Add flag validation to prevent lambda execution with incorrect settings

Author: agnes-gajda

.github/workflows/release.yml

@@ -4,48 +4,30 @@ name: release
 on:
   push:
     tags:
-      - '*'
+      - 'v[0-9]+.[0-9]+.[0-9]+*'
 
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
-
-      - name: Setup go
-        uses: actions/setup-go@v4
-        with:
-          go-version: '1.20.x'
-
-      - name: Install staticcheck
-        run: go install honnef.co/go/tools/cmd/staticcheck@latest
-
-      - name: Run staticcheck
-        run: staticcheck ./...
-
-      - name: Run Tests
-        run: go test -p 1 -cover -race -v ./...
+permissions:
+  contents: write
 
+jobs:
   release:
     runs-on: ubuntu-latest
-    needs: [ test ]
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
-        
-      - name: Unshallow
-        run: git fetch --prune --unshallow
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
 
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20.x'
+          go-version: '1.21.x'
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v5
         with:
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

cmd/root.go

@@ -19,6 +19,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"regexp"
 
 	"github.com/aws/aws-lambda-go/events"
 	"github.com/aws/aws-lambda-go/lambda"
@@ -50,6 +51,16 @@ var rootCmd = &cobra.Command{
 	Long: `A command line tool to enable you to synchronise your Google
 Apps (Google Workspace) users to AWS Single Sign-on (AWS SSO)
 Complete documentation is available at https://github.com/awslabs/ssosync`,
+	PreRun: func(cmd *cobra.Command, args []string) {
+		awsGroupMatch, flagErr := cmd.Flags().GetString("aws-group-match")
+		if flagErr != nil {
+			log.Fatal("flag `aws-group-match` does not exist", flagErr)
+		}
+		_, compileErr := regexp.Compile(awsGroupMatch)
+		if compileErr != nil {
+			log.Fatalf("invalid aws-group-match flag value %s", awsGroupMatch, compileErr)
+		}
+	},
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(context.Background())
 		defer cancel()

internal/fac/extensions.go

@@ -10,29 +10,29 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-// ErrNoAWSGroups indicates no AWS groups were received.
-var ErrNoAWSGroups = errors.New("received no AWS groups")
+// NoAWSGroupsErr indicates no AWS groups were received.
+var NoAWSGroupsErr = errors.New("received no AWS groups")
 
-// ErrorBadRegex represents a regex compilation error.
-type ErrorBadRegex struct {
+// BadRegexError represents a regex compilation error.
+type BadRegexError struct {
 	Message string
 	Err     error
 }
 
-func (e ErrorBadRegex) Error() string {
+func (e BadRegexError) Error() string {
 	return e.Message
 }
 
 // MatchAWSGroups will filter out the AWS groups that don't match the regex.
 // Returns an error on failure, a list of AWS groups that match on success.
 func MatchAWSGroups(awsGroups []*aws.Group, matchRegex string) ([]*aws.Group, error) {
 	if len(awsGroups) == 0 {
-		return nil, ErrNoAWSGroups
+		return nil, NoAWSGroupsErr
 	}
 
 	awsGroupRegex, err := regexp.Compile(matchRegex)
 	if err != nil {
-		return nil, ErrorBadRegex{Message: fmt.Sprintf("can't compile regex %s", matchRegex), Err: err}
+		return nil, BadRegexError{Message: fmt.Sprintf("can't compile regex %s", matchRegex), Err: err}
 	}
 
 	matchedGroups := make([]*aws.Group, 0)

internal/fac/extensions_test.go

@@ -54,19 +54,19 @@ func TestMatchAWSGroups(t *testing.T) {
 			name:          "returns an error when input groups empty",
 			awsGroupMatch: "aws-group-*",
 			inputGroups:   []*aws.Group{},
-			expectedErr:   ErrNoAWSGroups,
+			expectedErr:   NoAWSGroupsErr,
 		},
 		{
 			name:          "returns an error when input groups nil",
 			awsGroupMatch: "aws-group-*",
 			inputGroups:   []*aws.Group{},
-			expectedErr:   ErrNoAWSGroups,
+			expectedErr:   NoAWSGroupsErr,
 		},
 		{
 			name:          "returns an error when regex invalid",
 			awsGroupMatch: "[^0-1",
 			inputGroups:   []*aws.Group{{DisplayName: "aws-group-A"}},
-			expectedErr: ErrorBadRegex{
+			expectedErr: BadRegexError{
 				Message: "can't compile regex [^0-1",
 				Err:     &syntax.Error{Code: syntax.ErrMissingBracket, Expr: "[^0-1"},
 			},

internal/sync.go

@@ -325,6 +325,8 @@ func (s *syncGSuite) SyncGroupsUsers(query, awsGroupMatch string) error {
 	onlyAWSGroupsFromGoogle, matchErr := fac.MatchAWSGroups(awsGroups, awsGroupMatch)
 	if err != nil {
 		log.Errorf("error filtering AWS groups by %s", matchErr)
+		// Will continue with the full group which will delete the non Google groups.
+		// This flow is prevented by adding pre-run flag validation.
 	} else {
 		awsGroups = onlyAWSGroupsFromGoogle
 	}