From 35795b211a6ca9d037c1b2adf666d437846b4e71 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Thu, 12 Mar 2026 11:11:34 +0100
Subject: [PATCH] Never update existing Google group metadata

Skip PUT /groups/{key} for existing groups to prevent accidentally renaming or overwriting unrelated groups that share a display name or alias. Only create new groups; existing ones get member sync only. Root cause: the Lambda renamed jz-ledelsen@java.no to javazone@java.no because it matched on the display name during the PUT update.
---
 terraform/lambda-src/team_provisioner/handler.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/terraform/lambda-src/team_provisioner/handler.py b/terraform/lambda-src/team_provisioner/handler.py
index 5253bd8..63b5952 100644
--- a/terraform/lambda-src/team_provisioner/handler.py
+++ b/terraform/lambda-src/team_provisioner/handler.py
@@ -1215,7 +1215,10 @@ def handle_sync_groups_and_heros(event):
 existing = _google_api("GET", f"/groups/{group_key}", access_token)
 if existing and not existing.get("already_exists"):
- _google_api("PUT", f"/groups/{group_key}", access_token, group_body)
+ # Group exists — do NOT update name/description/email.
+ # Updating existing groups can rename unrelated groups that
+ # share a display name or alias (e.g. jz-ledelsen → javazone).
+ logger.info("Google group %s already exists — skipping metadata update", google_email)
 else:
 _google_api("POST", "/groups", access_token, group_body)
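Review bot: The `if existing and not existing.get("already_exists")` branch still accepts whatever `GET /groups/{group_key}` returns as the intended group, so a key that resolves through an alias to an unrelated group (the jz-ledelsen case in the commit message) would presumably still have its membership changed by the member sync the message says continues to run. Assuming `_google_api` returns the Directory API group resource, compare the returned address with the expected one before going further, e.g. `if (existing.get("email") or "").lower() != google_email.lower():`, then emit a `logger.warning(...)` naming both addresses and skip member sync for that entry. The new `logger.info` line also prints `google_email` while the lookup used `group_key`, so logging both would make a mismatch visible in the Lambda logs. The member-sync code and the rest of handle_sync_groups_and_heros lie outside the hunk, so confirm which identifier it keys on.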