GoogleCloudPlatform
diff --git a/‎README.md‎
Lines changed: 23 additions & 21 deletions b/‎README.md‎
Lines changed: 23 additions & 21 deletions
diff --git a/‎images/basic_architecture.png‎
-3.85 KB b/‎images/basic_architecture.png‎
-3.85 KB
diff --git a/‎images/custom_architecture.png‎
-18.1 KB b/‎images/custom_architecture.png‎
-18.1 KB
diff --git a/‎images/custom_config.png‎
86.6 KB b/‎images/custom_config.png‎
86.6 KB
diff --git a/‎images/private_custom_config.png‎
60.3 KB b/‎images/private_custom_config.png‎
60.3 KB
diff --git a/‎images/private_ip_architecture.png‎
24.3 KB b/‎images/private_ip_architecture.png‎
24.3 KB
@@ -1,26 +1,26 @@
-# Cloud SQL IAM Database Authentication for Groups
+# GroupSync: Cloud SQL IAM Database Authentication for Groups
 **Note:** This project is experimental and is not an officially supported Google product.
 
-This project is a self-deployed service that provides support for managing [Cloud SQL IAM Database Authentication](https://cloud.google.com/sql/docs/mysql/authentication) for groups. This service leverages [Cloud Run](https://cloud.google.com/run), [Cloud Scheduler](https://cloud.google.com/scheduler), and the [Cloud SQL Python Connector](https://github.com/googlecloudplatform/cloud-sql-python-connector) to consistently update and sync Cloud SQL instances based on IAM groups. It will create missing database IAM users, GRANT roles to database IAM users based on their IAM groups, and REVOKE roles from database IAM users no longer in IAM groups.
+GroupSync is a self-deployed service that provides support for managing [Cloud SQL IAM Database Authentication](https://cloud.google.com/sql/docs/mysql/authentication) for groups. GroupSync leverages [Cloud Run](https://cloud.google.com/run), [Cloud Scheduler](https://cloud.google.com/scheduler), and the [Cloud SQL Python Connector](https://github.com/googlecloudplatform/cloud-sql-python-connector) to consistently update and sync Cloud SQL instances based on IAM groups. It will create missing database IAM users, GRANT roles to database IAM users based on their IAM groups, and REVOKE roles from database IAM users no longer in IAM groups.
 
 ## Supported Databases
 Currently only the following databases are supported:
 - **MySQL 8.0**
 - **PostgreSQL 13, 12, 11, 10, 9.6**
 
 ## Overview
-The Cloud SQL IAM Database Authentication for Groups service at an overview is made of Cloud Scheduler Job(s) and Cloud Run instance(s). 
+The GroupSync service at an overview is made of Cloud Scheduler Job(s) and Cloud Run instance(s). 
 
-The Cloud Scheduler Job(s) are configured to run on the interval of your choosing (every 10 mins, 1 hour, daily etc.) When ran, the Cloud Scheduler calls the IAM Database Authentication for Groups Cloud Run service, passing in the configured request body from the scheduler, which contains parameters that tell the service which IAM groups and which Cloud SQL instances to sync and manage. 
+The Cloud Scheduler Job(s) are configured to run on the interval of your choosing (every 10 mins, 1 hour, daily etc.) When ran, the Cloud Scheduler calls a GroupSync Cloud Run service, passing in the configured request body from the scheduler, which contains parameters that tell the service which IAM groups and which Cloud SQL instances to sync and manage. 
 
 <p align="center"><img src="images/basic_architecture.png" width="640"></p>
 
 The Cloud Run service calls the required Google APIs to get a snapshot of the current IAM group(s) members and the current Cloud SQL instance(s) database users, it then adds any new IAM members who have been added to the IAM group since the last sync as an IAM database user on the corresponding Cloud SQL instances. The Cloud Run service then also verifies or creates a database role within each configured database for each configured IAM group. Mapping each IAM group to a database role, the service can then GRANT/REVOKE this group role with the appropriate database permissions for the IAM group to all the proper IAM database users who are missing it or should not have it based on the members of the IAM group.
 
