import { CfnAccessKey, ManagedPolicy, OpenIdConnectProvider, Role, User } from 'aws-cdk-lib/aws-iam';
import { IRepository } from 'aws-cdk-lib/aws-ecr';
import { IFunction } from 'aws-cdk-lib/aws-lambda';
import { IFargateService } from 'aws-cdk-lib/aws-ecs';
import { IBucket } from 'aws-cdk-lib/aws-s3';
import { IDistribution } from 'aws-cdk-lib/aws-cloudfront';
import { Construct } from 'constructs';
import { ITable } from 'aws-cdk-lib/aws-dynamodb';
/**
 * A Construct that helps integrate GitHub Actions for deploying to AWS.
 *
 * To use this construct, call the githubActions() function to get a singleton instance.
 *
 * You'll want to call one of these two methods:
 * - ghaOidcRole: if you'd like to use keyless (OIDC, short-lived credential) access to AWS resources
 *   from GitHub Actions. NB you'll need an OIDC provider set up in the account; you can create one by
 *   calling ghaOidcProvider() or by creating one manually.
 * - ghaUser (deprecated): if you'd like to use an IAM user with a long-lived access key to access AWS
 *   resources from GitHub Actions. The access key and secret access key will be output so you can add
 *   them to GitHub Actions secrets.
 *
 * Security notes:
 * - Prefer ghaOidcRole. A long-lived access key has to be stored and rotated and can leak; an OIDC role
 *   issues credentials per workflow run and is scoped by the role's trust policy.
 * - Every addGha*() / addToPolicy() call widens what the workflow can do (collected in `policy`);
 *   register only the resources the workflow really has to update.
 */
declare class GithubActions extends Construct {
  /** Scope this construct was created in. */
  scope: Construct;
  /** Name of the enclosing stack. */
  stackName: string;
  /** AWS account id this construct is deployed to. */
  account: string;
  /**
   * Managed policy that collects the permissions granted through addToPolicy() and the addGha*()
   * helpers (see ghaPolicy()). Presumably attached to the role from ghaOidcRole() / the user from
   * ghaUser() — confirm in the implementation.
   */
  policy: ManagedPolicy;
  /**
   * Bookkeeping of everything registered for GitHub Actions so far. saveGhaValues() presumably
   * persists it; where and in what form is not visible in this file.
   */
  ghaInfo: {
    resources: {
      repositories: IRepository[];
      buckets: IBucket[];
      lambdas: IFunction[];
      /** NOTE(review): no addGhaService()-style registrar for these is declared in this file. */
      services: IFargateService[];
      distributions: IDistribution[];
      tables: {
        table: ITable;
        /** Whether write access is granted; the default when omitted is not visible here — presumably read-only. */
        writeAccess?: boolean;
      }[];
    };
    /**
     * Secrets registered via addGhaSecret(). NOTE(review): this is a flat string[] — whether it holds
     * names only or the secret values is not visible here; if values, saveGhaValues() must not write
     * them anywhere world-readable (a committed file, a plaintext stack output).
     */
    secrets: string[];
    /** Variables registered via addGhaVariable() (same name-vs-value caveat as `secrets`). */
    variables: string[];
  };
  /**
   * @param scope Scope to create the construct in.
   * @param id Construct id; githubActions() defaults it to 'GithubActions'.
   */
  constructor(scope: Construct, id?: string);
  /**
   * Record a GitHub Actions secret (presumably kept in ghaInfo.secrets and emitted by saveGhaValues() — confirm).
   * @param name Secret name.
   * @param value Secret value. Treat it as sensitive: it ends up wherever saveGhaValues() writes.
   */
  addGhaSecret(name: string, value: string): void;
  /**
   * Record a GitHub Actions variable (presumably kept in ghaInfo.variables and emitted by saveGhaValues() — confirm).
   * @param name Variable name.
   * @param type Free-form type tag; the accepted values are not visible in this file — check the implementation.
   * @param value Variable value.
   */
  addGhaVariable(name: string, type: string, value: string): void;
  /**
   * Register a Lambda function the workflow needs to update at build time.
   * Presumably grants the matching permissions on `policy`; the exact actions are not visible here.
   * @param name Name the workflow will refer to the function by.
   * @param lambda The function.
   */
  addGhaLambda(name: string, lambda: IFunction): void;
  /**
   * Register an S3 bucket the workflow needs to update at build time.
   * Presumably grants the matching permissions on `policy`; the exact actions are not visible here.
   * @param name Name the workflow will refer to the bucket by.
   * @param bucket The bucket.
   */
  addGhaBucket(name: string, bucket: IBucket): void;
  /**
   * Register a CloudFront distribution the workflow needs to touch at build time (e.g. invalidations).
   * Presumably grants the matching permissions on `policy`; the exact actions are not visible here.
   * @param name Name the workflow will refer to the distribution by.
   * @param distribution The distribution.
