Merge pull request #184 from CircleCI-Public/implement-oidc

feat: oidc implementation

README.MD

@@ -1,52 +1,25 @@
-# AWS ECS Orb for CircleCI
+# AWS ECS Orb
 
-[![CircleCI Build Status](https://circleci.com/gh/CircleCI-Public/aws-ecs-orb.svg?style=shield "CircleCI Build Status")](https://circleci.com/gh/CircleCI-Public/aws-ecs-orb) [![CircleCI Orb Version](https://img.shields.io/badge/endpoint.svg?url=https://badges.circleci.io/orb/circleci/aws-ecs)](https://circleci.com/orbs/registry/orb/circleci/aws-ecs) [![GitHub License](https://img.shields.io/badge/license-MIT-lightgrey.svg)](https://raw.githubusercontent.com/CircleCI-Public/aws-ecs-orb/master/LICENSE) [![CircleCI Community](https://img.shields.io/badge/community-CircleCI%20Discuss-343434.svg)](https://discuss.circleci.com/c/ecosystem/orbs)
+[![CircleCI Build Status](https://circleci.com/gh/CircleCI-Public/aws-ecs-orb.svg?style=shield "CircleCI Build Status")](https://circleci.com/gh/CircleCI-Public/aws-ecs-orb) [![CircleCI Orb Version](https://img.shields.io/badge/endpoint.svg?url=https://badges.circleci.io/orb/circleci/aws-ecs)](https://circleci.com/orbs/registry/orb/circleci/aws-ecs) [![GitHub License](https://img.shields.io/badge/license-MIT-blue.svg)](https://raw.githubusercontent.com/CircleCI-Public/aws-ecs-orb/master/LICENSE) [![CircleCI Community](https://img.shields.io/badge/community-CircleCI%20Discuss-343434.svg)](https://discuss.circleci.com/c/ecosystem/orbs)
 
 
 A CircleCI Orb to simplify deployments to Amazon Elastic Container Service (ECS). Supports EC2 and Fargate launch type deployments.
 
-## Features
-
-This orb allows convenient updating of ECS services when only the Docker
-image name/tag and/or environment variables in a service's container definitions need to be updated.
-A sample project that demonstrates using the orb is available on this GitHub repository branch: https://github.com/CircleCI-Public/circleci-demo-aws-ecs-ecr
-
 ## Resources
 
 [CircleCI Orb Registry Page](https://circleci.com/orbs/registry/orb/circleci/aws-ecs) - The official registry page of this orb for all versions, executors, commands, and jobs described.
-[CircleCI Orb Docs](https://circleci.com/docs/2.0/orb-intro/#section=configuration) - Docs for using and creating CircleCI Orbs.
-
-## Usage
-
-See the [orb registry listing](https://circleci.com/orbs/registry/orb/circleci/aws-ecs) for usage guidelines.
 
-## Requirements
-- `python` should be available in `PATH`. Supported versions are Python 2 version 2.7.1 and above and Python 3 version 3.4.9 and above.
-- The `aws` CLI should be available in `PATH`. Otherwise, `pip` is required to be available as the job will then attempt to install `aws` via `pip`. The default profile of `aws` will be used.
-- `bash` to be present in `/bin/bash`. Otherwise, `/bin/sh` will be used, but the orb has not been tested for compatibility with other shells.
-
-## How to Contribute
+[CircleCI Orb Docs](https://circleci.com/docs/2.0/orb-intro/#section=configuration) - Docs for using and creating CircleCI Orbs.
 
-We welcome [issues](https://github.com/CircleCI-Public/aws-ecs-orb/issues) to and [pull requests](https://github.com/CircleCI-Public/aws-ecs-orb/pulls) against this repository!
+### Examples
 
-For internal contributors, please view the development docs: [here](https://github.com/CircleCI-Public/aws-ecs-orb/tree/master/dev-docs)
+Please visit the [orb registry listing](https://circleci.com/orbs/registry/orb/circleci/aws-ecs) for usage examples and guidelines.
 
-### How to Publish
-* Create and push a branch with your new features.
-* When ready to publish a new production version, create a Pull Request from fore _feature branch_ to `master`.
-* The title of the pull request must contain a special semver tag: `[semver:<segement>]` where `<segment>` is replaced by one of the following values.
 