-<p align="center"><img src="images/service_overview.png" width="640"></p>
+<p align="center"><img src="images/service_overview.png" width="700"></p>
 
 ## Deployment
-There are a few initial setups steps to get the service ready and grant it the permissions needed in order to successfully operate. However, after this setup is complete, minimal configuration is needed in the future.
+There are a few initial setups steps to get the GroupSync service ready and grant it the permissions needed in order to successfully operate. However, after this setup is complete, minimal configuration is needed in the future.
 
 ### Installation
 To run this service successfully, please clone this repository to an environment that thas the Google Cloud SDK installed and initialized. [(Install and initialize the Cloud SDK)](https://cloud.google.com/sdk/docs/install)
@@ -44,15 +44,15 @@ gcloud config set project <PROJECT_ID>
 ```
 
 ### Enabling APIs
-This service requires enabling the following Cloud APIs for a successful deployment and lifecycle.
+GroupSync requires enabling the following Cloud APIs for a successful deployment and lifecycle.
  - [Cloud Run API](https://console.cloud.google.com/apis/api/run.googleapis.com/overview)
  - [Cloud Scheduler API](https://console.cloud.google.com/apis/api/cloudscheduler.googleapis.com/overview)
  - [Cloud Build API](https://console.cloud.google.com/apis/api/cloudbuild.googleapis.com/overview)
  - [Cloud SQL Admin API](https://console.cloud.google.com/apis/api/sqladmin.googleapis.com/overview)
  - [Admin SDK API](https://console.cloud.google.com/apis/api/admin.googleapis.com/overview)
  - [IAM Service Account Credentials API](https://console.cloud.google.com/apis/api/iamcredentials.googleapis.com/overview)
 
- **Note:** If planning to use service with a Cloud SQL instance that has a Private IP, the following additional APIs need to be enabled. 
+ **Note:** If planning to use GroupSync with a Cloud SQL instance that has a Private IP, the following additional APIs need to be enabled. 
  - [Serverless VPC Access API](https://console.cloud.google.com/apis/api/vpcaccess.googleapis.com)
  - [Service Networking API](https://console.cloud.google.com/apis/api/servicenetworking.googleapis.com/overview)
 
@@ -71,9 +71,9 @@ This service requires enabling the following Cloud APIs for a successful deploym
  ```
 
 ### Creating the Service Account
-A service account must be created and granted the proper IAM permissions in order for the service to have appropriate credentials and permissions to access APIs, IAM groups and database users.
+A service account must be created and granted the proper IAM permissions in order for the GroupSync service to have appropriate credentials and permissions to access APIs, IAM groups and database users.
 
-The following commands will create a service account and grant it the proper IAM roles and permissions for the service to run successfully.
+The following commands will create a service account and grant it the proper IAM roles and permissions for the GroupSync service to run successfully.
 
