forked from awslabs/ssosync
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathtemplate.yaml
320 lines (304 loc) · 12.8 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: AWS IAM Identity Center (Successor to AWS Single Sign-On)
Parameters:
- SCIMEndpointUrl
- SCIMEndpointAccessToken
- Region
- IdentityStoreID
- Label:
default: Google Workspace Credentials
Parameters:
- GoogleAdminEmail
- GoogleCredentials
- Label:
default: Sync Configuration
Parameters:
- SyncMethod
- GoogleUserMatch
- GoogleGroupMatch
- IgnoreUsers
- IgnoreGroups
- Label:
default: "Configuration options for users_groups Mode only"
Parameters:
- IncludeGroups
- Label:
default: "Lambda Configuration"
Parameters:
- FunctionName
- LogLevel
- LogFormat
- TimeOut
- ScheduleExpression
AWS::ServerlessRepo::Application:
Name: ssosync
Description: Helping you populate AWS SSO directly with your Google Apps users.
Author: Sebastian Doell
SpdxLicenseId: Apache-2.0
# paths are relative to .aws-sam/build directory
LicenseUrl: LICENSE
ReadmeUrl: SAR.md
Labels: [serverless, sso, lambda, scim]
HomePageUrl: https://github.com/awslabs/ssosync
# Update the semantic version and run sam publish to publish a new version of your app
SemanticVersion: 1.0.0-rc.10
# best practice is to use git tags for each release and link to the version tag as your source code URL
SourceCodeUrl: https://github.com/awslabs/ssosync/
Parameters:
FunctionName:
Type: String
Description: Specify the Function you want to us for this deployment, leave empty for default behaviour.
AllowedPattern: '(?!.*\s)|[a-zA-Z0-9-_]{1,140}'
ScheduleExpression:
Type: String
Description: Schedule for trigger the execution of ssosync (see CloudWatch schedule expressions)
Default: rate(15 minutes)
AllowedPattern: '(?!.*\s)|rate\(\d{1,3} (minutes|hours|days)\)|(cron\((([0-9]|[1-5][0-9]|60)|\d\/([0-9]|[1-5][0-9]|60)|\*) (([0-9]|[1][0-9]|[2][0-3])|(\d\/([0-9]|[1][0-9]|[2][0-3]))|(([0-9]|[1][0-9]|[2][0-3])-([0-9]|[1][0-9]|[2][0-3]))|\*) (([1-9]|[1-2][0-9]|[3][0-1])|\d\/([1-9]|[1-2][0-9]|[3][0-1])|[1-5]W|L|\*|\?) (([1-9]|[1][1-2])|(JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)|((JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV)-(FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC))|(JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV)(,(FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)){0,11}|\d\/([0-9]|[1][0-2])|\?|\*) ((MON|TUE|WED|THU|FRI|SAT|SUN)|(MON|TUE|WED|THU|FRI|SAT)-(TUE|WED|THU|FRI|SAT|SUN)|(MON|TUE|WED|THU|FRI|SAT)(,(TUE|WED|THU|FRI|SAT|SUN)){0,6}|[1-7]L|[1-7]#[1-5]|\?|\*) ((19[7-9][0-9]|2[0-1]\d\d)|(19[7-9][0-9]|2[0-1]\d\d)-(19[7-9][0-9]|2[0-1]\d\d)|(19[7-9][0-9]|2[0-1]\d\d)(,(19[7-9][0-9]|2[0-1]\d\d))*|\*)\))'
LogLevel:
Type: String
Description: Log level for Lambda function logging
Default: warn
AllowedValues:
- panic
- fatal
- error
- warn
- info
- debug
- trace
LogFormat:
Type: String
Description: Log format for Lambda function logging
Default: json
AllowedValues:
- json
- text
LogRetention:
Type: String
Description: Number of days to retain Logs for, leave empty to retain them indefinitely
Default: ""
AllowedPattern: '(?!.*\s)|/d'
TimeOut:
Type: Number
Description: Timeout for the Lambda function
Default: 300
MinValue: 1
MaxValue: 900
GoogleCredentials:
Type: String
Description: |
Credentials to log into Google (content of credentials.json)
ConstraintDescription: |
You should save this information when following this setup https://developers.google.com/admin-sdk/directory/v1/guides/delegation
NoEcho: true
GoogleAdminEmail:
Type: String
Description: |
Google Admin email
