Improving param validation in template

Author: ChrisPates

.gitignore

@@ -35,3 +35,6 @@ ssosync
 .DS_Store
 *.swp
 */.DS_Store
+cicd/.DS_Store
+release.yaml
+staging.yaml

cicd/build/package/release.patch

@@ -1,15 +1,38 @@
---- template.yaml	2023-10-25 09:44:33
-+++ release.yaml	2023-10-25 16:02:21
-@@ -27,7 +27,7 @@
-           - IncludeGroups
+--- template.yaml	2023-10-27 14:15:25
++++ release.yaml	2023-10-27 14:41:17
+@@ -11,7 +11,7 @@
+           - SCIMEndpointAccessToken
+           - IdentityStoreId
+       - Label:
+-          default: Google Workspace Credentials 
++          default: Google Workspace Credentials
+         Parameters:
+           - GoogleAdminEmail
+           - GoogleCredentials
+@@ -36,7 +36,7 @@
+           - ScheduleExpression
 
    AWS::ServerlessRepo::Application:
 -    Name: ssosync
 +    Name: SSOSync
      Description: Helping you populate AWS SSO directly with your Google Apps users.
      Author: Sebastian Doell
      SpdxLicenseId: Apache-2.0
-@@ -111,7 +111,7 @@
+@@ -113,13 +113,11 @@
+     Description: |
+       Google Workspace user filter query parameter, example: 'name:John* email:admin*', see: https://developers.google.com/admin-sdk/directory/v1/guides/search-users
+     Default: '*'
+-    AllowedPattern: "(*)|(name|Name|NAME)(:([a-zA-Z0-9]{1,64})(\*))|(name|Name|NAME)(=([a-zA-Z0-9 ]{1,64}))|(email|Email|EMAIL)(:([a-zA-Z0-9.-_]{1,64})(\*))|(email|Email|EMAIL)(=([a-zA-Z0-9.-_]{1,64})@([a-zA-Z0-9.-]{5,260}))"
+   GoogleGroupMatch:
+     Type: String
+     Description: |
+       Google Workspace group filter query parameter, example: 'name:Admin* email:aws-*', see: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
+     Default: 'name:AWS*'
+-    AllowedPattern: "((name|Name|NAME)(:([a-zA-Z0-9]{1,64})\*)|(name|Name|NAME)(=([a-zA-Z0-9 ]{1,64})))|((email|Email|EMAIL)(:([a-zA-Z0-9.-_]{1,64})\*)|(email|Email|EMAIL)(=([a-zA-Z0-9.-_]{1,64})@([a-zA-Z0-9.-]{5,260})))"
+   IgnoreGroups:
+     Type: String
+     Description: |
+@@ -132,7 +130,7 @@
      Default: 'none'
    IncludeGroups:
      Type: String
@@ -18,7 +41,7 @@
        Include only these Google Workspace groups. (Only applicable for SyncMethod user_groups)
      Default: '*'
    SyncMethod:
-@@ -121,16 +121,16 @@
+@@ -142,16 +140,16 @@
      AllowedValues:
        - groups
        - users_groups
@@ -38,8 +61,8 @@
 +      Handler: bootstrap
        Architectures:
          - arm64
-       Timeout: 300
-@@ -163,8 +163,6 @@
+       Timeout: !Ref TimeOut
+@@ -184,8 +182,6 @@
                  - !Ref AWSSCIMAccessTokenSecret
                  - !Ref AWSRegionSecret
                  - !Ref AWSIdentityStoreIDSecret
@@ -48,7 +71,7 @@
              - Sid: IdentityStoreAccesPolicy
                Effect: Allow
                Action:
-@@ -187,8 +185,6 @@
+@@ -214,8 +210,6 @@
            Properties:
              Enabled: true
              Schedule: !Ref ScheduleExpression

cicd/build/package/staging.patch

@@ -1,15 +1,24 @@
---- template.yaml	2023-10-25 09:44:33
-+++ staging.yaml	2023-10-25 16:02:07
-@@ -27,7 +27,7 @@
-           - IncludeGroups
+--- template.yaml	2023-10-27 14:15:25
++++ staging.yaml	2023-10-27 14:15:30
+@@ -11,7 +11,7 @@
+           - SCIMEndpointAccessToken
+           - IdentityStoreId
+       - Label:
+-          default: Google Workspace Credentials 
++          default: Google Workspace Credentials
+         Parameters:
+           - GoogleAdminEmail
+           - GoogleCredentials
+@@ -36,7 +36,7 @@
+           - ScheduleExpression
 
