slashdevops
diff --git a/‎README.md‎
Lines changed: 56 additions & 87 deletions b/‎README.md‎
Lines changed: 56 additions & 87 deletions
diff --git a/‎docs/AWS-SAM-Template.md‎
Lines changed: 130 additions & 21 deletions b/‎docs/AWS-SAM-Template.md‎
Lines changed: 130 additions & 21 deletions
@@ -30,11 +30,11 @@ For a detailed list of new features, improvements, and bug fixes in each release
 
 This project is compatible with the latest AWS Lambda runtimes. Since version `v0.0.19`, it uses the `provided.al2` runtime and `arm64` architecture.
 
-| Version Range        | AWS Lambda Runtime | Architecture       | Deprecation Date |
-| -------------------- | ------------------ | ------------------ | ---------------- |
-| `<= v0.0.18`         | Go 1.x             | amd64 (Intel)      | 2023-12-31       |
+| Version Range          | AWS Lambda Runtime | Architecture       | Deprecation Date |
+| ---------------------- | ------------------ | ------------------ | ---------------- |
+| `<= v0.0.18`           | Go 1.x             | amd64 (Intel)      | 2023-12-31       |
 | `>= v0.0.19 < v0.31.0` | provided.al2       | arm64 (Graviton 2) | 2026-06-30       |
-| `>= v0.31.0`         | provided.al2023    | arm64 (Graviton 2) | 2029-06-30       |
+| `>= v0.31.0`           | provided.al2023    | arm64 (Graviton 2) | 2029-06-30       |
 
 ## ⚙️ How It Works
 
@@ -48,6 +48,40 @@ For more details on the resources created by the CloudFormation template, please
 
 > **Note:** If this is your first time implementing AWS IAM Identity Center, please read [Using SSO](docs/Using-SSO.md).
 
+## Programs
+
+This repository builds two binaries from the `cmd/` directory:
+
+| Program | Source | Purpose |
+| ------- | ------ | ------- |
+| `idpscim` | `cmd/idpscim` | Main synchronization program that runs as the Lambda function, a local CLI, or a container command |
+| `idpscimcli` | `cmd/idpscimcli` | Helper CLI used to inspect AWS SCIM and Google Workspace data while validating configuration |
+
+After `make build`, the binaries are available in `build/`:
+
+```bash
+./build/idpscim --help
+./build/idpscimcli --help
+```
+
+## Documentation Map
+
+The repository documentation is organized as follows:
+
+| Document | Purpose |
+| ------- | ------- |
+| [docs/idpscim.md](docs/idpscim.md) | Main program reference for the `idpscim` sync executable |
+| [docs/idpscimcli.md](docs/idpscimcli.md) | Command reference for the `idpscimcli` validation and inspection CLI |
+| [docs/Configuration.md](docs/Configuration.md) | Configuration sources, examples, and environment variable usage |
+| [docs/AWS-SAM.md](docs/AWS-SAM.md) | Source deployment, Serverless Application Repository update flow, and maintainer publishing workflow |
+| [docs/AWS-SAM-Template.md](docs/AWS-SAM-Template.md) | Template parameters, generated resources, and Lambda environment mapping |
+| [docs/Development.md](docs/Development.md) | Local development workflow, build steps, tests, and SAM-based cloud testing |
+| [docs/Using-SSO.md](docs/Using-SSO.md) | Practical rollout guidance for AWS IAM Identity Center and Google Workspace group design |
+| [docs/State-File-example.md](docs/State-File-example.md) | Example state file structure and notes about how sync state is stored |
+| [docs/Demo.md](docs/Demo.md) | Visual walkthrough screenshots of the sync process and resulting AWS and Google Workspace data |
+| [docs/Release.md](docs/Release.md) | Maintainer release flow based on semantic version tags and GitHub Actions |
+| [docs/Whats-New.md](docs/Whats-New.md) | Release notes and notable changes across versions |
+
 ## 🚀 Getting Started
 
 The easiest way to deploy and use this project is through the [AWS Serverless Application Repository](https://serverlessrepo.aws.amazon.com/applications/us-east-1/889836709304/idp-scim-sync).
@@ -74,112 +108,53 @@ You have several options to use this project:
 
 * **AWS Serverless Application Repository (Recommended)**
   * Deploy the application directly from the [AWS Serverless Application Repository](https://serverlessrepo.aws.amazon.com/applications/us-east-1/889836709304/idp-scim-sync).
+  * To update an existing deployment to a newer published version, reuse the same original application name that you entered when you first deployed it. Do not use the generated `serverlessrepo-...` stack name. See [docs/AWS-SAM.md](docs/AWS-SAM.md) for the full update flow.
 
