Option to avoid deleting AWS groups that are missing in Google #220

Closed
dancorne opened this issue Oct 25, 2024 · 2 comments

Comments

@dancorne

Is your feature request related to a problem? Please describe.
We use the users_groups sync method to sync from Google to Identity Centre. The main reason for this is we have Identity Centre groups created directly in AWS, and membership is handled purely in AWS-hosted systems. The default groups sync method would delete these as they aren't present in Google.

Describe the solution you'd like
It would be useful to be able to skip deleting groups in the groups method, based on some naming pattern that can be configured. E.g., a regex env variable SKIP_GROUP_DELETE=aws-group.*

Describe alternatives you've considered
We've been running the users_groups method for a while with INCLUDE_GROUPS which currently works. However, we'd like to use the groups method as it appears to be more efficient (users_groups runs close to the 15min limit for us) and better supported (I don't think the nested group fix made it into the users_groups method, for example).

Additional context

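A sketch of the skip-on-pattern reconciliation dancorne asks for, written in Go as an added example for this thread (it is not ssosync's own code; reconcileGroups, the SKIP_GROUP_DELETE name and the anchoring of the pattern are assumptions):

```go
package main

import (
	"fmt"
	"regexp"
)

// reconcileGroups mimics the destructive step of a "groups"-style sync: every
// AWS group absent from Google is a deletion candidate. Groups whose name
// matches skipPattern (the hypothetical SKIP_GROUP_DELETE regex from the
// issue) are reported separately instead of deleted. The pattern is anchored
// so "aws-group.*" only protects names that start with aws-group.
func reconcileGroups(googleGroups, awsGroups []string, skipPattern string) (toDelete, protected []string, err error) {
	var skip *regexp.Regexp
	if skipPattern != "" {
		skip, err = regexp.Compile("^(?:" + skipPattern + ")$")
		if err != nil {
			return nil, nil, fmt.Errorf("SKIP_GROUP_DELETE: %w", err)
		}
	}
	inGoogle := make(map[string]bool, len(googleGroups))
	for _, g := range googleGroups {
		inGoogle[g] = true
	}
	for _, g := range awsGroups {
		switch {
		case inGoogle[g]:
			// Present on both sides: a normal sync keeps it.
		case skip != nil && skip.MatchString(g):
			protected = append(protected, g)
		default:
			toDelete = append(toDelete, g)
		}
	}
	return toDelete, protected, nil
}

func main() {
	// Constructed sample data, not real directory contents.
	google := []string{"engineering", "finance"}
	aws := []string{"engineering", "finance", "aws-group-admins", "aws-group-readonly", "legacy-ops"}
	del, keep, err := reconcileGroups(google, aws, "aws-group.*")
	if err != nil {
		panic(err)
	}
	fmt.Println("would delete:", del) // would delete: [legacy-ops]
	fmt.Println("protected:", keep)   // protected: [aws-group-admins aws-group-readonly]
}
```

Logging the protected set alongside the deletions gives an audit trail of which AWS-only groups the sync deliberately left untouched on each run.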
@ChrisPates (Contributor)

This is a variation on an existing feature request; I'll merge them.

The good news is this feature is being worked on shortly; however, it has some dependencies, such as improving the group match logic and embedding the Google GUIDs into the AWS groups, so we can really be sure about which groups were created manually on the AWS side.

Strictly speaking this is an anti-pattern to SCIM replication best practice, but it's been so heavily requested we're looking at it.

Kind regards,

Chris

@dancorne (Author)

Thanks! Sorry, had missed that issue when opening this one, I'll close this off and subscribe to that one.

Strictly speaking this is an anti-pattern to SCIM replication best practice

We'd considered this, but it seemed more complicated than necessary to have AWS-built systems authenticate back to Google to update Google directories that then need to sync back to AWS (with a delay because we need to schedule the Lambda).

FWIW it's worked well so far: the Google team can manage the directory and the AWS team can handle permissions for AWS, by assigning permission sets to existing groups and managing membership for AWS-specific groups. Theoretically the AWS team should probably manage things in Google, but that means managing systems outside of AWS which is more friction 😄
