feat(INT-53): bring in tf module from existing repo

[westonplatter]

what

• bring in existing postgres module under new repo name

Summary by CodeRabbit

• New Features

  • Introduced comprehensive support for managing Google Workspace users, groups, group settings, and group memberships via Terraform.
  • Added detailed input variables for users and groups with extensive validation.
  • Provided example configurations and import workflows for existing organizations using YAML and Terraform files.

• Documentation

  • Rewrote and expanded the README with Google Workspace-specific usage instructions, examples, and input schemas.
  • Updated provider and resource documentation to reflect new functionality.

• Bug Fixes

  • Improved input validation for user and group attributes, ensuring correct email formats and allowed values.

• Tests

  • Added extensive test coverage for user and group variable validation, including edge cases and failure scenarios.

• Chores

  • Updated .gitignore rules and removed outdated changelog entries.
  • Removed obsolete outputs and variables related to previous random resource usage.

[coderabbitai]

Walkthrough

This change replaces a generic Terraform module template with a comprehensive module for managing Google Workspace users, groups, and group settings. It introduces detailed variable schemas for users and groups, extensive input validation, and resource definitions for users, groups, group settings, and group memberships using the googleworkspace provider. The main module logic, example configurations, and provider blocks are updated to reflect these new resources and input structures. The README is rewritten to provide module-specific documentation and usage examples. Test files are added to validate input variables. Outdated outputs, variables, and references to the previous template are removed.

Possibly related PRs

• #3: Both PRs replace the previous random_pet resource with comprehensive Google Workspace user and group management resources, including user-to-group membership handling and updated provider configurations, indicating a direct connection.
• #1: The main PR builds upon the initial addition of Google Workspace user and group resources by introducing advanced group settings, detailed validations, and lifecycle management, extending the foundational work of this earlier PR.
• #4: While this PR adds an example for importing existing users and groups into Terraform state using the new module, it complements the main PR by demonstrating usage but does not alter core module logic.

Tip

⚡️ Faster reviews with caching

• CodeRabbit now supports caching for code and dependencies, helping speed up reviews. This means quicker feedback, reduced wait times, and a smoother review experience overall. Cached data is encrypted and stored securely. This feature will be automatically enabled for all accounts on May 16th. To opt out, configure Review - Disable Cache at either the organization or repository level. If you prefer to disable all data retention across your organization, simply turn off the Data Retention setting under your Organization Settings.

Enjoy the performance boost—your workflow just got faster.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 4

🔭 Outside diff range comments (1)

outputs.tf (1)

1-2: 🛠️ Refactor suggestion

Remove empty outputs.tf file
Since all outputs have been deleted, this empty file can be removed to avoid confusion and keep the module tree tidy.

♻️ Duplicate comments (1)

examples/import-existing-org/providers.tf (1)

7-8: Duplicate provider credential suggestion.
As noted in examples/complete/providers.tf, avoid hardcoding the credentials file path and impersonated user; parameterize via variables or environment variables to improve reuse and security.

🧹 Nitpick comments (17)

examples/import-existing-org/users.yaml (1)

2-6: YAML clarity: quote string values explicitly
Consider quoting the role value to ensure it’s parsed as a string and improve consistency. You can also expand the inline flow mapping into block style for better readability:

groups:
  team:
    role: "member"

.gitignore (2)

12-14: Consolidate lock file ignore rules
You’ve added examples/**/*.terraform.lock.hcl to ignore all example-level lock files. If you intend to ignore these consistently, you can remove any commented legacy rules and add a brief comment explaining why examples should not track lock files.

---

17-18: Remove commented-out negation rule
The line # !examples/**/.terraform.lock.hcl is now redundant and can be deleted to keep the .gitignore clean.

examples/import-existing-org/versions.tf (2)

2-2: Specify an upper bound for Terraform version.
Consider constraining Terraform versions to avoid breaking changes from v2.x by using a version range, for example:

required_version = ">= 1.0, < 2.0"

---

6-7: Allow patch-level updates for the provider.
Instead of pinning exactly to 0.7.0, use the pessimistic constraint to permit patch releases while preventing breaking minor versions:

version = "~> 0.7.0"

examples/import-existing-org/main.tf (1)

