Add flag validation to prevent lambda execution with incorrect settings

Author: agnes-gajda

cmd/root.go

@@ -19,6 +19,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"regexp"
 
 	"github.com/aws/aws-lambda-go/events"
 	"github.com/aws/aws-lambda-go/lambda"
@@ -50,6 +51,16 @@ var rootCmd = &cobra.Command{
 	Long: `A command line tool to enable you to synchronise your Google
 Apps (Google Workspace) users to AWS Single Sign-on (AWS SSO)
 Complete documentation is available at https://github.com/awslabs/ssosync`,
+	PreRun: func(cmd *cobra.Command, args []string) {
+		awsGroupMatch, flagErr := cmd.Flags().GetString("aws-group-match")
+		if flagErr != nil {
+			log.Fatal("flag `aws-group-match` does not exist", flagErr)
+		}
+		_, compileErr := regexp.Compile(awsGroupMatch)
+		if compileErr != nil {
+			log.Fatalf("invalid aws-group-match flag value %s", awsGroupMatch, compileErr)
+		}
+	},
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(context.Background())
 		defer cancel()

internal/fac/extensions.go

@@ -10,29 +10,29 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-// ErrNoAWSGroups indicates no AWS groups were received.
-var ErrNoAWSGroups = errors.New("received no AWS groups")
+// NoAWSGroupsErr indicates no AWS groups were received.
+var NoAWSGroupsErr = errors.New("received no AWS groups")
 
-// ErrorBadRegex represents a regex compilation error.
-type ErrorBadRegex struct {
+// BadRegexError represents a regex compilation error.
+type BadRegexError struct {
 	Message string
 	Err     error
 }
 
-func (e ErrorBadRegex) Error() string {
+func (e BadRegexError) Error() string {
 	return e.Message
 }
 
 // MatchAWSGroups will filter out the AWS groups that don't match the regex.
 // Returns an error on failure, a list of AWS groups that match on success.
 func MatchAWSGroups(awsGroups []*aws.Group, matchRegex string) ([]*aws.Group, error) {
 	if len(awsGroups) == 0 {
-		return nil, ErrNoAWSGroups
+		return nil, NoAWSGroupsErr
 	}
 
 	awsGroupRegex, err := regexp.Compile(matchRegex)
 	if err != nil {
-		return nil, ErrorBadRegex{Message: fmt.Sprintf("can't compile regex %s", matchRegex), Err: err}
+		return nil, BadRegexError{Message: fmt.Sprintf("can't compile regex %s", matchRegex), Err: err}
 	}
 
 	matchedGroups := make([]*aws.Group, 0)

internal/fac/extensions_test.go

@@ -54,19 +54,19 @@ func TestMatchAWSGroups(t *testing.T) {
 			name:          "returns an error when input groups empty",
 			awsGroupMatch: "aws-group-*",
 			inputGroups:   []*aws.Group{},
-			expectedErr:   ErrNoAWSGroups,
+			expectedErr:   NoAWSGroupsErr,
 		},
 		{
 			name:          "returns an error when input groups nil",
 			awsGroupMatch: "aws-group-*",
 			inputGroups:   []*aws.Group{},
-			expectedErr:   ErrNoAWSGroups,
+			expectedErr:   NoAWSGroupsErr,
 		},
 		{
 			name:          "returns an error when regex invalid",
 			awsGroupMatch: "[^0-1",
 			inputGroups:   []*aws.Group{{DisplayName: "aws-group-A"}},
-			expectedErr: ErrorBadRegex{
+			expectedErr: BadRegexError{
 				Message: "can't compile regex [^0-1",
 				Err:     &syntax.Error{Code: syntax.ErrMissingBracket, Expr: "[^0-1"},
 			},

internal/sync.go

@@ -325,6 +325,8 @@ func (s *syncGSuite) SyncGroupsUsers(query, awsGroupMatch string) error {
 	onlyAWSGroupsFromGoogle, matchErr := fac.MatchAWSGroups(awsGroups, awsGroupMatch)
 	if err != nil {
 		log.Errorf("error filtering AWS groups by %s", matchErr)
+		// Will continue with the full group which will delete the non Google groups.
+		// This flow is prevented by adding pre-run flag validation.
 	} else {
 		awsGroups = onlyAWSGroupsFromGoogle
 	}