awslabs#105 add delete protections

zooshgroup · Jan 9, 2023 · 7586b7d · 7586b7d
1 parent ef6b608
commit 7586b7d
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 14 deletions.
diff --git a/cmd/root.go b/cmd/root.go
@@ -235,6 +235,7 @@ func configLambda() {
 func addFlags(cmd *cobra.Command, cfg *config.Config) {
 	rootCmd.PersistentFlags().StringVarP(&cfg.GoogleCredentials, "google-admin", "a", config.DefaultGoogleCredentials, "path to find credentials file for Google Workspace")
 	rootCmd.PersistentFlags().BoolVarP(&cfg.Debug, "debug", "d", config.DefaultDebug, "enable verbose / debug logging")
+	rootCmd.PersistentFlags().BoolVarP(&cfg.Delete, "delete", "", config.DefaultDelete, "delete users and groups on AWS")
 	rootCmd.PersistentFlags().StringVarP(&cfg.LogFormat, "log-format", "", config.DefaultLogFormat, "log format")
 	rootCmd.PersistentFlags().StringVarP(&cfg.LogLevel, "log-level", "", config.DefaultLogLevel, "log level")
 	rootCmd.Flags().StringVarP(&cfg.SCIMAccessToken, "access-token", "t", "", "AWS SSO SCIM API Access Token")

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -5,6 +5,8 @@ package config
 type Config struct {
 	// Verbose toggles the verbosity
 	Debug bool
+	// Delete is whether to delete on AWS
+	Delete bool
 	// LogLevel is the level with with to log for this config
 	LogLevel string `mapstructure:"log_level"`
 	// LogFormat is the format that is used for logging
@@ -50,12 +52,15 @@ const (
 	DefaultGoogleCredentials = "credentials.json"
 	// DefaultSyncMethod is the default sync method to use.
 	DefaultSyncMethod = "groups"
+	// DefaultDelete is whether to delete users and groups from AWS
+	DefaultDelete = false
 )
 
 // New returns a new Config
 func New() *Config {
 	return &Config{
 		Debug:             DefaultDebug,
+		Delete:            DefaultDelete,
 		LogLevel:          DefaultLogLevel,
 		LogFormat:         DefaultLogFormat,
 		SyncMethod:        DefaultSyncMethod,

diff --git a/internal/sync.go b/internal/sync.go
@@ -408,13 +408,17 @@ func (s *syncGSuite) SyncGroupsUsers(queries []string) error {
 			return err
 		}
 
-		log.Warn("deleting user")
-		_, err = s.identityStoreClient.DeleteUser(
-			&identitystore.DeleteUserInput{IdentityStoreId: &s.cfg.IdentityStoreID, UserId: &awsUserFull.ID},
-		)
-		if err != nil {
-			log.Error("error deleting user")
-			return err
+		if s.cfg.Delete {
+			log.Warn("deleting user")
+			_, err = s.identityStoreClient.DeleteUser(
+				&identitystore.DeleteUserInput{IdentityStoreId: &s.cfg.IdentityStoreID, UserId: &awsUserFull.ID},
+			)
+			if err != nil {
+				log.Error("error deleting user")
+				return err
+			}
+		} else {
+			log.Error("Not deleting user from AWS users (use --delete to delete users and groups)")
 		}
 	}
 
@@ -556,13 +560,24 @@ func (s *syncGSuite) SyncGroupsUsers(queries []string) error {
 			return err
 		}
 
-		log.Warn("deleting group")
-		_, err = s.identityStoreClient.DeleteGroup(
-			&identitystore.DeleteGroupInput{IdentityStoreId: &s.cfg.IdentityStoreID, GroupId: &awsGroupFull.ID},
-		)
-		if err != nil {
-			log.Error("deleting group")
-			return err
+		// In mid-2022, AWS started using the prefix "AWS" for administrative
+		// purposes. Without this, ssosync deletes these administrative groups.
+		if awsGroup.DisplayName[:3] == "AWS" {
+			log.Warn("Refusing to delete")
+			continue
+		}
+
+		if s.cfg.Delete {
+			log.Warn("deleting group")
+			_, err = s.identityStoreClient.DeleteGroup(
+				&identitystore.DeleteGroupInput{IdentityStoreId: &s.cfg.IdentityStoreID, GroupId: &awsGroupFull.ID},
+			)
+			if err != nil {
+				log.Error("deleting group")
+				return err
+			}
+		} else {
+			log.Error("Not deleting group from AWS groups (use --delete to delete users and groups)")
 		}
 	}