terraorg 0.3.0 → 0.5.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce81d4e08d1d925fbf0cc419b5012725e33190563592d8ad491bf52a39df2920
-  data.tar.gz: 1854959244ef5576f9c39f3079ae73e7af243f591c972e3f79ecfb9729a87445
+  metadata.gz: 9d4bc0b594ccdebdbc4f31ec4825e6ba58ae14d594c5ba583be66110146bb87e
+  data.tar.gz: e91277122e80da862872e04377857462d77bde314c79be37e0c9ec223dcc985c
 SHA512:
-  metadata.gz: 498d390c6eb73ff5761ccc40e8a0918d8c0e1ec8ac21d2d5862a9d9b0c7da514e574849a853cb9fce4b8516625bcb72ef6bcc39b2de52e80cbf13fef6e62a5a8
-  data.tar.gz: 72575c047b7565108453002e809fa2c76346e6a8998f04ff52750c065ecb48eb1b9235f0d0a6cd2e967b81292e30a668d91339b9d1bc26e7fc520669a47a750f
+  metadata.gz: f3a0ba270dd09ea04cf4f4acf32374110e1563c56c4259dd2f6664dce55dd37330732fd7bfa2ac530638599afd9e8974ce59bbe452af52bf4d434c5593072ed5
+  data.tar.gz: 2bc8103395027c04b74483da0bb62779eefa0544b2f3fc54f2f68131a8d2bec5a35043de45835d15e32fed572acc8b353a27f7ae9d045faf6b308d93524f8a29

data/README.md

@@ -34,7 +34,9 @@ Based on the org that this tool was originally designed for, orgs are expected
 to have three levels:
 
 * *squads*: the base unit of team-dom, containing people, who may be in
-  different geographical regions.
+  different geographical regions. Teams contain _members_ (full time heads)
+  and _associates_ (typically part time floaters.) Any associate of a squad
+  must also have a home squad for which they are a full time member.
 * *platoons*: a unit which contains squads and exceptional people who are
   members of the platoon, but not part of any squad
 * *org*: The whole organization, including its manager, any exceptional squads
@@ -45,6 +47,10 @@ The tool generates groups for each granular unit of organization in Okta and G
 Suite in Terraform. With patching, it could be possible for more organizational
 systems to be supported.
 
+## Diagram
+
+![Diagram of org structure](img/diagram.png)
+
 ## How it works
 
 Firstly, take your entire existing organization and define it using the
@@ -120,6 +126,10 @@ information on how to configure the providers.
 [articulate/terraform-provider-okta]: https://github.com/articulate/terraform-provider-okta
 [DeviaVir/terraform-provider-gsuite]: https://github.com/DeviaVir/terraform-provider-gsuite
 
+## Running tests
+There are a limited number of tests that can be invoked with 
+`ruby -I lib  test/terraorg/model/org_test.rb `
+
 ## Suggested process
 
 At [LiveRamp], a pull request based workflow leveraging [Atlantis] is used to

data/bin/terraorg

@@ -32,6 +32,7 @@ ACTIONS = [
 ].freeze
 
 STRICT_VALIDATION = ENV.fetch('TERRAORG_STRICT_VALIDATION', 'true')
+ALLOW_ORPHANED_ASSOCIATES = ENV.fetch('ALLOW_ORPHANED_ASSOCIATES', 'false')
 SQUADS_FILE = ENV.fetch('TERRAORG_SQUADS', 'squads.json')
 PLATOONS_FILE = ENV.fetch('TERRAORG_PLATOONS', 'platoons.json')
 ORG_FILE = ENV.fetch('TERRAORG_ROOT', 'org.json')
@@ -97,7 +98,8 @@ org_data = File.read(ORG_FILE)
 org = Org.new(JSON.parse(org_data), platoons, squads, people, GSUITE_DOMAIN)
 
 strict = (STRICT_VALIDATION == 'true')
-org.validate!(strict: strict)
+allow_orphaned_associates = (ALLOW_ORPHANED_ASSOCIATES == 'true')
+org.validate!(strict: strict, allow_orphaned_associates: allow_orphaned_associates)
 
 case action
 when 'generate-squads-md'

data/lib/terraorg/model/org.rb

@@ -1,4 +1,5 @@
 # Copyright 2019-2020 LiveRamp Holdings, Inc.
+# Copyright 2020- Joshua Kwan
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -49,12 +50,12 @@ class Org
     @squads = squads
   end
 
-  def validate!(strict: true)
+  def validate!(strict: true, allow_orphaned_associates: false)
     failure = false
 
     # Do not allow the JSON files to contain any people who have left.
     unless @people.inactive.empty?
-      $stderr.puts "ERROR: Users have left the company: #{@people.inactive.map(&:id).join(', ')}"
+      $stderr.puts "ERROR: Users have left the company, or are Suspended in Okta: #{@people.inactive.map(&:id).join(', ')}"
       failure = true
     end
 
