Merge branch 'awslabs:master' into feat/google_workload_identity_fede…

…ration
awslabs · Oct 26, 2023 · fb03a9e · fb03a9e
2 parents aed4518 + 315e85d
commit fb03a9e
Show file tree

Hide file tree

Showing 11 changed files with 96 additions and 40 deletions.
diff --git a/.gitignore b/.gitignore
@@ -34,3 +34,4 @@ ssosync
 # Noise from os/editors
 .DS_Store
 *.swp
+*/.DS_Store
diff --git a/Makefile b/Makefile
@@ -20,6 +20,10 @@ go-build:
 clean:
 	rm -f $(OUTPUT) $(PACKAGED_TEMPLATE)
 
+build-SSOSyncFunction:
+	GOOS=linux GOARCH=arm64 go build -o bootstrap main.go
+	cp ./bootstrap $(ARTIFACTS_DIR)/.
+
 .PHONY: install
 install:
 	go get ./...

diff --git a/cicd/build/build/buildspec.yml b/cicd/build/build/buildspec.yml
@@ -63,8 +63,8 @@ phases:
       # Tweak the .goreleaser.yml so it uses the vairables from .Env
       - patch .goreleaser.yml cicd/build/build/goreleaser.patch
 
-      # Make main but only for the lambda (linux amd64)
-      - goreleaser build --snapshot --rm-dist --single-target
+      # Make main 
+      - goreleaser build --snapshot --clean
 
 
       # Check we've packaged something useful
@@ -74,3 +74,4 @@ artifacts:
   files:
     - ${APP_NAME}
     - dist/**/*
+
diff --git a/cicd/build/build/goreleaser.patch b/cicd/build/build/goreleaser.patch
@@ -1,8 +1,21 @@
---- .goreleaser.yml	2022-06-15 08:38:24.000000000 +0100
-+++ .goreleaser-codebuild.yml	2022-06-21 12:33:43.000000000 +0100
-@@ -22,7 +22,7 @@
-     - goos: windows
-       goarch: 386
+--- .goreleaser.yml.default	2023-10-25 11:30:58
++++ .goreleaser.yml	2023-10-25 11:32:18
+@@ -9,20 +9,11 @@
+     - CGO_ENABLED=0
+   goos:
+     - linux
+-    - darwin
+-    - windows
+   goarch:
+-    - 386
+     - amd64
+-    - arm
+     - arm64
+-  ignore:
+-    - goos: darwin
+-      goarch: 386
+-    - goos: windows
+-      goarch: 386
    ldflags:
 -     - -s -w -X github.com/awslabs/ssosync/cmd.version={{.Version}} -X github.com/awslabs/ssosync/cmd.commit={{.Commit}} -X github.com/awslabs/ssosync/cmd.date={{.Date}} -X github.com/awslabs/ssosync/cmd.builtBy=goreleaser
 +     - -s -w -X github.com/awslabs/ssosync/cmd.version={{.Env.GitTag}} -X github.com/awslabs/ssosync/cmd.commit={{.Env.GitCommit}} -X github.com/awslabs/ssosync/cmd.date={{.Date}} -X github.com/awslabs/ssosync/cmd.builtBy=goreleaser -X github.com/awslabs/ssosync/cmd.goversion={{.Env.GoVersion}}

diff --git a/cicd/build/package/buildspec.yml b/cicd/build/package/buildspec.yml
@@ -14,10 +14,12 @@ phases:
       # Check that the files need to package exist
       - ls README.md
       - ls SAR.md
-      - ls dist/ssosync_linux_amd64_v1/ssosync
+      - ls dist/ssosync_linux_arm64/ssosync
+      - ls dist/ssosync_linux_amd64_v1/ssosync 
 
