Skip to content

Commit

Permalink
Fix AWS OIDC TS example
Browse files Browse the repository at this point in the history
It's not possible to have a single stack which handles both the use case
of creating a new OIDC provider and also adding an audience if none
exists. This change removes the conditional creation of an OIDC provider
and assumes none exists.
  • Loading branch information
jkodroff committed Nov 1, 2024
1 parent b8e9ac1 commit 7887090
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 30 deletions.
3 changes: 3 additions & 0 deletions aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,3 +11,6 @@ template:
escProject:
description: The name of the ESC project in which to place a generated environment.
default: aws
escEnvironmentName:
description: The name of the ESC environment to generate.
default: aws-oidc-admin
42 changes: 12 additions & 30 deletions aws-ts-oidc-provider-pulumi-cloud/index.ts
Original file line number Diff line number Diff line change
@@ -1,13 +1,12 @@
// Copyright 2024, Pulumi Corporation. All rights reserved.

import * as aws from "@pulumi/aws";
import * as command from "@pulumi/command";
import * as pulumi from "@pulumi/pulumi";
import * as pulumiservice from "@pulumi/pulumiservice";
import * as tls from "@pulumi/tls";

const config = new pulumi.Config();
const escProject = config.require("escProject");
const escEnvName = config.require("escEnvironmentName");

const pulumiOrg = pulumi.getOrganization();

Expand All @@ -24,32 +23,13 @@ const certs = tls.getCertificateOutput({

const thumbprint = certs.certificates[0].sha1Fingerprint;

function getProviderArn() {
const existingProvider = aws.iam.getOpenIdConnectProviderOutput({
url: oidcIdpUrl,
});

if (existingProvider) {
console.log("OIDC Provider already exists. Adding current Pulumi org as an audience to the existing provider.");

new command.local.Command("oidc-client-id", {
create: pulumi.interpolate`aws iam add-client-id-to-open-id-connect-provider --open-id-connect-provider-arn ${existingProvider.arn} --client-id ${oidcAudience}`,
delete: pulumi.interpolate`aws iam remove-client-id-from-open-id-connect-provider --open-id-connect-provider-arn ${existingProvider.arn} --client-id ${oidcAudience}`,
});
return existingProvider.arn;
} else {
const provider = new aws.iam.OpenIdConnectProvider("oidcProvider", {
clientIdLists: [pulumiOrg],
url: oidcIdpUrl,
thumbprintLists: [thumbprint],
});
return provider.arn;
}
}

export const arn: pulumi.Output<string> = getProviderArn();
const provider = new aws.iam.OpenIdConnectProvider("oidcProvider", {
clientIdLists: [oidcAudience],
url: oidcIdpUrl,
thumbprintLists: [thumbprint],
});

const policyDocument = arn.apply(arn => aws.iam.getPolicyDocument({
const policyDocument = provider.arn.apply(arn => aws.iam.getPolicyDocument({
version: "2012-10-17",
statements: [{
effect: "Allow",
Expand All @@ -75,7 +55,7 @@ new aws.iam.RolePolicyAttachment("policy", {
role: role.name,
});

export const envYaml = pulumi.interpolate`
const envYaml = pulumi.interpolate`
values:
aws:
login:
Expand All @@ -90,9 +70,11 @@ values:
AWS_SESSION_TOKEN: \${aws.login.sessionToken}
`;

new pulumiservice.Environment("aws-oidc-admin", {
new pulumiservice.Environment("aws-esc-oidc-env", {
organization: pulumiOrg,
project: escProject,
name: "aws-oidc-admin",
name: escEnvName,
yaml: envYaml.apply(yaml => new pulumi.asset.StringAsset(yaml)),
});

export const escEnvironment = pulumi.interpolate`${escProject}/${escEnvName}`;

0 comments on commit 7887090

Please sign in to comment.