-| Increment | Description|
-| ----------| -----------|
-| major     | Issue a 1.0.0 incremented release|
-| minor     | Issue a x.1.0 incremented release|
-| patch     | Issue a x.x.1 incremented release|
-| skip      | Do not issue a release|
 
-Example: `[semver:major]`
+### How to Contribute
 
-* Squash and merge. Ensure the semver tag is preserved and entered as a part of the commit message.
-* On merge, after manual approval, the orb will automatically be published to the Orb Registry.
+We welcome [issues](https://github.com/CircleCI-Public/aws-ecs-orb/issues) to and [pull requests](https://github.com/CircleCI-Public/aws-ecs-orb/pulls) against this repository!
 
 
 For further questions/comments about this or other orbs, visit the Orb Category of [CircleCI Discuss](https://discuss.circleci.com/c/orbs).

src/commands/update-service.yml

@@ -72,7 +72,7 @@ parameters:
   container-secret-updates:
     description: >
       Use this to update or set the values of secret variables that will be defined for the containers.
-      (Existing secrets variables not included in this parameter will not beremoved)
+      (Existing secrets variables not included in this parameter will not be removed)
 
       Expected format:
       container=<container-name>,name=<env-var-name>,valueFrom=<env-var-value>,container=...,name=...,valueFrom=...,

src/examples/deploy-ecs-scheduled-task.yml

@@ -0,0 +1,29 @@
+description: |
+  Use the AWS CLI and this orb to deploy an ECS Scheduled Task Rule after updating a task definition.
+  The update-task-definition or update-task-definition-from-json command must be run first.
+usage:
+  version: 2.1
+  orbs:
+    aws-cli: circleci/[email protected]
+    aws-ecs: circleci/[email protected]
+  jobs:
+    deploy-scheduled-task:
+      docker:
+        - image: cimg/python:3.10
+      steps:
+        - aws-cli/setup:
+            # This example uses CircleCI's OpenID Connect Token to generate temporary AWS keys
+            role-arn: "arn:aws:iam::123456789012:role/OIDC_ARN"
+            aws-region: AWS_REGION
+            profile-name: "OIDC-PROFILE"
+            session-duration: 3600
+            role-session-name: "example-session-name"
+        - aws-ecs/update-task-definition-from-json:
+            task-definition-json: my-app-definition.json
+        - aws-ecs/deploy-ecs-scheduled-task:
+            rule-name: "example-rule"
+  workflows:
+    deploy:
+      jobs:
+        - deploy-scheduled-task:
+            context: [CircleCI_OIDC_Token]

src/examples/deploy-service-update.yml

@@ -2,13 +2,13 @@ description: Update an ECS service.
 usage:
   version: 2.1
   orbs:
-    aws-ecr: circleci/aws-ecr@6.15
-    aws-ecs: circleci/aws-ecs@2.0.0
+    aws-ecr: circleci/aws-ecr@8.1
+    aws-ecs: circleci/aws-ecs@3.2
   workflows:
     build-and-deploy:
       jobs:
         - aws-ecr/build-and-push-image:
-            account-url: AWS_ECR_ACCOUNT_URL
+            registry-id: AWS_ECR_REGISTRY_ID
             repo: '${MY_APP_PREFIX}'
             region: AWS_REGION
             tag: '${CIRCLE_SHA1}'

src/examples/run-task-ec2.yml

@@ -2,11 +2,11 @@ description: Start the run of an ECS task on EC2.
 usage:
   version: 2.1
   orbs:
-    aws-ecs: circleci/aws-ecs@2.0
+    aws-ecs: circleci/aws-ecs@3.2
   jobs:
     run-task:
       docker:
-        - image: cimg/python:3.9.1
+        - image: cimg/python:3.10
       steps:
         - aws-ecs/run-task:
             cluster: cluster1

src/examples/run-task-fargate-spot.yml

@@ -5,11 +5,11 @@ description: >
 usage:
   version: 2.1
   orbs:
-    aws-ecs: circleci/aws-ecs@2.0
+    aws-ecs: circleci/aws-ecs@3.2
   jobs:
     run-task:
       docker:
-        - image: cimg/python:3.9.1
+        - image: cimg/python:3.10
       steps:
         - aws-ecs/run-task:
             cluster: $CLUSTER_NAME

