Merge pull request #153 from awslabs/improved-param-validation

ChrisPates · web-flow · commit 31f325ca93f4 · 2023-10-30T19:12:34.000Z
Improved param validation
diff --git a/.gitignore b/.gitignore
@@ -35,3 +35,8 @@ ssosync
 .DS_Store
 *.swp
 */.DS_Store
+cicd/.DS_Store
+release.yaml
+staging.yaml
+*.orig
+*.rej
diff --git a/cicd/build/package/release.patch b/cicd/build/package/release.patch
@@ -1,59 +1,11 @@
---- template.yaml	2023-10-25 09:44:33
-+++ release.yaml	2023-10-25 16:02:21
-@@ -27,7 +27,7 @@
-           - IncludeGroups
+--- template.yaml	2023-10-27 16:34:16
++++ release.yaml	2023-10-27 16:34:37
+@@ -36,7 +36,7 @@
+           - ScheduleExpression
  
    AWS::ServerlessRepo::Application:
 -    Name: ssosync
 +    Name: SSOSync
      Description: Helping you populate AWS SSO directly with your Google Apps users.
      Author: Sebastian Doell
      SpdxLicenseId: Apache-2.0
-@@ -111,7 +111,7 @@
-     Default: 'none'
-   IncludeGroups:
-     Type: String
--    Description: |
-+    Description: | 
-       Include only these Google Workspace groups. (Only applicable for SyncMethod user_groups)
-     Default: '*'
-   SyncMethod:
-@@ -121,16 +121,16 @@
-     AllowedValues:
-       - groups
-       - users_groups
-+      
-+      
-+      
- 
--
--
--
- Resources:
-   SSOSyncFunction:
-     Type: AWS::Serverless::Function
-     Properties:
-       Runtime: provided.al2
--      Handler: dist/ssosync_linux_arm64/ssosync
-+      Handler: bootstrap
-       Architectures:
-         - arm64
-       Timeout: 300
-@@ -163,8 +163,6 @@
-                 - !Ref AWSSCIMAccessTokenSecret
-                 - !Ref AWSRegionSecret
-                 - !Ref AWSIdentityStoreIDSecret
--        - Version: '2012-10-17'
--          Statement:
-             - Sid: IdentityStoreAccesPolicy
-               Effect: Allow
-               Action:
-@@ -187,8 +185,6 @@
-           Properties:
-             Enabled: true
-             Schedule: !Ref ScheduleExpression
--    Metadata:
--      BuildMethod: makefile
- 
-   AWSGoogleCredentialsSecret:
-     Type: "AWS::SecretsManager::Secret"
diff --git a/cicd/build/package/staging.patch b/cicd/build/package/staging.patch
@@ -1,86 +1,11 @@
---- template.yaml	2023-10-25 09:44:33
-+++ staging.yaml	2023-10-25 16:02:07
-@@ -27,7 +27,7 @@
-           - IncludeGroups
+--- template.yaml	2023-10-30 14:21:20
++++ staging.yaml	2023-10-30 14:21:59
+@@ -38,7 +38,7 @@
+           - ScheduleExpression
  
    AWS::ServerlessRepo::Application:
 -    Name: ssosync
 +    Name: SSOSync-Staging
      Description: Helping you populate AWS SSO directly with your Google Apps users.
      Author: Sebastian Doell
      SpdxLicenseId: Apache-2.0
-@@ -111,7 +111,7 @@
-     Default: 'none'
-   IncludeGroups:
-     Type: String
--    Description: |
-+    Description: | 
-       Include only these Google Workspace groups. (Only applicable for SyncMethod user_groups)
-     Default: '*'
-   SyncMethod:
-@@ -121,16 +121,17 @@
-     AllowedValues:
-       - groups
-       - users_groups
-+      
-+      
-+      
- 
--
--
--
- Resources:
-   SSOSyncFunction:
-     Type: AWS::Serverless::Function
-     Properties:
-+      FunctionName: SSOSyncFunction
-       Runtime: provided.al2
--      Handler: dist/ssosync_linux_arm64/ssosync
-+      Handler: bootstrap
-       Architectures:
-         - arm64
-       Timeout: 300
-@@ -163,8 +164,6 @@
-                 - !Ref AWSSCIMAccessTokenSecret
-                 - !Ref AWSRegionSecret
-                 - !Ref AWSIdentityStoreIDSecret
--        - Version: '2012-10-17'
--          Statement:
-             - Sid: IdentityStoreAccesPolicy
-               Effect: Allow
-               Action:
-@@ -180,16 +179,14 @@
-                 - "identitystore:DeleteGroup"
-               Resource:
-                 - "*"
--      Events:
--        SyncScheduledEvent:
--          Type: Schedule
--          Name: AWSSyncSchedule
--          Properties:
--            Enabled: true
--            Schedule: !Ref ScheduleExpression
--    Metadata:
--      BuildMethod: makefile
- 
-+            - Sid: CodePipelinePolicy
-+              Effect: Allow
-+              Action:
-+                - codepipeline:PutJobSuccessResult
-+                - codepipeline:PutJobFailureResult
-+              Resource: "*"
-+
-   AWSGoogleCredentialsSecret:
-     Type: "AWS::SecretsManager::Secret"
-     Properties:
-@@ -225,3 +222,10 @@
-     Properties:
-       Name: SSOSyncIdentityStoreID
-       SecretString: !Ref IdentityStoreID
-+
-+Outputs:
-+  FunctionArn:
-+    Description: "The Arn of the deployed lambda function"
-+    Value: !GetAtt SSOSyncFunction.Arn
-+    Export:
-+      Name: SSOSyncFunctionARN
diff --git a/cicd/cloudformation/secrets.yaml b/cicd/cloudformation/secrets.yaml
@@ -6,72 +6,148 @@ Description:
   (via privately shared app in the AWS Serverless Application Repository (SAR).
 
