Lambda Function: Addition of Dry-Run, syncing of Suspended Users and Customer Precaching scope (#254)

ChrisPates · web-flow · commit 7ce70a44f8d7 · 2025-08-14T16:53:02.000+01:00
* Use IncludeDerivedMembership in group memberships

* Improve error messages

* Make handling of suspended user configurable

* Improve logging for precaching and group/user selection.

* Add Templates parameters

* Improve logging of EnvVars
diff --git a/cicd/account_execution/staging/stack.yml b/cicd/account_execution/staging/stack.yml
@@ -73,5 +73,7 @@ Resources:
             - '}}'
         SyncMethod: groups
         GoogleGroupMatch: !Ref GroupMatch
-        LogLevel: info
+        SyncSuspended: sync
+        PrecacheOrgUnits: '/Catering/,/Maintenance/Vending Machines'
+        LogLevel: debug
         LogFormat: json
diff --git a/cicd/build/package/buildspec.yml b/cicd/build/package/buildspec.yml
@@ -28,11 +28,11 @@ phases:
       # Create staging & release variants of the template.yaml
       - cp template.yaml staging.yaml
       - patch staging.yaml cicd/build/package/staging.patch
-      - sam package --no-progressbar --template-file staging.yaml --s3-bucket ${S3Bucket} --output-template-file packaged-staging.yaml
+      - sam package --force-upload --no-progressbar --template-file staging.yaml --s3-bucket ${S3Bucket} --output-template-file packaged-staging.yaml
 
       - cp template.yaml release.yaml
       - patch release.yaml cicd/build/package/release.patch
-      - sam package --no-progressbar --template-file release.yaml --s3-bucket ${S3Bucket} --output-template-file packaged-release.yaml
+      - sam package --force-upload --no-progressbar --template-file release.yaml --s3-bucket ${S3Bucket} --output-template-file packaged-release.yaml
 
       - ls packaged-staging.yaml
       - ls packaged-release.yaml
diff --git a/cicd/build/package/release.patch b/cicd/build/package/release.patch
@@ -1,7 +1,7 @@
---- template.yaml	2023-10-27 16:34:16
-+++ release.yaml	2023-10-27 16:34:37
-@@ -36,7 +36,7 @@
-           - ScheduleExpression
+--- ../../../template.yaml	2025-08-14 14:37:47
++++ release.yaml	2025-08-14 15:04:51
+@@ -45,7 +45,7 @@
+           - PrecacheOrgUnits
  
    AWS::ServerlessRepo::Application:
 -    Name: ssosync
diff --git a/cicd/build/package/staging.patch b/cicd/build/package/staging.patch
@@ -1,7 +1,7 @@
---- template.yaml	2023-10-30 14:21:20
-+++ staging.yaml	2023-10-30 14:21:59
-@@ -38,7 +38,7 @@
-           - ScheduleExpression
+--- ../../../template.yaml	2025-08-14 14:37:47
++++ staging.yaml	2025-08-14 15:04:41
+@@ -45,7 +45,7 @@
+           - PrecacheOrgUnits
  
    AWS::ServerlessRepo::Application:
 -    Name: ssosync
diff --git a/cicd/cloudformation/developer.yaml b/cicd/cloudformation/developer.yaml
@@ -612,6 +612,7 @@ Resources:
               - 'cloudformation:DeleteChangeSet'
               - 'cloudformation:DescribeChangeSet'
               - 'cloudformation:SetStackPolicy'
+              - 'cloudformation:DescribeStackEvents'
               Resource:
               - '*'
               Effect: Allow
diff --git a/cmd/root.go b/cmd/root.go
@@ -191,6 +191,12 @@ func initConfig() {
 	// config logger
 	logConfig(cfg)
 
