From 7887090163e90f5c994521ad8818ba371e2633b5 Mon Sep 17 00:00:00 2001
From: Josh Kodroff
Date: Fri, 1 Nov 2024 15:07:30 -0400
Subject: [PATCH 1/2] Fix AWS OIDC TS example

It's not possible to have a single stack which handles both the use case of creating a new OIDC provider and also adding an audience if none exists. This change removes the conditional creation of an OIDC provider and assumes none exists.
---
 aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml |  3 ++
 aws-ts-oidc-provider-pulumi-cloud/index.ts    | 42 ++++++-------------
 2 files changed, 15 insertions(+), 30 deletions(-)

diff --git a/aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml b/aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml
index 625a021a3..e17b436b2 100644
--- a/aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml
+++ b/aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml
@@ -11,3 +11,6 @@ template:
     escProject:
       description: The name of the ESC project in which to place a generated environment.
       default: aws
+    escEnvironmentName:
+      description: The name of the ESC environment to generate.
+      default: aws-oidc-admin
diff --git a/aws-ts-oidc-provider-pulumi-cloud/index.ts b/aws-ts-oidc-provider-pulumi-cloud/index.ts
index 27546ff8c..7256df614 100644
--- a/aws-ts-oidc-provider-pulumi-cloud/index.ts
+++ b/aws-ts-oidc-provider-pulumi-cloud/index.ts
@@ -1,13 +1,12 @@
 // Copyright 2024, Pulumi Corporation. All rights reserved.
-
 import * as aws from "@pulumi/aws";
-import * as command from "@pulumi/command";
 import * as pulumi from "@pulumi/pulumi";
 import * as pulumiservice from "@pulumi/pulumiservice";
 import * as tls from "@pulumi/tls";
 
 const config = new pulumi.Config();
 const escProject = config.require("escProject");
+const escEnvName = config.require("escEnvironmentName");
 const pulumiOrg = pulumi.getOrganization();
 
 
@@ -24,32 +23,13 @@ const certs = tls.getCertificateOutput({
 const thumbprint = certs.certificates[0].sha1Fingerprint;
 
 
-function getProviderArn() {
-    const existingProvider = aws.iam.getOpenIdConnectProviderOutput({
-        url: oidcIdpUrl,
-    });
-
-    if (existingProvider) {
-        console.log("OIDC Provider already exists. Adding current Pulumi org as an audience to the existing provider.");
-
-        new command.local.Command("oidc-client-id", {
-            create: pulumi.interpolate`aws iam add-client-id-to-open-id-connect-provider --open-id-connect-provider-arn ${existingProvider.arn} --client-id ${oidcAudience}`,
-            delete: pulumi.interpolate`aws iam remove-client-id-from-open-id-connect-provider --open-id-connect-provider-arn ${existingProvider.arn} --client-id ${oidcAudience}`,
-        });
-        return existingProvider.arn;
-    } else {
-        const provider = new aws.iam.OpenIdConnectProvider("oidcProvider", {
-            clientIdLists: [pulumiOrg],
-            url: oidcIdpUrl,
-            thumbprintLists: [thumbprint],
-        });
-        return provider.arn;
-    }
-}
-
-export const arn: pulumi.Output = getProviderArn();
+const provider = new aws.iam.OpenIdConnectProvider("oidcProvider", {
+    clientIdLists: [oidcAudience],
+    url: oidcIdpUrl,
+    thumbprintLists: [thumbprint],
+});
 
-const policyDocument = arn.apply(arn => aws.iam.getPolicyDocument({
+const policyDocument = provider.arn.apply(arn => aws.iam.getPolicyDocument({
     version: "2012-10-17",
     statements: [{
         effect: "Allow",
@@ -75,7 +55,7 @@ new aws.iam.RolePolicyAttachment("policy", {
     role: role.name,
 });
 
-export const envYaml = pulumi.interpolate`
+const envYaml = pulumi.interpolate`
 values:
   aws:
     login:
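Review bot: The new `aws.iam.OpenIdConnectProvider` is created unconditionally, and an AWS account can hold only one OIDC provider per issuer URL, so in an account where `https://api.pulumi.com/oidc` is already registered the create call fails instead of reusing it; the commit message states this as a deliberate assumption, so it belongs in the code too, e.g. `// Assumes no OIDC provider for this issuer URL exists in the account yet; if one does, import it into the stack rather than creating a second one.` above the `new aws.iam.OpenIdConnectProvider(...)` line. The removed `export const arn` was a stack output and nothing replaces it, so anything reading it via `pulumi stack output` breaks; `export const providerArn = provider.arn;` would keep it available. The `getPolicyDocument` call continues past the end of the hunk, so whether the trust policy constrains the `sub` claim in addition to the audience is not visible here; that is worth confirming, since the role this trust policy guards is attached to `AdministratorAccess` further down the file.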
@@ -90,9 +70,11 @@ values:
       AWS_SESSION_TOKEN: \${aws.login.sessionToken}
 `;
 
-new pulumiservice.Environment("aws-oidc-admin", {
+new pulumiservice.Environment("aws-esc-oidc-env", {
     organization: pulumiOrg,
     project: escProject,
-    name: "aws-oidc-admin",
+    name: escEnvName,
     yaml: envYaml.apply(yaml => new pulumi.asset.StringAsset(yaml)),
 });
+
+export const escEnvironment = pulumi.interpolate`${escProject}/${escEnvName}`;
\ No newline at end of file

From bd32722f0687903d9a14ee35f707325a38e643e8 Mon Sep 17 00:00:00 2001
From: Josh Kodroff
Date: Mon, 4 Nov 2024 13:56:50 -0500
Subject: [PATCH 2/2] Fix linting.

---
 aws-ts-oidc-provider-pulumi-cloud/index.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/aws-ts-oidc-provider-pulumi-cloud/index.ts b/aws-ts-oidc-provider-pulumi-cloud/index.ts
index 7256df614..16214b093 100644
--- a/aws-ts-oidc-provider-pulumi-cloud/index.ts
+++ b/aws-ts-oidc-provider-pulumi-cloud/index.ts
@@ -13,7 +13,7 @@ const pulumiOrg = pulumi.getOrganization();
 // NOTE: At the time of writing, if you are still using the legacy "default"
 // organization, the format for the audience OIDC claim is different. Best
 // practice is to avoid using the legacy default project.
-const oidcAudience = escProject == "default" ? pulumiOrg : `aws:${pulumiOrg}`;
+const oidcAudience = escProject === "default" ? pulumiOrg : `aws:${pulumiOrg}`;
 
 const oidcIdpUrl: string = "https://api.pulumi.com/oidc";
 
@@ -50,6 +50,7 @@ const role = new aws.iam.Role("pulumi-cloud-admin", {
     assumeRolePolicy: policyDocument.json,
 });
 
+// tslint:disable-next-line:no-unused-expression
 new aws.iam.RolePolicyAttachment("policy", {
     policyArn: "arn:aws:iam::aws:policy/AdministratorAccess",
     role: role.name,
@@ -70,6 +71,7 @@ values:
       AWS_SESSION_TOKEN: \${aws.login.sessionToken}
 `;
 
+// tslint:disable-next-line:no-unused-expression
 new pulumiservice.Environment("aws-esc-oidc-env", {
     organization: pulumiOrg,
     project: escProject,
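Review bot: Renaming the resource from `aws-oidc-admin` to `aws-esc-oidc-env` changes its URN, so on a stack that was already deployed from the previous version Pulumi will plan a new Environment to create and the old one to delete; because the new `escEnvironmentName` default is also `aws-oidc-admin`, the create may target the same org/project/name as the still-present old environment and collide. Keeping the old URN via a resource option avoids the replacement, `new pulumiservice.Environment("aws-esc-oidc-env", { ... }, { aliases: [{ name: "aws-oidc-admin" }] });`. Whether any existing stack is affected is not visible from the patch, so this only matters for upgrades rather than fresh deployments.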
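Review bot: The comment above the changed line explains the audience format in terms of the legacy "default" organization, while the condition on the new line compares `escProject`, the ESC project name, so the explanation and the check do not agree. If the project is indeed what selects the audience format, the comment could read `// NOTE: At the time of writing, environments in the legacy "default" ESC project use a different format for the audience OIDC claim; best practice is to avoid the legacy default project.`; if it is the organization, the condition should compare `pulumiOrg` instead. Which of the two is intended is not determinable from the patch.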
@@ -77,4 +79,4 @@ new pulumiservice.Environment("aws-esc-oidc-env", {
     yaml: envYaml.apply(yaml => new pulumi.asset.StringAsset(yaml)),
 });
 
-export const escEnvironment = pulumi.interpolate`${escProject}/${escEnvName}`;
\ No newline at end of file
+export const escEnvironment = pulumi.interpolate`${escProject}/${escEnvName}`;