Add config AwsGroupMatch to filter which AWS groups get compared #1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is potentially dangerous for the reason in the comment, but useful for our purposes and we just need something that works.
dancorne
pushed a commit
that referenced
this pull request
Nov 6, 2023
Add initial Dockerfile and skeleton for ssosync lambda
agnes-gajda
force-pushed
the
filter-aws-groups
branch
from
13ae30c
to
eafae9a
Compare
|
let's test this out in dev, tag: v100.100.100-local |
agnes-gajda
force-pushed
the
filter-aws-groups
branch
from
ecc2af1
to
09b1486
Compare
agnes-gajda
force-pushed
the
filter-aws-groups
branch
from
09b1486
to
fdf4510
Compare
|
Marking as a draft until this gets tested in dev. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We want to switch to the
groupssync method instead ofusers_groupsdue to the latter timing out after 15 minutes. Howevergroupswill delete any groups in AWS that aren't found in the Google query. By filtering which AWS groups we get, we can then ignore certain AWS groups from this process.For example, a Google query of
name:PREFIX-*will return all Google groups starting withPREFIX-. We can then set this new config option to^PREFIX.*which will only get AWS groups that match.Of course, this is pretty dangerous -- if you filter out AWS groups that match ones in Google then you're at risk of SSOSync attempting to recreate groups persistently and erroring. I initially attempted to adapt the Google
GroupMatchinto a string match for AWS groups, however this ended up potentially more precarious because the Google query can include multiple statements.