyright 2020- Joshua Kwan
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -49,12 +50,12 @@ class Org
     @squads = squads
   end
-  def validate!(strict: true)
+  def validate!(strict: true, allow_orphaned_associates: false)
     failure = false
     # Do not allow the JSON files to contain any people who have left.
     unless @people.inactive.empty?
-      $stderr.puts "ERROR: Users have left the company: #{@people.inactive.map(&:id).join(', ')}"
+      $stderr.puts "ERROR: Users have left the company, or are Suspended in Okta: #{@people.inactive.map(&:id).join(', ')}"
       failure = true
     end
@@ -97,7 +98,8 @@ class Org
     # across the entire org. A person can be an associate of other squads
     # at a different count. See top of file for defined limits.
     squad_count = {}
-    all_squads.map(&:teams).flatten.map(&:values).flatten.map(&:members).flatten.each do |member|
+    all_members = all_squads.map(&:teams).flatten.map(&:values).flatten.map(&:members).flatten
+    all_members.each do |member|
       squad_count[member.id] = squad_count.fetch(member.id, 0) + 1
     end
     more_than_max_squads = squad_count.select do |member, count|
@@ -109,7 +111,8 @@ class Org
     end
     associate_count = {}
-    all_squads.map(&:teams).flatten.map(&:values).flatten.map(&:associates).flatten.each do |assoc|
+    all_associates = all_squads.map(&:teams).flatten.map(&:values).flatten.map(&:associates).flatten
+    all_associates.each do |assoc|
       associate_count[assoc.id] = associate_count.fetch(assoc.id, 0) + 1
     end
     more_than_max_squads = associate_count.select do |_, count|
@@ -130,6 +133,15 @@ class Org
       failure = true
     end
+    # Validate that any associate is a member of some squad
+    if !allow_orphaned_associates
+      associates_but_not_members = Set.new(all_associates.map(&:id)) - Set.new(all_members.map(&:id)) - exceptions
+      if !associates_but_not_members.empty?
+        $stderr.puts "ERROR: #{associates_but_not_members.to_a} are associates of squads but not members of any squad"
+        failure = true
+      end
+    end
     raise "CRITICAL: Validation failed due to at least one error above" if failure && strict
   end
@@ -193,13 +205,16 @@ class Org
     md_lines.join("\n")
   end
-  def generate_tf
-    tf = @member_platoons.map { |p| p.generate_tf(@id) }.join("\n")
-    File.write('auto.platoons.tf', tf)
+  def generate_tf_platoons
+    @member_platoons.map { |p| p.generate_tf(@id) }.join("\n")
+  end
-    tf = @member_exception_squads.map { |s| s.generate_tf(@id) }.join("\n")
-    File.write('auto.exception_squads.tf', tf)
+  def generate_tf_squads
+    @member_exception_squads.map { |s| s.generate_tf(@id) }.join("\n")
+  end
+  def generate_tf_org
+    tf = ''
     # Roll all platoons and exception squads into the org.
     roll_up_to_org = \
       @member_exception_squads.map { |s| s.unique_name(@id, nil) } + \
@@ -239,14 +254,18 @@ EOF
     all_locations[@manager_location] = all_locations.fetch(@manager_location, Set.new).add(@manager)
     all_locations.each do |l, m|
+      description = "#{@name} organization members based in #{l} (terraorg)"
       name = "#{unique_name}-#{l.downcase}"
       tf += <<-EOF
 resource "okta_group" "#{name}" {
   name = "#{name}"
-  description = "#{@name} organization members based in #{l} (terraorg)"
+  description = "#{description}"
   users = #{Util.persons_tf(m)}
 }
+#{Util.gsuite_group_tf(name, @gsuite_domain, m, description)}
 EOF
     end
     # Generate a special GSuite group for all managers (org, platoon, squad
@@ -255,7 +274,17 @@ EOF
     all_managers = Set.new([@manager] + @platoons.all.map(&:manager) + @squads.all.map(&:manager).select { |m| m })
     manager_dl = "#{@id}-managers"
     tf += Util.gsuite_group_tf(manager_dl, @gsuite_domain, all_managers, "All managers of the #{@name} organization (terraorg)")
+    tf
+  end
+  def generate_tf
+    tf = generate_tf_platoons
+    File.write('auto.platoons.tf', tf)
+    tf = generate_tf_squads
+    File.write('auto.exception_squads.tf', tf)
+    tf = generate_tf_org
     File.write('auto.org.tf', tf)
   end

data/lib/terraorg/model/person.rb CHANGED

@@ -14,8 +14,11 @@
 require 'faraday'
+# The following statuses are considered ACTIVE by terraorg, which allow PRs to continue and be merged.
+# A DEACTIVATED account status needs to be removed from the repository before merging PRs
 class Person
-  ACTIVE_USER_STATUSES = ['ACTIVE', 'PROVISIONED'].freeze
+  ACTIVE_USER_STATUSES = ['ACTIVE', 'PROVISIONED', 'PASSWORD_EXPIRED', 'SUSPENDED'].freeze
   attr_accessor :id, :name, :okta_id, :email, :status

data/lib/terraorg/version.rb CHANGED

@@ -13,5 +13,5 @@
 # limitations under the License.
 module Terraorg
-  VERSION = '0.3.0'
+  VERSION = '0.5.4'
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terraorg
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.4
 platform: ruby
 authors:
 - Joshua Kwan
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-04-27 00:00:00.000000000 Z
+date: 2021-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: countries
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
 description: Manage an organizational structure with Okta and G-Suite using Terraform
 email: joshk@triplehelix.org
 executables:
@@ -104,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.8
 signing_key:
 specification_version: 4
 summary: terraorg