 Replace the following values:
 - `SERVICE_ACCOUNT_ID`: The ID (name) for the service account.
@@ -113,7 +113,7 @@ gcloud projects add-iam-policy-binding <PROJECT_ID> \
 ```
 
 #### Assigning Group Administrator Role to Service Account
-To properly allow read-access of an organization's IAM group members (i.e. which IAM users belong within a specific IAM group) within the service, we need to assign the Google Workspace Group Administrator Role to the service account created above. This will allow the service account to properly call the [List Members Discovery API](https://developers.google.com/admin-sdk/directory/reference/rest/v1/members/list) to keep track of the IAM members being managed through this service.
+To properly allow read-access of an organization's IAM group members (i.e. which IAM users belong within a specific IAM group) within the GroupSync service, we need to assign the Google Workspace Group Administrator Role to the service account created above. This will allow the service account to properly call the [List Members Discovery API](https://developers.google.com/admin-sdk/directory/reference/rest/v1/members/list) to keep track of the IAM members being managed through this service.
 
 To assign the Group Administator Role to the service account follow these four quick steps. ([How to Assign Group Administrator Role](https://cloud.google.com/identity/docs/how-to/setup#auth-no-dwd))
 
@@ -135,10 +135,10 @@ gcloud projects add-iam-policy-binding <PROJECT_ID> \
 **NOTE**: The above command is required for each IAM group and the binding is added at the project level. Therefore, if an IAM group is being synced with Cloud SQL instances across several different projects, the command will need to be run for each project.
 
 ### Configuring Cloud SQL Instances
-This service requires Cloud SQL instances to be already created and to have the `cloudsql_iam_authentication` flag turned **On**. [(See how to enable flag here.)](https://cloud.google.com/sql/docs/mysql/create-edit-iam-instances)
+GroupSync requires Cloud SQL instances to be already created and to have the `cloudsql_iam_authentication` flag turned **On**. [(See how to enable flag here.)](https://cloud.google.com/sql/docs/mysql/create-edit-iam-instances)
 
 #### Create a database user for service
-To properly manage the database users on each Cloud SQL instance that is configured with the service, the service needs to GRANT/REVOKE database users the proper role(s) corresponding to their IAM group(s). This is achieved by creating an IAM database authenticated service account user on each instance using the service account previously created. This will allow the service account to authenticate to the instance(s) while running the service through the [Cloud SQL Python Connector](https://github.com/GoogleCloudPlatform/cloud-sql-python-connector).
+To properly manage the database users on each Cloud SQL instance that is configured with GroupSync, the service needs to GRANT/REVOKE database users the proper role(s) corresponding to their IAM group(s). This is achieved by creating an IAM database authenticated service account user on each instance using the service account previously created. This will allow the service account to authenticate to the instance(s) while running the GroupSync service through the [Cloud SQL Python Connector](https://github.com/GoogleCloudPlatform/cloud-sql-python-connector).
 
 Add the service account as an IAM authenticated database user on each Cloud SQL instance that needs managing through IAM groups. Can be done both manually through the Google Cloud Console or through the following `gcloud` command.
 
@@ -152,7 +152,7 @@ gcloud sql users create <SERVICE_ACCOUNT_EMAIL> \
 ```
 
 #### Granting Database Permissions to the Service Account's Database User
-For the service to run smoothly it needs the IAM service account database user to be granted several permissions on all Cloud SQL instances that the user was added to above. This allows for the service to read usernames of other database users and GRANT/REVOKE the group role(s) appropriately.
+For GroupSync to run smoothly it needs the IAM service account database user to be granted several permissions on all Cloud SQL instances that the user was added to above. This allows for the GroupSync service to read usernames of other database users and GRANT/REVOKE the group role(s) appropriately.
 
 Connect to all Cloud SQL instances in question with an admin user or another database user with appropriate permissions for the following commands. ([Connecting to an Instance](https://cloud.google.com/sql/docs/mysql/connect-overview))
 
@@ -239,7 +239,7 @@ There is an additional optional parameter `"log_level"` for the JSON payload whi
 It is recommended to save your JSON payload as a `.json` file (ex. "config.json").
 
 ### Creating a Cloud Scheduler Job
-An example command creating a Cloud Scheduler job to run the IAM database authentication service for IAM groups and Cloud SQL instances can be seen below.
+An example command creating a Cloud Scheduler job to call the Cloud Run service to sync IAM groups and Cloud SQL instances can be seen below.
 
 **NOTE:** If error occurs mentioning "...does not contain App Engine application", simply run `gcloud app create` and try running command again.
 
@@ -274,7 +274,7 @@ The Cloud Run service maps each IAM group configured in the JSON payload into a
 The name of the mapped IAM group database role is the email of the IAM group without everything after and including the **"@"** sign of the IAM group email. 
 (Ex. IAM group with email "example-group@test.com", would map to a database role **"example-group"** on each Cloud SQL instance it is configured with.)
 