       # Check that the executable works
       - ./dist/ssosync_linux_amd64_v1/ssosync --version 
+      - mv dist/ssosync_linux_arm64/ssosync bootstrap
 
   build:
     commands:

diff --git a/cicd/build/package/release.patch b/cicd/build/package/release.patch
@@ -1,5 +1,5 @@
---- template.yaml	2022-11-29 16:56:21.000000000 +0000
-+++ release.yaml	2022-11-29 17:11:58.000000000 +0000
+--- template.yaml	2023-10-25 09:44:33
++++ release.yaml	2023-10-25 16:02:21
 @@ -27,7 +27,7 @@
            - IncludeGroups
 
@@ -9,29 +9,37 @@
      Description: Helping you populate AWS SSO directly with your Google Apps users.
      Author: Sebastian Doell
      SpdxLicenseId: Apache-2.0
-@@ -107,7 +107,7 @@
-       Ignore these Google Workspace users
+@@ -111,7 +111,7 @@
+     Default: 'none'
    IncludeGroups:
      Type: String
 -    Description: |
 +    Description: | 
        Include only these Google Workspace groups. (Only applicable for SyncMethod user_groups)
+     Default: '*'
    SyncMethod:
-     Type: String
-@@ -116,9 +116,9 @@
+@@ -121,16 +121,16 @@
      AllowedValues:
        - groups
        - users_groups
--
--
--
 +      
 +      
 +      
 
+-
+-
+-
  Resources:
    SSOSyncFunction:
-@@ -156,8 +156,6 @@
+     Type: AWS::Serverless::Function
+     Properties:
+       Runtime: provided.al2
+-      Handler: dist/ssosync_linux_arm64/ssosync
++      Handler: bootstrap
+       Architectures:
+         - arm64
+       Timeout: 300
+@@ -163,8 +163,6 @@
                  - !Ref AWSSCIMAccessTokenSecret
                  - !Ref AWSRegionSecret
                  - !Ref AWSIdentityStoreIDSecret
@@ -40,3 +48,12 @@
              - Sid: IdentityStoreAccesPolicy
                Effect: Allow
                Action:
+@@ -187,8 +185,6 @@
+           Properties:
+             Enabled: true
+             Schedule: !Ref ScheduleExpression
+-    Metadata:
+-      BuildMethod: makefile
+
+   AWSGoogleCredentialsSecret:
+     Type: "AWS::SecretsManager::Secret"
diff --git a/cicd/build/package/staging.patch b/cicd/build/package/staging.patch
@@ -1,5 +1,5 @@
---- template.yaml	2022-11-29 16:56:21.000000000 +0000
-+++ staging.yaml	2022-11-29 17:10:47.000000000 +0000
+--- template.yaml	2023-10-25 09:44:33
++++ staging.yaml	2023-10-25 16:02:07
 @@ -27,7 +27,7 @@
            - IncludeGroups
 
@@ -9,35 +9,38 @@
      Description: Helping you populate AWS SSO directly with your Google Apps users.
      Author: Sebastian Doell
      SpdxLicenseId: Apache-2.0
-@@ -107,7 +107,7 @@
-       Ignore these Google Workspace users
+@@ -111,7 +111,7 @@
+     Default: 'none'
    IncludeGroups:
      Type: String
 -    Description: |
 +    Description: | 
        Include only these Google Workspace groups. (Only applicable for SyncMethod user_groups)
+     Default: '*'
    SyncMethod:
-     Type: String
-@@ -116,14 +116,15 @@
+@@ -121,16 +121,17 @@
      AllowedValues:
        - groups
        - users_groups
--
--
--
 +      
 +      
 +      
 
