This repository has been archived by the owner on Dec 25, 2020. It is now read-only.

[Sprint 4] Write a Google Script that commits data from our production data spreadsheet to our repository. #32

Open
5 of 6 tasks
ondrae opened this issue Mar 6, 2020 · 5 comments

@ondrae
Contributor

ondrae commented Mar 6, 2020

What:
Write a Google Script that commits data from our production data spreadsheet to our repository.

How:

  • Write the script. Look at examples of other Google Scripts doing similar things. This one is in use by the Fedramp team. There are others also.
  • Ensure the script is version controlled in our repo.
  • Ensure the script is running in Google Scripts.
  • Set the script to run on every edit in the spreadsheet.
  • There is a quick security review that has to get approved too.

Why:

  • Our partners want to have Google Spreadsheet as the interface to their data for the PII Inventory.
  • Google Scripts has an existing ATO. Adding new scripts doesn't need a new ATO. It's a compliance hack to get data into our repo.

Acceptance:

  • We have a working script that is making regular commits to our repository on every edit in the spreadsheet.
@ondrae ondrae changed the title Write a Google Script that commits data from our production data spreadsheet to our repository. [Sprint 4] Write a Google Script that commits data from our production data spreadsheet to our repository. Mar 6, 2020
@ondrae
Contributor Author

ondrae commented Mar 9, 2020

The Fedramp gscript uses a GitHub personal access token. Is that okay?
Here is another example setting up a GitHub app that does the committing instead of a personal token.

I've asked the author of the Fedramp code for their advice.

@peterrowland peterrowland self-assigned this Mar 11, 2020
@peterrowland
Collaborator

peterrowland commented Mar 13, 2020

We did some testing of script ownership and permissions.

Adding the @OnlyCurrentDoc to the script restricts its permissions to access only the spreadsheet that it is installed in.

If we store an access token needed to communicate with GH in another spreadsheet, restricting permissions to a single sheet might prevent us from being able to access it.

Whoever runs the script needs to grant it permissions - currently it must be re-authorized frequently and is triggering Cloud Lock restrictions. Hopefully this will change if we get the application white-listed.
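The following is an added example sketch, not the Fedramp team's script or this project's own code, of how the script described in the issue body (commit the sheet to the repo on every edit) can be written so that the permission concerns raised in this comment are handled: the `@OnlyCurrentDoc` annotation limits the script to the spreadsheet it lives in, and the GitHub token is read from Script Properties rather than from a second spreadsheet, so the single-sheet restriction does not block it. The `CONFIG` values, the `GITHUB_TOKEN` property name, the CSV file path and the commit message are assumed placeholders. The sheet-to-CSV and request-body helpers are kept free of Apps Script globals so they can be unit-tested outside Google.

```javascript
/**
 * @OnlyCurrentDoc
 * Added example sketch (not the project's script): commit the active sheet
 * to a GitHub repository as CSV whenever the spreadsheet is edited.
 */

// ---- Pure helpers (no Apps Script globals, testable in Node) ----

// Turn a 2-D array of cell values into CSV text, quoting cells that
// contain commas, quotes or line breaks (RFC 4180 style).
function toCsv(rows) {
  return rows.map(function (row) {
    return row.map(function (cell) {
      var s = cell === null || cell === undefined ? '' : String(cell);
      return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
    }).join(',');
  }).join('\n') + '\n';
}

// Build the JSON body for GitHub's PUT /repos/{owner}/{repo}/contents/{path}.
// The base64 encoder is injected so the same function runs in Apps Script
// (Utilities.base64Encode) and in Node (Buffer).
function buildContentsPayload(csvText, message, branch, existingSha, encodeBase64) {
  var payload = { message: message, content: encodeBase64(csvText), branch: branch };
  if (existingSha) payload.sha = existingSha; // required when updating an existing file
  return payload;
}

// Refuse to run with a missing or placeholder token instead of sending it to GitHub.
function requireToken(value) {
  if (!value || /^<.*>$/.test(value)) {
    throw new Error('GITHUB_TOKEN script property is not set');
  }
  return value;
}

// ---- Apps Script glue (only meaningful inside Google Apps Script) ----

// Assumed placeholders: fill in for the real repository.
var CONFIG = { owner: '<org>', repo: '<repo>', path: 'data/pii-inventory.csv', branch: 'main' };

function getGitHubToken_() {
  // Script Properties are not a spreadsheet, so @OnlyCurrentDoc does not
  // restrict access to them; they are readable by the script's editors only.
  return requireToken(PropertiesService.getScriptProperties().getProperty('GITHUB_TOKEN'));
}

function githubRequest_(method, url, token, payload) {
  var options = {
    method: method,
    headers: { Authorization: 'token ' + token, Accept: 'application/vnd.github.v3+json' },
    contentType: 'application/json',
    muteHttpExceptions: true, // inspect the status code ourselves
  };
  if (payload) options.payload = JSON.stringify(payload);
  return UrlFetchApp.fetch(url, options);
}

// Target of an installable "on edit" trigger. A simple onEdit() cannot be
// used because simple triggers are not allowed to call UrlFetchApp.
function commitSheetOnEdit(e) {
  var token = getGitHubToken_();
  var sheet = SpreadsheetApp.getActiveSpreadsheet().getActiveSheet();
  var csv = toCsv(sheet.getDataRange().getValues());
  var url = 'https://api.github.com/repos/' + CONFIG.owner + '/' + CONFIG.repo +
    '/contents/' + CONFIG.path;

  // Look up the current blob SHA; a 404 means the file does not exist yet.
  var head = githubRequest_('get', url + '?ref=' + CONFIG.branch, token, null);
  var sha = head.getResponseCode() === 200 ? JSON.parse(head.getContentText()).sha : null;

  var payload = buildContentsPayload(csv, 'Update from spreadsheet edit', CONFIG.branch, sha,
    function (s) { return Utilities.base64Encode(s, Utilities.Charset.UTF_8); });
  var res = githubRequest_('put', url, token, payload);
  if (res.getResponseCode() >= 300) {
    throw new Error('GitHub commit failed: ' + res.getContentText());
  }
}
```

To wire it up, store the token under the `GITHUB_TOKEN` script property and install `commitSheetOnEdit` as an "on edit" trigger from the Apps Script editor. Because Script Properties are visible to anyone who can edit the script, keep the script's editor list short, and give the token only the contents permission on the one target repository. The helper functions can be exercised locally before deployment; for instance `toCsv` and `buildContentsPayload` can be checked in Node with `Buffer.from(s, 'utf8').toString('base64')` supplied as the encoder.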

@peterrowland
Collaborator

We learned that white-listing this will authorize the script itself to run, regardless of the person running it. This should mean that we can get it whitelisted and anyone can use it.

@peterrowland
Collaborator

Submitted request for a security review.

@peterrowland
Collaborator

peterrowland commented Mar 23, 2020

Followed up with cloudlock to confirm that they had received our request. They confirmed they had it in their queue and it was up for review.
