awslabs
diff --git a/‎.github/workflows/main.yml‎
Lines changed: 13 additions & 16 deletions b/‎.github/workflows/main.yml‎
Lines changed: 13 additions & 16 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 30 additions & 16 deletions b/‎.github/workflows/release.yml‎
Lines changed: 30 additions & 16 deletions
diff --git a/‎.gitignore‎
Lines changed: 11 additions & 2 deletions b/‎.gitignore‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎.goreleaser.yml‎
Lines changed: 52 additions & 27 deletions b/‎.goreleaser.yml‎
Lines changed: 52 additions & 27 deletions
diff --git a/‎.kiro/steering/product.md‎
Lines changed: 27 additions & 0 deletions b/‎.kiro/steering/product.md‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎.kiro/steering/structure.md‎
Lines changed: 66 additions & 0 deletions b/‎.kiro/steering/structure.md‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎.kiro/steering/tech.md‎
Lines changed: 72 additions & 0 deletions b/‎.kiro/steering/tech.md‎
Lines changed: 72 additions & 0 deletions
@@ -15,25 +15,22 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
+      - name: Check out code
+        uses: actions/checkout@v4
 
-      - name: Setup go
+      - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.23.x'
+          go-version: '1.24.x'
 
-      - name: Install staticcheck
-        run: go install honnef.co/go/tools/cmd/staticcheck@latest
-
-      - name: Run staticcheck
-        run: staticcheck ./...
+      - name: Cache development tools
+        uses: actions/cache@v4
+        with:
+          path: .bin
+          key: ${{ runner.os }}-tools-${{ hashFiles('Makefile') }}
+          restore-keys: |
+            ${{ runner.os }}-tools-
 
-      - name: Install golint
-        run: go install golang.org/x/lint/golint@latest
+      - name: Run tests and linters
+        run: make ci
 
-      - name: Run golint
-        run: golint ./...
-      
-      - name: Run Tests
-        run: go test -cover -p 1 -race -v ./...
@@ -10,22 +10,31 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - name: Check out code into the Go module directory
+      - name: Check out code
         uses: actions/checkout@v4
 
-      - name: Setup go
+      - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.23.x'
+          go-version: '1.24.x'
 
-      - name: Install staticcheck
-        run: go install honnef.co/go/tools/cmd/staticcheck@latest
-
-      - name: Run staticcheck
-        run: staticcheck ./...
+      - name: Cache development tools
+        uses: actions/cache@v4
+        with:
+          path: .bin
+          key: ${{ runner.os }}-tools-${{ hashFiles('Makefile') }}
+          restore-keys: |
+            ${{ runner.os }}-tools-
 
-      - name: Run Tests
-        run: go test -p 1 -cover -race -v ./...
+      - name: Run CI pipeline
+        run: make test-coverage
+        
+      - name: Upload coverage HTML report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage.html
+          retention-days: 30
 
   release:
     runs-on: ubuntu-latest
@@ -40,12 +49,17 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.23.x'
-          
-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+          go-version: '1.24.x'
+
+      - name: Cache development tools
+        uses: actions/cache@v4
         with:
-          version: latest
-          args: release --clean
+          path: .bin
+          key: ${{ runner.os }}-tools-${{ hashFiles('Makefile') }}
+          restore-keys: |
+            ${{ runner.os }}-tools-
+          
+      - name: Create release
+        run: make release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -34,12 +34,21 @@ ssosync
 # Noise from os/editors
 .DS_Store
 *.swp
-*/.DS_Store
-cicd/.DS_Store
 release.yaml
 staging.yaml
 *.orig
 *.rej
 cicd/.DS_Store
 *.swo
 cicd/.DS_Store
+mocks_*.go
+.bin/
+out/
+dist/
+bin/
+node_modules/
+coverage/
+coverage.out
+.pnpm-store
+.secrets.json
+google-service-account.json
@@ -1,38 +1,61 @@
-# .goreleaser.yml
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
 project_name: ssosync
+version: 2
 
 before:
   hooks:
     - go mod download
+gomod:
+  env:
+    - GOPROXY=direct
 builds:
-- env:
-    - CGO_ENABLED=0
-  goos:
-    - linux
-    - darwin
-    - windows
-  goarch:
-    - 386
-    - amd64
-    - arm
-    - arm64
-  ignore:
-    - goos: darwin
-      goarch: 386
-    - goos: windows
-      goarch: 386
-  ldflags:
-     - -s -w -X github.com/awslabs/ssosync/cmd.version={{.Version}} -X github.com/awslabs/ssosync/cmd.commit={{.Commit}} -X github.com/awslabs/ssosync/cmd.date={{.Date}} -X github.com/awslabs/ssosync/cmd.builtBy=goreleaser
+  - id: ssosync
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - "386"
+      - amd64
+      - arm
+      - arm64
+    goarm64:
+      - v8.0
+    goamd64:
+      - v1
+    goarm:
+      - "6"
+    ignore:
+      - goos: darwin
+        goarch: "386"
+      - goos: windows
+        goarch: "386"
+    flags:
+      - -trimpath
+    ldflags:
+      - -s -w -X github.com/awslabs/ssosync/cmd.version={{.Version}} -X github.com/awslabs/ssosync/cmd.commit={{.FullCommit}} -X github.com/awslabs/ssosync/cmd.date={{.Date}} -X github.com/awslabs/ssosync/cmd.builtBy=goreleaser
+
+upx:
+  - enabled: true
+    ids: [ssosync]
+    goos: [linux]
+    goarch: [arm, arm64, amd64]
+    compress: best
+    lzma: true
+    binary: .bin/upx
+
 checksum:
-  name_template: '{{ .ProjectName }}_checksums.txt'
+  name_template: "{{ .ProjectName }}_checksums.txt"
 changelog:
   sort: asc
   filters:
     exclude:
-    - '^docs:'
-    - '^test:'
-    - Merge pull request
-    - Merge branch
+      - "^docs:"
+      - "^test:"
+      - Merge pull request
+      - Merge branch
 archives:
   - name_template: >-
       {{- .ProjectName }}_
@@ -42,6 +65,8 @@ archives:
       {{- else }}{{ .Arch }}{{ end }}
       {{- if .Arm }}v{{ .Arm }}{{ end -}}
     format_overrides:
-    - goos: windows
-      format: zip
-
+      - goos: windows
+        formats:
+          - zip
+snapshot:
+  version_template: "{{ incpatch .Version }}-{{ .ShortCommit }}"
@@ -0,0 +1,27 @@
+# Product Overview
+
+SSO Sync is a CLI tool and AWS Lambda function that synchronizes Google Workspace (formerly G Suite) users and groups to AWS IAM Identity Center (formerly AWS SSO). 
+
+## Purpose
+- Enables automatic provisioning of Google Workspace users and groups into AWS SSO
+- Provides uni-directional sync from Google Workspace to AWS
+- Supports both CLI execution and serverless Lambda deployment
+- Handles user lifecycle management (create, update, delete, suspend)
+
+## Key Features
+- Two sync methods: `groups` (default) and `users_groups` 
+- Flexible filtering with Google API query parameters
+- Support for ignoring specific users/groups
+- Dry-run capability for testing
+- Cross-account deployment patterns
+- Integration with AWS CodePipeline
+- Comprehensive logging and error handling
+
+## Deployment Options
+- Local CLI execution
+- AWS Lambda via Serverless Application Repository
+- AWS SAM deployment
+- Multiple CloudFormation deployment patterns (app+secrets, app-only, cross-account)
+
+## Target Users
+Organizations using Google Workspace as their identity provider who want to centrally manage AWS access through IAM Identity Center.
@@ -0,0 +1,66 @@
+# Project Structure
+
+## Root Level
+- `main.go` - Application entry point
+- `go.mod/go.sum` - Go module dependencies
+- `Makefile` - Build automation and common tasks
+- `template.yaml` - AWS SAM CloudFormation template
+- `.goreleaser.yml` - Cross-platform build configuration
+
+## Core Application (`cmd/`)
+- `cmd/root.go` - Cobra CLI setup, Lambda handler, and configuration initialization
