Option to make APIs / S3 uploads "always update" the solution about aws-iam-identity-center-extensions HOT 2 OPEN

@allquixotic , agree 100% on the solution reliance on DDB causing it to go out of sync. When we originally designed the solution, we were banking on the premise that all changes would be made through the solution interface. However, we've come to realise that this premise is neither always correct (nor) a safe assumption to make.

In order to handle this and the other issues we've seen , we're working on a refactoring of the flows for permission set management.

We will stop using solution peristence (i.e. DDB) for lookup of (a) whether the permission set exists and (b) to understand how it looks like, to determine delta with the incoming permission set object. Instead, we will look up SSO directly for both (a) and (b). Additionally, we will update our S3 persistence with the lookup result every time a permisison set operation is triggered. As a side note, solution's S3 persistence is always populated irrespective of the interface enabled, to facilitate user's switching their config from API to S3 interface modes and viceversa multiple times for permissionsets.

We've been putting off our nightlyRun feature for quite some time now, so our plan is to first push that PR in, and then add this refactor on top of the nightlyRun.

Do let us know if this works in line with what your expectations are.

from aws-iam-identity-center-extensions.

Getting rid of solution persistence (DynamoDB) sounds awesome to me. I fully agree that we should remove this additional layer of data storage, as it just creates additional headaches of data that needs to be kept in sync. Querying the live source of truth is much more reliable.

from aws-iam-identity-center-extensions.