+        if cfg.SyncSuspended {
+                cfg.UserFilter = " isArchived=false"
+        } else {
+                cfg.UserFilter = " isSuspended=false isArchived=false"
+        }
+
 }
 
 func configLambda() {
@@ -237,62 +243,66 @@ func configLambda() {
         unwrap = os.Getenv("LOG_LEVEL")
         if len([]rune(unwrap)) != 0 {
            cfg.LogLevel = unwrap
-	   log.WithField("LogLevel", unwrap).Debug("from EnvVar")
+	   log.WithField("LogLevel", unwrap).Info("from EnvVar")
         }
 
         unwrap = os.Getenv("LOG_FORMAT")
         if len([]rune(unwrap)) != 0 {
            cfg.LogFormat = unwrap
-	   log.WithField("LogFormay", unwrap).Debug("from EnvVar")
+	   log.WithField("LogFormat", unwrap).Info("from EnvVar")
         }
 
 	unwrap = os.Getenv("SYNC_METHOD")
         if len([]rune(unwrap)) != 0 {
            cfg.SyncMethod = unwrap
-	   log.WithField("SyncMethod", unwrap).Debug("from EnvVar")
+	   log.WithField("SyncMethod", unwrap).Info("from EnvVar")
         }
 
 	unwrap = os.Getenv("USER_MATCH")
         if len([]rune(unwrap)) != 0 {
 	   cfg.UserMatch = unwrap
-	   log.WithField("UserMatch", unwrap).Debug("from EnvVar")
+	   log.WithField("UserMatch", unwrap).Info("from EnvVar")
         }
 
 	unwrap = os.Getenv("GROUP_MATCH")
         if len([]rune(unwrap)) != 0 {
            cfg.GroupMatch = unwrap
-	   log.WithField("GroupMatch", unwrap).Debug("from EnvVar")
+	   log.WithField("GroupMatch", unwrap).Info("from EnvVar")
         }
 
         unwrap = os.Getenv("IGNORE_GROUPS")
         if len([]rune(unwrap)) != 0 {
            cfg.IgnoreGroups = strings.Split(unwrap, ",")
-	   log.WithField("IgnoreGroups", unwrap).Debug("from EnvVar")
+	   log.WithField("IgnoreGroups", unwrap).Info("from EnvVar")
         }
 
         unwrap = os.Getenv("IGNORE_USERS")
         if len([]rune(unwrap)) != 0 {
            cfg.IgnoreUsers = strings.Split(unwrap, ",")
-	   log.WithField("IgnoreUsers", unwrap).Debug("from EnvVar")
+	   log.WithField("IgnoreUsers", unwrap).Info("from EnvVar")
         }
 
         unwrap = os.Getenv("INCLUDE_GROUPS")
         if len([]rune(unwrap)) != 0 {
            cfg.IncludeGroups = strings.Split(unwrap, ",")
-	   log.WithField("IncludeGroups", unwrap).Debug("from EnvVar")
+	   log.WithField("IncludeGroups", unwrap).Info("from EnvVar")
         }
 
-        unwrap = os.Getenv("PRECACHE_QUERIES")
+        unwrap = os.Getenv("PRECACHE_ORG_UNITS")
         if len([]rune(unwrap)) != 0 {
-           cfg.PrecacheQueries = unwrap
-           log.WithField("PrecacheQueries", unwrap).Debug("from EnvVar")
-        }
+           cfg.PrecacheOrgUnits = strings.Split(unwrap, ",")
+           log.WithField("PrecacheOrgUnits", unwrap).Info("from EnvVar")
+	}
 
 	unwrap = os.Getenv("DRY_RUN")
-        if len([]rune(unwrap)) != 0 {
-	   cfg.DryRun = strings.ToLower(unwrap) == "true"
-	   log.WithField("DryRun", unwrap).Debug("from EnvVar")
-	}
+	log.WithField("DRY_RUN", unwrap).Info("EnvVar")
+	cfg.DryRun = strings.ToLower(unwrap) == "true"
+	log.WithField("DryRun", cfg.DryRun).Info("config")
+
+        unwrap = os.Getenv("SYNC_SUSPENDED")
+        log.WithField("SYNC_SUSPENDED", unwrap).Info("EnvVar")
+        cfg.SyncSuspended = strings.ToLower(unwrap) == "true"
+        log.WithField("SyncSuspended", cfg.SyncSuspended).Info("config")
 }
 