    AWS::ServerlessRepo::Application:
 -    Name: ssosync
 +    Name: SSOSync-Staging
      Description: Helping you populate AWS SSO directly with your Google Apps users.
      Author: Sebastian Doell
      SpdxLicenseId: Apache-2.0
-@@ -111,7 +111,7 @@
+@@ -132,7 +132,7 @@
      Default: 'none'
    IncludeGroups:
      Type: String
@@ -18,7 +27,7 @@
        Include only these Google Workspace groups. (Only applicable for SyncMethod user_groups)
      Default: '*'
    SyncMethod:
-@@ -121,16 +121,17 @@
+@@ -142,16 +142,17 @@
      AllowedValues:
        - groups
        - users_groups
@@ -39,8 +48,8 @@
 +      Handler: bootstrap
        Architectures:
          - arm64
-       Timeout: 300
-@@ -163,8 +164,6 @@
+       Timeout: !Ref TimeOut
+@@ -184,8 +185,6 @@
                  - !Ref AWSSCIMAccessTokenSecret
                  - !Ref AWSRegionSecret
                  - !Ref AWSIdentityStoreIDSecret
@@ -49,10 +58,10 @@
              - Sid: IdentityStoreAccesPolicy
                Effect: Allow
                Action:
-@@ -180,16 +179,14 @@
-                 - "identitystore:DeleteGroup"
-               Resource:
-                 - "*"
+@@ -207,15 +206,6 @@
+                 - codepipeline:PutJobSuccessResult
+                 - codepipeline:PutJobFailureResult
+               Resource: "*"
 -      Events:
 -        SyncScheduledEvent:
 -          Type: Schedule
@@ -63,20 +72,21 @@
 -    Metadata:
 -      BuildMethod: makefile
 
-+            - Sid: CodePipelinePolicy
-+              Effect: Allow
-+              Action:
-+                - codepipeline:PutJobSuccessResult
-+                - codepipeline:PutJobFailureResult
-+              Resource: "*"
-+
    AWSGoogleCredentialsSecret:
      Type: "AWS::SecretsManager::Secret"
+@@ -245,10 +235,17 @@
+     Type: "AWS::SecretsManager::Secret"
      Properties:
-@@ -225,3 +222,10 @@
+       Name: SSOSyncRegion
+-      SecretString: !Select [1, !Split [".", !Ref SCIMEndpointUrl]]
++      SecretString: !Ref Region
+ 
+   AWSIdentityStoreIDSecret:
+     Type: "AWS::SecretsManager::Secret"
      Properties:
        Name: SSOSyncIdentityStoreID
-       SecretString: !Ref IdentityStoreID
+-      SecretString: !Ref IdentityStoreID
++      SecretString: !Select [1, !Split [".", !Ref SCIMEndpointUrl]]
 +
 +Outputs:
 +  FunctionArn:

cicd/cloudformation/secrets.yaml

@@ -6,72 +6,148 @@ Description:
   (via privately shared app in the AWS Serverless Application Repository (SAR).
 
 Parameters:
+  GoogleAuthMethod:
+    Type: String
+    AllowedValues: ["Google Credentials", "Workload Identity Federation", "Both"]
+    Default: "Google Credentials"
   GoogleCredentials:
-    Description: Credentials to log into Google (content of credentials.json)
+    Description: Google Workspaces Credentials File, to log into Google (content of credentials.json)
     Type: String
     NoEcho: true
   GoogleAdminEmail:
     Description: Google Workspaces Admin email
     Type: String
     NoEcho: true
+  WIFServiceAccountEmail:
+    Description: Workload Identity Federation, the email address of service account used to impersonate a user using 
+    Type: String
+    NoEcho: true
+  WIFClientLibraryConfig:
+    Description: Workload Identity Federation, the client library config file for the provider (AWS Account)  (contents of clientLibraryConfig-provider.json)
+    Type: String
+    NoEcho: true
   SCIMEndpointUrl:
     Description: AWS IAM Identity Center SCIM Endpoint Url
     Type: String
     NoEcho: true
+    AllowedPattern: "https://scim.(us(-gov)?|ap|ca|cn|eu|sa)-(central|(north|south)?(east|west)?)-([0-9]{1}).amazonaws.com/(.*)-([a-z0-9]{4})-([a-z0-9]{4})-([a-z0-9]{12})/scim/v2/"
   SCIMEndpointAccessToken:
     Description: AWS IAM Identity Center SCIM AccessToken
     Type: String
     NoEcho: true  
-  Region:
-    Description: Region in which IAM Identity Center is deployed
-    Type: String
   IdentityStoreId:
     Description: The Id of the Identity Store for the AWS IAM Identity Center instance see (settings page)
     Type: String
+    AllowedPattern: "d-[1-z0-9]{10}"
 
