@devramps/cli 0.1.12 → 0.1.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +46 -30
- package/package.json +1 -1
package/dist/index.js
CHANGED
|
@@ -1510,7 +1510,8 @@ function createBaseTemplate(description) {
|
|
|
1510
1510
|
function sanitizeResourceId(name) {
|
|
1511
1511
|
return name.replace(/[^a-zA-Z0-9]/g, "").substring(0, 64);
|
|
1512
1512
|
}
|
|
1513
|
-
function addOidcProviderResource(template, conditional = true) {
|
|
1513
|
+
function addOidcProviderResource(template, conditional = true, oidcProviderUrl) {
|
|
1514
|
+
const providerUrl = oidcProviderUrl || OIDC_PROVIDER_URL;
|
|
1514
1515
|
if (conditional) {
|
|
1515
1516
|
template.Parameters.OIDCProviderExists = {
|
|
1516
1517
|
Type: "String",
|
|
@@ -1526,27 +1527,28 @@ function addOidcProviderResource(template, conditional = true) {
|
|
|
1526
1527
|
Type: "AWS::IAM::OIDCProvider",
|
|
1527
1528
|
...conditional ? { Condition: "CreateOIDCProvider" } : {},
|
|
1528
1529
|
Properties: {
|
|
1529
|
-
Url: `https://${
|
|
1530
|
-
ClientIdList: [
|
|
1530
|
+
Url: `https://${providerUrl}`,
|
|
1531
|
+
ClientIdList: [providerUrl],
|
|
1531
1532
|
ThumbprintList: [getOidcThumbprint()],
|
|
1532
1533
|
Tags: STANDARD_TAGS
|
|
1533
1534
|
}
|
|
1534
1535
|
};
|
|
1535
1536
|
}
|
|
1536
|
-
function buildOidcTrustPolicy(accountId, subject) {
|
|
1537
|
+
function buildOidcTrustPolicy(accountId, subject, oidcProviderUrl) {
|
|
1538
|
+
const providerUrl = oidcProviderUrl || OIDC_PROVIDER_URL;
|
|
1537
1539
|
return {
|
|
1538
1540
|
Version: "2012-10-17",
|
|
1539
1541
|
Statement: [
|
|
1540
1542
|
{
|
|
1541
1543
|
Effect: "Allow",
|
|
1542
1544
|
Principal: {
|
|
1543
|
-
Federated: `arn:aws:iam::${accountId}:oidc-provider/${
|
|
1545
|
+
Federated: `arn:aws:iam::${accountId}:oidc-provider/${providerUrl}`
|
|
1544
1546
|
},
|
|
1545
1547
|
Action: "sts:AssumeRoleWithWebIdentity",
|
|
1546
1548
|
Condition: {
|
|
1547
1549
|
StringEquals: {
|
|
1548
|
-
[`${
|
|
1549
|
-
[`${
|
|
1550
|
+
[`${providerUrl}:sub`]: subject,
|
|
1551
|
+
[`${providerUrl}:aud`]: providerUrl
|
|
1550
1552
|
}
|
|
1551
1553
|
}
|
|
1552
1554
|
}
|
|
@@ -1908,7 +1910,7 @@ function createTerraformStateBucketPolicy(bucketName, cicdAccountId, allowedAcco
|
|
|
1908
1910
|
|
|
1909
1911
|
// src/templates/org-stack.ts
|
|
1910
1912
|
function generateOrgStackTemplate(options) {
|
|
1911
|
-
const { orgSlug, cicdAccountId, targetAccountIds } = options;
|
|
1913
|
+
const { orgSlug, cicdAccountId, targetAccountIds, oidcProviderUrl } = options;
|
|
1912
1914
|
const template = createBaseTemplate(`DevRamps Org Stack for ${orgSlug}`);
|
|
1913
1915
|
const kmsKeyPolicy = buildKmsKeyPolicy(cicdAccountId, targetAccountIds);
|
|
1914
1916
|
template.Resources.DevRampsKMSKey = createKmsKeyResource(
|
|
@@ -1938,7 +1940,7 @@ function generateOrgStackTemplate(options) {
|
|
|
1938
1940
|
PolicyDocument: bucketPolicy
|
|
1939
1941
|
}
|
|
1940
1942
|
};
|
|
1941
|
-
const trustPolicy = buildOidcTrustPolicy(cicdAccountId, `org:${orgSlug}
|
|
1943
|
+
const trustPolicy = buildOidcTrustPolicy(cicdAccountId, `org:${orgSlug}/cicd`, oidcProviderUrl);
|
|
1942
1944
|
const orgRolePolicies = buildOrgRolePolicies(orgSlug);
|
|
1943
1945
|
template.Resources.DevRampsCICDDeploymentRole = createIamRoleResource(
|
|
1944
1946
|
getOrgRoleName(),
|
|
@@ -2146,11 +2148,11 @@ function generatePipelineStackTemplate(options) {
|
|
|
2146
2148
|
}
|
|
2147
2149
|
|
|
2148
2150
|
// src/templates/account-stack.ts
|
|
2149
|
-
function generateAccountStackTemplate() {
|
|
2151
|
+
function generateAccountStackTemplate(options) {
|
|
2150
2152
|
const template = createBaseTemplate(
|
|
2151
2153
|
"DevRamps Account Bootstrap Stack - Creates OIDC provider for the account"
|
|
2152
2154
|
);
|
|
2153
|
-
addOidcProviderResource(template, false);
|
|
2155
|
+
addOidcProviderResource(template, false, options?.oidcProviderUrl);
|
|
2154
2156
|
template.Outputs = {
|
|
2155
2157
|
OIDCProviderArn: {
|
|
2156
2158
|
Description: "ARN of the OIDC provider",
|
|
@@ -2342,13 +2344,14 @@ function generateStageStackTemplate(options) {
|
|
|
2342
2344
|
steps,
|
|
2343
2345
|
additionalPolicies,
|
|
2344
2346
|
dockerArtifacts,
|
|
2345
|
-
bundleArtifacts
|
|
2347
|
+
bundleArtifacts,
|
|
2348
|
+
oidcProviderUrl
|
|
2346
2349
|
} = options;
|
|
2347
2350
|
const template = createBaseTemplate(
|
|
2348
2351
|
`DevRamps Stage Stack for ${pipelineSlug}/${stageName}`
|
|
2349
2352
|
);
|
|
2350
2353
|
const roleName = generateStageRoleName(pipelineSlug, stageName);
|
|
2351
|
-
const trustPolicy = buildStageTrustPolicy(accountId, orgSlug, pipelineSlug,
|
|
2354
|
+
const trustPolicy = buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl);
|
|
2352
2355
|
const policies = buildStagePolicies(steps, additionalPolicies);
|
|
2353
2356
|
template.Resources.StageDeploymentRole = createIamRoleResource(
|
|
2354
2357
|
roleName,
|
|
@@ -2392,7 +2395,8 @@ function generateStageStackTemplate(options) {
|
|
|
2392
2395
|
);
|
|
2393
2396
|
s3Outputs[artifact.name] = { resourceId };
|
|
2394
2397
|
}
|
|
2395
|
-
const
|
|
2398
|
+
const providerUrl = oidcProviderUrl || OIDC_PROVIDER_URL;
|
|
2399
|
+
const oidcProviderArn = `arn:aws:iam::${accountId}:oidc-provider/${providerUrl}`;
|
|
2396
2400
|
template.Outputs = {
|
|
2397
2401
|
StageRoleArn: {
|
|
2398
2402
|
Description: "ARN of the stage deployment role",
|
|
@@ -2432,9 +2436,9 @@ function generateStageStackTemplate(options) {
|
|
|
2432
2436
|
}
|
|
2433
2437
|
return template;
|
|
2434
2438
|
}
|
|
2435
|
-
function buildStageTrustPolicy(accountId, orgSlug, pipelineSlug,
|
|
2436
|
-
const subject = `org:${orgSlug}/pipeline:${pipelineSlug}
|
|
2437
|
-
return buildOidcTrustPolicy(accountId, subject);
|
|
2439
|
+
function buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl) {
|
|
2440
|
+
const subject = `org:${orgSlug}/pipeline:${pipelineSlug}`;
|
|
2441
|
+
return buildOidcTrustPolicy(accountId, subject, oidcProviderUrl);
|
|
2438
2442
|
}
|
|
2439
2443
|
function buildStagePolicies(steps, additionalPolicies) {
|
|
2440
2444
|
const policies = [];
|
|
@@ -2540,6 +2544,15 @@ async function confirmDeployment(plan) {
|
|
|
2540
2544
|
}
|
|
2541
2545
|
|
|
2542
2546
|
// src/commands/bootstrap.ts
|
|
2547
|
+
function getOidcProviderUrlFromEndpoint(endpointOverride) {
|
|
2548
|
+
if (!endpointOverride) return void 0;
|
|
2549
|
+
try {
|
|
2550
|
+
const url = new URL(endpointOverride);
|
|
2551
|
+
return url.hostname;
|
|
2552
|
+
} catch {
|
|
2553
|
+
return void 0;
|
|
2554
|
+
}
|
|
2555
|
+
}
|
|
2543
2556
|
async function bootstrapCommand(options) {
|
|
2544
2557
|
try {
|
|
2545
2558
|
if (options.verbose) {
|
|
@@ -2582,14 +2595,15 @@ async function bootstrapCommand(options) {
|
|
|
2582
2595
|
spinner.succeed("Deployment plan ready");
|
|
2583
2596
|
if (options.dryRun) {
|
|
2584
2597
|
await showDryRunPlan(plan);
|
|
2585
|
-
|
|
2598
|
+
process.exit(0);
|
|
2586
2599
|
}
|
|
2587
2600
|
const confirmed = await confirmDeploymentPlan(plan);
|
|
2588
2601
|
if (!confirmed) {
|
|
2589
2602
|
info("Deployment cancelled by user.");
|
|
2590
|
-
|
|
2603
|
+
process.exit(0);
|
|
2591
2604
|
}
|
|
2592
|
-
|
|
2605
|
+
