Implemented sync method to allows the sync of groups and its members

.github/workflows/main.yml

@@ -27,9 +27,9 @@ jobs:
         run: GOBIN=$PWD/bin go install honnef.co/go/tools/cmd/staticcheck && ./bin/staticcheck ./...
 
       - name: Run Linting
-        uses: golangci/golangci-lint-action@v1
+        uses: golangci/golangci-lint-action@v2
         with:
-          version: v1.27
+          version: v1.33.0
 
       - name: Run Tests
         run: go test -cover -p 1 -race -v ./...

.gitignore

@@ -24,3 +24,6 @@ packaged.yaml
 # IDE
 .idea/
 .vscode/
+
+# SAM
+.aws-sam/

README.md

@@ -98,24 +98,25 @@ Usage:
 The default for ssosync is to run through the sync.
 
 ```text
-A command line tool to enable you to synchronise your Google
-Apps (G-Suite) users to AWS Single Sign-on (AWS SSO)
-Complete documentation is available at https://github.com/awslabs/ssosync
+A command line tool to enable you to synchronise your GoogleApps (G-Suite) users to AWS Single Sign-on (AWS SSO)Complete documentation is available at https://github.com/awslabs/ssosync
 
 Usage:
   ssosync [flags]
 
 Flags:
-  -t, --access-token string         SCIM Access Token
-  -d, --debug                       Enable verbose / debug logging
-  -e, --endpoint string             SCIM Endpoint
-  -u, --google-admin string         Google Admin Email
-  -c, --google-credentials string   set the path to find credentials for Google (default "credentials.json")
+  -t, --access-token string         AWS SCIM Access Token
+  -d, --debug                       enable verbose / debug logging
+  -e, --endpoint string             AWS SCIM Endpoint
+  -u, --google-admin string         Google admin user email
+  -c, --google-credentials string   path to find credentials file for Google (default "credentials.json")
+  -g, --group-match string          Google groups query parameter, example: 'name:Admin* email:aws-*', see: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
   -h, --help                        help for ssosync
-      --ignore-groups strings       ignores these groups
-      --ignore-users strings        ignores these users
+      --ignore-groups strings       ignores these Google groups
+      --ignore-users strings        ignores these Google users
       --log-format string           log format (default "text")
-      --log-level string            log level (default "warn")
+      --log-level string            log level (default "info")
+  -s, --sync-method string          Select the sync method to use (users_groups|groups) (default "groups")
+  -m, --user-match string           Google users query parameter, example: 'name:John* email:admin*', see: https://developers.google.com/admin-sdk/directory/v1/guides/search-users
   -v, --version                     version for ssosync
 ```
 
@@ -153,6 +154,22 @@ Specify an Amazon S3 Bucket for the upload with `export S3_BUCKET=<YOUR_BUCKET>`
 
 Execute `make package` in the console. Which will package and upload the function to the bucket. You can then use the `packaged.yaml` to configure and deploy the stack in [AWS CloudFormation Console](https://console.aws.amazon.com/cloudformation).
 
+### Example
+
+Build
+
+```bash
+aws cloudformation validate-template --template-body  file://template.yaml 1>/dev/null &&
+sam validate &&
+sam build
+```
+
+Deploy
+
+```bash
+sam deploy --guided
+```
+
 ## License
 
 [Apache-2.0](/LICENSE)

cmd/root.go

@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+// Package cmd ...
 package cmd
 
 import (
@@ -95,7 +96,21 @@ func initConfig() {
 	viper.SetEnvPrefix("ssosync")
 	viper.AutomaticEnv()
 
-	for _, e := range []string{"google_admin", "google_credentials", "scim_access_token", "scim_endpoint", "log_level", "log_format", "ignore_users", "ignore_groups"} {
+	appEnvVars := []string{
+		"google_admin",
+		"google_credentials",
+		"scim_access_token",
+		"scim_endpoint",
+		"log_level",
+		"log_format",
+		"ignore_users",
+		"ignore_groups",
+		"user_match",
+		"group_match",
+		"sync_method",
+	}
+
+	for _, e := range appEnvVars {
 		if err := viper.BindEnv(e); err != nil {
 			log.Fatalf(errors.Wrap(err, "cannot bind environment variable").Error())
 		}
@@ -144,17 +159,21 @@ func configLambda() {
 }
 