+- Contains version information and command-line flag definitions
+
+## Internal Packages (`internal/`)
+
+### `internal/aws/`
+- AWS-specific client implementations
+- `client.go` - SCIM API client for AWS SSO
+- `client_dry.go` - Dry-run implementation for testing
+- `users.go`, `groups.go` - User and group management logic
+- `schema.go` - SCIM schema definitions
+- `mock/` - Mock implementations for testing
+
+### `internal/config/`
+- `config.go` - Configuration structure and defaults
+- `secrets.go` - AWS Secrets Manager integration
+
+### `internal/google/`
+- `client.go` - Google Workspace Directory API client
+
+### `internal/mocks/`
+- Generated mock interfaces for testing
+
+### Root `internal/`
+- `sync.go` - Core synchronization logic and orchestration
+- `sync_test.go` - Synchronization tests
+
+## CI/CD (`cicd/`)
+- `build/` - Build pipeline configurations
+- `cloudformation/` - Infrastructure templates
+- `deploy_patterns/` - Different deployment configurations
+- `release/` - Release automation
+- `tests/` - Integration and end-to-end tests
+
+## Conventions
+
+### Package Organization
+- `internal/` for private packages not intended for external use
+- Service-specific packages (`aws/`, `google/`) for API integrations
+- Separate test files alongside implementation files
+
+### Naming Patterns
+- Interface types end with `Client` or `API`
+- Mock implementations prefixed with `Mock`
+- Test files use `_test.go` suffix
+- Dry-run implementations use `_dry.go` suffix
+
+### Configuration
+- Environment variables use `SSOSYNC_` prefix
+- Configuration struct in `internal/config/config.go`
+- Secrets handled separately from regular config
+
+### Error Handling
+- Custom error types in service packages
+- Structured logging with contextual fields
+- Graceful degradation for non-critical failures
@@ -0,0 +1,72 @@
+# Technology Stack
+
+## Language & Runtime
+- **Go 1.17+** - Primary programming language
+- **AWS Lambda Runtime**: `provided.al2` on ARM64 architecture
+- Cross-platform support (Linux, macOS, Windows)
+
+## Key Dependencies
+- **AWS SDK Go v2** - AWS service interactions
+- **Google Admin SDK** - Google Workspace API access
+- **Cobra** - CLI framework and command handling
+- **Viper** - Configuration management
+- **Logrus** - Structured logging
+- **GoMock** - Testing and mocking
+
+## AWS Services
+- **IAM Identity Center** (Identity Store API) - User/group management
+- **AWS Lambda** - Serverless execution
+- **AWS Secrets Manager** - Credential storage
+- **AWS KMS** - Secret encryption
+- **CloudWatch Events** - Scheduled execution
+
+## Build System & Tools
+- **Make** - Build automation
+- **GoReleaser** - Cross-platform binary releases
+- **AWS SAM** - Serverless application deployment
+- **CloudFormation** - Infrastructure as Code
+
+## Common Commands
+
+### Development
+```bash
+# Install dependencies
+make install
+
+# Build locally
+make go-build
+
+# Run tests
+make test
+
+# Clean build artifacts
+make clean
+```
+
+### Lambda Development
+```bash
+# Build for Lambda
+make lambda
+
+# Package for deployment
+make package
+
+# Deploy with SAM
+sam build
+sam deploy --guided
+```
+
+### Release
+```bash
+# Create release binaries
+goreleaser build --snapshot --rm-dist
+
+# Validate CloudFormation template
+aws cloudformation validate-template --template-body file://template.yaml
+```
+
+## Configuration
+- Environment variables with `SSOSYNC_` prefix
+- AWS credentials via standard AWS credential chain
+- Google service account JSON credentials
+- Supports both file-based and AWS Secrets Manager configuration