diff --git a/aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml b/aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml
index 625a021a3..e17b436b2 100644
--- a/aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml
+++ b/aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml
@@ -11,3 +11,6 @@ template:
 escProject:
 description: The name of the ESC project in which to place a generated environment.
 default: aws
+ escEnvironmentName:
+ description: The name of the ESC environment to generate.
+ default: aws-oidc-admin
diff --git a/aws-ts-oidc-provider-pulumi-cloud/index.ts b/aws-ts-oidc-provider-pulumi-cloud/index.ts
index 27546ff8c..16214b093 100644
--- a/aws-ts-oidc-provider-pulumi-cloud/index.ts
+++ b/aws-ts-oidc-provider-pulumi-cloud/index.ts
@@ -1,20 +1,19 @@
 // Copyright 2024, Pulumi Corporation. All rights reserved.
-
 import * as aws from "@pulumi/aws";
-import * as command from "@pulumi/command";
 import * as pulumi from "@pulumi/pulumi";
 import * as pulumiservice from "@pulumi/pulumiservice";
 import * as tls from "@pulumi/tls";
 const config = new pulumi.Config();
 const escProject = config.require("escProject");
+const escEnvName = config.require("escEnvironmentName");
 const pulumiOrg = pulumi.getOrganization();
 // NOTE: At the time of writing, if you are still using the legacy "default"
 // organization, the format for the audience OIDC claim is different. Best
 // practice is to avoid using the legacy default project.
-const oidcAudience = escProject == "default" ? pulumiOrg : `aws:${pulumiOrg}`;
+const oidcAudience = escProject === "default" ? pulumiOrg : `aws:${pulumiOrg}`;
 const oidcIdpUrl: string = "https://api.pulumi.com/oidc";
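Review bot: The new `===` line derives `oidcAudience` from `escProject === "default"`, while the NOTE comment directly above it speaks of the legacy default organization, so the comment and the condition disagree about which "default" changes the audience format; since `oidcAudience` is the value this commit now places in the provider's `clientIdLists`, that discrepancy is worth settling before the template ships. If the project name is indeed the deciding factor, rewording the comment to `// NOTE: environments in the legacy "default" ESC project present a different aud claim (the bare org name); prefer a non-default project.` makes the line self-explaining; if the organization is what matters, the condition is testing the wrong value. Separately, `escEnvName` is read with `config.require`, which is consistent with the template default added in Pulumi.yaml, but stacks created before this change will presumably fail at preview until the new key is set.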
@@ -24,32 +23,13 @@ const certs = tls.getCertificateOutput({
 const thumbprint = certs.certificates[0].sha1Fingerprint;
-function getProviderArn() {
- const existingProvider = aws.iam.getOpenIdConnectProviderOutput({
- url: oidcIdpUrl,
- });
-
- if (existingProvider) {
- console.log("OIDC Provider already exists. Adding current Pulumi org as an audience to the existing provider.");
-
- new command.local.Command("oidc-client-id", {
- create: pulumi.interpolate`aws iam add-client-id-to-open-id-connect-provider --open-id-connect-provider-arn ${existingProvider.arn} --client-id ${oidcAudience}`,
- delete: pulumi.interpolate`aws iam remove-client-id-from-open-id-connect-provider --open-id-connect-provider-arn ${existingProvider.arn} --client-id ${oidcAudience}`,
- });
- return existingProvider.arn;
- } else {
- const provider = new aws.iam.OpenIdConnectProvider("oidcProvider", {
- clientIdLists: [pulumiOrg],
- url: oidcIdpUrl,
- thumbprintLists: [thumbprint],
- });
- return provider.arn;
- }
-}
-
-export const arn: pulumi.Output = getProviderArn();
+const provider = new aws.iam.OpenIdConnectProvider("oidcProvider", {
+ clientIdLists: [oidcAudience],
+ url: oidcIdpUrl,
+ thumbprintLists: [thumbprint],
+});
-const policyDocument = arn.apply(arn => aws.iam.getPolicyDocument({
+const policyDocument = provider.arn.apply(arn => aws.iam.getPolicyDocument({
 version: "2012-10-17",
 statements: [{
 effect: "Allow",
@@ -70,12 +50,13 @@ const role = new aws.iam.Role("pulumi-cloud-admin", {
 assumeRolePolicy: policyDocument.json,
 });
+// tslint:disable-next-line:no-unused-expression
 new aws.iam.RolePolicyAttachment("policy", {
 policyArn: "arn:aws:iam::aws:policy/AdministratorAccess",
 role: role.name,
 });
-export const envYaml = pulumi.interpolate`
+const envYaml = pulumi.interpolate`
 values:
 aws:
 login:
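Review bot: `new aws.iam.OpenIdConnectProvider("oidcProvider", ...)` is now created unconditionally, and AWS permits only one OIDC identity provider per issuer URL per account, so a deployment into an account that already has a provider for `oidcIdpUrl` will fail at create time; the commit deletes the only code that tried to cover that case (rightly, since an Output is always truthy and the `if (existingProvider)` branch could never be skipped), but the constraint is now undocumented. A comment on the new resource would spare the next reader the surprise, e.g. `// AWS allows one OIDC provider per issuer URL per account; if one already exists for oidcIdpUrl, adopt it with pulumi import instead of creating a second one.` The `policyDocument` built on the changed `provider.arn.apply` line is the role's trust policy and its statements continue outside the hunk; confirm there that the condition on the `aud` claim is tied to `oidcAudience`, which this hunk now also places in `clientIdLists`, rather than to `pulumiOrg`, otherwise the audience the provider accepts and the one the role trusts can diverge for non-default projects.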
@@ -90,9 +71,12 @@ values:
 AWS_SESSION_TOKEN: \${aws.login.sessionToken}
 `;
-new pulumiservice.Environment("aws-oidc-admin", {
+// tslint:disable-next-line:no-unused-expression
+new pulumiservice.Environment("aws-esc-oidc-env", {
 organization: pulumiOrg,
 project: escProject,
- name: "aws-oidc-admin",
+ name: escEnvName,
 yaml: envYaml.apply(yaml => new pulumi.asset.StringAsset(yaml)),
 });
+
+export const escEnvironment = pulumi.interpolate`${escProject}/${escEnvName}`;
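Review bot: Changing the resource name from `"aws-oidc-admin"` to `"aws-esc-oidc-env"` changes the resource's URN, so on an existing stack the next update will delete and re-create the ESC environment rather than update it in place, which the commit does not address; passing `{ aliases: [{ name: "aws-oidc-admin" }] }` as the resource-options argument keeps the existing state attached under the new name. Since `name` is now the user-supplied `escEnvName`, a later change to that config value will presumably replace the environment too, which deserves a one-line comment next to the `name:` property, e.g. `// Changing escEnvironmentName replaces the environment rather than renaming it.` The new `escEnvironment` output is the only place the final project/environment path surfaces, so a TSDoc line stating what consumers are expected to do with it would round the change off.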