 
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
       - Label:
-          default: Google Workspace
+          default: Google Authentication Method
+        Parameters:
+          - GoogleAuthMethod
+      - Label:
+          default: Parameters for Google Credentials based authentication, required if either Google Credentials or Both have been selected for Google Authentication Method
         Parameters:
           - GoogleAdminEmail
           - GoogleCredentials
+      - Label: 
+          default: Parameters for Workload Identity Federation based authentication, required if either Workload Identity Federation or Both have been selected for Google Authentication Method
+        Parameters:
+          - WIFServiceAccountEmail
+          - WIFClientLibraryConfig
       - Label:
-          default: AWS SSO
+          default: AWS IAM Identity Center
         Parameters:
           - SCIMEndpointUrl
           - SCIMEndpointAccessToken
+          - IdentityStoreId
 
     ParameterLabels:
+      GoogleAuthMethod:
+        default: "Which Google Auth Methods do you want to test with?"
       GoogleCredentials:
         default: "contents of credentials.json"
       GoogleAdminEmail:
         default: "admin@WorkspaceDomain"
+      WIFServiceAccountEmail:
+        default: "service-account@@WorkspaceDomain"
+      WIFClientLibraryConfig:
+        default: "contents of clientLibraryConfig-provider.json"
       SCIMEndpointUrl:
         default: "https://scim.<region>.amazonaws.com/<instance id>/scim/v2/"
       SCIMEndpointAccessToken:
         default: "AWS SSO SCIM Access Token"
-      Region:
-        default: "us-east-1"
       IdentityStoreId:
         default: "d-1234567abc"
 
+Conditions:
+  GoogleCreds: !Or [!Equals [!Ref "GoogleAuthMethod", Google Credentials], !Equals [!Ref "GoogleAuthMethod", Both]]
+  WIFCreds: !Or [!Equals [!Ref "GoogleAuthMethod", Workload Identity Federation], !Equals [!Ref "GoogleAuthMethod", Both]]
+
+
+Rules:
+  # Fail when any assertion returns false
+  # If they have selected Google Credentials then check they have provided valid data for GoogleCredentials
+  GoogleCredentialsOnly:
+    RuleCondition: !Or [!Equals [!Ref "GoogleAuthMethod", Google Credentials], !Equals [!Ref "GoogleAuthMethod", Both]]
+    Assertions:
+      - AssertDescription: You have selected Google Credentials, You need to provide a Google Admin email address.
+        Assert: !Not
+          - !Equals
+            - !Ref GoogleAdminEmail
+            - "" 
+      - AssertDescription: You have selected Google Credentials, You need to provide the content of a Credentials file (json).
+        Assert: !Not
+          - !Equals
+            - !Ref GoogleCredentials
+            - ""
+  # If they have selected Workload Identity Federation, then check they have provide valid data for WIF
+  WorkloadIdentityFederationOnly:
+    RuleCondition: !Or [!Equals [!Ref "GoogleAuthMethod", Workload Identity Federation], !Equals [!Ref "GoogleAuthMethod", Both]]
+    Assertions:
+      - AssertDescription: You have selected Workload Identity Federation, You need to provide a Google Service Account email address.
+        Assert: !Not
+          - !Equals
+            - !Ref WIFServiceAccountEmail
+            - ""
+      - AssertDescription: You have selected Workload Identity Federation, You need to provide the content of a Client Library Config file (json).
+        Assert: !Not
+          - !Equals
+            - !Ref WIFClientLibraryConfig
+            - ""
+
 Resources:
-  
   GoogleCredentialSecret:
     Type: "AWS::SecretsManager::Secret"
+    Condition: GoogleCreds
     Properties:
       Name: TestGoogleCredentials
       SecretString: !Ref GoogleCredentials
 
   GoogleAdminEmailSecret:
     Type: "AWS::SecretsManager::Secret"
+    Condition: GoogleCreds
     Properties:
       Name: TestGoogleAdminEmail
       SecretString: !Ref GoogleAdminEmail
 
+  WIFServiceAccountEmailSecret:
+    Type: "AWS::SecretsManager::Secret"
+    Condition: WIFCreds
+    Properties:
+      Name: TestWIFServiceAccountEmail
+      SecretString: !Ref WIFServiceAccountEmail
+
+  WIFClientLibraryConfigSecret:
+    Type: "AWS::SecretsManager::Secret"
+    Condition: WIFCreds
+    Properties:
+      Name: TestWIFClientLibraryConfigSecret
+      SecretString: !Ref WIFClientLibraryConfig
+
   SSoSCIMUrlSecret: # This can be moved to custom provider
     Type: "AWS::SecretsManager::Secret"
     Properties:
@@ -88,7 +164,7 @@ Resources:
     Type: "AWS::SecretsManager::Secret"
     Properties:
       Name: TestRegion
-      SecretString: !Ref Region
+      SecretString: !Select [1, !Split [".", !Ref SCIMEndpointUrl]]
 
   IdentityStoreIdSecret:
     Type: "AWS::SecretsManager::Secret"