initial implementation

.gitignore

@@ -0,0 +1,169 @@
+# Based on https://raw.githubusercontent.com/github/gitignore/main/Node.gitignore
+
+# Logs
+
+logs
+_.log
+npm-debug.log_
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+
+report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
+
+# Runtime data
+
+pids
+_.pid
+_.seed
+\*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+
+lib-cov
+
+# Coverage directory used by tools like istanbul
+
+coverage
+\*.lcov
+
+# nyc test coverage
+
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+
+bower_components
+
+# node-waf configuration
+
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+
+build/Release
+
+# Dependency directories
+
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+
+web_modules/
+
+# TypeScript cache
+
+\*.tsbuildinfo
+
+# Optional npm cache directory
+
+.npm
+
+# Optional eslint cache
+
+.eslintcache
+
+# Optional stylelint cache
+
+.stylelintcache
+
+# Microbundle cache
+
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+
+.node_repl_history
+
+# Output of 'npm pack'
+
+\*.tgz
+
+# Yarn Integrity file
+
+.yarn-integrity
+
+# dotenv environment variable files
+
+.env
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+# parcel-bundler cache (https://parceljs.org/)
+
+.cache
+.parcel-cache
+
+# Next.js build output
+
+.next
+out
+
+# Nuxt.js build / generate output
+
+.nuxt
+dist
+
+# Gatsby files
+
+.cache/
+
+# Comment in the public line in if your project uses Gatsby and not Next.js
+
+# https://nextjs.org/blog/next-9-1#public-directory-support
+
+# public
+
+# vuepress build output
+
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+
+.temp
+.cache
+
+# Docusaurus cache and generated files
+
+.docusaurus
+
+# Serverless directories
+
+.serverless/
+
+# FuseBox cache
+
+.fusebox/
+
+# DynamoDB Local files
+
+.dynamodb/
+
+# TernJS port file
+
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+
+.vscode-test
+
+# yarn v2
+
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.\*

README.md

@@ -0,0 +1,79 @@
+# Gitlab to Google SCIM
+
+To install dependencies:
+
+```bash
+bun install
+```
+
+To run:
+
+```bash
+bun run index.ts
+```
+
+
+## Configuration
+
+You need a few items of configuration. One side from Gitlab, and the other from Google Cloud to allow for API access to each.
+You will need the files produced by these steps for AWS Lambda deployment as well as locally running the sync tool.
+This how-to assumes you have Gitlab SSO configured and a Google SAML app to log in into Gitlab.
+
+
+### Google
+
+First, you have to setup your API. In the project you want to use go to the Console and select API & Services > Enable APIs and Services. Search for Admin SDK and Enable the API.
+
+You have to perform this [tutorial](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to create a service account that you use to sync your users. Save the JSON file you create during the process. Please, keep this file safe, or store it in the AWS Secrets Manager.
+
+In the domain-wide delegation for the Admin API, you have to specify the following scopes for the user.
+
+https://www.googleapis.com/auth/admin.directory.group.readonly
+https://www.googleapis.com/auth/admin.directory.group.member.readonly
+https://www.googleapis.com/auth/admin.directory.user.readonly
+
+Back in the Console go to the Dashboard for the API & Services and select "Enable API and Services". In the Search box type Admin and select the Admin SDK option. Click the Enable button.
+
+You will have to specify the email address of an admin via the environment variable GOOGLE_ADMIN_EMAIL to assume this users role in the Directory.
+
+
+### Slack
+
+To create a slack app and an incoming webhook, follow [this page](https://api.slack.com/messaging/webhooks)
+
+
+### Gitlab
+
+You need two different credentials, a SCIM token and an API token with `api` access to the root group.
+
+To get a SCIM token:
+
+- Open Gitlab, on the left sidebar, at the top, select Search GitLab () to find your group.
+- Select Settings > SAML SSO. Select Generate a SCIM token.
+- Save the Token from the Your SCIM token field. Please, keep this token safe, or store it in the AWS Secrets Manager.
+- The SCIM API endpoint URL field will be automatically calculated.
+
+To get an API token, [create a Group Access Token](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html#create-a-group-access-token-using-ui) or a [Personal Access Token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#create-a-personal-access-token).
+
+
+# Deployment configuration
+
+| Name | Required | Description |
+|---|---|---|
+| GOOGLE_DOMAIN | yes | google domain that is allowed in gitlab |
+| GOOGLE_ADMIN_EMAIL | yes | email of a google administrator that will be impersonated by the service account |
+| GOOGLE_SA_KEY_SECRET | no | AWS Secret name to retrieve the service account key from |
+| GOOGLE_SA_KEY_FILE | no | Filepath to retrieve the service account key from |
+| GOOGLE_SA_KEY | no | Service account key |
+| GITLAB_GROUP | yes | gitlab root group to sync users to |
+| GITLAB_URL | no | gitlab instance base url, defaults to https://gitlab.com |
+| GITLAB_SCIM_TOKEN_SECRET | no | AWS Secret name to retrieve the SCIM token from |
+| GITLAB_SCIM_TOKEN_FILE | no | Filepath to retrieve the SCIM token from |
+| GITLAB_SCIM_TOKEN | no | SCIM token |
+| GITLAB_API_TOKEN_SECRET | no | AWS Secret name to retrieve the API token from |
+| GITLAB_API_TOKEN_FILE | no | Filepath to retrieve the API token from |
+| GITLAB_API_TOKEN | no | API token |
+| ROLE_MAPPINGS_SECRET | no | AWS Secret name to retrieve the gitlab role mappings from |
+| ROLE_MAPPINGS_FILE | no | Filepath to retrieve the gitlab role mappings from |
+| ROLE_MAPPINGS | no | Role mappings for gitlab |
+| SLACK_WEBHOOK_URL | no | Slack Webhook url to send notifications to |