 Parameters:
+  GoogleAuthMethod:
+    Type: String
+    AllowedValues: ["Google Credentials", "Workload Identity Federation", "Both"]
+    Default: "Google Credentials"
   GoogleCredentials:
-    Description: Credentials to log into Google (content of credentials.json)
+    Description: Google Workspaces Credentials File, to log into Google (content of credentials.json)
     Type: String
     NoEcho: true
   GoogleAdminEmail:
     Description: Google Workspaces Admin email
     Type: String
     NoEcho: true
+  WIFServiceAccountEmail:
+    Description: Workload Identity Federation, the email address of service account used to impersonate a user using 
+    Type: String
+    NoEcho: true
+  WIFClientLibraryConfig:
+    Description: Workload Identity Federation, the client library config file for the provider (AWS Account)  (contents of clientLibraryConfig-provider.json)
+    Type: String
+    NoEcho: true
   SCIMEndpointUrl:
     Description: AWS IAM Identity Center SCIM Endpoint Url
     Type: String
     NoEcho: true
+    AllowedPattern: "https://scim.(us(-gov)?|ap|ca|cn|eu|sa)-(central|(north|south)?(east|west)?)-([0-9]{1}).amazonaws.com/(.*)-([a-z0-9]{4})-([a-z0-9]{4})-([a-z0-9]{12})/scim/v2/"
   SCIMEndpointAccessToken:
     Description: AWS IAM Identity Center SCIM AccessToken
     Type: String
     NoEcho: true  
-  Region:
-    Description: Region in which IAM Identity Center is deployed
-    Type: String
   IdentityStoreId:
     Description: The Id of the Identity Store for the AWS IAM Identity Center instance see (settings page)
     Type: String
+    AllowedPattern: "d-[1-z0-9]{10}"
     
 
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
       - Label:
-          default: Google Workspace
+          default: Google Authentication Method
+        Parameters:
+          - GoogleAuthMethod
+      - Label:
+          default: Parameters for Google Credentials based authentication, required if either Google Credentials or Both have been selected for Google Authentication Method
         Parameters:
           - GoogleAdminEmail
           - GoogleCredentials
+      - Label: 
+          default: Parameters for Workload Identity Federation based authentication, required if either Workload Identity Federation or Both have been selected for Google Authentication Method
+        Parameters:
+          - WIFServiceAccountEmail
+          - WIFClientLibraryConfig
       - Label:
-          default: AWS SSO
+          default: AWS IAM Identity Center
         Parameters:
           - SCIMEndpointUrl
           - SCIMEndpointAccessToken
+          - IdentityStoreId
             
     ParameterLabels:
+      GoogleAuthMethod:
+        default: "Which Google Auth Methods do you want to test with?"
       GoogleCredentials:
         default: "contents of credentials.json"
       GoogleAdminEmail:
         default: "admin@WorkspaceDomain"
+      WIFServiceAccountEmail:
+        default: "service-account@@WorkspaceDomain"
+      WIFClientLibraryConfig:
+        default: "contents of clientLibraryConfig-provider.json"
       SCIMEndpointUrl:
         default: "https://scim.<region>.amazonaws.com/<instance id>/scim/v2/"
       SCIMEndpointAccessToken:
         default: "AWS SSO SCIM Access Token"
-      Region:
-        default: "us-east-1"
       IdentityStoreId:
         default: "d-1234567abc"
 
