Merge branch 'awslabs-master'

.github/workflows/main.yml

@@ -16,12 +16,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Setup go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.21'
+          go-version: '1.23.x'
 
       - name: Install staticcheck
         run: go install honnef.co/go/tools/cmd/staticcheck@latest

.github/workflows/release.yml

@@ -11,12 +11,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Setup go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.17.x'
+          go-version: '1.23.x'
 
       - name: Install staticcheck
         run: go install honnef.co/go/tools/cmd/staticcheck@latest
@@ -32,20 +32,20 @@ jobs:
     needs: [ test ]
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Unshallow
         run: git fetch --prune --unshallow
 
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.17.x'
+          go-version: '1.23.x'
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v4
         with:
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -34,3 +34,11 @@ ssosync
 # Noise from os/editors
 .DS_Store
 *.swp
+*/.DS_Store
+cicd/.DS_Store
+release.yaml
+staging.yaml
+*.orig
+*.rej
+cicd/.DS_Store
+*.swo

Makefile

@@ -20,6 +20,10 @@ go-build:
 clean:
 	rm -f $(OUTPUT) $(PACKAGED_TEMPLATE)
 
+build-SSOSyncFunction:
+	GOOS=linux GOARCH=arm64 go build -o bootstrap main.go
+	cp dist/ssosync_linux_arm64/ssosync $(ARTIFACTS_DIR)/bootstrap
+
 .PHONY: install
 install:
 	go get ./...
@@ -45,6 +49,7 @@ publish:
 
 .PHONY: package
 package: build
+	cp dist/ssosync_linux_arm64/ssosync ./bootstrap
 	sam package --s3-bucket $(S3_BUCKET) --output-template-file $(PACKAGED_TEMPLATE) --s3-prefix $(S3_PREFIX)
 
 .PHONY: deploy

cicd/account_execution/staging/buildspec.yml

@@ -0,0 +1,57 @@
+version: 0.2
+
+phases:
+
+  build:
+    commands:
+      # Create parameters
+      - export AppVersion="${GitTag#v}-${GitVersionHash}"
+
+      # Copy in the executable
+      - cp ${CODEBUILD_SRC_DIR_Built}/dist/ssosync_linux_amd64_v1/ssosync ./
+
+      # Copy in the tests
+      - cp -r cicd/tests ./
+
+      # Copy in the stack and params templates
+      - mkdir deploy
+      - cp cicd/account_execution/staging/stack.yml ./deploy/
+
+      # Update params with the values for this run for a developer account
+      - |
+        jq -n \
+        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"$SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:AWS*,name=NestedGroups\"}" \
+        --argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
+        '$ARGS.named' > ./deploy/developer.json
+      - cat ./deploy/developer.json
+
+      # Update params with the values for this run for the management account
+      - |
+        jq -n \
+        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"$SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:Man*\"}" \
+        --argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
+        '$ARGS.named' > ./deploy/cli.json
+      - cat ./deploy/cli.json
+
+      # Update params with the values for this run for the delegated account
+      - |
+        jq -n \
+        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\",  \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"$SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:Del*\"}" \
+        --argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
+        '$ARGS.named' > ./deploy/lambda.json
+      - cat ./deploy/lambda.json
+
+      # Update params with the values for this run for non-delegated account
+      - |
+        jq -n \
+        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"$SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:Non*\"}" \
+        --argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
+        '$ARGS.named' > ./deploy/codepipeline.json
+      - cat ./deploy/codepipeline.json
+
+
+artifacts:
+  files:
+    - ssosync
+    - deploy/**/*
+    - tests/**/*