 * **AWS SAM**
   * Build and deploy the Lambda function from your local machine.
-  * **Requirements:**
-    * [Git](https://git-scm.com/)
-    * [Go](https://go.dev/learn/)
-    * [AWS SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html)
-  * **Commands:**
+  * Quick start:
 
 ```bash
-# Set your AWS CLI profile and region
 export AWS_PROFILE=<profile_name>
 export AWS_REGION=<region>
-
-# Validate the template
-sam validate
-
-# Build the project
-sam build
-
-# Deploy with a guided process
-sam deploy --guided --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM
+GIT_VERSION=dev sam build
+sam deploy --guided --stack-name idp-scim-sync --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM
 ```
 
+* For full validation, source deployment, publish, and update guidance, see [docs/AWS-SAM.md](docs/AWS-SAM.md) and [docs/AWS-SAM-Template.md](docs/AWS-SAM-Template.md).
+
 ### Locally
 
 * **Build from Source**
-  * **Requirements:**
-    * [Git](https://git-scm.com/)
-    * [Go](https://go.dev/learn/)
-    * [Make](https://www.gnu.org/software/make/)
-  * **Commands:**
+  * Quick start:
 
 ```bash
-# Compile for your operating system
 make
-
-# Cross-compile for Windows, macOS, and Linux
-make build-dist
+./build/idpscim --help
+./build/idpscimcli --help
 ```
 
+* **Run the programs**
+  * **idpscim** runs the actual synchronization logic.
+  * **idpscimcli** helps you validate your AWS SCIM and Google Workspace configuration before enabling automated sync.
+  * See [docs/idpscim.md](docs/idpscim.md), [docs/idpscimcli.md](docs/idpscimcli.md), [docs/Configuration.md](docs/Configuration.md), and [docs/Development.md](docs/Development.md) for examples, flags, and the full local workflow.
+
 * **Pre-built Binaries**
   * Download the binaries from the [GitHub Releases](https://github.com/slashdevops/idp-scim-sync/releases).
 
 * **Container Image**
   * Pull the image from the [GitHub Container Registry](https://github.com/slashdevops/idp-scim-sync/pkgs/container/idp-scim-sync).
+  * Container build and execution details are documented in [docs/idpscim.md](docs/idpscim.md), [docs/idpscimcli.md](docs/idpscimcli.md), and [docs/Development.md](docs/Development.md).
 
 ## Configurable User Fields
 
 By default, all optional user attributes are synced from Google Workspace to AWS SSO SCIM. You can control which optional fields are included using the `sync_user_fields` configuration option.
 
