
ssosync deletes Control Tower groups #88

Closed
reece opened this issue Jun 13, 2022 · 5 comments
Labels
enhancement New feature or request

Comments

@reece

reece commented Jun 13, 2022

Describe the bug

A recent run of ssosync deleted a bunch of Control Tower accounts. I don't know why this didn't happen in prior runs. (Perhaps they were added in a recent Control Tower release?)

To Reproduce
Steps to reproduce the behavior:

  1. Example session:
snafu$ ./ssosync -u xxx@myome.com -g 'email:aws-*'
INFO[0000] Syncing AWS users and groups from Google Workspace SAML Application 
INFO[0000] syncing                                       sync_method=groups
INFO[0000] get google groups                             query="email:aws-*"
INFO[0006] get existing aws groups                      
INFO[0006] get existing aws users                       
INFO[0034] syncing changes                              
WARN[0034] deleting user                                 user=a...@myome.com
INFO[0035] creating user                                 user=s...@myome.com
WARN[0037] removing user from group                      group="AWS Admins" user=a...@myome.com
INFO[0038] adding user to group                          group="AWS Engineering" user=s...@myome.com
WARN[0038] removing user from group                      group="AWS Engineering" user=a...@myome.com
WARN[0041] deleting group                                group=AWSServiceCatalogAdmins
WARN[0041] deleting group                                group=AWSAuditAccountAdmins
WARN[0041] deleting group                                group=AWSControlTowerAdmins
WARN[0042] deleting group                                group=AWSSecurityAuditors
WARN[0042] deleting group                                group=AWSLogArchiveViewers
WARN[0042] deleting group                                group=AWSLogArchiveAdmins
WARN[0042] deleting group                                group=AWSSecurityAuditPowerUsers
WARN[0043] deleting group                                group=AWSAccountFactory
INFO[0043] sync completed                               

Expected behavior
While I'm aware that ssosync will delete groups that don't exist in Google, ssosync should never delete groups or accounts that are created by Control Tower (or otherwise part of AWS administration). I have filed this as a bug because, in my opinion, this is a serious deviation from expectations.

Additional context
The current experience for using Google as an identity provider for AWS is pretty poor. This command line tool should not be needed at all. I expect more from AWS, and I think it is in AWS's best interests to provide production-grade SSO integration with Google.

@ChrisPates
Contributor

ChrisPates commented Aug 23, 2022

So let's work through the two points:
With IAM Identity Center you can either use an external Identity Provider or the internal Identity Store to manage users and groups, but not both. Where an external IdP is used, the integration needs to be capable of bi-directional sync; only some are, Okta for example.
Since ssosync provides only uni-directional sync from Google Directory to the IAM IdC identity store, this deletion behavior is consistent with what would be expected.

It may be possible to add the following feature:
Group 'Ignore' List: a list of group names to not delete, which could include the AWS Control Tower default ones. You still wouldn't be able to assign users to them without creating matching groups in the Google Directory.

The second point:
ssosync is not part of the IAM Identity Center service; it is an open source project that demonstrates how a custom integration can be created. There has been a product feature request outstanding for an official and fully featured integration with Google.

However, there are some challenges with SCIM, not least of which is inconsistencies in implementation that mean interoperability is not assured. Both Google and AWS are members of the working group seeking to improve this (apologies, I don't have the details to hand).
Google has chosen to manage this interoperability challenge for their platform by implementing the outbound SCIM v2.0 integrations themselves; they maintain a definitive list of integrations and there isn't any option to create a custom or manual SCIM integration.
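The group ignore list proposed above, written out as an added example (not ssosync's own code): a uni-directional sync computes the set of IAM Identity Center groups absent from Google, and the ignore list, seeded here with the Control Tower group names from the log in the issue, is removed from that set before any deletion. The sample group lists are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// defaultProtectedGroups are the Control Tower default groups that appear in
// the issue's log output; treating them as a built-in ignore list is an
// assumption of this example, not current ssosync behaviour.
var defaultProtectedGroups = []string{
	"AWSAccountFactory",
	"AWSAuditAccountAdmins",
	"AWSControlTowerAdmins",
	"AWSLogArchiveAdmins",
	"AWSLogArchiveViewers",
	"AWSSecurityAuditPowerUsers",
	"AWSSecurityAuditors",
	"AWSServiceCatalogAdmins",
}

// GroupsToDelete returns the groups a one-way Google -> IAM Identity Center
// sync would delete: present in AWS, absent from Google, and not on the
// built-in or user-supplied ignore list. Result is sorted for stable output.
func GroupsToDelete(googleGroups, awsGroups, ignore []string) []string {
	inGoogle := make(map[string]bool, len(googleGroups))
	for _, g := range googleGroups {
		inGoogle[g] = true
	}
	ignored := make(map[string]bool, len(ignore)+len(defaultProtectedGroups))
	for _, g := range defaultProtectedGroups {
		ignored[g] = true
	}
	for _, g := range ignore {
		ignored[g] = true
	}
	var del []string
	for _, g := range awsGroups {
		if !inGoogle[g] && !ignored[g] {
			del = append(del, g)
		}
	}
	sort.Strings(del)
	return del
}

func main() {
	// Constructed sample inputs mirroring the session in the issue.
	google := []string{"AWS Admins", "AWS Engineering"}
	aws := []string{"AWS Admins", "AWS Engineering", "AWSControlTowerAdmins",
		"AWSAccountFactory", "aws-old-team", "aws-legacy"}
	fmt.Println(GroupsToDelete(google, aws, []string{"aws-legacy"}))
}
```

Only `aws-old-team` survives the filter; the Control Tower groups and the explicitly ignored `aws-legacy` are never candidates for deletion.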

@reece
Author

reece commented Aug 29, 2022

@ChrisPates I appreciate the reply. I don't understand what you're trying to convey above.

Let's start with this: Do you agree that there is no circumstance in which ssosync should delete AWS Control Tower groups?

If yes, then it should be straightforward to implement an ignore list as you propose, and that it includes the above list at least by default. (In fact, I've done this in a private branch, but my Go is poor.)

@nandubatchu

Is anyone reviewing the above PR?
Would like to avoid the auto-deletion of AWS Groups by Control Tower! 😞

@ChrisPates
Contributor

ChrisPates commented Nov 25, 2022

We will be, but current activity is:

  • addition of CICD pipelines to support community contributors and reviewers to test PRs in a consistent repeatable fashion
  • release multiple fixes in v1.0.0-rc11
  • merge in PR/103 - which adopts the new identity store api

Once these are out of the way we can hopefully get on top of the PR queue.

@ChrisPates
Contributor

This item has been merged into a more complete feature request, "Configurable handling of 'manually created' Users/Groups in IAM Identity Center" #179; please review and provide feedback on that item.
