
#88: add delete protections #105

Closed
wants to merge 2 commits into from

Conversation


@reece reece commented Nov 15, 2022

Issue #88

Description of changes:

This PR provides two protections against inadvertent deletions:

  1. --delete is now required to delete users and groups. (A single flag controls both behaviors.)
  2. Groups with a name beginning with "AWS" will never be deleted because they likely correspond to Control Tower administrative groups.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
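As an added example, not code from this PR or from the ssosync project, the following Go sketch shows how the two protections described above fit together: nothing is deleted unless the operator explicitly asks for it, and any group whose name starts with "AWS" is skipped regardless. The function names (decideGroupDeletion, planDeletions), the DeleteDecision type and the group names in the sample are assumptions made for illustration; the prefix test uses strings.HasPrefix rather than a fixed-length slice so that a group name shorter than three bytes cannot cause a panic.

```go
package main

import (
	"fmt"
	"strings"
)

// protectedPrefix mirrors the PR's rule: groups whose DisplayName begins
// with "AWS" are assumed to be Control Tower administrative groups.
const protectedPrefix = "AWS"

// DeleteDecision records whether a group is scheduled for deletion and why.
// (Illustrative type, not part of ssosync.)
type DeleteDecision struct {
	Name   string
	Delete bool
	Reason string
}

// decideGroupDeletion applies the two protections from the PR description:
//  1. nothing is deleted unless --delete was passed (deleteEnabled);
//  2. groups whose name starts with "AWS" are never deleted.
// strings.HasPrefix is safe for names shorter than the prefix, unlike
// indexing name[:3], which would panic on an empty or two-byte name.
func decideGroupDeletion(name string, deleteEnabled bool) DeleteDecision {
	if !deleteEnabled {
		return DeleteDecision{Name: name, Delete: false, Reason: "--delete not set; skipping deletion"}
	}
	if strings.HasPrefix(name, protectedPrefix) {
		return DeleteDecision{Name: name, Delete: false, Reason: "refusing to delete group with the prefix 'AWS'"}
	}
	return DeleteDecision{Name: name, Delete: true, Reason: "group absent from the identity source; deleting"}
}

// planDeletions returns the names that would actually be deleted, given a
// list of groups that exist in IAM Identity Center but not in the source
// directory. Groups that are protected or skipped are left out.
func planDeletions(orphaned []string, deleteEnabled bool) []string {
	var toDelete []string
	for _, g := range orphaned {
		if d := decideGroupDeletion(g, deleteEnabled); d.Delete {
			toDelete = append(toDelete, g)
		}
	}
	return toDelete
}

func main() {
	// Constructed sample input: group names that exist only on the AWS side.
	orphaned := []string{
		"AWSControlTowerAdmins", // Control Tower administrative group
		"AWSAccountFactory",     // another "AWS"-prefixed group
		"engineering-legacy",    // ordinary orphaned group
		"AW",                    // shorter than the prefix; must not panic
	}
	for _, enabled := range []bool{false, true} {
		fmt.Printf("--delete=%v -> would delete %v\n", enabled, planDeletions(orphaned, enabled))
	}
}
```

Running the sketch with --delete unset plans no deletions at all; with it set, only "engineering-legacy" and "AW" are scheduled, while both "AWS"-prefixed groups are left untouched. Note that the check is case-sensitive, as in the PR: a group named "aws-foo" would not be protected.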

@nandubatchu

Hey @reece - I was not aware of this and accidentally ended up deleting all my control tower groups - is there any way to recover them?

@reece

reece commented Dec 19, 2022

I was able to recreate the control tower groups by re-enrolling each account. Good luck. My heart dropped when I discovered that the control tower groups had been deleted, but it all worked out okay in the end.

// In mid-2022, AWS started using the prefix "AWS" for administrative
// purposes. Without this, ssosync deletes these administrative groups.
if awsGroup.DisplayName[:3] == "AWS" {
log.Warn("Refusing to delete")
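Review bot: `awsGroup.DisplayName[:3] == "AWS"` panics with a slice-bounds error whenever DisplayName is shorter than three bytes, so an empty or two-character group name would crash the sync run at exactly the point this check is meant to make safer; use `strings.HasPrefix(awsGroup.DisplayName, "AWS")` instead, which handles short names and is the idiomatic Go spelling of the same test. The log line would also be more useful if it named the group being skipped, for example `log.WithField("group", awsGroup.DisplayName).Warn("Refusing to delete group with the prefix 'AWS'")`, so an operator can tell which groups the protection fired on.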


Suggested change
log.Warn("Refusing to delete")
log.Warn("Refusing to delete group with the prefix 'AWS'")

tolnai pushed a commit to zooshgroup/aws-google-ssosync that referenced this pull request Jan 9, 2023
@thapakazi

> I was able to recreate the control tower groups by re-enrolling each account. Good luck. My heart dropped when I discovered that the control tower groups had been deleted, but it all worked out okay in the end.

Even if those are deleted, why would one need SSO for Control Tower?

@reece

reece commented Jun 14, 2023

To use Google as the identity provider for all AWS access.

@reece

reece commented Sep 7, 2023

Closing due to lack of response from code maintainers.

@reece reece closed this Sep 7, 2023