remove completed users from initial_users secret

tomklapiscak · tomklapiscak · commit 28fbe6cf8c48 · 2025-03-27T16:58:01.000Z
so that they are never resynced a second time (potentially undoing a customer update)
diff --git a/README.md b/README.md
@@ -77,4 +77,9 @@ mas-devops-create-initial-users-for-saas \
     --manage-api-port 8443 \
     --coreapi-port 8444 \
     --admin-dashboard-port 8445
+```
+
+Example of initial_users secret:
+```json
+{"john.smith1@example.com":"primary,john1,smith1","john.smith2@example.com":"primary,john2,smith2","john.smith3@example.com":"secondary,john3,smith3"}
 ```
diff --git a/bin/mas-devops-create-initial-users-for-saas b/bin/mas-devops-create-initial-users-for-saas
@@ -99,6 +99,8 @@ if __name__ == "__main__":
 
     if initial_users_secret_name is not None:
 
+        logger.info(f"Loading initial_users configuration from secret {initial_users_secret_name}")
+
         session = boto3.session.Session()
         aws_sm_client = session.client(
             service_name='secretsmanager',
@@ -118,6 +120,24 @@ if __name__ == "__main__":
     else:
         raise Exception("Something unexpected happened")
     
-    user_utils.create_initial_users_for_saas(initial_users)
-   
+    
+    result = user_utils.create_initial_users_for_saas(initial_users)
 
+    # if user details were sourced from an AWS SM secret, remove the completed entries from the secret
+    # so we don't try and resync them the next time round (and potentially undo an update made by a customer)
+    if initial_users_secret_name is not None:
+        has_updates = False
+        for completed_user in result["completed"]:
+            logger.info(f"Removing synced user {completed_user['email']} from {initial_users_secret_name} secret")
+            secret_json.pop(completed_user["email"])
+            has_updates = True
+
+        if has_updates:
+            logger.info(f"Updating secret {initial_users_secret_name}")
+            try:
+                aws_sm_client.update_secret( # pragma: allowlist secret
+                    SecretId=initial_users_secret_name,
+                    SecretString=json.dumps(secret_json)
+                )
+            except ClientError as e:
+                raise Exception(f"Failed to update secret {initial_users_secret_name}: {str(e)}")
diff --git a/src/mas/devops/users.py b/src/mas/devops/users.py
@@ -793,6 +793,10 @@ def parse_initial_users_from_aws_secret_json(self, secret_json):
         secondary = []
         for (email, csv) in secret_json.items():
             values = csv.split(",")
+
+            if len(values) != 3:
+                raise Exception(f"Wrong number of CSV values for {email} (expected 3 but got {len(values)})")
+
             user_type = values[0].strip()
             given_name = values[1].strip()
             family_name = values[2].strip()
@@ -834,15 +838,46 @@ def create_initial_users_for_saas(self, initial_users):
         if type(secondary_users) is not list:
             raise Exception("'users.secondary' is not a list")
 
+        if len(primary_users) == 0 and len(secondary_users) == 0:
+            self.logger.info("No users left to sync, nothing to do")
+            return {"completed": [], "failed": []}
+
         # before we do anything, let's check all MAS applications are ready
         for mas_application_id in self.mas_workspace_application_ids:
             self.await_mas_application_availability(mas_application_id)
 
+        completed = []
+        failed = []
+
         for primary_user in primary_users:
-            self.create_initial_user_for_saas(primary_user, "PRIMARY")
+            self.logger.info("")
+            try:
+                self.logger.info(f"Syncing primary user {primary_user['email']}")
+                self.create_initial_user_for_saas(primary_user, "PRIMARY")
+                completed.append(primary_user)
+                self.logger.info(f"Completed sync of primary user {primary_user['email']}")
+            except Exception as e:
+                self.logger.error(f"Sync of primary user {primary_user['email']} failed: {str(e)}")
+                failed.append(primary_user)
+            self.logger.info("")
 
         for secondary_user in secondary_users:
-            self.create_initial_user_for_saas(secondary_user, "SECONDARY")
+            self.logger.info("")
+            try:
+                self.logger.info("")
+                self.logger.info(f"Syncing secondary user {secondary_user['email']}")
+                self.create_initial_user_for_saas(secondary_user, "SECONDARY")
+                completed.append(secondary_user)
+                self.logger.info(f"Completed sync of secondary user {secondary_user['email']}")
+            except Exception as e:
+                self.logger.error(f"Sync of secondary user {secondary_user['email']} failed: {str(e)}")
+                failed.append(secondary_user)
+            self.logger.info("")
+
+        return {
+            "completed": completed,
+            "failed": failed
+        }
 
     def create_initial_user_for_saas(self, user, user_type):
         if "email" not in user:
