aripalo / aws-cdk-github-oidc Goto Github PK

Currently, it is only possible to set one filter per role.

However I believe it is possible to support an array of filters, like so:

      "Condition": {
        "ForAnyValue:StringLike": {
          "token.actions.githubusercontent.com:sub": [
            "repo:myorg/myrepo:ref:refs/heads/test-branch-1",
            "repo:myorg/myrepo:ref:refs/heads/test-branch-2"
          ]
        }

(not actually tested, source)

As stated in issue #24, AWS is now handling the GitHub connection verification via trusted root CA and IAM ignores the provided thumbprints.

So the deprecated thumbprints should be now removed.

Release a new v2 major with CDK v2 support

CDK v1 entered maintenance mode a year ago. There should be no need to support it anymore, so we should deprecate the release branch for v1 compatible construct (as it has not even been updated at all).

It seems that the library does not support other partitions than the different one.
I have an implementation for this and I will open a PR soon.

Fix current vulnerable dependencies:

When making a role like so

    const githubActionsRole = new GithubActionsRole(this, roleName, {
      roleName: roleName,
      provider,
      owner: 'f',
      repo: 'catalog',
      filter: 'ref:refs/heads/main'
    })
    

it makes a policy like this

            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:f/catalog:ref:refs/head/main"
                }
            }

but it will not work with github unless it is this

            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com/jamf:sub": "repo:f/catalog:ref:refs/heads/main",
                    "token.actions.githubusercontent.com/jamf:aud": "sts.amazonaws.com"
                }
            }

behaves similarly with or without the filter defined

GitHub has updated their certificates:
https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/
You can see the thread of challenges for people here:
aws-actions/configure-aws-credentials#357

For temporary workaround:

    (GithubActionsIdentityProvider as any).thumbprints = [
      '1c58a3a8518e8759bf075b76b750d4f2df264fcd', // 2023-06-27
      '6938fd4d98bab03faadb97b34396831e3780aea1',
    ];
    const provider = new GithubActionsIdentityProvider(this, 'GithubProvider');

I cannot make a PR against origin, but essentially here is the fix:
pmoghaddam#1
I extended the code to more natively support overriding going forward.

Hello!

I hope you are doing well!

We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security research to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.

Can you enable it, so that we can report it?

Thanks in advance!

PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

I already upgraded to NodeJS v16 locally but forgot to update the NodeJS version in projenrc & nvmrc etc.

You can use https://github.com/mrgrain/jsii-struct-builder to produce your Partial based on RoleProps: https://github.com/aripalo/aws-cdk-github-oidc/blob/main/src/iam-role-props.ts

You can see an example here: https://github.com/blimmer/cdk-static-wordpress/blob/372b42e9c9c3eb1bfde8c61afbded0188ca08d6c/.projenrc.ts#L66-L92

Hi there,

Just wanted to let you know, that you can omit the github certificates thumbprints and cdk/aws will fetch them on its own.

I am referring to this lines:
https://github.com/aripalo/aws-cdk-github-oidc/blob/main/src/provider.ts#L20-L23

See also the docs to the thumbprints parameter in the official docs

Type: string[] (optional, default: If no thumbprints are specified (an empty array or undefined), the thumbprint of the root certificate authority will be obtained from the provider's server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html)

Its probably easier if you stick with that solution as a Constructs Library Maintainer, in case github change its certificate you dont need to maintain thumbprints at all.

NodeJS v14 LTS has reached its end-of-life. Latest Projen requires active LTS version of NodeJS:

In some ways, this could be a major version release (for this construct), but as fixing current vulnerabilities requires updating Projen as well, using NodeJS v14 results in a build error (for this construct):

So, doing this in non-major version bump isn't optimal (and apologies for anyone this may cause trouble) but requiring NodeJS v16 is reasonable requirement (in my mind at least) because:

• the security patched version (of this construct) should actually work
• NodeJS v14 has been end-of-life since April 2023

On that note, I will be enabling DependaBot security update Pull Requests for this repo (I dunno why I've disabled them at some point - probably accident), to hopefully avoid this kind of mess in the future where a lot of depedency updates are required at one go.

Currently Go deployment fails: https://github.com/aripalo/aws-cdk-github-oidc/actions/runs/5744594271/job/15571212677

Might be an issue with expired token or something. Need to investigate later.

Looks like the custom constructs in this library are not taggable. Therefore tags added on the stack or app level don't propagate to resources created by custom constructs in this library.