@DanielRussell
Created May 10, 2023 21:44
#!/bin/sh
#
# Backup the users and groups from your AWS IAM Identity
# Center (successor to AWS SSO) identity store.
#
# I wrote this because I initially modeled permission sets
# in Pulumi, before the AWS SSO API existed. This script
# is a handy way to grab a backup before doing potentially
# dangerous operations until I import users/groups into Pulumi.
#
# By default it will backup all identity stores; to backup
# a specific one, provide its ID on the command line.
#
# Usage:
# ./backup-identitystores.sh [identity-store-id]
#
# Output is written to a directory named "backup-<timestamp>".
#
if [ -z "${1}" ]; then
    # No ID given: enumerate the identity store behind every SSO instance.
    ids=$(aws sso-admin list-instances | jq -r '.Instances[].IdentityStoreId')
else
    ids=$1
fi

out_dir="backup-$(date +%Y%m%d%H%M%S)"
mkdir -p "${out_dir}"

for id in ${ids}; do
    # Ensure the identity store is valid. Listing groups seems
    # to be the simplest and most performant approach.
    if ! aws identitystore list-groups --identity-store-id "${id}" >/dev/null 2>&1
    then
        echo "Invalid identity store: ${id}"
        exit 1
    fi

    echo "Backing up identity store: ${id}"
    users_json="${out_dir}/${id}-users.json"
    groups_json="${out_dir}/${id}-groups.json"
    aws identitystore list-users --identity-store-id "${id}" > "${users_json}"
    aws identitystore list-groups --identity-store-id "${id}" > "${groups_json}"

    # One membership file per group; the CLI flag is --group-id, not --group.
    group_ids=$(<"${groups_json}" jq -r '.Groups[].GroupId')
    for group in ${group_ids}; do
        aws identitystore list-group-memberships --identity-store-id "${id}" --group-id "${group}" > "${out_dir}/${id}-group-${group}.json"
    done

    # list-groups reports each group's name as DisplayName (there is no GroupName field).
    echo " Users: $(<"${users_json}" jq -r '.Users[].UserName' | wc -l | tr -d ' ')"
    echo " Groups: $(<"${groups_json}" jq -r '.Groups[].DisplayName' | wc -l | tr -d ' ')"
done
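A backup is only useful if you can tell what changed since it was taken. The following is an added example, not part of the gist: it reads two backup directories in the layout the script writes (`<id>-users.json`, `<id>-groups.json`, `<id>-group-<GroupId>.json`) and reports users, groups and memberships that were added or removed between them, so an unexpected change made during a "potentially dangerous operation" shows up immediately. The store ID and names in the sample are constructed.

```python
import json
from pathlib import Path

# Reduce one backup directory written by the script above into a snapshot.
# Assumed layout (as the script writes it): <id>-users.json, <id>-groups.json,
# <id>-group-<GroupId>.json; list-groups reports DisplayName per group and
# list-group-memberships reports MemberId.UserId per member.
def load_snapshot(backup_dir, store_id):
    d = Path(backup_dir)
    users = json.loads((d / f"{store_id}-users.json").read_text())["Users"]
    groups = json.loads((d / f"{store_id}-groups.json").read_text())["Groups"]
    names = {u["UserId"]: u["UserName"] for u in users}
    snap = {"users": set(names.values()), "groups": set(), "members": set()}
    for g in groups:
        snap["groups"].add(g["DisplayName"])
        doc = json.loads((d / f"{store_id}-group-{g['GroupId']}.json").read_text())
        for m in doc["GroupMemberships"]:
            uid = m["MemberId"]["UserId"]
            # Fall back to the raw id if the member is not in the user list.
            snap["members"].add((g["DisplayName"], names.get(uid, uid)))
    return snap

def diff_snapshots(old, new):
    """Set differences between two snapshots; anything unexpected here is
    the change to review (or to restore from the earlier backup)."""
    return {
        key: {"added": sorted(new[key] - old[key]),
              "removed": sorted(old[key] - new[key])}
        for key in ("users", "groups", "members")
    }

# Constructed sample (not real data): an earlier and a later snapshot.
BEFORE = {
    "users": {"alice", "bob"},
    "groups": {"Admins", "Developers"},
    "members": {("Admins", "alice"), ("Developers", "bob")},
}
AFTER = {
    "users": {"alice", "bob", "carol"},
    "groups": {"Admins", "Developers"},
    "members": {("Admins", "alice"), ("Admins", "carol"), ("Developers", "bob")},
}

if __name__ == "__main__":
    # Real use: diff_snapshots(load_snapshot("backup-<old>", ID), load_snapshot("backup-<new>", ID))
    for key, delta in diff_snapshots(BEFORE, AFTER).items():
        print(f"{key}: +{delta['added']} -{delta['removed']}")
```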