-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathensureGitHubOIDCProvider.ts
73 lines (66 loc) · 2.12 KB
/
ensureGitHubOIDCProvider.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
import {
CreateOpenIDConnectProviderCommand,
GetOpenIDConnectProviderCommand,
IAMClient,
ListOpenIDConnectProvidersCommand,
} from '@aws-sdk/client-iam'
import chalk from 'chalk'
/**
* Returns the ARN of the OpenID Connect provider for GitHub of the account.
*/
export const ensureGitHubOIDCProvider = async ({
iam,
}: {
iam: IAMClient
}): Promise<string> => {
const { OpenIDConnectProviderList } = await iam.send(
new ListOpenIDConnectProvidersCommand({}),
)
const maybeGithubProvider = (
await Promise.all(
OpenIDConnectProviderList?.map(async ({ Arn }) =>
iam
.send(
new GetOpenIDConnectProviderCommand({
OpenIDConnectProviderArn: Arn,
}),
)
.then((provider) => ({ Arn, provider })),
) ?? [],
)
).find(
({ provider: { Url } }) => Url === 'token.actions.githubusercontent.com',
)
if (maybeGithubProvider?.Arn !== undefined) {
console.debug(
chalk.green(
`OIDC provider for GitHub exists: ${maybeGithubProvider.Arn}`,
),
)
return maybeGithubProvider.Arn
}
console.log(
chalk.yellow(`OIDC provider for GitHub does not exist. Creating ...`),
)
const provider = await iam.send(
new CreateOpenIDConnectProviderCommand({
Url: `https://token.actions.githubusercontent.com`,
ClientIDList: ['sts.amazonaws.com'],
/**
* Starting July 6, 2023, AWS began securing communication with
* GitHub’s OIDC identity provider (IdP) using our library of
* trusted root Certificate Authorities instead of using a
* certificate thumbprint to verify the IdP’s server certificate.
* This approach ensures that your GitHub OIDC configuration behaves
* correctly without disruption during future certificate rotations
* and changes. With this new validation approach in place, your
* legacy thumbprint(s) will remain in your configuration but will
* no longer be needed for validation purposes.
*/
ThumbprintList: ['6938fd4d98bab03faadb97b34396831e3780aea1'],
}),
)
if (provider.OpenIDConnectProviderArn === undefined)
throw new Error(`Failed to create OpenID Connect Provider for GitHub!`)
return provider.OpenIDConnectProviderArn
}