-**Available fields:**
-
-| Field               | Description                                                                 |
-| ------------------- | --------------------------------------------------------------------------- |
-| `phoneNumbers`      | User's phone numbers                                                        |
-| `addresses`         | User's addresses (street, city, region, postal code, country)               |
-| `title`             | User's job title                                                            |
-| `preferredLanguage` | User's preferred language                                                   |
-| `locale`            | User's locale                                                               |
-| `timezone`          | User's timezone                                                             |
-| `nickName`          | User's nickname                                                             |
-| `profileURL`        | User's profile URL                                                          |
-| `userType`          | User type attribute                                                         |
-| `enterpriseData`    | Enterprise extension (employeeNumber, costCenter, organization, department, division, manager) |
-
-**Required fields** (always synced, not configurable): `name`, `userName`, `displayName`, `emails`, `active`.
-
-### Configuration Examples
-
-**Config file (.idpscim.yaml):**
-
-```yaml
-# Sync only phone numbers, addresses, and enterprise data
-sync_user_fields:
-  - phoneNumbers
-  - addresses
-  - enterpriseData
-```
-
-**Environment variable (Lambda / SAM):**
-
-```bash
-IDPSCIM_SYNC_USER_FIELDS=phoneNumbers,addresses,enterpriseData
-```
-
-**CLI flag:**
-
-```bash
-idpscim --sync-user-fields phoneNumbers,addresses,enterpriseData
-```
-
-**SAM template parameter:**
-
-Set the `SyncUserFields` parameter when deploying:
-
-```bash
-sam deploy --parameter-overrides SyncUserFields=phoneNumbers,addresses,enterpriseData
-```
+Supported optional fields include `phoneNumbers`, `addresses`, `title`, `preferredLanguage`, `locale`, `timezone`, `nickName`, `profileURL`, `userType`, and `enterpriseData`.
 
-### Behavior Notes
+Required fields are always synchronized: `name`, `userName`, `displayName`, `emails`, and `active`.
 
-* **Default (empty or not set):** When `sync_user_fields` is empty or not configured, all optional fields are synced. This preserves backward compatibility with existing deployments.
-* **Specifying fields:** Only the listed fields will be synced. For example, setting `sync_user_fields: [phoneNumbers]` will sync only phone numbers; addresses, enterprise data, and other optional attributes will not be sent to AWS SSO SCIM.
-* **Invalid field names:** If an invalid field name is provided, the application will fail at startup with a clear error message listing the unrecognized field.
-* **Changing on an existing deployment:** The first sync after modifying this configuration will detect all users as "changed" (due to hash differences) and update them in AWS SSO. This is expected behavior — it will clear the excluded fields from SCIM.
+For config file examples, environment variable usage, CLI flags, SAM parameter usage, and behavior notes, see [docs/Configuration.md](docs/Configuration.md) and [docs/idpscim.md](docs/idpscim.md).
 
 ## 📦 Repositories
 
@@ -200,12 +175,6 @@ If you are coming from the [awslabs/ssosync](https://github.com/awslabs/ssosync)
 * This project only implements filtering for Google Workspace Groups, not Users.
 * This project supports selecting which optional user attributes to sync via `--sync-user-fields` (e.g., phone numbers, addresses, enterprise data).
 * The flag names are different.
-* Not all features of `ssosync` are implemented here, and they may not be in the future.
-
-## 🧩 Components
-
-* **idpscim**: A program for keeping AWS IAM Identity Center groups and users synced with your Google Workspace directory. See the [idpscim documentation](docs/idpscim.md) for more details.
-* **idpscimcli**: A command-line tool to check and validate some of the functionalities implemented in `idpscim`. See the [idpscimcli documentation](docs/idpscimcli.md) for more details.
 