-The service verifies that a group role exists or creates one on the database if it does not exist. It is recommended to configure the Cloud Scheduler job(s) and after having it triggered **at least** once, have a Database Administrator or project admin verify the creation of the group roles and **GRANT** the group roles the appropriate privileges on each Cloud SQL instance that should be inherited by database users of those IAM groups on all consecutive Cloud Scheduler runs. 
+The Cloud Run service verifies that a group role exists or creates one on the database if it does not exist. It is recommended to configure the Cloud Scheduler job(s) and after having it triggered **at least** once, have a Database Administrator or project admin verify the creation of the group roles and **GRANT** the group roles the appropriate privileges on each Cloud SQL instance that should be inherited by database users of those IAM groups on all consecutive Cloud Scheduler runs. 
 
 To verify the creation of group roles after Cloud Scheduler has triggered at least once, the following command can be run for **MySQL** instances (**PostgreSQL** instances require connecting to the database to verify):
 
@@ -285,17 +285,19 @@ gcloud sql users list --instance=<INSTANCE_NAME>
 ```
 The above command should return a list of all database users on the configured instance, with the **new** group role(s) showing up within the list.
 
-**NOTE:** It is up to a Database Administrator or project admin to configure the proper privileges on each group role. The service will then be able to grant or revoke each group role with privileges to the proper database users.
+**NOTE:** It is up to a Database Administrator or project admin to configure the proper privileges on each group role. GroupSync will then be able to grant or revoke each group role with privileges to the proper database users.
 
 ## Running Service with Private IP Cloud SQL Connections
-This service does work for Private IP database connections however, there are some additional configurations needed and some limitations to mention.
+GroupSync does work for Private IP database connections however, there are some additional configurations needed and some limitations to mention.
 
-To run this service with Private IP, first make sure all Cloud SQL instances that are going to be connected to have a Private IP address configured. ([Configure Private IP for Cloud SQL](https://cloud.google.com/sql/docs/mysql/configure-private-ip))
+To run the GroupSync service with Private IP, first make sure all Cloud SQL instances that are going to be connected to have a Private IP address configured. ([Configure Private IP for Cloud SQL](https://cloud.google.com/sql/docs/mysql/configure-private-ip))
 
 Private IP Cloud SQL instance(s) should be connected to a [VPC Network](https://cloud.google.com/vpc/docs/using-vpc) which can be accessed securely via Cloud Run using [Serverless VPC Access](https://console.cloud.google.com/networking/connectors) which creates a VPC Connector.
 
 Thie VPC Connector can be attached to the Cloud Run service previously created to allow Private IP connections to the Cloud SQL instances on the **same VPC Network**.
 
+<p align="center"><img src="images/private_ip_architecture.png" width="640"></p>
+
 Update the Cloud Run service with a VPC Connector.
 
 Replace the following values:
@@ -311,11 +313,11 @@ Multiple different Cloud Scheduler and Cloud Run configurations can be configure
 
 A Cloud Scheduler job maps which IAM group(s) and hence which IAM users to manage permissions for any given Cloud SQL instance(s). When configuring a Cloud Scheduler job, all IAM groups listed in the JSON body will be mapped to all Cloud SQL instances in the JSON body. Therefore, for custom configurations where certain IAM groups need to be mapped to one instance, and other IAM groups to a different Cloud SQL instance, the solution is to deploy multiple Cloud Scheduler jobs.
 
-<p align="center"><img src="images/custom_architecture.png" width="640"></p>
+<p align="center"><img src="images/custom_config.png" width="700"></p>
 
 A single Cloud Run service can be used for multiple Cloud Scheduler jobs across an organization's different Google Cloud projects as long as they allow Public IP connections.
 
 ### Private IP Configurations
 **NOTE:** For custom configurations with Private IP connections, multiple Cloud Run services may be required. Since Private IP configurations require the Cloud Run service and Cloud SQL instances to be connected to the same VPC network, thus for different projects with different VPC networks, a different Cloud Run service will be needed for each.
 
-<p align="center"><img src="images/private_ip_architecture.png" width="640"></p>
+<p align="center"><img src="images/private_custom_config.png" width="640"></p>