 func addFlags(cmd *cobra.Command, cfg *config.Config) {
@@ -301,6 +311,7 @@ func addFlags(cmd *cobra.Command, cfg *config.Config) {
 	rootCmd.PersistentFlags().StringVarP(&cfg.LogFormat, "log-format", "", config.DefaultLogFormat, "log format")
 	rootCmd.PersistentFlags().StringVarP(&cfg.LogLevel, "log-level", "", config.DefaultLogLevel, "log level")
 	rootCmd.PersistentFlags().BoolVarP(&cfg.DryRun, "dry-run", "n", false, "Do *not* perform any actions, instead list what would happen")
+        rootCmd.PersistentFlags().BoolVarP(&cfg.SyncSuspended, "suspended", "", config.DefaultSyncSuspended, "included suspended users and their group memberships when syncing")
 	rootCmd.Flags().StringVarP(&cfg.SCIMAccessToken, "access-token", "t", "", "AWS SSO SCIM API Access Token")
 	rootCmd.Flags().StringVarP(&cfg.SCIMEndpoint, "endpoint", "e", "", "AWS SSO SCIM API Endpoint")
 	rootCmd.Flags().StringVarP(&cfg.GoogleCredentials, "google-credentials", "c", config.DefaultGoogleCredentials, "path to Google Workspace credentials file")
@@ -309,11 +320,12 @@ func addFlags(cmd *cobra.Command, cfg *config.Config) {
 	rootCmd.Flags().StringSliceVar(&cfg.IgnoreGroups, "ignore-groups", []string{}, "ignores these Google Workspace groups")
 	rootCmd.Flags().StringSliceVar(&cfg.IncludeGroups, "include-groups", []string{}, "include only these Google Workspace groups, NOTE: only works when --sync-method 'users_groups'")
 	rootCmd.Flags().StringVarP(&cfg.UserMatch, "user-match", "m", "", "Google Workspace Users filter query parameter, example: 'name:John*' 'name=John Doe,email:admin*', to sync all users in the directory specify '*'. For query syntax and more examples see: https://developers.google.com/admin-sdk/directory/v1/guides/search-users")
-	rootCmd.Flags().StringVarP(&cfg.GroupMatch, "group-match", "g", "*", "Google Workspace Groups filter query parameter, example: 'name:Admin*' 'name=Admins,email:aws-*', to sync all groups (and their member users) specify '*'. For query syntax and more examples see: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups")
+	rootCmd.Flags().StringVarP(&cfg.GroupMatch, "group-match", "g", "*", "Google Workspace Groups filter query parameter, example: 'name:Admin*' 'name=AWS-Admins,email:aws*', to sync all groups (and their member users) specify '*'. For query syntax and more examples see: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups")
 	rootCmd.Flags().StringVarP(&cfg.SyncMethod, "sync-method", "s", config.DefaultSyncMethod, "Sync method to use (users_groups|groups)")
 	rootCmd.Flags().StringVarP(&cfg.Region, "region", "r", "", "AWS Region where AWS SSO is enabled")
 	rootCmd.Flags().StringVarP(&cfg.IdentityStoreID, "identity-store-id", "i", "", "Identifier of Identity Store in AWS SSO")
-	rootCmd.Flags().StringVarP(&cfg.PrecacheQueries, "precache-queries", "p", config.DefaultPrecacheQueries, "Google Workspace Users filter queries parameter, example: 'OrgUnitPath=/ isSuspend=false isArchived=false', to precache all users within that Org Unit Path. For query syntax and more examples see: https://developers.google.com/admin-sdk/directory/v1/guides/search-users. To disable and use caching on the fly, 'DISABLED'.")
+	rootCmd.Flags().StringSliceVar(&cfg.PrecacheOrgUnits, "precache-ous", strings.Split(config.DefaultPrecacheOrgUnits, ","), "A common separated list of Google Workspace OrgUnitPathis e.g.'/', to precache all users within the organization or '/OU_1/OU 2,/OU3'. To disable and use caching on the fly, 'DISABLED'.")
+
 }
 
