199 group flattening can lead to conflicts due to non uniqueness (#201)

Adding de-dup logic for group membership.
awslabs · Jun 19, 2024 · a5bb2ae · a5bb2ae
1 parent 6cb78e1
commit a5bb2ae
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/cicd/account_execution/staging/buildspec.yml b/cicd/account_execution/staging/buildspec.yml
@@ -20,7 +20,7 @@ phases:
       # Update params with the values for this run for a developer account
       - |
         jq -n \
-        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"$SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:AWS*\"}" \
+        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"$SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:AWS*,name=NestedGroups\"}" \
         --argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
         '$ARGS.named' > ./deploy/developer.json
       - cat ./deploy/developer.json

diff --git a/internal/sync.go b/internal/sync.go
@@ -596,13 +596,25 @@ func (s *syncGSuite) getGoogleGroupsAndUsers(queryGroups string, queryUsers stri
 		membersUsers := s.getGoogleUsersInGroup(g, gUserDetailCache, gGroupDetailCache)
 
 		// If we've not seen the user email address before add it to the list of unique users
+		// also, we need to deduplicate the list of members.
+		gUniqMembers := make(map[string]*admin.User)
                 for _, m := range membersUsers {
 			_, ok := gUniqUsers[m.PrimaryEmail]
 			if !ok {
 				gUniqUsers[m.PrimaryEmail] = gUserDetailCache[m.PrimaryEmail]
 			}
+
+			_, ok = gUniqMembers[m.PrimaryEmail]
+                        if !ok {
+                                gUniqMembers[m.PrimaryEmail] = gUserDetailCache[m.PrimaryEmail]
+                        }
 		}
-		gGroupsUsers[g.Name] = membersUsers
+
+	        gMembers := make([]*admin.User, 0)
+	        for _, member := range gUniqMembers {
+                        gMembers = append(gMembers, member)
+                }
+		gGroupsUsers[g.Name] = gMembers
 	}
 
 	for _, user := range gUniqUsers {