GitHub OIDC CDK deploy

.github/workflows/deploy.yaml

@@ -0,0 +1,34 @@
+name: Deploy CDK Stack
+on:
+ push:
+ branches:
+ - cdk
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: write
+ contents: read
+ id-token: write
+ steps:
+ - uses: actions/checkout@v4
+ - name: Setup Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: '18'
+ cache: 'npm'
+ cache-dependency-path: test-app
+ - name: Install CDK
+ run: npm install -g aws-cdk
+ - name: Install dependencies
+ working-directory: test-app
+ run: npm install
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ap-southeast-2
+ role-to-assume: arn:aws:iam::854640616043:role/GitHubStack-deployroleC69923DD-OA180AXTYB0M
+ role-duration-seconds: 900
+ output-credentials: true
+ - name: Deploy CDK Stack
+ working-directory: test-app
+ run: cdk deploy -r arn:aws:iam::854640616043:role/GitHubStack-cfninvokeroleB16FCF7B-1MHMO65V0XL4N TestAppStack

buildspec.yml

@@ -13,7 +13,7 @@ phases:
  build:
  commands:
  - sam build -t edge.yaml
- - sam deploy --config-env $ENV --s3-bucket $LAMBDA_BUCKET_NAME --s3-prefix $ENV-$STACK_NAME --stack-name $STACK_NAME-edge --capabilities CAPABILITY_IAM --profile account-role --region us-east-1 -t edge.yaml
+ - sam deploy --config-env $ENV --s3-bucket qut-lambda-code-us-east-1-$ENV --s3-prefix $ENV-$STACK_NAME-edge --stack-name $STACK_NAME-edge --capabilities CAPABILITY_IAM --profile account-role --region us-east-1 -t edge.yaml
 
  - (cd api; npm install)
  - (cd api; npm run build)

samconfig.toml

@@ -8,6 +8,7 @@ capabilities = "CAPABILITY_IAM"
 parameter_overrides = [
  "Environment=dev",
 
+ "EdgeStackName=dev-transcription-edge",
  "UserPoolStackName=qut-user-pool",
 
  "LogBucketSuffix=qut-cloudfront-logs",
@@ -34,6 +35,7 @@ capabilities = "CAPABILITY_IAM"
 parameter_overrides = [
  "Environment=qa",
 
+ "EdgeStackName=qa-transcription-edge",
  "UserPoolStackName=qut-user-pool",
 
  "LogBucketSuffix=qut-cloudfront-logs",
@@ -60,6 +62,7 @@ capabilities = "CAPABILITY_IAM"
 parameter_overrides = [
  "Environment=prod",
 
+ "EdgeStackName=prod-transcription-edge",
  "UserPoolStackName=qut-user-pool",
 
  "LogBucketSuffix=qut-cloudfront-logs",

template.yaml

@@ -19,6 +19,9 @@ Parameters:
  Type: String
  Default: Z2FDTNDATAQYW2
  Description: CloudFront resources HostedZoneId
+ EdgeStackName:
+ Type: String
+ Description: Name of the edge stack containing the routing lambda in us-east-1
  UserPoolStackName:
  Type: String
  Description: The user pool stack name
@@ -58,9 +61,6 @@ Parameters:
  SubnetIds:
  Type: List<AWS::EC2::Subnet::Id>
  Description: VPC subnets
- EdgeStackName:
- Type: String
- Description: Name of the edge stack containing the routing lambda in us-east-1
 Conditions:
  CreateARecords: !Not [ !Equals [ !Ref HostedZoneName, "" ] ]
  IsDev: !Equals [ !Ref Environment, "dev" ]
@@ -164,7 +164,7 @@ Resources:
  LambdaFunctionAssociations:
  - EventType: viewer-request
  LambdaFunctionARN:
- Fn::ImportValue: !Sub "EdgeStackName-EdgeLambdaVersion"
+ Fn::ImportValue: !Sub "${EdgeStackName}-EdgeLambdaVersion"
  PriceClass: PriceClass_All
  Logging:
  IncludeCookies: false

test-app/.gitignore

@@ -0,0 +1,8 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

test-app/.npmignore

@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

test-app/README.md

@@ -0,0 +1,14 @@
+# Welcome to your CDK TypeScript project
+
+This is a blank project for CDK development with TypeScript.
+
+The `cdk.json` file tells the CDK Toolkit how to execute your app.
+
+## Useful commands
+
+* `npm run build` compile typescript to js
+* `npm run watch` watch for changes and compile
+* `npm run test` perform the jest unit tests
+* `cdk deploy` deploy this stack to your default AWS account/region
+* `cdk diff` compare deployed stack with current state
+* `cdk synth` emits the synthesized CloudFormation template

test-app/bin/test-app.ts

@@ -0,0 +1,26 @@
+#!/usr/bin/env node
+import "source-map-support/register";
+import * as cdk from "aws-cdk-lib";
+import { TestAppStack } from "../lib/test-app-stack";
+import { GitHubStack } from "../lib/test-app-github-stack";
+
+const app = new cdk.App();
+new TestAppStack(app, "TestAppStack", {
+ /* If you don't specify 'env', this stack will be environment-agnostic.
+ * Account/Region-dependent features and context lookups will not work,
+ * but a single synthesized template can be deployed anywhere. */
+
+ /* Uncomment the next line to specialize this stack for the AWS Account
+ * and Region that are implied by the current CLI configuration. */
+ // env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
+
+ /* Uncomment the next line if you know exactly what Account and Region you
+ * want to deploy the stack to. */
+ // env: { account: '123456789012', region: 'us-east-1' },
+
+ /* For more information, see https://docs.aws.amazon.com/cdk/latest/guide/environments.html */
+});
+new GitHubStack(app, "GitHubStack", {
+ owner: "eresearchqut",
+ repo: "transcription"
+});

test-app/cdk.json

@@ -0,0 +1,60 @@
+{
+ "app": "npx ts-node --prefer-ts-exts bin/test-app.ts",
+ "watch": {
+ "include": [
+ "**"
+ ],
+ "exclude": [
+ "README.md",
+ "cdk*.json",
+ "**/*.d.ts",
+ "**/*.js",
+ "tsconfig.json",
+ "package*.json",
+ "yarn.lock",
+ "node_modules",
+ "test"
+ ]
+ },
+ "context": {
+ "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+ "@aws-cdk/core:checkSecretUsage": true,
+ "@aws-cdk/core:target-partitions": [
+ "aws",
+ "aws-cn"
+ ],
+ "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+ "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+ "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+ "@aws-cdk/aws-iam:minimizePolicies": true,
+ "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+ "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+ "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+ "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+ "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+ "@aws-cdk/core:enablePartitionLiterals": true,
+ "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+ "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+ "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+ "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+ "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+ "@aws-cdk/aws-route53-patters:useCertificate": true,
+ "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+ "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+ "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+ "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+ "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+ "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+ "@aws-cdk/aws-redshift:columnId": true,
+ "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+ "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+ "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+ "@aws-cdk/aws-kms:aliasNameRef": true,
+ "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+ "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+ "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+ "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+ "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+ "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true
+ }
+}

test-app/jest.config.js

@@ -0,0 +1,8 @@
+module.exports = {
+ testEnvironment: 'node',
+ roots: ['<rootDir>/test'],
+ testMatch: ['**/*.test.ts'],
+ transform: {
+ '^.+\\.tsx?$': 'ts-jest'
+ }
+};

test-app/lib/test-app-github-stack.ts

@@ -0,0 +1,74 @@
+import * as cdk from "aws-cdk-lib";
+import * as iam from "aws-cdk-lib/aws-iam";
+import { Construct } from "constructs";
+
+
+export interface GitHubStackProps extends cdk.StackProps {
+ readonly owner: string;
+ readonly repo: string;
+ readonly filters?: string[];
+}
+
+export class GitHubStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props: GitHubStackProps) {
+ super(scope, id, props);
+ const filters = props.filters ?? ["*"];
+
+ const provider = new iam.OpenIdConnectProvider(this, "oidc-provider-github", {
+ url: `https://token.actions.githubusercontent.com`,
+ clientIds: ["sts.amazonaws.com"]
+ });
+
+ const principal = new iam.WebIdentityPrincipal(provider.openIdConnectProviderArn, {
+ StringLike: {
+ [`token.actions.githubusercontent.com:sub`]: filters.map(filter => `repo:${props.owner}/${props.repo}:${filter}`)
+ }
+ });
+
+ const oidcPolicyStatement = new iam.PolicyStatement({
+ effect: iam.Effect.ALLOW,
+ actions: ['sts:AssumeRole'],
+ resources: ['*'],
+ conditions: {
+ 'ForAnyValue:StringEquals': {
+ 'iam:ResourceTag/aws-cdk:bootstrap-role': [
+ 'deploy',
+ 'lookup',
+ 'file-publishing',
+ 'image-publishing',
+ ],
+ },
+ },
+ });
+
+ const ecrPolicyStatement = new iam.PolicyStatement({
+ effect: iam.Effect.ALLOW,
+ actions: ['ecr:GetAuthorizationToken'],
+ resources: ['*'],
+ });
+
+ new iam.Role(this, "deploy-role", {
+ assumedBy: principal,
+ inlinePolicies: {
+ "GitHubActions": new iam.PolicyDocument({
+ statements: [oidcPolicyStatement, ecrPolicyStatement],
+ }),
+ },
+ description: "This role is used via GitHub Actions to deploy with AWS CDK on the target AWS account",
+ maxSessionDuration: cdk.Duration.hours(1)
+ });
+
+ new iam.Role(this, "cfn-invoke-role", {
+ assumedBy: principal,
+ managedPolicies: [
+ iam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")
+ ],
+ inlinePolicies: {
+ "GitHubActions": new iam.PolicyDocument({
+ statements: [oidcPolicyStatement],
+ }),
+ },
+ maxSessionDuration: cdk.Duration.hours(1)
+ });
+ }
+}

test-app/lib/test-app-stack.ts

@@ -0,0 +1,21 @@
+import * as cdk from "aws-cdk-lib";
+import * as s3 from "aws-cdk-lib/aws-s3";
+import * as ddb from "aws-cdk-lib/aws-dynamodb";
+
+// import * as sqs from 'aws-cdk-lib/aws-sqs';
+
+export class TestAppStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ new s3.Bucket(this, "MyFirstBucket", {
+ versioned: true
+ });
+
+ new ddb.Table(this, "MyFirstTable", {
+ partitionKey: { name: "pk", type: ddb.AttributeType.STRING },
+ sortKey: { name: "sk", type: ddb.AttributeType.STRING },
+ billingMode: ddb.BillingMode.PAY_PER_REQUEST
+ });
+ }
+}