simplify the logic

ctrlplanedev · Dec 3, 2024 · 428480b · 428480b
1 parent 257e502
commit 428480b
Showing 1 changed file with 40 additions and 38 deletions.
diff --git a/packages/api/src/router/workspace-integrations.ts b/packages/api/src/router/workspace-integrations.ts
@@ -22,6 +22,16 @@ import { Permission } from "@ctrlplane/validators/auth";
 
 import { createTRPCRouter, protectedProcedure } from "../trpc";
 
+const iamClient = new IAMClient({
+  region: "us-east-1",
+  credentials: defaultProvider(),
+});
+
+const stsClient = new STSClient({
+  region: "us-east-1",
+  credentials: defaultProvider(),
+});
+
 export const integrationsRouter = createTRPCRouter({
   google: createTRPCRouter({
     createServiceAccount: protectedProcedure
@@ -167,16 +177,6 @@ export const integrationsRouter = createTRPCRouter({
             message: "AWS Role Arn already defined.",
           });
 
-        const iamClient = new IAMClient({
-          region: "us-east-1",
-          credentials: defaultProvider(),
-        });
-
-        const stsClient = new STSClient({
-          region: "us-east-1",
-          credentials: defaultProvider(),
-        });
-
         const { Arn: currentArn, Account: accountId } = await stsClient.send(
           new GetCallerIdentityCommand({}),
         );
@@ -190,33 +190,40 @@ export const integrationsRouter = createTRPCRouter({
 
         const isSSORole = currentArn.includes("AWSReservedSSO");
 
-        const sanitizedRoleArn = isSSORole
-          ? `arn:aws:iam::${accountId}:role/aws-reserved/sso.amazonaws.com/*/${currentArn.split("/")[1]}`
-          : `arn:aws:iam::${accountId}:role/${currentArn.split("/")[1]}`;
-
         const roleName = `ctrlplane-${ws.slug}`;
 
-        const assumeRolePolicyDocument = {
-          Version: "2012-10-17",
-          Statement: [
-            {
-              Effect: "Allow",
-              Principal: {
-                AWS: isSSORole
-                  ? `arn:aws:iam::${accountId}:root`
-                  : sanitizedRoleArn,
-              },
-              Action: "sts:AssumeRole",
-              ...(isSSORole && {
-                Condition: {
-                  ArnLike: {
-                    "aws:PrincipalArn": [sanitizedRoleArn],
+        const assumeRolePolicyDocument = isSSORole
+          ? {
+              Version: "2012-10-17",
+              Statement: [
+                {
+                  Effect: "Allow",
+                  Principal: {
+                    AWS: `arn:aws:iam::${accountId}:root`,
+                  },
+                  Action: "sts:AssumeRole",
+                  Condition: {
+                    ArnLike: {
+                      "aws:PrincipalArn": [
+                        `arn:aws:iam::${accountId}:role/aws-reserved/sso.amazonaws.com/*/${currentArn.split("/")[1]}`,
+                      ],
+                    },
                   },
                 },
-              }),
-            },
-          ],
-        };
+              ],
+            }
+          : {
+              Version: "2012-10-17",
+              Statement: [
+                {
+                  Effect: "Allow",
+                  Principal: {
+                    AWS: `arn:aws:iam::${accountId}:role/${currentArn.split("/")[1]}`,
+                  },
+                  Action: "sts:AssumeRole",
+                },
+              ],
+            };
 
         const createRoleResponse = await iamClient.send(
           new CreateRoleCommand({
@@ -297,11 +304,6 @@ export const integrationsRouter = createTRPCRouter({
             message: "AWS Role does not exist.",
           });
 
-        const iamClient = new IAMClient({
-          region: "us-east-1",
-          credentials: defaultProvider(),
-        });
-
         const roleName = `ctrlplane-${ws.slug}`;
 
         await iamClient.send(