ConstraintDescription: |
This is a use with admin authority on your Google Directory, you will have used this when following this setup https://developers.google.com/admin-sdk/directory/v1/guides/delegation
NoEcho: true
SCIMEndpointUrl:
Type: String
Description: |
AWS IAM Identity Center - SCIM Endpoint Url
AllowedPattern: "https://scim.(us(-gov)?|ap|ca|cn|eu|sa)-(central|(north|south)?(east|west)?)-([0-9]{1}).amazonaws.com/(.*)-([a-z0-9]{4})-([a-z0-9]{4})-([a-z0-9]{12})/scim/v2/"
ConstraintDescription: |
You should save this information when following this setup https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html
NoEcho: true
SCIMEndpointAccessToken:
Type: String
Description: |
AWS IAM Identity Center - SCIM AccessToken
ConstraintDescription: |
You should save this information when following this setup https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html
NoEcho: true
Region:
Type: String
Description: |
AWS Region where AWS IAM Identity Center is enabled
ConstraintDescription: |
You can find this value on the settings page of the IAM Identity Center console page
AllowedPattern: '(us(-gov)?|ap|ca|cn|eu|sa)-(central|(north|south)?(east|west)?)-\d'
IdentityStoreID:
Type: String
Description: |
Identifier of Identity Store in AWS IAM Identity Center
ConstraintDescription: |
You can find this value on the settings page of the IAM Identity Center console page
NoEcho: true
AllowedPattern: 'd-[1-z0-9]{10}'
GoogleUserMatch:
Type: String
Description: |
Google Workspace user filter query parameter, example: 'name:John* email:admin*', leave empty if you do not wish to pass this parameter
ConstraintDescription: |
The parameter needs to be compliant with the Google admin-sdk api, https://developers.google.com/admin-sdk/directory/v1/guides/search-users
Default: ""
AllowedPattern: '(?!.*\s)|(name|Name|NAME)(:([a-zA-Z0-9]{1,64})(\*))|(name|Name|NAME)(=([a-zA-Z0-9 ]{1,64}))|(email|Email|EMAIL)(:([a-zA-Z0-9.-_]{1,64})(\*))|(email|Email|EMAIL)(=([a-zA-Z0-9.-_]{1,64})@([a-zA-Z0-9.-]{5,260}))'
GoogleGroupMatch:
Type: String
Description: |
Google Workspace group filter query parameter, example: 'name:Admin* email:aws-*', leave empty if you do not wish to pass this parameter
ConstraintDescription: |
The parameter needs to be compliant with the Google admin-sdk api, see: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
Default: 'name:AWS*'
AllowedPattern: '(?!.*\s)|(name|Name|NAME)(:([a-zA-Z0-9]{1,64})\*)|(name|Name|NAME)(=([a-zA-Z0-9 ]{1,64}))|(email|Email|EMAIL)(:([a-zA-Z0-9.-_]{1,64})\*)|(email|Email|EMAIL)(=([a-zA-Z0-9.-_]{1,64})@([a-zA-Z0-9.-]{5,260}))'
IgnoreGroups:
Type: String
Description: |
Do NOT sync these Google Workspace groups into IAM Identity Center, leave empty if not required
ConstraintDescription: |
This should be a comma separated list of group names
Default: ""
AllowedPattern: '(?!.*\s)|(["0-9a-zA-Z-=@. _]*)(,["0-9a-zA-Z-=@. _]*)*'
IgnoreUsers:
Type: String
Description: |
Ignore these Google Workspace users, leave empty if not required
ConstraintDescription: |
This should be a comma separated list of group names
Default: ""
AllowedPattern: '(?!.*\s)|([0-9a-zA-Z-= _]*)(,[0-9a-zA-Z-=@. _]*)*'
IncludeGroups:
Type: String
Description: |
Include only these Google Workspace groups, leave empty if not required. (Only applicable for SyncMethod user_groups)
ConstraintDescription: |
This should be a comma separated list of group names
Default: ""
AllowedPattern: '(?!.*\s)|([0-9a-zA-Z-= _]*)(,[0-9a-zA-Z-=@. _]*)*'
SyncMethod:
Type: String
Description: |
Which sync method do you want to use with ssosync?
