forked from awslabs/ssosync
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtemplate.yaml
114 lines (110 loc) · 3.65 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: "Advanced Configuration"
Parameters:
- SyncMethod
- GoogleUserMatch
- GoogleGroupMatch
- LogLevel
- LogFormat
- ScheduleExpression
- IgnoreGroups
- IncludeGroups
AWS::ServerlessRepo::Application:
Name: ssosync
Description: Helping you populate AWS SSO directly with your Google Apps users.
Author: Sebastian Doell
SpdxLicenseId: Apache-2.0
# paths are relative to .aws-sam/build directory
LicenseUrl: LICENSE
ReadmeUrl: SAR.md
Labels: [serverless, sso, lambda, scim]
HomePageUrl: https://github.com/awslabs/ssosync
# Update the semantic version and run sam publish to publish a new version of your app
SemanticVersion: 1.0.0-rc.8
# best practice is to use git tags for each release and link to the version tag as your source code URL
SourceCodeUrl: https://github.com/awslabs/ssosync/tree/1.0.0-rc.8
Parameters:
ScheduleExpression:
Type: String
Description: Schedule for trigger the execution of ssosync (see CloudWatch schedule expressions)
Default: rate(15 minutes)
LogLevel:
Type: String
Description: Log level for Lambda function logging
Default: warn
AllowedValues:
- panic
- fatal
- error
- warn
- info
- debug
- trace
LogFormat:
Type: String
Description: Log format for Lambda function logging
Default: json
AllowedValues:
- json
- text
GoogleUserMatch:
Type: String
Description: |
Google user query parameter, example: 'name:John* email:admin*', see: https://developers.google.com/admin-sdk/directory/v1/guides/search-users
GoogleGroupMatch:
Type: String
Description: |
Google group query parameter, example: 'name:Admin* email:aws-*', see: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
SyncMethod:
Type: String
Description: Sync method to use
Default: users_groups
AllowedValues:
- groups
- users_groups
IgnoreGroups:
Type: String
Description: Ignores these Google groups, separated by comma
IncludeGroups:
Type: String
Description: Include only these Google groups, separated by comma
Resources:
SSOSyncFunction:
Type: AWS::Serverless::Function
Properties:
Runtime: go1.x
Handler: dist/ssosync_linux_amd64/ssosync
Timeout: 900
Environment:
Variables:
SSOSYNC_LOG_LEVEL: !Ref LogLevel
SSOSYNC_LOG_FORMAT: !Ref LogFormat
SSOSYNC_GOOGLE_CREDENTIALS: '{{resolve:secretsmanager:SSOSyncGoogleCredentials}}'
SSOSYNC_GOOGLE_ADMIN: '{{resolve:secretsmanager:SSOSyncGoogleAdminEmail}}'
SSOSYNC_SCIM_ENDPOINT: '{{resolve:secretsmanager:SSOSyncSCIMEndpointUrl}}'
SSOSYNC_SCIM_ACCESS_TOKEN: '{{resolve:secretsmanager:SSOSyncSCIMAccessToken}}'
SSOSYNC_USER_MATCH: !Ref GoogleUserMatch
SSOSYNC_GROUP_MATCH: !Ref GoogleGroupMatch
SSOSYNC_SYNC_METHOD: !Ref SyncMethod
SSOSYNC_IGNORE_GROUPS: !Ref IgnoreGroups
SSOSYNC_INCLUDE_GROUPS: !Ref IncludeGroups
Policies:
- Statement:
- Sid: SSMGetParameterPolicy
Effect: Allow
Action:
- "secretsmanager:Get*"
Resource:
- "*"
Events:
SyncScheduledEvent:
Type: Schedule
Name: AWSSyncSchedule
Properties:
Enabled: true
Schedule: !Ref ScheduleExpression