+Conditions:
+  GoogleCreds: !Or [!Equals [!Ref "GoogleAuthMethod", Google Credentials], !Equals [!Ref "GoogleAuthMethod", Both]]
+  WIFCreds: !Or [!Equals [!Ref "GoogleAuthMethod", Workload Identity Federation], !Equals [!Ref "GoogleAuthMethod", Both]]
+
+
+Rules:
+  # Fail when any assertion returns false
+  # If they have selected Google Credentials then check they have provided valid data for GoogleCredentials
+  GoogleCredentialsOnly:
+    RuleCondition: !Or [!Equals [!Ref "GoogleAuthMethod", Google Credentials], !Equals [!Ref "GoogleAuthMethod", Both]]
+    Assertions:
+      - AssertDescription: You have selected Google Credentials, You need to provide a Google Admin email address.
+        Assert: !Not
+          - !Equals
+            - !Ref GoogleAdminEmail
+            - "" 
+      - AssertDescription: You have selected Google Credentials, You need to provide the content of a Credentials file (json).
+        Assert: !Not
+          - !Equals
+            - !Ref GoogleCredentials
+            - ""
+  # If they have selected Workload Identity Federation, then check they have provide valid data for WIF
+  WorkloadIdentityFederationOnly:
+    RuleCondition: !Or [!Equals [!Ref "GoogleAuthMethod", Workload Identity Federation], !Equals [!Ref "GoogleAuthMethod", Both]]
+    Assertions:
+      - AssertDescription: You have selected Workload Identity Federation, You need to provide a Google Service Account email address.
+        Assert: !Not
+          - !Equals
+            - !Ref WIFServiceAccountEmail
+            - ""
+      - AssertDescription: You have selected Workload Identity Federation, You need to provide the content of a Client Library Config file (json).
+        Assert: !Not
+          - !Equals
+            - !Ref WIFClientLibraryConfig
+            - ""
+
 Resources:
-  
   GoogleCredentialSecret:
     Type: "AWS::SecretsManager::Secret"
+    Condition: GoogleCreds
     Properties:
       Name: TestGoogleCredentials
       SecretString: !Ref GoogleCredentials
 
   GoogleAdminEmailSecret:
     Type: "AWS::SecretsManager::Secret"
+    Condition: GoogleCreds
     Properties:
       Name: TestGoogleAdminEmail
       SecretString: !Ref GoogleAdminEmail
 
+  WIFServiceAccountEmailSecret:
+    Type: "AWS::SecretsManager::Secret"
+    Condition: WIFCreds
+    Properties:
+      Name: TestWIFServiceAccountEmail
+      SecretString: !Ref WIFServiceAccountEmail
+
+  WIFClientLibraryConfigSecret:
+    Type: "AWS::SecretsManager::Secret"
+    Condition: WIFCreds
+    Properties:
+      Name: TestWIFClientLibraryConfigSecret
+      SecretString: !Ref WIFClientLibraryConfig
+
   SSoSCIMUrlSecret: # This can be moved to custom provider
     Type: "AWS::SecretsManager::Secret"
     Properties:
@@ -88,7 +164,7 @@ Resources:
     Type: "AWS::SecretsManager::Secret"
     Properties:
       Name: TestRegion
-      SecretString: !Ref Region
+      SecretString: !Select [1, !Split [".", !Ref SCIMEndpointUrl]]
 
   IdentityStoreIdSecret:
     Type: "AWS::SecretsManager::Secret"
diff --git a/cicd/staging/build/stack.yml b/cicd/staging/build/stack.yml
@@ -28,33 +28,14 @@ Resources:
         ApplicationId: !Ref AppArn
         SemanticVersion: !Ref AppVersion
       Parameters:
+        FunctionName: SSOSyncFunction
         GoogleAdminEmail: '{{resolve:secretsmanager:TestGoogleAdminEmail}}'
         GoogleCredentials: '{{resolve:secretsmanager:TestGoogleCredentials}}'
         SCIMEndpointUrl: '{{resolve:secretsmanager:TestSCIMEndpointUrl}}'
         SCIMEndpointAccessToken: '{{resolve:secretsmanager:TestSCIMAccessToken}}'
         Region: '{{resolve:secretsmanager:TestRegion}}'
         IdentityStoreID: '{{resolve:secretsmanager:TestIdentityStoreId}}'
         SyncMethod: groups
-        GoogleUserMatch: 'name:*'
         GoogleGroupMatch: !Ref GroupMatch
         LogLevel: warn
         LogFormat: json
-        IgnoreUsers: None
-        IgnoreGroups: None
-        IncludeGroups: None
-        ScheduleExpression: 'rate(1 day)'
-
-  FunctionArnParam:
-    Type: AWS::SSM::Parameter
-    Properties:
-      Name: "/SSOSync/Staging/FunctionArn"
-      Type: String
-      Value: !GetAtt SARApp.Outputs.FunctionArn
-      Description: The Arn of the lambda function ssosync
- 
-Outputs:
-  FunctionArn:
-    Description: "The Arn of the deployed lambda function"
-    Value: !GetAtt SARApp.Outputs.FunctionArn
-    Export:
-      Name: FunctionArn
diff --git a/template.yaml b/template.yaml
