← All controls

62 Config-as-code with reconciliation

The tenant's security settings are kept as desired state in a reviewed git repository — GAM batch files, Policy API JSON — and a scheduled reconciler fetches live state, diffs it against the repo, and either reports or converges. A delta git did not author is either an outage or an intruder. The reconciler runs as a service account bound to a custom role scoped to exactly the settings it manages — never Super Admin for Admin SDK work. Policy API reads are the exception: only a super administrator can use the Cloud Identity Policy API, so that portion needs a separately scoped super-admin credential.

Caveats

Setup steps

  1. One repo, reviewed PRs, tagged releases
    the source of truth

    Policy API overview ↗

  2. open ↗ Account › Admin roles

    Custom role = only the privileges under management; never Super Admin

    Assign specific admin roles ↗ Create, edit, and delete custom admin roles ↗

  3. open ↗ Security › Access and data control › API controls › Manage Domain Wide Delegation

    DWD list: Admin SDK reconciler's client id = absent (it authenticates as itself with the role from step 2); Policy API reads use a separate super-admin DWD credential

    Control API access with domain-wide delegation ↗

  4. Mode = report-only first; converge only after a clean dry-run streak

    Listing and getting policies ↗

Ongoing maintenance

How to verify

  1. Run the reconciler in dry-run mode against the live tenant — zero diff means the code matches reality; any diff is either drift or an undocumented change.

v0.1.3Prevent policy #27 · #34, #32 ↗