Skip to content

Commit

Permalink
Fix OIDC TS example. (#1712)
Browse files Browse the repository at this point in the history
Update the OIDC ESC setup example to account for ESC projects and the
newer OIDC subject claims format.
  • Loading branch information
jkodroff authored Oct 5, 2024
2 parents 54f59bf + 3e5912e commit 1432c2c
Show file tree
Hide file tree
Showing 3 changed files with 45 additions and 48 deletions.
6 changes: 4 additions & 2 deletions aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,11 @@ description: ${DESCRIPTION}
runtime: nodejs

template:
description: A minimal TypeScript Pulumi program to set up AWS OIDC
description: AWS OIDC setup for Pulumi ESC
config:
aws:region:
description: AWS Region
default: us-west-2

escProject:
description: The name of the ESC project in which to place a generated environment.
default: aws
85 changes: 40 additions & 45 deletions aws-ts-oidc-provider-pulumi-cloud/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -6,36 +6,42 @@ import * as pulumi from "@pulumi/pulumi";
import * as pulumiservice from "@pulumi/pulumiservice";
import * as tls from "@pulumi/tls";

// Configurations
const audience = pulumi.getOrganization();
const config = new pulumi.Config();
const escProject = config.require("escProject");

const pulumiOrg = pulumi.getOrganization();

// NOTE: At the time of writing, if you are still using the legacy "default"
// organization, the format for the audience OIDC claim is different. Best
// practice is to avoid using the legacy default project.
const oidcAudience = escProject == "default" ? pulumiOrg : `aws:${pulumiOrg}`;

const oidcIdpUrl: string = "https://api.pulumi.com/oidc";

// Get TLS thumbprint for OIDC Provider
const certs = tls.getCertificateOutput({
url: oidcIdpUrl,
});

const thumbprint = certs.certificates[0].sha1Fingerprint;

function getProviderArn() {
const existingProvider = aws.iam.getOpenIdConnectProviderOutput({
url: oidcIdpUrl,
});

if (existingProvider) {
console.log("OIDC Provider already exists ...");
// upsert audience
const cmd = new command.local.Command("oidc-client-id", {
create: pulumi.interpolate`aws iam add-client-id-to-open-id-connect-provider --open-id-connect-provider-arn ${existingProvider.arn} --client-id aws:${audience}`,
delete: pulumi.interpolate`aws iam remove-client-id-from-open-id-connect-provider --open-id-connect-provider-arn ${existingProvider.arn} --client-id aws:${audience}`,
console.log("OIDC Provider already exists. Adding current Pulumi org as an audience to the existing provider.");

new command.local.Command("oidc-client-id", {
create: pulumi.interpolate`aws iam add-client-id-to-open-id-connect-provider --open-id-connect-provider-arn ${existingProvider.arn} --client-id ${oidcAudience}`,
delete: pulumi.interpolate`aws iam remove-client-id-from-open-id-connect-provider --open-id-connect-provider-arn ${existingProvider.arn} --client-id ${oidcAudience}`,
});
return existingProvider.arn;
} else {
console.log("Creating OIDC Provider ...");
const provider = new aws.iam.OpenIdConnectProvider("oidcProvider", {
clientIdLists: [audience],
clientIdLists: [pulumiOrg],
url: oidcIdpUrl,
thumbprintLists: [thumbprint],
}, {
protect: true,
});
return provider.arn;
}
Expand All @@ -55,49 +61,38 @@ const policyDocument = arn.apply(arn => aws.iam.getPolicyDocument({
conditions: [{
test: "StringEquals",
variable: `api.pulumi.com/oidc:aud`,
values: [`aws:${audience}`], // new format
values: [oidcAudience],
}],
}],
}));

// // Create a new role that can be assumed by the OIDC provider
const role = new aws.iam.Role("role", {
const role = new aws.iam.Role("pulumi-cloud-admin", {
assumeRolePolicy: policyDocument.json,
});

// Attach the AWS managed policy "AdministratorAccess" to the role.
const rpa = new aws.iam.RolePolicyAttachment("policy", {
new aws.iam.RolePolicyAttachment("policy", {
policyArn: "arn:aws:iam::aws:policy/AdministratorAccess",
role: role.name,
});

const envJson = pulumi.jsonStringify({
"values": {
"aws": {
"login": {
"fn::open::aws-login": {
"oidc": {
"duration": "1h",
"roleArn": role.arn,
"sessionName": "pulumi-environments-session",
},
},
},
},
"environmentVariables": {
"AWS_ACCESS_KEY_ID": "${aws.login.accessKeyId}",
"AWS_SECRET_ACCESS_KEY": "${aws.login.secretAccessKey}",
"AWS_SESSION_TOKEN": "${aws.login.sessionToken}",
},
},
});

const envAsset = envJson.apply(json => new pulumi.asset.StringAsset(json));
export const envYaml = pulumi.interpolate`
values:
aws:
login:
fn::open::aws-login:
oidc:
duration: 1h
roleArn: ${role.arn}
sessionName: pulumi-esc
environmentVariables:
AWS_ACCESS_KEY_ID: \${aws.login.accessKeyId}
AWS_SECRET_ACCESS_KEY: \${aws.login.secretAccessKey}
AWS_SESSION_TOKEN: \${aws.login.sessionToken}
`;

// Create a new environment
const env = new pulumiservice.Environment("aws-oidc-admin", {
name: "test",
// project: "auth", // post esc-GA
organization: audience,
yaml: envAsset,
new pulumiservice.Environment("aws-oidc-admin", {
organization: pulumiOrg,
project: escProject,
name: "aws-oidc-admin",
yaml: envYaml.apply(yaml => new pulumi.asset.StringAsset(yaml)),
});
2 changes: 1 addition & 1 deletion aws-ts-oidc-provider-pulumi-cloud/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"@pulumi/aws": "^6.52.0",
"@pulumi/command": "^1.0.1",
"@pulumi/pulumi": "^3.133.0",
"@pulumi/pulumiservice": "0.23.2",
"@pulumi/pulumiservice": "^0.26.1",
"@pulumi/tls": "^5.0.6"
}
}

0 comments on commit 1432c2c

Please sign in to comment.