cicd/account_execution/staging/stack.yml

@@ -0,0 +1,77 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: 'AWS::Serverless-2016-10-31'
+
+Description: 
+  This CloudFormation template will deploy an instance of the SSOSync-Staging
+  candidate releases (via privately shared app in the AWS Serverless Application
+  Repository (SAR) within the Staging Account.
+
+Parameters:
+  AppArn:
+    Description: The candidate release in the SAR
+    Default: 'arn:aws:serverlessrepo:<AWS::Region>:<AccountId>:applications/<ApplicationName>'
+    Type: String
+  AppVersion:
+    Description: The version of this build in SAR
+    Default: 'v1.0.0-rc.10'
+    Type: String
+  GoogleAdminEmailArn:
+    Type: String
+  GoogleCredentialsArn:
+    Type: String
+  SCIMEndpointUrlArn:
+    Type: String
+  SCIMAccessTokenArn:
+    Type: String
+  RegionArn:
+    Type: String
+  IdentityStoreIdArn:
+    Type: String
+  GroupMatch:
+    Description: The search string to match Groups in Google Workspace
+    Default: 'name:AWS*'
+    Type: String
+
+Resources:
+  SARApp:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location:
+        ApplicationId: !Ref AppArn
+        SemanticVersion: !Ref AppVersion
+      Parameters:
+        FunctionName: SSOSyncFunction
+        GoogleAdminEmail: !Join
+          - ''
+          - - '{{resolve:secretsmanager:'
+            - !Ref GoogleAdminEmailArn
+            - '}}'
+        GoogleCredentials: !Join
+          - ''
+          - - '{{resolve:secretsmanager:'
+            - !Ref GoogleCredentialsArn
+            - '}}'
+        SCIMEndpointUrl: !Join
+          - ''
+          - - '{{resolve:secretsmanager:'
+            - !Ref SCIMEndpointUrlArn
+            - '}}'
+        SCIMEndpointAccessToken: !Join
+          - ''
+          - - '{{resolve:secretsmanager:'
+            - !Ref SCIMAccessTokenArn
+            - '}}'
+        Region: !Join
+          - ''
+          - - '{{resolve:secretsmanager:'
+            - !Ref RegionArn
+            - '}}'
+        IdentityStoreID: !Join
+          - ''
+          - - '{{resolve:secretsmanager:'
+            - !Ref IdentityStoreIdArn
+            - '}}'
+        SyncMethod: groups
+        GoogleGroupMatch: !Ref GroupMatch
+        LogLevel: info
+        LogFormat: json

cicd/staging/testing/buildspec.yml → cicd/account_execution/testing/buildspec.yml

@@ -3,7 +3,6 @@ version: 0.2
 env:
   variables:
     ShareWith: "NOT-SHARED"
-    pipeline: "SSOSync-Test"
     interval: 10
     Success: '"Succeeded"'
     InProgress: '"InProgress"'

cicd/build/build/buildspec.yml

@@ -8,25 +8,28 @@ env:
 phases:
   install: 
     commands:
+      # Add goreleaser repo
+      - echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
+
+      # Update the repos
+      - apt -qq --yes update
+      - apt -qq --yes upgrade
+
       # Install go.lang
-      - wget -q https://storage.googleapis.com/golang/go${GoVersion}.linux-amd64.tar.gz
-      - rm -rf /go
-      - tar -C / -xzf go${GoVersion}.linux-amd64.tar.gz
-      - export PATH="/go/bin:$PATH" && export GOPATH="/go" && export PATH="$GOPATH/bin:$PATH"
-      - rm go${GoVersion}.linux-amd64.tar.gz
-      - go version
-
-      # Install golint
+      - GoVersion=${GOLANG_20_VERSION}
+
+      # Install golint - now deprecated
       - go install golang.org/x/lint/golint@latest
 
-      # Install staticcheck
-      - go install honnef.co/go/tools/cmd/staticcheck@latest
+      # Install staticcheck - use static install from tarball
+      - wget -qO- https://github.com/dominikh/go-tools/releases/download/2023.1.6/staticcheck_linux_386.tar.gz | tar -xvz -C ./
 
       # Install Testify to use common assertions and mocks in tests
-      - go get -u github.com/stretchr/testify
+      - go get github.com/stretchr/testify
 
-      # Install goreleaser
-      - go install github.com/goreleaser/goreleaser@latest
+      # Install goreleaser - go install method broken due to dependancies using apt static binary approach
+      #      - go install github.com/goreleaser/goreleaser@latest
+      - apt -qq --yes install goreleaser
 
   pre_build: 
     commands:
@@ -38,7 +41,7 @@ phases:
       - go get ./...
 
