I-70 allow to skip users and groups deletion

cmd/idpscim/cmd/root.go

@@ -104,6 +104,8 @@ func init() {
 
 	rootCmd.PersistentFlags().StringVarP(&cfg.SyncMethod, "sync-method", "m", config.DefaultSyncMethod, "Sync method to use [groups]")
 	rootCmd.PersistentFlags().BoolVarP(&cfg.UseSecretsManager, "use-secrets-manager", "g", config.DefaultUseSecretsManager, "use AWS Secrets Manager content or not (default false)")
+	rootCmd.PersistentFlags().BoolVar(&cfg.PreventGroupDeletion, "prevent-group-deletion", config.DefaultPreventGroupDeletion, "determines are we delete groups from AWS Identity Store or not")
+	rootCmd.PersistentFlags().BoolVar(&cfg.PreventUserDeletion, "prevent-user-deletion", config.DefaultPreventUserDeletion, "determines are we delete users from AWS Identity Store or not")
 }
 
 // initConfig reads in config file and ENV variables if set.
@@ -126,6 +128,8 @@ func initConfig() {
 		"aws_scim_endpoint",
 		"aws_scim_endpoint_secret_name",
 		"use_secrets_manager",
+		"prevent_group_deletion",
+		"prevent_user_deletion",
 	}
 	for _, e := range envVars {
 		if err := viper.BindEnv(e); err != nil {
@@ -211,18 +215,8 @@ func getSecrets() {
 		log.Fatalf(errors.Wrap(err, "cannot create aws secrets manager service").Error())
 	}
 
-	log.WithField("name", cfg.GWSUserEmailSecretName).Debug("reading secret")
-	unwrap, err := secrets.GetSecretValue(context.Background(), cfg.GWSUserEmailSecretName)
-	if err != nil {
-		log.Fatalf(errors.Wrap(err, "cannot get secretmanager value").Error())
-	}
-	cfg.GWSUserEmail = unwrap
-	log.WithFields(
-		log.Fields{"secretARN": cfg.GWSUserEmailSecretName},
-	).Debug("read secret")
-
 	log.WithField("name", cfg.GWSServiceAccountFileSecretName).Debug("reading secret")
-	unwrap, err = secrets.GetSecretValue(context.Background(), cfg.GWSServiceAccountFileSecretName)
+	unwrap, err := secrets.GetSecretValue(context.Background(), cfg.GWSServiceAccountFileSecretName)
 	if err != nil {
 		log.Fatalf(errors.Wrap(err, "cannot get secretmanager value").Error())
 	}
@@ -231,6 +225,18 @@ func getSecrets() {
 		log.Fields{"secretARN": cfg.GWSServiceAccountFileSecretName},
 	).Debug("read secret")
 
+	if cfg.GWSUserEmailSecretName != "" {
+		log.WithField("name", cfg.GWSUserEmailSecretName).Debug("reading secret")
+		unwrap, err = secrets.GetSecretValue(context.Background(), cfg.GWSUserEmailSecretName)
+		if err != nil {
+			log.Fatalf(errors.Wrap(err, "cannot get secretmanager value").Error())
+		}
+		cfg.GWSUserEmail = unwrap
+		log.WithFields(
+			log.Fields{"secretARN": cfg.GWSUserEmailSecretName},
+		).Debug("read secret")
+	}
+
 	log.WithField("name", cfg.AWSSCIMAccessTokenSecretName).Debug("reading secret")
 	unwrap, err = secrets.GetSecretValue(context.Background(), cfg.AWSSCIMAccessTokenSecretName)
 	if err != nil {
@@ -241,15 +247,17 @@ func getSecrets() {
 		log.Fields{"secretARN": cfg.AWSSCIMAccessTokenSecretName},
 	).Debug("read secret")
 
-	log.WithField("name", cfg.AWSSCIMEndpointSecretName).Debug("reading secret")
-	unwrap, err = secrets.GetSecretValue(context.Background(), cfg.AWSSCIMEndpointSecretName)
-	if err != nil {
-		log.Fatalf(errors.Wrap(err, "cannot get secretmanager value").Error())
+	if cfg.AWSSCIMEndpointSecretName != "" {
+		log.WithField("name", cfg.AWSSCIMEndpointSecretName).Debug("reading secret")
+		unwrap, err = secrets.GetSecretValue(context.Background(), cfg.AWSSCIMEndpointSecretName)
+		if err != nil {
+			log.Fatalf(errors.Wrap(err, "cannot get secretmanager value").Error())
+		}
+		cfg.AWSSCIMEndpoint = unwrap
+		log.WithFields(
+			log.Fields{"secretARN": cfg.AWSSCIMEndpointSecretName},
+		).Debug("read secret")
 	}
-	cfg.AWSSCIMEndpoint = unwrap
-	log.WithFields(
-		log.Fields{"secretARN": cfg.AWSSCIMEndpointSecretName},
-	).Debug("read secret")
 }
 
 func sync() error {
@@ -340,7 +348,7 @@ func syncGroups() error {
 		log.Fatalf(errors.Wrap(err, "cannot create s3 repository").Error())
 	}
 