 func addFlags(cmd *cobra.Command, cfg *config.Config) {
-	rootCmd.PersistentFlags().StringVarP(&cfg.GoogleCredentials, "google-admin", "a", config.DefaultGoogleCredentials, "set the path to find credentials for Google")
-	rootCmd.PersistentFlags().BoolVarP(&cfg.Debug, "debug", "d", config.DefaultDebug, "Enable verbose / debug logging")
+	rootCmd.PersistentFlags().StringVarP(&cfg.GoogleCredentials, "google-admin", "a", config.DefaultGoogleCredentials, "path to find credentials file for Google")
+	rootCmd.PersistentFlags().BoolVarP(&cfg.Debug, "debug", "d", config.DefaultDebug, "enable verbose / debug logging")
 	rootCmd.PersistentFlags().StringVarP(&cfg.LogFormat, "log-format", "", config.DefaultLogFormat, "log format")
 	rootCmd.PersistentFlags().StringVarP(&cfg.LogLevel, "log-level", "", config.DefaultLogLevel, "log level")
-	rootCmd.Flags().StringVarP(&cfg.SCIMAccessToken, "access-token", "t", "", "SCIM Access Token")
-	rootCmd.Flags().StringVarP(&cfg.SCIMEndpoint, "endpoint", "e", "", "SCIM Endpoint")
-	rootCmd.Flags().StringVarP(&cfg.GoogleCredentials, "google-credentials", "c", config.DefaultGoogleCredentials, "set the path to find credentials for Google")
-	rootCmd.Flags().StringVarP(&cfg.GoogleAdmin, "google-admin", "u", "", "Google Admin Email")
-	rootCmd.Flags().StringSliceVar(&cfg.IgnoreUsers, "ignore-users", []string{}, "ignores these users")
-	rootCmd.Flags().StringSliceVar(&cfg.IgnoreGroups, "ignore-groups", []string{}, "ignores these groups")
-	rootCmd.Flags().StringVarP(&cfg.GroupMatch, "group-match", "g", ".*", "Regular expression matching groups to sync")
+
+	rootCmd.Flags().StringVarP(&cfg.SCIMAccessToken, "access-token", "t", "", "AWS SCIM Access Token")
+	rootCmd.Flags().StringVarP(&cfg.SCIMEndpoint, "endpoint", "e", "", "AWS SCIM Endpoint")
+	rootCmd.Flags().StringVarP(&cfg.GoogleCredentials, "google-credentials", "c", config.DefaultGoogleCredentials, "path to find credentials file for Google")
+	rootCmd.Flags().StringVarP(&cfg.GoogleAdmin, "google-admin", "u", "", "Google admin user email")
+	rootCmd.Flags().StringSliceVar(&cfg.IgnoreUsers, "ignore-users", []string{}, "ignores these Google users")
+	rootCmd.Flags().StringSliceVar(&cfg.IgnoreGroups, "ignore-groups", []string{}, "ignores these Google groups")
+
+	rootCmd.Flags().StringVarP(&cfg.UserMatch, "user-match", "m", "", "Google users query parameter, example: 'name:John* email:admin*', see: https://developers.google.com/admin-sdk/directory/v1/guides/search-users")
+	rootCmd.Flags().StringVarP(&cfg.GroupMatch, "group-match", "g", "", "Google groups query parameter, example: 'name:Admin* email:aws-*', see: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups")
+	rootCmd.Flags().StringVarP(&cfg.SyncMethod, "sync-method", "s", config.DefaultSyncMethod, "Select the sync method to use (users_groups|groups)")
 }
 
 func logConfig(cfg *config.Config) {

go.mod

@@ -1,24 +1,29 @@
 module github.com/awslabs/ssosync
 
-go 1.14
+go 1.16
 
 require (
 	github.com/BurntSushi/toml v0.3.1
-	github.com/aws/aws-lambda-go v1.17.0
-	github.com/aws/aws-sdk-go v1.33.7
-	github.com/golang/mock v1.4.3
-	github.com/golang/protobuf v1.4.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.6.7
+	github.com/aws/aws-lambda-go v1.23.0
+	github.com/aws/aws-sdk-go v1.38.6
+	github.com/fsnotify/fsnotify v1.4.9 // indirect
+	github.com/golang/mock v1.5.0
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.6.8
+	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/mitchellh/mapstructure v1.4.1 // indirect
+	github.com/pelletier/go-toml v1.8.1 // indirect
 	github.com/pkg/errors v0.9.1
-	github.com/sirupsen/logrus v1.2.0
-	github.com/spf13/cobra v1.0.0
-	github.com/spf13/viper v1.4.0
-	github.com/stretchr/testify v1.5.1
-	golang.org/x/net v0.0.0-20200505041828-1ed23360d12c // indirect
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 // indirect
-	google.golang.org/api v0.24.0
-	google.golang.org/appengine v1.6.6 // indirect
-	google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84 // indirect
-	google.golang.org/grpc v1.29.1 // indirect
+	github.com/sirupsen/logrus v1.8.1
+	github.com/spf13/afero v1.6.0 // indirect
+	github.com/spf13/cast v1.3.1 // indirect
+	github.com/spf13/cobra v1.1.3
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/viper v1.7.1
+	github.com/stretchr/testify v1.6.1
+	golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4 // indirect
+	golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84
+	golang.org/x/sys v0.0.0-20210324051608-47abb6519492 // indirect
+	google.golang.org/api v0.43.0
+	gopkg.in/ini.v1 v1.62.0 // indirect
 )