       # Run staticcheck
-      - staticcheck ./...
+      - staticcheck/staticcheck ./...
 
       # Ensure code passes all lint tests
       #- golint -set_exit_status ./...
@@ -68,8 +71,8 @@ phases:
       # Tweak the .goreleaser.yml so it uses the vairables from .Env
       - patch .goreleaser.yml cicd/build/build/goreleaser.patch
 
-      # Make main but only for the lambda (linux amd64)
-      - goreleaser build --snapshot --rm-dist --single-target
+      # Make main 
+      - goreleaser build --snapshot --clean
 
 
       # Check we've packaged something useful

cicd/build/build/goreleaser.patch

@@ -1,8 +1,21 @@
---- .goreleaser.yml	2022-06-15 08:38:24.000000000 +0100
-+++ .goreleaser-codebuild.yml	2022-06-21 12:33:43.000000000 +0100
-@@ -22,7 +22,7 @@
-     - goos: windows
-       goarch: 386
+--- .goreleaser.yml.default	2023-10-25 11:30:58
++++ .goreleaser.yml	2023-10-25 11:32:18
+@@ -9,20 +9,11 @@
+     - CGO_ENABLED=0
+   goos:
+     - linux
+-    - darwin
+-    - windows
+   goarch:
+-    - 386
+     - amd64
+-    - arm
+     - arm64
+-  ignore:
+-    - goos: darwin
+-      goarch: 386
+-    - goos: windows
+-      goarch: 386
    ldflags:
 -     - -s -w -X github.com/awslabs/ssosync/cmd.version={{.Version}} -X github.com/awslabs/ssosync/cmd.commit={{.Commit}} -X github.com/awslabs/ssosync/cmd.date={{.Date}} -X github.com/awslabs/ssosync/cmd.builtBy=goreleaser
 +     - -s -w -X github.com/awslabs/ssosync/cmd.version={{.Env.GitTag}} -X github.com/awslabs/ssosync/cmd.commit={{.Env.GitCommit}} -X github.com/awslabs/ssosync/cmd.date={{.Date}} -X github.com/awslabs/ssosync/cmd.builtBy=goreleaser -X github.com/awslabs/ssosync/cmd.goversion={{.Env.GoVersion}}

cicd/build/package/buildspec.yml

@@ -1,23 +1,27 @@
 version: 0.2
 
+env:
+  variables:
+    ShareWith: "NOT-SHARED"
+
 phases:
-  install:
+  pre_build:
     commands:
       # Print all environment variables (handy for AWS CodeBuild logs)
       - env
 
-  pre_build:
-    commands:
       - cp -r ${CODEBUILD_SRC_DIR_Built}/* ./
       - ls -la
 
       # Check that the files need to package exist
       - ls README.md
       - ls SAR.md
-      - ls dist/ssosync_linux_amd64_v1/ssosync
+      - ls dist/ssosync_linux_arm64/ssosync
+      - ls dist/ssosync_linux_amd64_v1/ssosync 
 
       # Check that the executable works
       - ./dist/ssosync_linux_amd64_v1/ssosync --version 
+      - mv dist/ssosync_linux_arm64/ssosync bootstrap
 
   build:
     commands:
@@ -30,11 +34,30 @@ phases:
       - patch release.yaml cicd/build/package/release.patch
       - sam package --no-progressbar --template-file release.yaml --s3-bucket ${S3Bucket} --output-template-file packaged-release.yaml
 
-  post_build:
-    commands:
       - ls packaged-staging.yaml
       - ls packaged-release.yaml
 
+  post_build:
+    commands:
+      # Create parameters
+      - export AppVersion="${GitTag#v}-${GitVersionHash}"
+      - aws ssm put-parameter --name "/SSOSync/Staging/Version" --value ${AppVersion} --type String --overwrite
+
+      # remove the previous builds
+      #- aws serverlessrepo delete-application --application-id ${AppArn}
+
+      # Package our application with AWS SAM
+      - echo sam publish --template packaged-staging.yaml --semantic-version ${AppVersion}
+      - sam publish --template packaged-staging.yaml --semantic-version ${AppVersion}
+
+      # Share with the StagingAccount
+      - |
+        if expr "${ShareWith}" : "NOT-SHARED" >/dev/null; then
+          echo "Skipping Sharing"
+        else
+          aws serverlessrepo put-application-policy --application-id ${AppArn} --statements Principals=${ShareWith},Actions=Deploy
+        fi
+
 artifacts:
   files:
     - packaged-staging.yaml