+-
+-
+-
  Resources:
    SSOSyncFunction:
      Type: AWS::Serverless::Function
      Properties:
 +      FunctionName: SSOSyncFunction
-       Runtime: go1.x
-       Handler: dist/ssosync_linux_amd64_v1/ssosync
+       Runtime: provided.al2
+-      Handler: dist/ssosync_linux_arm64/ssosync
++      Handler: bootstrap
+       Architectures:
+         - arm64
        Timeout: 300
-@@ -156,8 +157,6 @@
+@@ -163,8 +164,6 @@
                  - !Ref AWSSCIMAccessTokenSecret
                  - !Ref AWSRegionSecret
                  - !Ref AWSIdentityStoreIDSecret
@@ -46,8 +49,8 @@
              - Sid: IdentityStoreAccesPolicy
                Effect: Allow
                Action:
-@@ -172,13 +171,13 @@
-                 - "identitystore:DeleteGroupMembership"
+@@ -180,16 +179,14 @@
+                 - "identitystore:DeleteGroup"
                Resource:
                  - "*"
 -      Events:
@@ -57,17 +60,20 @@
 -          Properties:
 -            Enabled: true
 -            Schedule: !Ref ScheduleExpression
-+
+-    Metadata:
+-      BuildMethod: makefile
+
 +            - Sid: CodePipelinePolicy
 +              Effect: Allow
 +              Action:
 +                - codepipeline:PutJobSuccessResult
 +                - codepipeline:PutJobFailureResult
 +              Resource: "*"
- 
++
    AWSGoogleCredentialsSecret:
      Type: "AWS::SecretsManager::Secret"
-@@ -215,3 +214,10 @@
+     Properties:
+@@ -225,3 +222,10 @@
      Properties:
        Name: SSOSyncIdentityStoreID
        SecretString: !Ref IdentityStoreID

diff --git a/cicd/cloudformation/developer.yaml b/cicd/cloudformation/developer.yaml
@@ -260,7 +260,7 @@ Resources:
                 Capabilities: CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND
                 StackName: SmokeTest
                 RoleArn: !GetAtt [CloudFormationDeployerRole, Arn]
-                TemplateConfiguration: !Sub 'Tests::deploy/params.json'
+                TemplateConfiguration: !Sub 'Tests::deploy/developer.json'
                 TemplatePath: !Sub 'Tests::deploy/stack.yml'
               InputArtifacts:
                 - Name: Tests

diff --git a/cicd/staging/build/buildspec.yml b/cicd/staging/build/buildspec.yml
@@ -49,7 +49,15 @@ phases:
       - mkdir deploy
       - cp cicd/staging/build/stack.yml ./deploy/
 
-      # Update params with the values for this run for the management
+      # Update params with the values for this run for a developer account
+      - |
+        jq -n \
+        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GroupMatch\": \"name:AWS*\"}" \
+        --argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
+        '$ARGS.named' > ./deploy/developer.json
+      - cat ./deploy/developer.json
+
+      # Update params with the values for this run for the management account
       - |
         jq -n \
         --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GroupMatch\": \"name:Man*\"}" \

diff --git a/cmd/root.go b/cmd/root.go
@@ -136,7 +136,7 @@ func Handler(ctx context.Context, event events.CodePipelineEvent) (string, error
 func init() {
 	// init config
 	cfg = config.New()
-	cfg.IsLambda = len(os.Getenv("_LAMBDA_SERVER_PORT")) > 0
+	cfg.IsLambda = len(os.Getenv("AWS_LAMBDA_FUNCTION_NAME")) > 0
 
 	// initialize cobra
 	cobra.OnInitialize(initConfig)

diff --git a/template.yaml b/template.yaml
@@ -132,8 +132,10 @@ Resources:
   SSOSyncFunction:
     Type: AWS::Serverless::Function
     Properties:
-      Runtime: go1.x
-      Handler: dist/ssosync_linux_amd64_v1/ssosync
+      Runtime: provided.al2
+      Handler: dist/ssosync_linux_arm64/ssosync
+      Architectures:
+        - arm64
       Timeout: 300
       Environment:
         Variables:
@@ -160,6 +162,8 @@ Resources:
           Properties:
             Enabled: true
             Schedule: !Ref ScheduleExpression
+    Metadata:
+      BuildMethod: makefile
 
 
   SSOSyncFunctionRole: