Introduce Google Workspace module

Co-Authored-By: Bryan Black <bryan.black@agilebits.com>
Co-Authored-By: Scott Lougheed <scott@scottlougheed.com>

beta/aws-terraform-gw/README.md

@@ -0,0 +1,6 @@
+# 1Password SCIM bridge Google Workspace module
+
+This is an initial beta release of a Terraform module to manage the configuration required to support automated provisioning with Google Workspace. This module:
+- Creates AWS secrets to store the Google Workspace config
+- Creates an IAM policy to read the secrets and attaches it to the role passed into the module
+- Outputs a list of `secrets` objects to append to the SCIM bridge container definition

beta/aws-terraform-gw/main.tf

@@ -0,0 +1,56 @@
+locals {
+  # Define secret reference list
+  secrets = [
+    {
+      name      = "OP_WORKSPACE_CREDENTIALS"
+      valueFrom = aws_secretsmanager_secret.workspace_credentials.arn
+    },
+    {
+      name      = "OP_WORKSPACE_SETTINGS",
+      valueFrom = aws_secretsmanager_secret.workspace_settings.arn,
+    },
+  ]
+}
+
+# Construct an IAM policy document
+data "aws_iam_policy_document" "this" {
+  statement {
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+
+    resources = [
+      aws_secretsmanager_secret.workspace_settings.arn,
+      aws_secretsmanager_secret.workspace_credentials.arn,
+    ]
+  }
+}
+
+# Create a policy from the document and attach it to the IAM role
+resource "aws_iam_role_policy" "this" {
+  name_prefix = var.name_prefix
+  policy      = data.aws_iam_policy_document.this.json
+  role        = var.iam_role.name
+}
+
+resource "aws_secretsmanager_secret" "workspace_settings" {
+  name_prefix = var.name_prefix
+
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "workspace_settings" {
+  secret_id     = aws_secretsmanager_secret.workspace_settings.id
+  secret_string = var.enabled ? filebase64("${path.root}/workspace-settings.json") : null
+}
+
+resource "aws_secretsmanager_secret" "workspace_credentials" {
+  name_prefix = var.name_prefix
+
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "workspace_credentials" {
+  secret_id     = aws_secretsmanager_secret.workspace_credentials.id
+  secret_string = var.enabled ? filebase64("${path.root}/workspace-credentials.json") : null
+}

beta/aws-terraform-gw/outputs.tf

@@ -0,0 +1,4 @@
+output "secrets" {
+  description = "Google Workspace secret references to append to container definition environment."
+  value       = local.secrets
+}

beta/aws-terraform-gw/variables.tf

@@ -0,0 +1,21 @@
+variable "name_prefix" {
+  type        = string
+  description = "A common prefix to apply to the names of all AWS resources."
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "A set of tags to apply to all respective AWS resources."
+}
+
+variable "iam_role" {
+  type = object({
+    name = string
+  })
+  description = "The IAM role to which the policy to read the Google Workspace credentials should be attached."
+}
+
+variable "enabled" {
+  type        = bool
+  description = "Whether or not the module is enabled."
+}