src/examples/run-task-fargate.yml

@@ -2,11 +2,11 @@ description: Start the run of an ECS task on Fargate.
 usage:
   version: 2.1
   orbs:
-    aws-ecs: circleci/aws-ecs@2.0
+    aws-ecs: circleci/aws-ecs@3.2
   jobs:
     run-task:
       docker:
-        - image: cimg/python:3.9.1
+        - image: cimg/python:3.10
       steps:
         - aws-ecs/run-task:
             cluster: cluster1

src/examples/update-service.yml

@@ -4,23 +4,26 @@ description: |
 usage:
   version: 2.1
   orbs:
-    aws-cli: circleci/aws-cli@1.3
-    aws-ecs: circleci/aws-ecs@2.0
+    aws-cli: circleci/aws-cli@3.1
+    aws-ecs: circleci/aws-ecs@3.2
   jobs:
     update-tag:
       docker:
-        - image: cimg/python:3.9.1
+        - image: cimg/python:3.10
       steps:
         - aws-cli/setup:
-            # If these values have not been modified from their default, they do not need to be included.
-            aws-access-key-id: AWS_SECRET_ACCESS_KEY
-            aws-secret-access-key: AWS_DEFAULT_REGION
-            aws-region: AWS_DEFAULT_REGION
+            # This example uses CircleCI's OpenID Connect Token to generate temporary AWS keys
+            role-arn: "arn:aws:iam::123456789012:role/OIDC_ARN"
+            aws-region: AWS_REGION
+            profile-name: "OIDC-PROFILE"
+            session-duration: 3600
+            role-session-name: "example-session-name"
         - aws-ecs/update-service:
             family: '${MY_APP_PREFIX}-service'
             cluster: '${MY_APP_PREFIX}-cluster'
             container-image-name-updates: 'container=${MY_APP_PREFIX}-service,tag=stable'
   workflows:
     deploy:
       jobs:
-        - update-tag
+        - update-tag:
+            context: [CircleCI_OIDC_Token]

src/examples/update-task-definition-from-json.yml

@@ -2,17 +2,24 @@ description: Use the AWS CLI and this orb to create a new ECS task definition ba
 usage:
   version: 2.1
   orbs:
-    aws-cli: circleci/aws-cli@1.3
-    aws-ecs: circleci/aws-ecs@2.0
+    aws-cli: circleci/aws-cli@3.1
+    aws-ecs: circleci/aws-ecs@3.2
   jobs:
     update-tag:
       docker:
-        - image: cimg/python:3.9.1
+        - image: cimg/python:3.10
       steps:
         - aws-cli/setup:
-            # If these values have not been modified from their default, they do not need to be included.
-            aws-access-key-id: AWS_SECRET_ACCESS_KEY
-            aws-secret-access-key: AWS_DEFAULT_REGION
-            aws-region: AWS_DEFAULT_REGION
+            # This example uses CircleCI's OpenID Connect Token to generate temporary AWS keys
+            role-arn: "arn:aws:iam::123456789012:role/OIDC_ARN"
+            aws-region: AWS_REGION
+            profile-name: "OIDC-PROFILE"
+            session-duration: 3600
+            role-session-name: "example-session-name"
         - aws-ecs/update-task-definition-from-json:
             task-definition-json: my-app-definition.json
+  workflows:
+    deploy:
+      jobs:
+        - update-tag:
+            context: [CircleCI_OIDC_Token]

src/examples/verify-revision-deplopyment.yml

@@ -2,18 +2,20 @@ description: Verify the deployment of an ECS revision.
 usage:
   version: 2.1
   orbs:
-    aws-cli: circleci/aws-cli@1.3
-    aws-ecs: circleci/aws-ecs@2.0
+    aws-cli: circleci/aws-cli@3.1
+    aws-ecs: circleci/aws-ecs@3.2
   jobs:
     verify-deployment:
       docker:
-        - image: cimg/python:3.9.1
+        - image: cimg/python:3.10
       steps:
         - aws-cli/setup:
-             # If they are included, they configure the "default" profile, which is specified below.
-            aws-access-key-id: AWS_SECRET_ACCESS_KEY
-            aws-secret-access-key: AWS_DEFAULT_REGION
-            aws-region: AWS_DEFAULT_REGION
+            # This example uses CircleCI's OpenID Connect Token to generate temporary AWS keys
+            role-arn: "arn:aws:iam::123456789012:role/OIDC_ARN"
+            aws-region: AWS_REGION
+            profile-name: "OIDC-PROFILE"
+            session-duration: 3600
+            role-session-name: "example-session-name"
         - run:
             name: Get last task definition
             command: >
@@ -31,4 +33,5 @@ usage:
   workflows:
     test-workflow:
       jobs:
-        - verify-deployment
+        - verify-deployment:
+            context: [CircleCI_OIDC_Token]

src/jobs/deploy-service-update.yml

@@ -21,11 +21,25 @@ parameters:
   aws-region:
     description: AWS region to operate in. Set this to the name of the environment variable you will use to hold this value, i.e. AWS_DEFAULT_REGION.
     type: env_var_name
-    default: AWS_DEFAULT_REGION
+    default: AWS_REGION
   profile-name:
     description: AWS profile name to be configured.
     type: string
     default: ''
+  role-arn:
+    description: |
+      The Amazon Resource Name (ARN) of the role that the caller is assuming.
+      Role ARN must be configured for web identity.
+    type: string
+    default: ""
+  role-session-name:
+    description: An identifier for the assumed role session. Environment varaibles will be evaluated.
+    type: string
+    default: ${CIRCLE_JOB}
+  session-duration:
+    description: The duration of the session in seconds
+    type: string
+    default: "3600"
   family:
     description: Name of the task definition's family.
     type: string
@@ -235,11 +249,23 @@ parameters:
     default: ''
 
 steps:
-  - aws-cli/setup:
-      aws-access-key-id: << parameters.aws-access-key-id >>
-      aws-secret-access-key: << parameters.aws-secret-access-key >>
-      aws-region: << parameters.aws-region >>
-      profile-name: << parameters.profile-name >>
+  - when:
+      condition: <<parameters.role-arn>>
+      steps:
+        - aws-cli/setup:
+            role-arn: <<parameters.role-arn>>
+            profile-name: <<parameters.profile-name>>
+            session-duration: <<parameters.session-duration>>
+            aws-region: <<parameters.aws-region>>
+            role-session-name: <<parameters.role-session-name>>
+  - unless:
+      condition: <<parameters.role-arn>>
+      steps:
+        - aws-cli/setup:
+            aws-access-key-id: << parameters.aws-access-key-id >>
+            aws-secret-access-key: << parameters.aws-secret-access-key >>
+            aws-region: << parameters.aws-region >>
+            profile-name: << parameters.profile-name >>
   - update-service:
       family: << parameters.family >>
       cluster: << parameters.cluster >>

src/jobs/run-task.yml

@@ -21,11 +21,25 @@ parameters:
   aws-region:
     description: AWS region to operate in. Set this to the name of the environment variable you will use to hold this value, i.e. AWS_DEFAULT_REGION.
     type: env_var_name
-    default: AWS_DEFAULT_REGION
+    default: AWS_REGION
   profile-name:
     description: AWS profile name to be configured.
     type: string
     default: ''
+  role-arn:
+    description: |
+      The Amazon Resource Name (ARN) of the role that the caller is assuming.
+      Role ARN must be configured for web identity.
+    type: string
+    default: ""
+  role-session-name:
+    description: An identifier for the assumed role session
+    type: string
+    default: ${CIRCLE_JOB}
+  session-duration:
+    description: The duration of the session in seconds
+    type: string
+    default: "3600"
   cluster:
     description: The name or ARN of the cluster on which to run the task.
     type: string
@@ -155,11 +169,23 @@ parameters:
     type: string
     default: ''
 steps:
-  - aws-cli/setup:
-      aws-access-key-id: << parameters.aws-access-key-id >>
-      aws-secret-access-key: << parameters.aws-secret-access-key >>
-      aws-region: << parameters.aws-region >>
-      profile-name: << parameters.profile-name >>
+  - when:
+      condition: <<parameters.role-arn>>
+      steps:
+        - aws-cli/setup:
+            role-arn: <<parameters.role-arn>>
+            profile-name: <<parameters.profile-name>>
+            session-duration: <<parameters.session-duration>>
+            aws-region: <<parameters.aws-region>>
+            role-session-name: <<parameters.role-session-name>>
+  - unless:
+      condition: <<parameters.role-arn>>
+      steps:
+        - aws-cli/setup:
+            aws-access-key-id: << parameters.aws-access-key-id >>
+            aws-secret-access-key: << parameters.aws-secret-access-key >>
+            aws-region: << parameters.aws-region >>
+            profile-name: << parameters.profile-name >>
   - run-task:
       cluster: << parameters.cluster >>
       task-definition: << parameters.task-definition >>