feat: re-use the existing oidc-provider if it exists (#13)
pgollucci authored Oct 30, 2024
1 parent 6dd76f4 commit f8a0c88
Showing 4 changed files with 29 additions and 264 deletions.
55 changes: 13 additions & 42 deletions assets/diagram.dot
Expand Up @@ -40,48 +40,19 @@ digraph "Diagram" {
style = "filled,rounded",
fillcolor = "#e4e4e4",
];
subgraph "cluster-SubGraph.MyWebsite" {
graph [
label = "MyWebsite",
labelloc = "b",
labeljust = "l",
margin = "10",
fontsize = "16",
penwidth = "2",
pencolor = "#888888",
style = "filled,rounded",
fillcolor = "#d6d6d6",
];
"VisualizeStack/MyWebsite/GithubOidc" [
label = " GithubOidc",
fontsize = 12,
image = "/Users/pgollucci/.p6/p6m7g8/p6-cdk-github-oidc-provider/node_modules/cdk-dia/icons/aws/Service/Arch_Management-Governance/64/[email protected]",
imagescale = "true",
imagepos = "tc",
penwidth = "0",
shape = "node",
fixedsize = "true",
labelloc = "b",
width = 1.2,
height = 1.466,
];
"VisualizeStack/MyWebsite/GithubOidcRole" [
label = " GithubOidcRole",
fontsize = 12,
image = "/Users/pgollucci/.p6/p6m7g8/p6-cdk-github-oidc-provider/node_modules/cdk-dia/icons/aws/Service/Arch_Security-Identity-Compliance/64/[email protected]",
imagescale = "true",
imagepos = "tc",
penwidth = "0",
shape = "node",
fixedsize = "true",
labelloc = "b",
width = 1.2,
height = 1.466,
];
}
"VisualizeStack/MyWebsite/GithubOidcRole" [
label = " GithubOidcRole",
fontsize = 12,
image = "/Users/pgollucci/.p6/p6m7g8/p6-cdk-github-oidc-provider/node_modules/cdk-dia/icons/aws/Service/Arch_Security-Identity-Compliance/64/[email protected]",
imagescale = "true",
imagepos = "tc",
penwidth = "0",
shape = "node",
fixedsize = "true",
labelloc = "b",
width = 1.2,
height = 1.466,
];
}
}
"VisualizeStack/MyWebsite/GithubOidcRole" -> "VisualizeStack/MyWebsite/GithubOidc" [
dir = "both",
];
}
Binary file modified assets/diagram.png
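--- a/src/p6-cdk-github-oidc-provider.ts
+++ b/src/p6-cdk-github-oidc-provider.ts
@@ -1,3 +1,4 @@
+import { Stack } from 'aws-cdk-lib'
 import * as iam from 'aws-cdk-lib/aws-iam'
 import { Construct } from 'constructs'
 
@@ -11,8 +12,12 @@ export class P6CDKGithubOidcProvider extends Construct {
 constructor(scope: Construct, id: string, props: IP6CDKGithubOidcProviderProps) {
 super(scope, id)
 
+const providerArn = `arn:aws:iam::${Stack.of(this).account}:oidc-provider/token.actions.githubusercontent.com`
+
+const existingOidcProvider = iam.OpenIdConnectProvider.fromOpenIdConnectProviderArn(this, 'ExistingOidcProvider', providerArn)
+
 // Create the OIDC Provider for GitHub
-const oidcProvider = new iam.OpenIdConnectProvider(this, 'GithubOidc', {
+const oidcProvider = existingOidcProvider ?? new iam.OpenIdConnectProvider(this, 'GithubOidc', {
 url: 'https://token.actions.githubusercontent.com',
 clientIds: ['sts.amazonaws.com'],
 thumbprints: ['ffffffffffffffffffffffffffffffffffffffff'],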
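Review bot: The `existingOidcProvider ?? new iam.OpenIdConnectProvider(...)` fallback on the new `const oidcProvider` line can never take the `new` branch, because `fromOpenIdConnectProviderArn` is a synth-time import that always returns a non-null `IOpenIdConnectProvider` without checking the account, so the provider is no longer created anywhere (the updated snapshot confirms the custom resource is gone and the role's `Federated` principal is now a bare ARN). In an account where `token.actions.githubusercontent.com` is not registered, the role's trust policy points at a non-existent provider and IAM will reject it (or `AssumeRoleWithWebIdentity` will fail later), which is the opposite of what the commit title promises. CDK cannot discover existence at synth time, so make the choice explicit: add an optional prop such as `useExistingProvider?: boolean` to `IP6CDKGithubOidcProviderProps` (declared outside this hunk) and write `const oidcProvider = props.useExistingProvider ? iam.OpenIdConnectProvider.fromOpenIdConnectProviderArn(this, 'ExistingOidcProvider', providerArn) : new iam.OpenIdConnectProvider(this, 'GithubOidc', { ... })`, keeping the object literal that follows unchanged. The ARN also hard-codes the `aws` partition; build it with `Stack.of(this).formatArn({ service: 'iam', region: '', resource: 'oidc-provider', resourceName: 'token.actions.githubusercontent.com' })` so GovCloud and China partitions resolve correctly. The constructor body continues past the end of the hunk.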
231 changes: 10 additions & 221 deletions test/__snapshots__/p6-cdk-github-oidc-provider.test.ts.snap
Expand Up @@ -2,130 +2,6 @@

exports[`snapshot test for GithubOidcProvider 1`] = `
{
"Mappings": {
"LatestNodeRuntimeMap": {
"af-south-1": {
"value": "nodejs20.x",
},
"ap-east-1": {
"value": "nodejs20.x",
},
"ap-northeast-1": {
"value": "nodejs20.x",
},
"ap-northeast-2": {
"value": "nodejs20.x",
},
"ap-northeast-3": {
"value": "nodejs20.x",
},
"ap-south-1": {
"value": "nodejs20.x",
},
"ap-south-2": {
"value": "nodejs20.x",
},
"ap-southeast-1": {
"value": "nodejs20.x",
},
"ap-southeast-2": {
"value": "nodejs20.x",
},
"ap-southeast-3": {
"value": "nodejs20.x",
},
"ap-southeast-4": {
"value": "nodejs20.x",
},
"ap-southeast-5": {
"value": "nodejs20.x",
},
"ap-southeast-7": {
"value": "nodejs20.x",
},
"ca-central-1": {
"value": "nodejs20.x",
},
"ca-west-1": {
"value": "nodejs20.x",
},
"cn-north-1": {
"value": "nodejs18.x",
},
"cn-northwest-1": {
"value": "nodejs18.x",
},
"eu-central-1": {
"value": "nodejs20.x",
},
"eu-central-2": {
"value": "nodejs20.x",
},
"eu-isoe-west-1": {
"value": "nodejs18.x",
},
"eu-north-1": {
"value": "nodejs20.x",
},
"eu-south-1": {
"value": "nodejs20.x",
},
"eu-south-2": {
"value": "nodejs20.x",
},
"eu-west-1": {
"value": "nodejs20.x",
},
"eu-west-2": {
"value": "nodejs20.x",
},
"eu-west-3": {
"value": "nodejs20.x",
},
"il-central-1": {
"value": "nodejs20.x",
},
"me-central-1": {
"value": "nodejs20.x",
},
"me-south-1": {
"value": "nodejs20.x",
},
"mx-central-1": {
"value": "nodejs20.x",
},
"sa-east-1": {
"value": "nodejs20.x",
},
"us-east-1": {
"value": "nodejs20.x",
},
"us-east-2": {
"value": "nodejs20.x",
},
"us-gov-east-1": {
"value": "nodejs18.x",
},
"us-gov-west-1": {
"value": "nodejs18.x",
},
"us-iso-east-1": {
"value": "nodejs18.x",
},
"us-iso-west-1": {
"value": "nodejs18.x",
},
"us-isob-east-1": {
"value": "nodejs18.x",
},
"us-west-1": {
"value": "nodejs20.x",
},
"us-west-2": {
"value": "nodejs20.x",
},
},
},
"Parameters": {
"BootstrapVersion": {
"Default": "/cdk-bootstrap/hnb659fds/version",
Expand All @@ -134,102 +10,6 @@ exports[`snapshot test for GithubOidcProvider 1`] = `
},
},
"Resources": {
"CustomAWSCDKOpenIdConnectProviderCustomResourceProviderHandlerF2C543E0": {
"DependsOn": [
"CustomAWSCDKOpenIdConnectProviderCustomResourceProviderRole517FED65",
],
"Properties": {
"Code": {
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}",
},
"S3Key": "977fc1649d2dbcce16e23f6332faef6fa0f48aa74a0afe35f4a3467754e20cd8.zip",
},
"Handler": "__entrypoint__.handler",
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"CustomAWSCDKOpenIdConnectProviderCustomResourceProviderRole517FED65",
"Arn",
],
},
"Runtime": {
"Fn::FindInMap": [
"LatestNodeRuntimeMap",
{
"Ref": "AWS::Region",
},
"value",
],
},
"Timeout": 900,
},
"Type": "AWS::Lambda::Function",
},
"CustomAWSCDKOpenIdConnectProviderCustomResourceProviderRole517FED65": {
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com",
},
},
],
"Version": "2012-10-17",
},
"ManagedPolicyArns": [
{
"Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
},
],
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"iam:CreateOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider",
"iam:UpdateOpenIDConnectProviderThumbprint",
"iam:AddClientIDToOpenIDConnectProvider",
"iam:RemoveClientIDFromOpenIDConnectProvider",
],
"Effect": "Allow",
"Resource": "*",
},
],
"Version": "2012-10-17",
},
"PolicyName": "Inline",
},
],
},
"Type": "AWS::IAM::Role",
},
"GithubOidcTestGithubOidc6E61C521": {
"DeletionPolicy": "Delete",
"Properties": {
"ClientIDList": [
"sts.amazonaws.com",
],
"CodeHash": "977fc1649d2dbcce16e23f6332faef6fa0f48aa74a0afe35f4a3467754e20cd8",
"ServiceToken": {
"Fn::GetAtt": [
"CustomAWSCDKOpenIdConnectProviderCustomResourceProviderHandlerF2C543E0",
"Arn",
],
},
"ThumbprintList": [
"ffffffffffffffffffffffffffffffffffffffff",
],
"Url": "https://token.actions.githubusercontent.com",
},
"Type": "Custom::AWSCDKOpenIdConnectProvider",
"UpdateReplacePolicy": "Delete",
},
"GithubOidcTestGithubOidcRoleB8226496": {
"Properties": {
"AssumeRolePolicyDocument": {
Expand All @@ -247,7 +27,16 @@ exports[`snapshot test for GithubOidcProvider 1`] = `
"Effect": "Allow",
"Principal": {
"Federated": {
"Ref": "GithubOidcTestGithubOidc6E61C521",
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId",
},
":oidc-provider/token.actions.githubusercontent.com",
],
],
},
},
},