 ## 📄 License
 
 
@@ -1,23 +1,132 @@
 # AWS SAM Template
 
-This project use [AWS SAM](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification.html), a tool for creating serverless applications.  This facilitates the creation of serverless applications that can be deployed to [AWS Lambda](https://aws.amazon.com/lambda/) and others different resources using [AWS CloudFormation.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html).
-
-## Resources
-
-The  file [template.yaml](https://github.com/slashdevops/idp-scim-sync/blob/main/template.yaml) after being transformed by the [AWS SAM package command](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-package.html) in `packaged.yaml` creates the following resources:
-
-| #   | Type                        | CloudFormation Logical ID                  |
-| --- | --------------------------- | ------------------------------------------ |
-| 1   | AWS::SecretsManager::Secret | AWSGWSServiceAccountFileSecret             |
-| 2   | AWS::SecretsManager::Secret | AWSGWSUserEmailSecret                      |
-| 3   | AWS::SecretsManager::Secret | AWSSCIMAccessTokenSecret                   |
-| 4   | AWS::SecretsManager::Secret | AWSSCIMEndpointSecret                      |
-| 5   | AWS::S3::Bucket             | Bucket                                     |
-| 6   | AWS::S3::BucketPolicy       | BucketPolicy                               |
-| 7   | AWS::KMS::Key               | KMSKey                                     |
-| 8   | AWS::KMS::Alias             | KMSKeyAlias                                |
-| 9   | AWS::Lambda::Function       | LambdaFunction                             |
-| 10  | AWS::Logs::LogGroup         | LambdaFunctionLogGroup                     |
-| 11  | AWS::IAM::Role              | LambdaFunctionRole                         |
-| 12  | AWS::Events::Rule           | LambdaFunctionSyncScheduledEvent           |
-| 13  | AWS::Lambda::Permission     | LambdaFunctionSyncScheduledEventPermission |
+This project uses [AWS SAM](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification.html) to define the Lambda-based deployment of `idp-scim-sync`. The source template is [template.yaml](../template.yaml).
+
+## What The Template Does
+
+The template deploys the main `idpscim` program as a scheduled Lambda function that synchronizes Google Workspace groups and users into AWS IAM Identity Center through the SCIM API.
+
+At a high level, the template does the following:
+
+- Creates the Lambda function and schedules it with EventBridge.
+- Stores sensitive credentials in Secrets Manager.
+- Creates an encrypted S3 bucket for the sync state file.
+- Creates the IAM role and permissions required by the Lambda function.
+- Creates the CloudWatch log group used by the function.
+- Adds metadata required to publish the application to the AWS Serverless Application Repository.
+
+## Build And Publish Metadata
+
+The template includes two important metadata blocks:
+
+| Metadata | Purpose |
+| --- | --- |
+| `AWS::Serverless::Function` `BuildMethod: makefile` | Tells `sam build` to invoke `build-LambdaFunction` from [Makefile](../Makefile) |
+| `AWS::ServerlessRepo::Application` | Provides the public application metadata used by the AWS Serverless Application Repository |
+
+This means the SAM build for this project is not a generic Go Lambda build. It is repository-specific and intentionally compiles [cmd/idpscim/main.go](../cmd/idpscim/main.go) into a `bootstrap` binary.
+
+## Parameters
+
+The template parameters are grouped into three practical areas.
+
+### Runtime And Sync Behavior
+
+| Parameter | Purpose | Default |
+| --- | --- | --- |
+| `ScheduleExpression` | EventBridge schedule for the Lambda execution | `rate(15 minutes)` |
+| `SyncMethod` | Sync strategy implemented by the application | `groups` |
+| `SyncUserFields` | Optional user attributes to synchronize | empty |
+| `GWSGroupsFilter` | Google Workspace group filter | empty |
+| `LogLevel` | Application log level | `info` |
+| `LogFormat` | Application log format | `json` |
+| `MemorySize` | Lambda memory allocation | `256` |
+| `Timeout` | Lambda timeout in seconds | `300` |
+| `Runtime` | Lambda runtime | `provided.al2023` |