@@ -97,7 +98,8 @@ class Org
     # across the entire org. A person can be an associate of other squads
     # at a different count. See top of file for defined limits.
     squad_count = {}
-    all_squads.map(&:teams).flatten.map(&:values).flatten.map(&:members).flatten.each do |member|
+    all_members = all_squads.map(&:teams).flatten.map(&:values).flatten.map(&:members).flatten
+    all_members.each do |member|
       squad_count[member.id] = squad_count.fetch(member.id, 0) + 1
     end
     more_than_max_squads = squad_count.select do |member, count|
@@ -109,7 +111,8 @@ class Org
     end
 
     associate_count = {}
-    all_squads.map(&:teams).flatten.map(&:values).flatten.map(&:associates).flatten.each do |assoc|
+    all_associates = all_squads.map(&:teams).flatten.map(&:values).flatten.map(&:associates).flatten
+    all_associates.each do |assoc|
       associate_count[assoc.id] = associate_count.fetch(assoc.id, 0) + 1
     end
     more_than_max_squads = associate_count.select do |_, count|
@@ -130,6 +133,15 @@ class Org
       failure = true
     end
 
+    # Validate that any associate is a member of some squad
+    if !allow_orphaned_associates
+      associates_but_not_members = Set.new(all_associates.map(&:id)) - Set.new(all_members.map(&:id)) - exceptions
+      if !associates_but_not_members.empty?
+        $stderr.puts "ERROR: #{associates_but_not_members.to_a} are associates of squads but not members of any squad"
+        failure = true
+      end
+    end
+
     raise "CRITICAL: Validation failed due to at least one error above" if failure && strict
   end
 
@@ -193,13 +205,16 @@ class Org
     md_lines.join("\n")
   end
 
-  def generate_tf
-    tf = @member_platoons.map { |p| p.generate_tf(@id) }.join("\n")
-    File.write('auto.platoons.tf', tf)
+  def generate_tf_platoons
+    @member_platoons.map { |p| p.generate_tf(@id) }.join("\n")
+  end
 
-    tf = @member_exception_squads.map { |s| s.generate_tf(@id) }.join("\n")
-    File.write('auto.exception_squads.tf', tf)
+  def generate_tf_squads
+    @member_exception_squads.map { |s| s.generate_tf(@id) }.join("\n")
+  end
 
+  def generate_tf_org
+    tf = ''
     # Roll all platoons and exception squads into the org.
     roll_up_to_org = \
       @member_exception_squads.map { |s| s.unique_name(@id, nil) } + \
@@ -239,14 +254,18 @@ EOF
     all_locations[@manager_location] = all_locations.fetch(@manager_location, Set.new).add(@manager)
 
     all_locations.each do |l, m|
+      description = "#{@name} organization members based in #{l} (terraorg)"
       name = "#{unique_name}-#{l.downcase}"
       tf += <<-EOF
 resource "okta_group" "#{name}" {
   name = "#{name}"
-  description = "#{@name} organization members based in #{l} (terraorg)"
+  description = "#{description}"
   users = #{Util.persons_tf(m)}
 }
+
+#{Util.gsuite_group_tf(name, @gsuite_domain, m, description)}
 EOF
+
     end
 
     # Generate a special GSuite group for all managers (org, platoon, squad
@@ -255,7 +274,17 @@ EOF
     all_managers = Set.new([@manager] + @platoons.all.map(&:manager) + @squads.all.map(&:manager).select { |m| m })
     manager_dl = "#{@id}-managers"
     tf += Util.gsuite_group_tf(manager_dl, @gsuite_domain, all_managers, "All managers of the #{@name} organization (terraorg)")
+    tf
+  end
+
+  def generate_tf
+    tf = generate_tf_platoons
+    File.write('auto.platoons.tf', tf)
+
+    tf = generate_tf_squads
+    File.write('auto.exception_squads.tf', tf)
 
+    tf = generate_tf_org
     File.write('auto.org.tf', tf)
   end
 

data/lib/terraorg/model/person.rb

@@ -14,8 +14,11 @@
 
 require 'faraday'
 
+# The following statuses are considered ACTIVE by terraorg, which allow PRs to continue and be merged. 
+# A DEACTIVATED account status needs to be removed from the repository before merging PRs
+
 class Person
-  ACTIVE_USER_STATUSES = ['ACTIVE', 'PROVISIONED'].freeze
+  ACTIVE_USER_STATUSES = ['ACTIVE', 'PROVISIONED', 'PASSWORD_EXPIRED', 'SUSPENDED'].freeze
 
   attr_accessor :id, :name, :okta_id, :email, :status
 

data/lib/terraorg/version.rb

@@ -13,5 +13,5 @@
 # limitations under the License.
 
 module Terraorg
-  VERSION = '0.3.0'
+  VERSION = '0.5.4'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terraorg
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.4
 platform: ruby
 authors:
 - Joshua Kwan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-27 00:00:00.000000000 Z
+date: 2021-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: countries
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
 description: Manage an organizational structure with Okta and G-Suite using Terraform
 email: joshk@triplehelix.org
 executables:
@@ -104,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: terraorg