avoid gcp provisioning for google workspace#1321
Open
eschultink wants to merge 2 commits into
… settings. Expose google_workspace_provision_service_accounts and google_workspace_enable_apis in google_workspace_connector_settings so customers can manage those GCP steps outside Terraform, with matching TODO outputs and a state move for existing service accounts.
Contributor
Pull request overview
Adds configuration switches to optionally skip Terraform-managed GCP resource provisioning (API enablement, service account creation, key creation) for Google Workspace connectors, while still producing actionable TODO instructions for the manual steps.
Changes:
- Introduces `google_workspace_connector_settings` flags to control API enablement and service account provisioning in addition to key provisioning.
- Updates Google Workspace connector Terraform modules to conditionally skip resource creation and generate TODO content/files for manual completion.
- Updates Google Workspace source documentation and connector settings descriptions to reflect the new options.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| infra/modules/worklytics-connectors-google-workspace/variables.tf | Deprecation/description updates; documents new settings-map keys. |
| infra/modules/worklytics-connectors-google-workspace/main.tf | Adds settings-driven toggles; generates TODOs/files for manual API/SA/key steps. |
| infra/modules/worklytics-connectors-google-workspace/gcp-sa-create-todo.tftpl | New TODO template for manual service account creation. |
| infra/modules/worklytics-connectors-google-workspace/gcp-api-enable-todo.tftpl | New TODO template for manual API enablement. |
| infra/modules/worklytics-connector-specs/variables.tf | Updates description of supported Google Workspace connector settings keys. |
| infra/modules/google-workspace-dwd-connection/variables.tf | Adds provision_service_account and enable_apis variables (defaults true). |
| infra/modules/google-workspace-dwd-connection/output.tf | Makes outputs compatible with optionally non-provisioned service accounts (null numeric id). |
| infra/modules/google-workspace-dwd-connection/main.tf | Conditionally skips SA/APIs; updates TODO content to handle manual SA flow. |
| infra/examples-dev/gcp/google-workspace-variables.tf | Updates settings-map description to list supported keys. |
| infra/examples-dev/aws/google-workspace-variables.tf | Updates settings-map description to list supported keys. |
| docs/sources/google-workspace/README.md | Documents disabling Terraform-managed API/SA/key provisioning via settings map and updates key-provisioning guidance. |
| id => templatefile("${path.module}/gcp-sa-create-todo.tftpl", { | ||
| gcp_project_id : var.gcp_project_id | ||
| connector_id : id | ||
| service_account_id : "${local.environment_id_prefix}${substr(id, 0, 30 - length(local.environment_id_prefix))}" |
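Review bot: the `service_account_id` computed on the last line of this hunk can yield an id that GCP rejects, and since this TODO tells the customer what to create by hand, it must match what the module later expects. `substr(id, 0, 30 - length(local.environment_id_prefix))` fails outright if the prefix is longer than 30 characters, a cut at exactly 30 can leave a trailing `-`, which the service account id format (`[a-z]([-a-z0-9]*[a-z0-9])?`, 6 to 30 characters) does not allow, and two connector ids that share their first characters after truncation silently map to the same account. Consider a `precondition` on the prefix length and a `trimsuffix(..., "-")` on the truncated value, and compute the id in one local used by both the TODO template and the module's own lookup so the two cannot drift.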
Comment on lines +111 to +121
| If your organization's policies don't allow Terraform to manage some or all of these GCP resources, you can still use our Terraform modules for the rest of your deployment and disable the parts you must do manually via `google_workspace_connector_settings` in your `terraform.tfvars`: | ||
|
|
||
| ```hcl | ||
| google_workspace_connector_settings = { | ||
| google_workspace_enable_apis = false | ||
| google_workspace_provision_service_accounts = false | ||
| google_workspace_provision_keys = false | ||
| } | ||
| ``` | ||
|
|
||
| When any of these are `false`, Terraform will skip creating the corresponding resources and instead emit TODO files (or `todos_1` outputs, if configured) with instructions to complete those steps outside of Terraform. |
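Review bot: the key names in the `hcl` example (`google_workspace_enable_apis`, `google_workspace_provision_service_accounts`, `google_workspace_provision_keys`) carry the `google_workspace_` prefix that the second commit in this PR drops (its message states the map keys are now `enable_apis`, `provision_keys`, etc., because the map scope already implies the prefix), so the README example should be updated to the final names. It would also help to state the default for each key (the per-file summary notes `provision_service_account` and `enable_apis` default to `true`) so readers know that omitting a key keeps Terraform provisioning that resource, and to say where the manually created service account id and key are then supplied back to the modules, since the TODO output alone does not close that loop.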
Comment on lines +111 to +112
| If your organization's policies don't allow Terraform to manage some or all of these GCP resources, you can still use our Terraform modules for the rest of your deployment and disable the parts you must do manually via `google_workspace_connector_settings` in your `terraform.tfvars`: | ||
|
|
Member
Author
resolve this by adding a setting to pass in the client id created outside terraform, and filling this value from that.
…s keys. Map scope already implies the prefix, so keys are now example_user, provision_keys, enable_apis, etc. Co-authored-by: Cursor <cursoragent@cursor.com>
aperez-worklytics
approved these changes
Jun 25, 2026
Features
Change implications
CHANGELOG.md to mention this new configuration option