+| `Architecture` | Lambda CPU architecture | `arm64` |
+| `LambdaFunctionHandler` | Lambda handler entrypoint | `bootstrap` |
+| `LambdaFunctionName` | Lambda function name | `idp-scim-sync` |
+| `LogGroupName` | CloudWatch log group name | `/aws/lambda/idp-scim-sync` |
+| `LogGroupRetentionDays` | CloudWatch log retention | `7` |
+| `RoleNameSuffix` | Optional suffix to avoid IAM role name collisions | empty |
+
+### State File Storage
+
+| Parameter | Purpose | Default |
+| --- | --- | --- |
+| `BucketNamePrefix` | Prefix used to build the state bucket name | `idp-scim-sync-state` |
+| `BucketKey` | S3 object key for the saved sync state | `data/state.json` |
+
+The final bucket name is assembled as:
+
+```text
+<BucketNamePrefix>-<AWS Account ID>-<AWS Region>
+```
+
+### Credentials And Secret Names
+
+| Parameter | Purpose | Default |
+| --- | --- | --- |
+| `GWSServiceAccountFile` | Google Workspace service account JSON contents | none |
+| `GWSServiceAccountFileSecretName` | Secret name for that JSON | `IDPSCIM_GWSServiceAccountFile` |
+| `GWSUserEmail` | Delegated Google Workspace user email | none |
+| `GWSUserEmailSecretName` | Secret name for that email | `IDPSCIM_GWSUserEmail` |
+| `SCIMEndpoint` | AWS IAM Identity Center SCIM endpoint | none |
+| `SCIMEndpointSecretName` | Secret name for the SCIM endpoint | `IDPSCIM_SCIMEndpoint` |
+| `SCIMAccessToken` | AWS IAM Identity Center SCIM access token | none |
+| `SCIMAccessTokenSecretName` | Secret name for the SCIM token | `IDPSCIM_SCIMAccessToken` |
+
+The sensitive input values are stored in Secrets Manager, and the Lambda function receives the secret names through environment variables. The function then resolves the actual secret values at runtime.
+
+## Resources Created
+
+After packaging and deployment, the template creates the following resources:
+
+| # | Type | Logical ID | Purpose |
+| --- | --- | --- | --- |
+| 1 | `AWS::Serverless::Function` | `LambdaFunction` | Runs the sync logic from `idpscim` |
+| 2 | `AWS::IAM::Role` | `LambdaFunctionRole` | Grants Lambda access to Secrets Manager, S3, KMS, logs, and X-Ray |
+| 3 | `AWS::SecretsManager::Secret` | `AWSGWSServiceAccountFileSecret` | Stores Google Workspace credentials |
+| 4 | `AWS::SecretsManager::Secret` | `AWSGWSUserEmailSecret` | Stores the delegated Google Workspace email |
+| 5 | `AWS::SecretsManager::Secret` | `AWSSCIMEndpointSecret` | Stores the AWS SCIM endpoint |
+| 6 | `AWS::SecretsManager::Secret` | `AWSSCIMAccessTokenSecret` | Stores the AWS SCIM token |
+| 7 | `AWS::KMS::Key` | `KMSKey` | Encrypts the S3 state bucket |
+| 8 | `AWS::KMS::Alias` | `KMSKeyAlias` | Stable alias for the KMS key |
+| 9 | `AWS::S3::Bucket` | `Bucket` | Stores the sync state file |
+| 10 | `AWS::S3::BucketPolicy` | `BucketPolicy` | Restricts access to the state bucket and enforces TLS |
+| 11 | `AWS::Logs::LogGroup` | `LambdaFunctionLogGroup` | Stores Lambda logs |
+
+The scheduled trigger is defined inside the `AWS::Serverless::Function` as a SAM `Schedule` event, which expands into the EventBridge rule and the matching Lambda invoke permission during transformation.
+
+## Lambda Environment
+
+The Lambda function receives configuration through environment variables mapped from template parameters and created secret names.
+
+Important environment variables include:
+
+- `IDPSCIM_LOG_LEVEL`
+- `IDPSCIM_LOG_FORMAT`
+- `IDPSCIM_SYNC_METHOD`
+- `IDPSCIM_SYNC_USER_FIELDS`
+- `IDPSCIM_GWS_GROUPS_FILTER`
+- `IDPSCIM_AWS_S3_BUCKET_NAME`
+- `IDPSCIM_AWS_S3_BUCKET_KEY`
+- `IDPSCIM_GWS_USER_EMAIL_SECRET_NAME`
+- `IDPSCIM_GWS_SERVICE_ACCOUNT_FILE_SECRET_NAME`
+- `IDPSCIM_AWS_SCIM_ENDPOINT_SECRET_NAME`
+- `IDPSCIM_AWS_SCIM_ACCESS_TOKEN_SECRET_NAME`
+
+## Outputs
+
+The template exports two useful outputs:
+
+| Output | Description |
+| --- | --- |
+| `LambdaFunctionArn` | ARN of the deployed Lambda function |
+| `LambdaFunctionName` | Name of the deployed Lambda function |
+
+## Related Documentation
+
+- [AWS-SAM.md](AWS-SAM.md) for deployment, update, and publish workflows
+- [Configuration.md](Configuration.md) for application configuration behavior
+- [README.md](../README.md) for high-level usage guidance