Skip to content

feat: wildcard support in ignore-users and ignore-groups#4

Closed
kesor wants to merge 30 commits into
masterfrom
feat/wildcard-ignore-users
Closed

feat: wildcard support in ignore-users and ignore-groups#4
kesor wants to merge 30 commits into
masterfrom
feat/wildcard-ignore-users

Conversation

@kesor

@kesor kesor commented Jun 2, 2026

Copy link
Copy Markdown

Summary

Allow * in --ignore-users and --ignore-groups entries so patterns like *@contractors.example.com or AWS* can be used.

  • Only * is special — it matches any (possibly empty) substring. Every other character, including ?, [, ], and \, is matched literally. The matcher is hand-rolled rather than using path.Match/filepath.Match so patterns cannot pick up extra metacharacter semantics.
  • The ignore predicate is also consulted when picking AWS-only entries to delete (getUserOperations / getGroupOperations), so a wildcard pattern protects matching AWS users/groups from deletion even when they have no Google counterpart.
  • Patterns are trimmed once and cached on syncGSuite; empty entries are dropped.

Inspired by awslabs#306, rewritten to:

  • avoid path.Match (no ? / [] / \ semantics that could be misused),
  • drop the redundant double-check in the deletion loops — the operation-level filter already covers it,
  • remove the per-pattern Checking wildcard pattern debug spam,
  • cache trimmed patterns once instead of trimming on every call.

Test plan

  • go test ./internal/ -run 'TestMatch|TestIgnore|TestGet' passes
  • Manual: run a sync with --ignore-users '*@contractors.example.com' against a Google + AWS pair and confirm matching AWS users are not deleted
  • Manual: run a sync with --ignore-groups 'AWS*' and confirm matching AWS groups are not deleted

Tests added

  • matchIgnorePattern: exact, leading / trailing / middle / multiple wildcards, edge cases (* matches empty, **), and that ? / [] / \ are literal.
  • ignoreUser / ignoreGroup: whitespace trimming and empty-entry handling.
  • getUserOperations / getGroupOperations: ignored AWS-only entries are excluded from the delete list; nil predicate is handled.

Notes

The pre-existing internal/aws/client_test.go build failure (missing internal/mocks) is present on master and unrelated to this change.

ChrisPates and others added 29 commits January 20, 2026 15:34
@ChrisPates
update regex tennant id has changed length
33cf47d
@ChrisPates
Update runtime to provided.al2023
fb55723
@ChrisPates
299 scheduleexpression allowedpattern rejects valid singular rate exp…
f473ed7 
…ressions (awslabs#303)

ssue #, if available:
awslabs#299

Description of changes:
Refines the regex for rate: rate\((?:(?:\d{2,}+|[2-9]) (?:minutes|hours|days))|(?:1 (?:minute|hour|day))\)

Allows for:

rate(9 hours)
rate(17 hours)
rate(57 hours)
rate(123 days)
rate(1 hour)
but rejects:

rate(2 hour)
rate(20 hour)
rate(1 hours)
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
@44smkn @ChrisPates
fix: Use config.DefaultSyncMethod as the default for cfg.SyncMethod
a834422
@dependabot @ChrisPates
Bump golang.org/x/crypto from 0.40.0 to 0.45.0
b28cac2 
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.40.0 to 0.45.0.
- [Commits](golang/crypto@v0.40.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@ChrisPates @Luis-3M
Delete users if inactive only (awslabs#304)
1b60438 
* Feat: Delete users if inactive only

* Update ScheduleExpression regex

---------

Co-authored-by: Luis Moreira <luismendesmoreira@hotmail.com>
@dependabot
Bump google.golang.org/grpc from 1.74.2 to 1.79.3
f899c6d 
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.74.2 to 1.79.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.74.2...v1.79.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @ChrisPates
Bump go.opentelemetry.io/otel from 1.39.0 to 1.41.0
28f19a0 
Bumps [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) from 1.39.0 to 1.41.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.41.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel
  dependency-version: 1.41.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@ChrisPates
309 precache field regex does not all for disabled (awslabs#312)
52f5f79 
* Edit the regex for the CloudFormation template for the PRECACHE_ORG_UNITS, to allow for a single OU path other than '/'
* Updated handling of this environment variable so, if specified but and empty string or not set it disables precaching.
* Updated handling of other optional comma separated string env_variables to have the same way.
@ChrisPates
Update template.yaml
cc0c9e1
@ChrisPates
Update template.yaml
53518d6
@ChrisPates
309 precache field regex does not all for disabled (awslabs#312)
c6b623d 
* Edit the regex for the CloudFormation template for the PRECACHE_ORG_UNITS, to allow for a single OU path other than '/'
* Updated handling of this environment variable so, if specified but and empty string or not set it disables precaching.
* Updated handling of other optional comma separated string env_variables to have the same way.
@ChrisPates
Merge branch 'master' of https://github.com/awslabs/ssosync
b7f823c
@ChrisPates
Force BugFix Release
ce5d9d3
@ChrisPates
Merge branch 'master' of https://github.com/awslabs/ssosync
177a3fa
@ChrisPates
Update Pipeline to type: V2
77bab77
@ChrisPates
Configurable LogRetention and QuickStart, plus bugfixes (awslabs#316)
ddafd84 
Included in this change:

Parameter PrecacheOrgUnits : When left empty will disable the pre-caching of both Groups and Users
Parameter LogRetention : Added, config CloudWatch Log Group retention period, previously it defaulted to Indefinitely this default has been retain however, it is strongly recommended a more frugal option is selected.
Parameter ScheduleExpression : When left empty will disable scheduling of the SSOSync lambda function. The default for this is unchanged Rate(15 minutes), where the lambda is being triggered by an external event or as part of CICD pipeline (such ac CodePipeline), this prevent concurrency limits being encountered.
The Parameters page has also been re-grouped to be more intuitive.
Quick Start templates:

Added a simple template that can launched directly from CloudFormation, this can simply be launched from the repo. Currently, template creates a deployment in a single account with two nested stacks one for the secrets and the other for the lambda function. To update the deployment, download the latest version of the template and update the stack.

* implement disabled schedule
* Apply disable PreCache to Groups
* Improve logging for precache activity
* Remove Explicit RoleName
* Added Log Retention Setting.
* Tidy Up the Parameters page
* Add QuickStart
* Add job to update version strings in quickstart on release
@ChrisPates
fixes
eba2b14
@ChrisPates
Update README.md
6f271e1
@ChrisPates
Investigating Change in non-Delegated behavior
561a1c6
@ChrisPates
Revert "Investigating Change in non-Delegated behavior"
2a5dc86 
This reverts commit 561a1c6.
@ChrisPates
Update sync.go
93f385a
@ChrisPates
Update workflows
77a9357 
Adjust SemanticVersion update sed regex
Update node actions to latest versions
@ChrisPates
Update release.yml
03578cb
@ChrisPates
Update release.yml
94a0c05
@ChrisPates
Update release.yml
033445c
@ChrisPates
Update release.yml
6a79623
@ChrisPates
Update release.yml
43bd79a
@ChrisPates
Split workflows
46af4cf
Copilot AI review requested due to automatic review settings June 2, 2026 10:05
Copilot AI reviewed Jun 2, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds wildcard (*) pattern support to --ignore-users and --ignore-groups, and extends ignore handling so matching AWS-only users/groups are also excluded from deletion operations.

Changes:

  • Implemented a custom *-only matcher (matchIgnorePattern) and cached, trimmed ignore patterns on syncGSuite.
  • Updated getUserOperations / getGroupOperations to consult ignore predicates before scheduling AWS-only deletions.
  • Updated README documentation and added unit tests covering wildcard matching and the updated operations behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
README.md Documents wildcard semantics and deletion-guard behavior for ignore lists.
internal/sync.go Replaces exact-match ignore sets with cached pattern lists; adds * matcher and uses ignore predicates to prevent deletes.
internal/sync_test.go Adds tests for wildcard matching, ignore trimming/empty handling, and delete-list filtering with ignore predicates.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread internal/sync.go
Comment on lines 868 to +873
for _, awsGroup := range awsGroups {
if _, found := googleMap[awsGroup.DisplayName]; !found {
if ignoreGroup != nil && ignoreGroup(awsGroup.DisplayName) {
log.WithField("group", awsGroup.DisplayName).Info("skip delete: ignore list")
continue
}
Comment thread README.md
Comment on lines +194 to +198
Ignored users and groups are protected in both directions: they are skipped
when Google is enumerated, and they are also skipped when picking AWS
entries to delete. This means a pattern like `*@contractors.example.com`
acts as a deletion guard for accounts that exist only in AWS.

@kesor
feat: wildcard support in ignore-users and ignore-groups
7e0586d 
Allow `*` in --ignore-users and --ignore-groups entries. Only `*` is
special (matches any, possibly empty, substring); every other character
including `?`, `[`, `]`, and `\` is matched literally. The matcher is
hand-rolled rather than using path.Match so patterns cannot pick up
extra metacharacter semantics.

The ignore predicate is also consulted when picking AWS-only entries to
delete, so a pattern like `*@contractors.example.com` protects matching
AWS users from deletion even when they have no Google counterpart.

Patterns are trimmed once and cached on the syncGSuite; empty entries
are dropped.

Inspired by awslabs#306, rewritten to avoid path.Match, drop
the redundant double-check in the deletion loops, and remove per-call
debug log spam.
@kesor kesor force-pushed the feat/wildcard-ignore-users branch from 6e912df to 7e0586d Compare June 2, 2026 10:31
@kesor kesor deleted the branch master June 2, 2026 10:33
@kesor kesor closed this Jun 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kesor @ChrisPates @44smkn