2-3: Make file paths explicit and module-friendly.
Use path.module to ensure Terraform resolves these files correctly when invoked from different working directories:

_all_groups = yamldecode(file("${path.module}/groups.yaml"))
_all_users  = yamldecode(file("${path.module}/users.yaml"))

examples/complete/providers.tf (1)

7-8: Avoid hardcoding credential paths in examples.
Instead of embedding an absolute path, parameterize credentials (e.g. via var.credentials_path) or encourage use of the GOOGLE_APPLICATION_CREDENTIALS environment variable. Likewise, consider making impersonated_user_email a variable for flexibility.

examples/import-existing-org/groups.yaml (1)

15-22: Use descriptive resource keys.
The key team is quite generic. Renaming it to something like engineering_team or another identifier that reflects its purpose will improve readability and avoid collisions if additional groups are added.

tests/variables_groups.tftest.hcl (1)

26-43: Enhance failure assertion
Consider adding an expect_failure_message to assert on the specific validation error (e.g., "Invalid group email address") so the test fails for the intended reason.

README.md (2)

17-22: Use proper Markdown list formatting
Switch from 1 -/2 - to standard ordered list syntax (1./2.) for consistency and better rendering.

---

25-25: Address the TODO before release
A step-by-step authentication guide is marked TODO – consider adding those instructions now or plan a follow-up.

variables.tf (1)

100-110: Simplify group.type validation
Since group.type defaults to "USER", checking for null is redundant and can be removed for clarity.

examples/import-existing-org/imports.tf (1)

17-28: Flatten logic is functional but can be simplified
You can inline the user filtering and flatten steps without the _user_with_groups intermediate or leverage Terraform 1.5’s flatten enhancements.

main.tf (4)

1-4: Consider defaulting settings to avoid null merges
Using merge(v.settings, { email = v.email }) assumes v.settings is always a map. If settings may be omitted or null, use lookup(v, "settings", {}) to prevent merge errors.

---

6-9: Rename local variable for clarity
Rename _user_with_groups to users_with_groups (dropping the leading underscore) for consistency with Terraform naming conventions and improved readability.

---

12-21: Decouple locals from resource attributes
Referencing googleworkspace_group.defaults[group_key].email in a local creates an implicit dependency on that resource. You can instead use var.groups[group_key].email to obtain the same value and avoid unexpected ordering constraints.

---

24-27: Remove unnecessary user→group dependency
The depends_on = [googleworkspace_group.defaults] in the user resource is not needed since users can be created independently of groups. Dropping this will allow parallel resource creation and speed up plans.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5387f28 and 6ed6952.

📒 Files selected for processing (21)

• .github/renovate.json5 (1 hunks)
• .gitignore (2 hunks)
• CHANGELOG.md (0 hunks)
• README.md (5 hunks)
• examples/complete/main.tf (1 hunks)
• examples/complete/outputs.tf (0 hunks)
• examples/complete/providers.tf (1 hunks)
• examples/complete/variables.tf (0 hunks)
• examples/complete/versions.tf (1 hunks)
• examples/import-existing-org/groups.yaml (1 hunks)
• examples/import-existing-org/imports.tf (1 hunks)
• examples/import-existing-org/main.tf (1 hunks)
• examples/import-existing-org/providers.tf (1 hunks)
• examples/import-existing-org/users.yaml (1 hunks)
• examples/import-existing-org/versions.tf (1 hunks)
• main.tf (1 hunks)
• outputs.tf (1 hunks)
• tests/variables_groups.tftest.hcl (1 hunks)
• tests/variables_users.tftest.hcl (1 hunks)
• variables.tf (1 hunks)
• versions.tf (1 hunks)

💤 Files with no reviewable changes (3)

• examples/complete/variables.tf
• CHANGELOG.md
• examples/complete/outputs.tf

🧰 Additional context used

📓 Path-based instructions (1)

`**/*.tf`: You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.or...

**/*.tf: You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.org/docs/.
You have a strong grasp of Terraform syntax and prioritize providing accurate and insightful code suggestions.
As a fan of the Cloud Posse / SweetOps ecosystem, you incorporate many of their best practices https://docs.cloudposse.com/best-practices/terraform/ while balancing them with general Terraform guidelines.