   */
  addGhaDistribution(name: string, distribution: IDistribution): void;
  /**
   * Register an ECR repository the workflow needs to push to at build time.
   * Presumably grants the matching permissions on `policy`; the exact actions are not visible here.
   * @param name Name the workflow will refer to the repository by.
   * @param repository The repository.
   */
  addGhaRepository(name: string, repository: IRepository): void;
  /**
   * Register a DynamoDB table the workflow needs to access at build time.
   * @param name Name the workflow will refer to the table by.
   * @param table The table.
   * @param writeAccess Grant write as well as read access. The default when omitted is not visible here —
   *   presumably read-only; pass it explicitly if the workflow must write.
   */
  addGhaTable(name: string, table: ITable, writeAccess?: boolean): void;
  /**
   * @returns The managed policy that the addGha*() helpers and addToPolicy() extend (see `policy`).
   */
  ghaPolicy(): ManagedPolicy;
  /**
   * Grant an arbitrary set of IAM actions on an arbitrary set of resource ARNs to the workflow.
   *
   * Security: this is the escape hatch with no guard rails. Keep `resources` to concrete ARNs and
   * `actions` to the specific operations needed; `*` in either field gives every workflow that can
   * assume the role that capability account-wide.
   * @param name Statement identifier.
   * @param resources Resource ARNs the statement applies to.
   * @param actions IAM actions to allow.
   */
  addToPolicy(name: string, resources: string[], actions: string[]): void;
  /**
   * Create an account-wide OIDC connection for GitHub Actions.
   *
   * NB only one OIDC provider for GitHub can be created per AWS account (because the provider URL must be unique).
   *
   * To provide access to resources, you can create multiple roles that trust the provider, so you'll probably
   * want to call ghaOidcRole() instead.
   * See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
   *
   * Security note: in AWS IAM the provider itself grants nothing. Which repositories and branches may assume
   * a role is decided by that role's trust policy (the condition on the token's `sub` claim), i.e. by the
   * `repo` argument of ghaOidcRole(). This method takes no arguments.
   * @returns The account-wide provider.
   */
  ghaOidcProvider(): OpenIdConnectProvider;
  /**
   * Add permissions to the GitHub OIDC role that allow workflows to access the AWS resources in this stack
   * that need to be updated at build time.
   * See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
   *
   * @param repo The repository to grant access to (owner and name). You can also specify a filter to limit
   *   access e.g. to a branch.
   *   Security: `repo.repo` and `repo.filter` are optional. Presumably an omitted `repo` means every
   *   repository under `owner`, and an omitted `filter` means any branch, tag, pull request or environment
   *   of the repository can assume the role (so anyone who can push a branch there) — confirm against the
   *   trust policy the implementation builds. Pin both (e.g. a filter for `refs/heads/main` or a protected
   *   environment) for any role with deploy permissions.
   * @param openIdConnectProvider Provider the role trusts; what happens when omitted is not visible here
   *   (presumably the account's existing GitHub provider is used).
   * @returns The role the workflow assumes.
   */
  ghaOidcRole(repo: {
    owner: string;
    repo?: string;
    filter?: string;
  }, openIdConnectProvider?: OpenIdConnectProvider): Role;
  /**
   * A user for GitHub Actions CI/CD.
   *
   * Security: this creates a long-lived IAM access key. The key id and secret "will be output" (see the class
   * doc); if that is a CloudFormation stack output, the secret access key is readable in plaintext by any
   * principal allowed cloudformation:DescribeStacks on the stack. Rotate the key if it is ever exposed and
   * delete the user once you have migrated to OIDC.
   *
   * @deprecated use githubActions().ghaOidcRole() instead.
   * @param username Name of the IAM user; the default is not visible here.
   * @returns The user and its access key. `accessKey` may be undefined — the condition is not visible in this file.
   */
  ghaUser(username?: string): {
    user: User;
    accessKey: CfnAccessKey | undefined;
  };
  /**
   * Persist the values collected in ghaInfo (secrets / variables). What is written and where is not visible
   * in this file — confirm before relying on it, and make sure secret values are not written to a committed
   * file or to plaintext stack outputs.
   */
  saveGhaValues(): void;
}
/**
 * Returns a singleton instance of the GithubActions construct by default.
 * For most use cases, only one OIDC role is needed in GitHub Actions.
 * If you need different roles with different permissions (e.g. a read-only role for pull-request checks
 * and a deploy role for the main branch), create multiple instances of this construct by passing a
 * different id — each instance carries its own `policy`.
 *
 * @param scope Scope the construct is created in.
 * @param id Optional: by default the id will be 'GithubActions', which gives you a singleton instance.
 * @returns The GithubActions construct for that id.
 */
export declare function githubActions(scope: Construct, id?: string): GithubActions;
// Module marker (typical of tsc declaration output): the GithubActions class above is deliberately not
// exported, so the only public entry point of this file is githubActions().
export {};