-	ss, err := core.NewSyncService(idpService, scimService, repo, core.WithIdentityProviderGroupsFilter(cfg.GWSGroupsFilter))
+	ss, err := core.NewSyncService(idpService, scimService, repo, core.WithIdentityProviderGroupsFilter(cfg.GWSGroupsFilter), core.WithSCIMGroupDeleteionPrevention(cfg.PreventGroupDeletion), core.WithSCIMUserDeleteionPrevention(cfg.PreventUserDeletion))
 	if err != nil {
 		return errors.Wrap(err, "cannot create sync service")
 	}

cmd/idpscimcli/cmd/root.go

@@ -66,6 +66,7 @@ func initConfig() {
 		"gws_users_filter",
 		"aws_scim_access_token",
 		"aws_scim_endpoint",
+		"prevent_group_deletion",
 	}
 	for _, e := range envVars {
 		if err := viper.BindEnv(e); err != nil {

internal/config/config.go

@@ -31,16 +31,22 @@ const (
 	DefaultGWSServiceAccountFileSecretName = "IDPSCIM_GWSServiceAccountFile"
 
 	// DefaultGWSUserEmailSecretName is the name of the secret containing the user email.
-	DefaultGWSUserEmailSecretName = "IDPSCIM_GWSUserEmail"
+	DefaultGWSUserEmailSecretName = ""
 
 	// DefaultAWSSCIMEndpointSecretName is the name of the secret containing the SCIM endpoint.
-	DefaultAWSSCIMEndpointSecretName = "IDPSCIM_SCIMEndpoint"
+	DefaultAWSSCIMEndpointSecretName = ""
 
 	// DefaultAWSSCIMAccessTokenSecretName is the name of the secret containing the SCIM access token.
 	DefaultAWSSCIMAccessTokenSecretName = "IDPSCIM_SCIMAccessToken"
 
 	// DefaultUseSecretsManager determines if we will use the AWS Secrets Manager secrets or program parameter values
 	DefaultUseSecretsManager = false
+
+	// DefaultPreventGroupDeletion determines are we delete groups from AWS Identity Store or not
+	DefaultPreventGroupDeletion = false
+
+	// DefaultPreventUserDeletion determines are we delete users from AWS Identity Store or not
+	DefaultPreventUserDeletion = false
 )
 
 // Config represents the configuration of the application.
@@ -72,6 +78,12 @@ type Config struct {
 
 	// UseSecretsManager determines if we will use the AWS Secrets Manager secrets or program parameter values
 	UseSecretsManager bool `mapstructure:"use_secrets_manager" json:"use_secrets_manager" yaml:"use_secrets_manager"`
+
+	// PreventGroupDeletion determines are we delete groups from AWS Identity Store or not
+	PreventGroupDeletion bool `mapstructure:"prevent_group_deletion" json:"prevent_group_deletion", yaml:"prevent_group_deletion"`
+
+	// PreventGroupDeletion determines are we delete users from AWS Identity Store or not
+	PreventUserDeletion bool `mapstructure:"prevent_user_deletion" json:"prevent_user_deletion", yaml:"prevent_user_deletion"`
 }
 
 // New returns a new Config
@@ -90,5 +102,7 @@ func New() Config {
 		AWSSCIMEndpointSecretName:       DefaultAWSSCIMEndpointSecretName,
 		AWSSCIMAccessTokenSecretName:    DefaultAWSSCIMAccessTokenSecretName,
 		UseSecretsManager:               DefaultUseSecretsManager,
+		PreventGroupDeletion:            DefaultPreventGroupDeletion,
+		PreventUserDeletion:             DefaultPreventUserDeletion,
 	}
 }

internal/config/config_test.go

@@ -24,4 +24,5 @@ func TestNew(t *testing.T) {
 	assert.Equal(cfg.AWSSCIMEndpointSecretName, DefaultAWSSCIMEndpointSecretName)
 	assert.Equal(cfg.AWSSCIMAccessTokenSecretName, DefaultAWSSCIMAccessTokenSecretName)
 	assert.Equal(cfg.UseSecretsManager, DefaultUseSecretsManager)
+	assert.Equal(cfg.PreventGroupDeletion, DefaultUseSecretsManager)
 }

internal/core/actions.go

@@ -17,6 +17,8 @@ func scimSync(
 	idpGroupsResult *model.GroupsResult,
 	idpUsersResult *model.UsersResult,
 	idpGroupsMembersResult *model.GroupsMembersResult,
+	preventUserDeletion bool,
+	preventGroupDeletion bool,
 ) (*model.GroupsResult, *model.UsersResult, *model.GroupsMembersResult, error) {
 	log.Warn("reconciling the SCIM data with the Identity Provider data")
 
@@ -39,6 +41,10 @@ func scimSync(
 		return nil, nil, nil, fmt.Errorf("error reconciling groups: %w", err)
 	}
 
+	if preventGroupDeletion {
+		groupsDelete = &model.GroupsResult{}
+	}
+
 	groupsCreated, groupsUpdated, err := reconcilingGroups(ctx, scim, groupsCreate, groupsUpdate, groupsDelete)
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("error reconciling groups: %w", err)
@@ -62,6 +68,10 @@ func scimSync(
 		return nil, nil, nil, fmt.Errorf("error operating with users: %w", err)
 	}
 
+	if preventUserDeletion {
+		usersDelete = &model.UsersResult{}
+	}
+
 	usersCreated, usersUpdated, err := reconcilingUsers(ctx, scim, usersCreate, usersUpdate, usersDelete)
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("error reconciling users: %w", err)
@@ -108,6 +118,8 @@ func stateSync(
 	idpGroupsResult *model.GroupsResult,
 	idpUsersResult *model.UsersResult,
 	idpGroupsMembersResult *model.GroupsMembersResult,
+	preventUserDeletion bool,
+	preventGroupDeletion bool,
 ) (*model.GroupsResult, *model.UsersResult, *model.GroupsMembersResult, error) {
 	var totalGroupsResult *model.GroupsResult
 	var totalUsersResult *model.UsersResult
@@ -143,6 +155,10 @@ func stateSync(
 			return nil, nil, nil, fmt.Errorf("error reconciling groups: %w", err)
 		}
 
+		if preventGroupDeletion {
+			groupsDelete = &model.GroupsResult{}
+		}
+
 		groupsCreated, groupsUpdated, err := reconcilingGroups(ctx, scim, groupsCreate, groupsUpdate, groupsDelete)
 		if err != nil {
 			return nil, nil, nil, fmt.Errorf("error reconciling groups: %w", err)
@@ -168,6 +184,10 @@ func stateSync(
 			return nil, nil, nil, fmt.Errorf("error operating with users: %w", err)
 		}
 
+		if preventUserDeletion {
+			usersDelete = &model.UsersResult{}
+		}
+
 		usersCreated, usersUpdated, err := reconcilingUsers(ctx, scim, usersCreate, usersUpdate, usersDelete)
 		if err != nil {
 			return nil, nil, nil, fmt.Errorf("error reconciling users: %w", err)

internal/core/options.go

@@ -19,3 +19,15 @@ func WithIdentityProviderUsersFilter(filter []string) SyncServiceOption {
 		ss.provUsersFilter = filter
 	}
 }
+
+func WithSCIMGroupDeleteionPrevention(preventGroupDeletion bool) SyncServiceOption {
+	return func(ss *SyncService) {
+		ss.scimPreventGroupDeletion = preventGroupDeletion
+	}
+}
+
+func WithSCIMUserDeleteionPrevention(preventUserDeletion bool) SyncServiceOption {
+	return func(ss *SyncService) {
+		ss.scimPreventUserDeletion = preventUserDeletion
+	}
+}

internal/core/sync.go

@@ -26,11 +26,13 @@ var (
 
 // SyncService represent the sync service and the core of the sync process
 type SyncService struct {
-	provGroupsFilter []string
-	provUsersFilter  []string
-	prov             IdentityProviderService
-	scim             SCIMService
-	repo             StateRepository
+	provGroupsFilter         []string
+	provUsersFilter          []string
+	scimPreventGroupDeletion bool
+	scimPreventUserDeletion  bool
+	prov                     IdentityProviderService
+	scim                     SCIMService
+	repo                     StateRepository
 }
 
 // NewSyncService creates a new sync service.
@@ -46,11 +48,13 @@ func NewSyncService(prov IdentityProviderService, scim SCIMService, repo StateRe
 	}
 
 	ss := &SyncService{
-		prov:             prov,
-		provGroupsFilter: []string{}, // fill in with the opts
-		provUsersFilter:  []string{}, // fill in with the opts
-		scim:             scim,
-		repo:             repo,
+		prov:                     prov,
+		provGroupsFilter:         []string{}, // fill in with the opts
+		provUsersFilter:          []string{}, // fill in with the opts
+		scimPreventUserDeletion:  false,
+		scimPreventGroupDeletion: false,
+		scim:                     scim,
+		repo:                     repo,
 	}
 
 	for _, opt := range opts {
@@ -139,6 +143,8 @@ func (ss *SyncService) SyncGroupsAndTheirMembers(ctx context.Context) error {
 			idpGroupsResult,
 			idpUsersResult,
 			idpGroupsMembersResult,
+			ss.scimPreventUserDeletion,
+			ss.scimPreventGroupDeletion,
 		)
 		if err != nil {
 			return fmt.Errorf("error doing the first sync: %w", err)
@@ -152,6 +158,8 @@ func (ss *SyncService) SyncGroupsAndTheirMembers(ctx context.Context) error {
 			idpGroupsResult,
 			idpUsersResult,
 			idpGroupsMembersResult,
+			ss.scimPreventUserDeletion,
+			ss.scimPreventGroupDeletion,
 		)
 		if err != nil {
 			return fmt.Errorf("error syncing state: %w", err)