• outputs.tf
• versions.tf
• examples/complete/versions.tf
• examples/import-existing-org/versions.tf
• examples/import-existing-org/main.tf
• examples/complete/providers.tf
• examples/import-existing-org/providers.tf
• variables.tf
• examples/complete/main.tf
• examples/import-existing-org/imports.tf
• main.tf

🔇 Additional comments (24)

.github/renovate.json5 (1)

64-64: No-op change—trailing newline removal only.

This update only removes the empty line at the end of the file. There are no functional or configuration changes.

.gitignore (1)

19-20: Verify ignore pattern for live-provider.tf
Please confirm that your examples include files named live-provider.tf. If you meant to ignore providers.tf instead, update this pattern accordingly.

versions.tf (1)

5-7: Provider block updated correctly
Switching to the hashicorp/googleworkspace provider with >= 0.7.0 aligns the root module’s requirements with the new Google Workspace functionality.

examples/complete/versions.tf (1)

1-10: Example version constraints look good
Locking to Terraform >= 1.0 and provider 0.7.0 ensures the example is reproducible.

examples/import-existing-org/main.tf (1)

10-15: Example module invocation looks good.
Using a relative source = "../../" for examples and passing the filtered users and groups locals aligns well with the module’s interface.

tests/variables_groups.tftest.hcl (4)

1-3: Mock provider configuration is correct
The googleworkspace mock provider alias is properly set up for isolated tests.

---

9-23: Email success scenario validated
The email_success test correctly verifies that a valid group email passes validation.

---

49-69: Group settings specific values scenario is solid
The test defines valid settings and expects the plan to succeed, covering key attributes.

---

72-89: Default settings omission handled
Omitting the settings block and expecting success verifies the default behavior as intended.

README.md (4)

3-3: Module title updated
The new module name accurately reflects its purpose in managing Google Workspace users and groups.

---

11-11: Child‐module description is clear
Explicitly stating this is a Terraform child module helps users understand integration points.

---

29-47: Provider example is comprehensive
The sample googleworkspace provider block with scopes and impersonation is well documented and aligns with best practices.

---

201-206: Badges and links updated
Release badge and contributor links correctly point to the new repository.

variables.tf (3)

53-59: Email regex validations look solid
Both primary and group email validations use a robust regex pattern and align with Terraform best practices.

Also applies to: 160-165

---

62-69: Password length validation is appropriate
The conditional allows null passwords or enforces the 8–100 character range when provided.

---

87-96: Group role validation covers defaults
Uppercasing and allowed values ensure roles conform to Terraform metadata requirements.

examples/complete/main.tf (2)

26-33: Example user configuration is clear
The example covers key user attributes and demonstrates nested group definitions effectively.

---

35-58: Group configuration merging is effective
Using merge(local.default_group_settings, {...}) showcases how to override defaults cleanly.

main.tf (2)

45-53: Verify lifecycle.ignore_changes targets
You ignore changes to languages, password, recovery_email, recovery_phone, and suspended. Double-check whether languages is ever set or managed by this module—if not, consider removing it to avoid inadvertently ignoring legitimate updates.

---

112-113: Enforce uppercase for role and type
Using upper() on role and type normalizes casing for API calls. This is a good practice to ensure consistency with the provider’s expectations.

tests/variables_users.tftest.hcl (4)

9-45: Comprehensive email validation test suite
The email_success and email_invalid_missing_at_symbol runs accurately cover both valid and invalid email scenarios against the variable schema. Well done.

---

52-114: Robust password length and hash function validation
The password-related tests (password_success, password_too_short, password_too_long) effectively validate length constraints. The hash function tests (hash_function_md5_success, hash_function_invalid, hash_function_can_be_null_with_password_set) correctly cover valid, invalid, and null cases. Nice coverage.

---

187-245: Group membership role validation tests
The groups_member_role_success and groups_member_role_invalid runs properly test the allowed set of group roles. The use of expect_failures for invalid roles is spot-on.

---

251-342: Group member type validation tests
The success and failure scenarios for member type are well-covered, including defaulting to USER when omitted. Solid validation tests.

[gberenice]

🚢 🚢 🚢