awslabs / ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Apache License 2.0
528 stars, 182 forks

Option to avoid deleting AWS groups that are missing in Google #220

Closed. dancorne closed this 3 weeks ago

dancorne commented 4 weeks ago

Is your feature request related to a problem? Please describe. We use the users_groups sync method to sync from Google to Identity Centre. The main reason for this is we have Identity Centre groups created directly in AWS, and membership is handled purely in AWS-hosted systems. The default groups sync method would delete these as they aren't present in Google.

Describe the solution you'd like It would be useful to be able to skip deleting groups in the groups method, based on some naming pattern that can be configured, e.g. a regex env variable SKIP_GROUP_DELETE=aws-group.*

Describe alternatives you've considered We've been running the users_groups method for a while with INCLUDE_GROUPS which currently works. However, we'd like to use the groups method as it appears to be more efficient (users_groups runs close to the 15min limit for us) and better supported (I don't think the nested group fix made it into the users_groups method, for example).

Additional context
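To make the proposal concrete, here is an added illustration (not code from ssosync, and not the project's own API) of how a SKIP_GROUP_DELETE regex could protect AWS-side groups during the delete step: the group-name slices, the groupsToDelete function and the sample data are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// groupsToDelete returns the AWS-side groups that are absent from Google and
// whose names do NOT match skipPattern (a hypothetical SKIP_GROUP_DELETE value).
// An empty pattern protects nothing, i.e. the current "groups" sync behaviour.
func groupsToDelete(awsGroups, googleGroups []string, skipPattern string) ([]string, error) {
	var skip *regexp.Regexp
	if skipPattern != "" {
		// Anchor the pattern so "aws-group.*" cannot match in the middle of a name.
		re, err := regexp.Compile("^(?:" + skipPattern + ")$")
		if err != nil {
			return nil, fmt.Errorf("invalid SKIP_GROUP_DELETE pattern: %w", err)
		}
		skip = re
	}
	inGoogle := make(map[string]bool, len(googleGroups))
	for _, g := range googleGroups {
		inGoogle[g] = true
	}
	var out []string
	for _, g := range awsGroups {
		if inGoogle[g] {
			continue // still present in Google: nothing to delete
		}
		if skip != nil && skip.MatchString(g) {
			continue // matches the protection pattern: managed on the AWS side, keep it
		}
		out = append(out, g)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed sample data: four AWS groups, one of which also exists in Google.
	aws := []string{"engineering", "aws-group-admins", "legacy-team", "aws-group-readonly"}
	google := []string{"engineering", "sales"}
	del, err := groupsToDelete(aws, google, "aws-group.*")
	fmt.Println(del, err) // [legacy-team] <nil>
}
```

Only legacy-team is scheduled for deletion: the two aws-group-* groups are absent from Google but protected by the pattern, and a malformed pattern fails closed with an error rather than deleting anything.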

ChrisPates commented 4 weeks ago

This is a variation on an existing feature request; I'll merge them.

The good news is this feature is being worked on shortly; however, it has some dependencies such as improving the group match logic and embedding the Google GUIDs into the AWS groups, so we can really be sure about which groups were created manually on the AWS side.

Strictly speaking this is an anti-pattern to SCIM replication best practice, but it's been so heavily requested we're looking at it.

Kind regards,

Chris

dancorne commented 3 weeks ago

Thanks! Sorry, had missed that issue when opening this one, I'll close this off and subscribe to that one.

Strictly speaking this is an anti-pattern to SCIM replication best practice

We'd considered this, but it seemed more complicated than necessary to have AWS-built systems authenticate back to Google to update Google directories that then need to sync back to AWS (with a delay because we need to schedule the Lambda).

FWIW it's worked well so far: the Google team can manage the directory and the AWS team can handle permissions for AWS, by assigning permission sets to existing groups and managing membership for AWS-specific groups. Theoretically the AWS team should probably manage things in Google, but that means managing systems outside of AWS which is more friction 😄