diff --git a/assets/diagram.dot b/assets/diagram.dot index be5a28a..bbcf1c9 100644 --- a/assets/diagram.dot +++ b/assets/diagram.dot @@ -40,48 +40,19 @@ digraph "Diagram" { style = "filled,rounded", fillcolor = "#e4e4e4", ]; - subgraph "cluster-SubGraph.MyWebsite" { - graph [ - label = "MyWebsite", - labelloc = "b", - labeljust = "l", - margin = "10", - fontsize = "16", - penwidth = "2", - pencolor = "#888888", - style = "filled,rounded", - fillcolor = "#d6d6d6", - ]; - "VisualizeStack/MyWebsite/GithubOidc" [ - label = " GithubOidc", - fontsize = 12, - image = "/Users/pgollucci/.p6/p6m7g8/p6-cdk-github-oidc-provider/node_modules/cdk-dia/icons/aws/Service/Arch_Management-Governance/64/Arch_AWS-CloudFormation_64@5x.png", - imagescale = "true", - imagepos = "tc", - penwidth = "0", - shape = "node", - fixedsize = "true", - labelloc = "b", - width = 1.2, - height = 1.466, - ]; - "VisualizeStack/MyWebsite/GithubOidcRole" [ - label = " GithubOidcRole", - fontsize = 12, - image = "/Users/pgollucci/.p6/p6m7g8/p6-cdk-github-oidc-provider/node_modules/cdk-dia/icons/aws/Service/Arch_Security-Identity-Compliance/64/Arch_AWS-Identity-and-Access-Management_64@5x.png", - imagescale = "true", - imagepos = "tc", - penwidth = "0", - shape = "node", - fixedsize = "true", - labelloc = "b", - width = 1.2, - height = 1.466, - ]; - } + "VisualizeStack/MyWebsite/GithubOidcRole" [ + label = " GithubOidcRole", + fontsize = 12, + image = "/Users/pgollucci/.p6/p6m7g8/p6-cdk-github-oidc-provider/node_modules/cdk-dia/icons/aws/Service/Arch_Security-Identity-Compliance/64/Arch_AWS-Identity-and-Access-Management_64@5x.png", + imagescale = "true", + imagepos = "tc", + penwidth = "0", + shape = "node", + fixedsize = "true", + labelloc = "b", + width = 1.2, + height = 1.466, + ]; } } - "VisualizeStack/MyWebsite/GithubOidcRole" -> "VisualizeStack/MyWebsite/GithubOidc" [ - dir = "both", - ]; } \ No newline at end of file 
diff --git a/assets/diagram.png b/assets/diagram.png
index 319deab..d37179a 100644
Binary files a/assets/diagram.png and b/assets/diagram.png differ
diff --git a/src/p6-cdk-github-oidc-provider.ts b/src/p6-cdk-github-oidc-provider.ts
index 3c4f136..8dfdce4 100644
--- a/src/p6-cdk-github-oidc-provider.ts
+++ b/src/p6-cdk-github-oidc-provider.ts
@@ -1,3 +1,4 @@
+import { Stack } from 'aws-cdk-lib'
 import * as iam from 'aws-cdk-lib/aws-iam'
 import { Construct } from 'constructs'
 
@@ -11,8 +12,12 @@ export class P6CDKGithubOidcProvider extends Construct {
   constructor(scope: Construct, id: string, props: IP6CDKGithubOidcProviderProps) {
     super(scope, id)
 
+    const providerArn = `arn:aws:iam::${Stack.of(this).account}:oidc-provider/token.actions.githubusercontent.com`
+
+    const existingOidcProvider = iam.OpenIdConnectProvider.fromOpenIdConnectProviderArn(this, 'ExistingOidcProvider', providerArn)
+
     // Create the OIDC Provider for GitHub
-    const oidcProvider = new iam.OpenIdConnectProvider(this, 'GithubOidc', {
+    const oidcProvider = existingOidcProvider ?? new iam.OpenIdConnectProvider(this, 'GithubOidc', {
       url: 'https://token.actions.githubusercontent.com',
       clientIds: ['sts.amazonaws.com'],
       thumbprints: ['ffffffffffffffffffffffffffffffffffffffff'],
diff --git a/test/__snapshots__/p6-cdk-github-oidc-provider.test.ts.snap b/test/__snapshots__/p6-cdk-github-oidc-provider.test.ts.snap
index 550a558..df42956 100644
--- a/test/__snapshots__/p6-cdk-github-oidc-provider.test.ts.snap
+++ b/test/__snapshots__/p6-cdk-github-oidc-provider.test.ts.snap
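Review bot: The `??` on `const oidcProvider = existingOidcProvider ?? new iam.OpenIdConnectProvider(this, 'GithubOidc', {` never falls through, because `fromOpenIdConnectProviderArn` returns an imported reference unconditionally (it is a synth-time import, not an account lookup), so the creation branch and its `thumbprints` literal are dead code and the construct now silently requires the GitHub provider to already exist in the target account — the `Custom::AWSCDKOpenIdConnectProvider` resource disappearing from the snapshot hunk confirms this. A missing provider would surface only as a failed AssumeRoleWithWebIdentity at run time rather than at deploy time, so either state the precondition in the class TSDoc (`@remarks Requires an existing GitHub OIDC provider in the account; this construct no longer creates one`) or gate creation behind an explicit constructor prop and drop the dead branch. Separately, `providerArn` hard-codes the `aws` partition; `arn:${Stack.of(this).partition}:iam::${Stack.of(this).account}:oidc-provider/token.actions.githubusercontent.com` keeps the role's Federated principal correct in GovCloud and China partitions. The constructor continues past the end of the hunk.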
@@ -2,130 +2,6 @@ exports[`snapshot test for GithubOidcProvider 1`] = ` { - "Mappings": { - "LatestNodeRuntimeMap": { - "af-south-1": { - "value": "nodejs20.x", - }, - "ap-east-1": { - "value": "nodejs20.x", - }, - "ap-northeast-1": { - "value": "nodejs20.x", - }, - "ap-northeast-2": { - "value": "nodejs20.x", - }, - "ap-northeast-3": { - "value": "nodejs20.x", - }, - "ap-south-1": { - "value": "nodejs20.x", - }, - "ap-south-2": { - "value": "nodejs20.x", - }, - "ap-southeast-1": { - "value": "nodejs20.x", - }, - "ap-southeast-2": { - "value": "nodejs20.x", - }, - "ap-southeast-3": { - "value": "nodejs20.x", - }, - "ap-southeast-4": { - "value": "nodejs20.x", - }, - "ap-southeast-5": { - "value": "nodejs20.x", - }, - "ap-southeast-7": { - "value": "nodejs20.x", - }, - "ca-central-1": { - "value": "nodejs20.x", - }, - "ca-west-1": { - "value": "nodejs20.x", - }, - "cn-north-1": { - "value": "nodejs18.x", - }, - "cn-northwest-1": { - "value": "nodejs18.x", - }, - "eu-central-1": { - "value": "nodejs20.x", - }, - "eu-central-2": { - "value": "nodejs20.x", - }, - "eu-isoe-west-1": { - "value": "nodejs18.x", - }, - "eu-north-1": { - "value": "nodejs20.x", - }, - "eu-south-1": { - "value": "nodejs20.x", - }, - "eu-south-2": { - "value": "nodejs20.x", - }, - "eu-west-1": { - "value": "nodejs20.x", - }, - "eu-west-2": { - "value": "nodejs20.x", - }, - "eu-west-3": { - "value": "nodejs20.x", - }, - "il-central-1": { - "value": "nodejs20.x", - }, - "me-central-1": { - "value": "nodejs20.x", - }, - "me-south-1": { - "value": "nodejs20.x", - }, - "mx-central-1": { - "value": "nodejs20.x", - }, - "sa-east-1": { - "value": "nodejs20.x", - }, - "us-east-1": { - "value": "nodejs20.x", - }, - "us-east-2": { - "value": "nodejs20.x", - }, - "us-gov-east-1": { - "value": "nodejs18.x", - }, - "us-gov-west-1": { - "value": "nodejs18.x", - }, - "us-iso-east-1": { - "value": "nodejs18.x", - }, - "us-iso-west-1": { - "value": "nodejs18.x", - }, - "us-isob-east-1": { - "value": 
"nodejs18.x", - }, - "us-west-1": { - "value": "nodejs20.x", - }, - "us-west-2": { - "value": "nodejs20.x", - }, - }, - }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", 
@@ -134,102 +10,6 @@ exports[`snapshot test for GithubOidcProvider 1`] = ` }, }, "Resources": { - "CustomAWSCDKOpenIdConnectProviderCustomResourceProviderHandlerF2C543E0": { - "DependsOn": [ - "CustomAWSCDKOpenIdConnectProviderCustomResourceProviderRole517FED65", - ], - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", - }, - "S3Key": "977fc1649d2dbcce16e23f6332faef6fa0f48aa74a0afe35f4a3467754e20cd8.zip", - }, - "Handler": "__entrypoint__.handler", - "MemorySize": 128, - "Role": { - "Fn::GetAtt": [ - "CustomAWSCDKOpenIdConnectProviderCustomResourceProviderRole517FED65", - "Arn", - ], - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region", - }, - "value", - ], - }, - "Timeout": 900, - }, - "Type": "AWS::Lambda::Function", - }, - "CustomAWSCDKOpenIdConnectProviderCustomResourceProviderRole517FED65": { - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com", - }, - }, - ], - "Version": "2012-10-17", - }, - "ManagedPolicyArns": [ - { - "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - }, - ], - "Policies": [ - { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "iam:CreateOpenIDConnectProvider", - "iam:DeleteOpenIDConnectProvider", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:AddClientIDToOpenIDConnectProvider", - "iam:RemoveClientIDFromOpenIDConnectProvider", - ], - "Effect": "Allow", - "Resource": "*", - }, - ], - "Version": "2012-10-17", - }, - "PolicyName": "Inline", - }, - ], - }, - "Type": "AWS::IAM::Role", - }, - "GithubOidcTestGithubOidc6E61C521": { - "DeletionPolicy": "Delete", - "Properties": { - "ClientIDList": [ - "sts.amazonaws.com", - ], - "CodeHash": "977fc1649d2dbcce16e23f6332faef6fa0f48aa74a0afe35f4a3467754e20cd8", - "ServiceToken": { - "Fn::GetAtt": [ - 
"CustomAWSCDKOpenIdConnectProviderCustomResourceProviderHandlerF2C543E0", - "Arn", - ], - }, - "ThumbprintList": [ - "ffffffffffffffffffffffffffffffffffffffff", - ], - "Url": "https://token.actions.githubusercontent.com", - }, - "Type": "Custom::AWSCDKOpenIdConnectProvider", - "UpdateReplacePolicy": "Delete", - }, "GithubOidcTestGithubOidcRoleB8226496": { "Properties": { "AssumeRolePolicyDocument": { @@ -247,7 +27,16 @@ exports[`snapshot test for GithubOidcProvider 1`] = ` "Effect": "Allow", "Principal": { "Federated": { - "Ref": "GithubOidcTestGithubOidc6E61C521", + "Fn::Join": [ + "", + [ + "arn:aws:iam::", + { + "Ref": "AWS::AccountId", + }, + ":oidc-provider/token.actions.githubusercontent.com", + ], + ], }, }, },