Default: groups
AllowedValues:
- groups
- users_groups
Conditions:
SetFunctionName: !Not [!Equals [!Ref "FunctionName", ""]]
OnSchedule: !Not [!Equals [!Ref "ScheduleExpression", ""]]
SetGoogleUserMatch: !Or [!Not [!Equals [!Ref "GoogleUserMatch", ""]], !Equals [!Ref "SyncMethod", users_groups]]
SetGoogleGroupMatch: !Or [!Not [!Equals [!Ref "GoogleGroupMatch", ""]], !Equals [!Ref "SyncMethod", users_groups]]
SetIgnoreGroups: !Not [!Equals [!Ref "IgnoreGroups", ""]]
SetIgnoreUsers: !Not [!Equals [!Ref "IgnoreUsers", ""]]
SetIncludeGroups: !Or [!Not [!Equals [!Ref "IncludeGroups", ""]], !Equals [!Ref "SyncMethod", groups]]
NotIndefinite: !Not [!Equals [!Ref "LogRetention", ""]]
Resources:
SSOSyncFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !If [SetFunctionName, !Ref FunctionName, AWS::NoValue]
Runtime: provided.al2
Handler: bootstrap
Architectures:
- arm64
Timeout: !Ref TimeOut
Environment:
Variables:
SSOSYNC_LOG_LEVEL: !Ref LogLevel
SSOSYNC_LOG_FORMAT: !Ref LogFormat
SSOSYNC_GOOGLE_CREDENTIALS: !Ref AWSGoogleCredentialsSecret
SSOSYNC_GOOGLE_ADMIN: !Ref AWSGoogleAdminEmail
SSOSYNC_SCIM_ENDPOINT: !Ref AWSSCIMEndpointSecret
SSOSYNC_SCIM_ACCESS_TOKEN: !Ref AWSSCIMAccessTokenSecret
SSOSYNC_REGION: !Ref AWSRegionSecret
SSOSYNC_IDENTITY_STORE_ID: !Ref AWSIdentityStoreIDSecret
SSOSYNC_USER_MATCH: !If [SetGoogleUserMatch, !Ref GoogleUserMatch, AWS::NoValue]
SSOSYNC_GROUP_MATCH: !If [SetGoogleGroupMatch, !Ref GoogleGroupMatch, AWS::NoValue]
SSOSYNC_SYNC_METHOD: !Ref SyncMethod
SSOSYNC_IGNORE_GROUPS: !If [SetIgnoreGroups, !Ref IgnoreGroups, AWS::NoValue]
SSOSYNC_IGNORE_USERS: !If [SetIgnoreUsers, !Ref IgnoreUsers, AWS::NoValue]
SSOSYNC_INCLUDE_GROUPS: !If [SetIncludeGroups, !Ref IncludeGroups, AWS::NoValue]
Policies:
- Version: '2012-10-17'
Statement:
- Sid: SSMGetParameterPolicy
Effect: Allow
Action:
- "secretsmanager:Get*"
Resource:
- !Ref AWSGoogleCredentialsSecret
- !Ref AWSGoogleAdminEmail
- !Ref AWSSCIMEndpointSecret
- !Ref AWSSCIMAccessTokenSecret
- !Ref AWSRegionSecret
- !Ref AWSIdentityStoreIDSecret
- Sid: IdentityStoreAccesPolicy
Effect: Allow
Action:
- "identitystore:DeleteUser"
- "identitystore:CreateGroup"
- "identitystore:CreateGroupMembership"
- "identitystore:ListGroups"
- "identitystore:ListUsers"
- "identitystore:ListGroupMemberships"
- "identitystore:IsMemberInGroups"
- "identitystore:GetGroupMembershipId"
- "identitystore:DeleteGroupMembership"
- "identitystore:DeleteGroup"
Resource:
- "*"
- Sid: CodePipelinePolicy
Effect: Allow
Action:
- codepipeline:PutJobSuccessResult
- codepipeline:PutJobFailureResult
Resource: "*"
Events:
SyncScheduledEvent:
Type: Schedule
Name: AWSSyncSchedule
Properties:
Enabled: !If [OnSchedule, false, true]
Schedule: !If [OnSchedule, !Ref ScheduleExpression, "rate(15 minutes)"]
# Explicit log group that refers to the Lambda function
LogGroup:
Type: AWS::Logs::LogGroup
Condition: NotIndefinite
Properties:
LogGroupName: !Sub "/aws/lambda/${SSOSyncFunction}"
# Explicit retention time
RetentionInDays: !Ref LogRetention
AWSGoogleCredentialsSecret:
Type: "AWS::SecretsManager::Secret"
Properties:
Name: SSOSyncGoogleCredentials
SecretString: !Ref GoogleCredentials
AWSGoogleAdminEmail:
Type: "AWS::SecretsManager::Secret"
Properties:
Name: SSOSyncGoogleAdminEmail
SecretString: !Ref GoogleAdminEmail
AWSSCIMEndpointSecret: # This can be moved to custom provider
Type: "AWS::SecretsManager::Secret"
Properties:
Name: SSOSyncSCIMEndpointUrl
SecretString: !Ref SCIMEndpointUrl
AWSSCIMAccessTokenSecret: # This can be moved to custom provider
Type: "AWS::SecretsManager::Secret"
Properties:
Name: SSOSyncSCIMAccessToken
SecretString: !Ref SCIMEndpointAccessToken
AWSRegionSecret:
Type: "AWS::SecretsManager::Secret"
Properties:
Name: SSOSyncRegion
SecretString: !Ref Region
AWSIdentityStoreIDSecret:
Type: "AWS::SecretsManager::Secret"
Properties:
Name: SSOSyncIdentityStoreID
SecretString: !Ref IdentityStoreID
Outputs:
FunctionArn:
Description: "The Arn of the deployed lambda function"
Value: !GetAtt SSOSyncFunction.Arn
Export:
Name: SSOSyncFunctionARN