 func logConfig(cfg *config.Config) {
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -38,9 +38,13 @@ type Config struct {
 	// IdentityStoreID is the ID of the identity store
 	IdentityStoreID string `mapstructure:"identity_store_id"`
 	// Precaching queries as a comma separated list of query strings
-	PrecacheQueries string
+	PrecacheOrgUnits []string
 	// DryRun flag, when set to true, no change will be made in the Identity Store
 	DryRun bool
+	// sync suspended user, if true suspended user and their group memberships are sync'd into IAM Identity Center
+	SyncSuspended bool
+	// User filter string
+	UserFilter string
 }
 
 const (
@@ -54,8 +58,10 @@ const (
 	DefaultGoogleCredentials = "credentials.json"
 	// DefaultSyncMethod is the default sync method to use.
 	DefaultSyncMethod = "groups"
-	// DefaultPrecacheQueries
-	DefaultPrecacheQueries = "OrgUnitPath=/ isSuspended=false isArchived=false"
+	// DefaultPrecacheOrgUnits
+	DefaultPrecacheOrgUnits = "/"
+	// DefaultSyncSuspended
+	DefaultSyncSuspended = false
 )
 
 // New returns a new Config
diff --git a/internal/google/client.go b/internal/google/client.go
@@ -27,7 +27,7 @@ import (
 
 // Client is the Interface for the Client
 type Client interface {
-	GetUsers(string) ([]*admin.User, error)
+	GetUsers(string, string) ([]*admin.User, error)
 	GetDeletedUsers() ([]*admin.User, error)
 	GetGroups(string) ([]*admin.Group, error)
 	GetGroupMembers(*admin.Group) ([]*admin.Member, error)
@@ -84,7 +84,7 @@ func (c *client) GetGroupMembers(g *admin.Group) ([]*admin.Member, error) {
 	m := make([]*admin.Member, 0)
 	var err error
 
-	err = c.service.Members.List(g.Id).Pages(context.TODO(), func(members *admin.Members) error {
+	err = c.service.Members.List(g.Id).IncludeDerivedMembership(true).Pages(context.TODO(), func(members *admin.Members) error {
 		if err != nil {
 			return err
 		}
@@ -108,7 +108,7 @@ func (c *client) GetGroupMembers(g *admin.Group) ([]*admin.Member, error) {
 //  manager='janesmith@example.com'
 //  orgName=Engineering orgTitle:Manager
 //  EmploymentData.projects:'GeneGnomes'
-func (c *client) GetUsers(query string) ([]*admin.User, error) {
+func (c *client) GetUsers(query string, filter string) ([]*admin.User, error) {
 	u := make([]*admin.User, 0)
 	var err error
 
@@ -119,7 +119,7 @@ func (c *client) GetUsers(query string) ([]*admin.User, error) {
 
 	// If we have wildcard then fetch all users
 	if query == "*" {
-		err = c.service.Users.List().Customer("my_customer").Pages(c.ctx, func(users *admin.Users) error {
+		err = c.service.Users.List().Query(filter).Customer("my_customer").Pages(c.ctx, func(users *admin.Users) error {
 			if err != nil {
 				return err
 			}
@@ -133,7 +133,7 @@ func (c *client) GetUsers(query string) ([]*admin.User, error) {
 
 		// Then call the api one query at a time, appending to our list
 		for _, subQuery := range queries {
-			err = c.service.Users.List().Query(subQuery).Customer("my_customer").Pages(c.ctx, func(users *admin.Users) error {
+			err = c.service.Users.List().Query(subQuery + filter).Customer("my_customer").Pages(c.ctx, func(users *admin.Users) error {
 				if err != nil {
 					return err
 				}
diff --git a/internal/sync.go b/internal/sync.go
diff --git a/template.yaml b/template.yaml
