:fire: Google Group Migration :fire:
Hi everyone,
As part of security tightening, CDE requires that any Google Group with access to our GCP org be defined in IaC. This will enable access audits in the future, because group creation/deletion and membership addition/deletion will have to go through IaC.
We at FinServ were updating ours this week, and thought we might as well update everyone else's in one shot. The migration essentially creates a new Google Group via IaC, named according to CDE’s convention.
Help required from you:
- Check whether your name appears in this sheet. If it does, you are either an owner of the existing Google Group, or that group has no owner and you’re one of its members. Put your name in column F as acknowledgement.
- Help check whether the new group name is semantically correct. If it isn’t, please comment in this thread rather than changing it directly in the sheet, so that I can adjust the PRs.
- Decide what kind of migration is required:
  - Delete: mark this if the old group is no longer required, so no migration is needed.
  - Migrate only: mark this if the old group is still required (such as for permission sharing for Google Drive files). If your group email is heavily used to share Gsheets, for example, this should be the safest option.
  - Migrate and delete: mark this if the old group can be fully migrated to the new one and can therefore be deleted after migration (this usually means the group is used purely as a proxy to grant access to individual email addresses).
- Approve the PR that affects you.
The PRs to apply these are split into 4:
Important notes:
- PRs are to be merged by Friday Feb 18th, 16:00.
- These PRs control the creation of the new groups and the removal of the previous Google Groups' access from GCP. They DO NOT remove the existing Google Groups.
- For hygiene purposes (so that we don’t have too many unused or redundant Google Groups lying around), if you choose “Delete” or “Migrate and delete” in step 3, make sure that you delete the groups yourselves.
- Since the original Google Groups will have their GCP access revoked through IaC, bear in mind that granting someone outside the data team access to GCP will have to be done through IaC moving forward. Adding them to the old groups will no longer do the trick.
Feel free to comment if there are questions.
:pray: