@bifravst/ci
Version:
Sets up the permissions in our CI account for all repositories in this account to be able to use it for CI runs.
38 lines (37 loc) • 2.16 kB
JavaScript
import { CreateOpenIDConnectProviderCommand, GetOpenIDConnectProviderCommand, ListOpenIDConnectProvidersCommand, } from '@aws-sdk/client-iam';
import chalk from 'chalk';
/**
* Returns the ARN of the OpenID Connect provider for GitHub of the account.
*/
export const ensureGitHubOIDCProvider = async ({ iam, }) => {
const { OpenIDConnectProviderList } = await iam.send(new ListOpenIDConnectProvidersCommand({}));
const maybeGithubProvider = (await Promise.all(OpenIDConnectProviderList?.map(async ({ Arn }) => iam
.send(new GetOpenIDConnectProviderCommand({
OpenIDConnectProviderArn: Arn,
}))
.then((provider) => ({ Arn, provider }))) ?? [])).find(({ provider: { Url } }) => Url === 'token.actions.githubusercontent.com');
if (maybeGithubProvider?.Arn !== undefined) {
console.debug(chalk.green(`OIDC provider for GitHub exists: ${maybeGithubProvider.Arn}`));
return maybeGithubProvider.Arn;
}
console.log(chalk.yellow(`OIDC provider for GitHub does not exist. Creating ...`));
const provider = await iam.send(new CreateOpenIDConnectProviderCommand({
Url: `https://token.actions.githubusercontent.com`,
ClientIDList: ['sts.amazonaws.com'],
/**
* Starting July 6, 2023, AWS began securing communication with
* GitHub’s OIDC identity provider (IdP) using our library of
* trusted root Certificate Authorities instead of using a
* certificate thumbprint to verify the IdP’s server certificate.
* This approach ensures that your GitHub OIDC configuration behaves
* correctly without disruption during future certificate rotations
* and changes. With this new validation approach in place, your
* legacy thumbprint(s) will remain in your configuration but will
* no longer be needed for validation purposes.
*/
ThumbprintList: ['6938fd4d98bab03faadb97b34396831e3780aea1'],
}));
if (provider.OpenIDConnectProviderArn === undefined)
throw new Error(`Failed to create OpenID Connect Provider for GitHub!`);
return provider.OpenIDConnectProviderArn;
};