const oidcProviderUrl = getOidcProviderUrlFromEndpoint(options.endpointOverride);
|
|
2606
|
+
await executeDeployment(plan, pipelines, pipelineArtifacts, authData, identity.accountId, options, oidcProviderUrl);
|
|
2593
2607
|
} catch (error2) {
|
|
2594
2608
|
if (error2 instanceof DevRampsError) {
|
|
2595
2609
|
error(error2.message);
|
|
@@ -2802,7 +2816,7 @@ async function confirmDeploymentPlan(plan) {
|
|
|
2802
2816
|
]
|
|
2803
2817
|
});
|
|
2804
2818
|
}
|
|
2805
|
-
async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, currentAccountId, options) {
|
|
2819
|
+
async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, currentAccountId, options, oidcProviderUrl) {
|
|
2806
2820
|
const results = { success: 0, failed: 0 };
|
|
2807
2821
|
const totalStacks = 1 + plan.pipelineStacks.length + plan.accountStacks.length + plan.stageStacks.length;
|
|
2808
2822
|
const remainingStacks = 1 + plan.pipelineStacks.length + plan.stageStacks.length;
|
|
@@ -2818,7 +2832,7 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
|
|
|
2818
2832
|
const accountResults = await Promise.all(
|
|
2819
2833
|
plan.accountStacks.map(async (stack) => {
|
|
2820
2834
|
try {
|
|
2821
|
-
await deployAccountStack(stack, currentAccountId, options);
|
|
2835
|
+
await deployAccountStack(stack, currentAccountId, options, oidcProviderUrl);
|
|
2822
2836
|
return { stack: `${stack.stackName} (${stack.accountId})`, success: true };
|
|
2823
2837
|
} catch (error2) {
|
|
2824
2838
|
return {
|
|
@@ -2863,7 +2877,7 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
|
|
|
2863
2877
|
mainProgress.start();
|
|
2864
2878
|
const orgPromise = (async () => {
|
|
2865
2879
|
try {
|
|
2866
|
-
await deployOrgStack(plan, pipelines, authData, currentAccountId, options);
|
|
2880
|
+
await deployOrgStack(plan, pipelines, authData, currentAccountId, options, oidcProviderUrl);
|
|
2867
2881
|
return { stack: plan.orgStack.stackName, success: true };
|
|
2868
2882
|
} catch (error2) {
|
|
2869
2883
|
return {
|
|
@@ -2887,7 +2901,7 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
|
|
|
2887
2901
|
});
|
|
2888
2902
|
const stagePromises = plan.stageStacks.map(async (stack) => {
|
|
2889
2903
|
try {
|
|
2890
|
-
await deployStageStack(stack, authData, currentAccountId, options);
|
|
2904
|
+
await deployStageStack(stack, authData, currentAccountId, options, oidcProviderUrl);
|
|
2891
2905
|
return { stack: stack.stackName, success: true };
|
|
2892
2906
|
} catch (error2) {
|
|
2893
2907
|
return {
|
|
@@ -2923,7 +2937,7 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
|
|
|
2923
2937
|
process.exit(1);
|
|
2924
2938
|
}
|
|
2925
2939
|
}
|
|
2926
|
-
async function deployOrgStack(plan, pipelines, authData, currentAccountId, options) {
|
|
2940
|
+
async function deployOrgStack(plan, pipelines, authData, currentAccountId, options, oidcProviderUrl) {
|
|
2927
2941
|
const { orgSlug, cicdAccountId, cicdRegion } = authData;
|
|
2928
2942
|
const credentials = cicdAccountId !== currentAccountId ? (await assumeRoleForAccount({
|
|
2929
2943
|
targetAccountId: cicdAccountId,
|
|
@@ -2953,7 +2967,8 @@ async function deployOrgStack(plan, pipelines, authData, currentAccountId, optio
|
|
|
2953
2967
|
const template = generateOrgStackTemplate({
|
|
2954
2968
|
orgSlug,
|
|
2955
2969
|
cicdAccountId,
|
|
2956
|
-
targetAccountIds
|
|
2970
|
+
targetAccountIds,
|
|
2971
|
+
oidcProviderUrl
|
|
2957
2972
|
});
|
|
2958
2973
|
const deployOptions = {
|
|
2959
2974
|
stackName: plan.orgStack.stackName,
|
|
@@ -2988,13 +3003,13 @@ async function deployPipelineStack(stack, authData, currentAccountId, options) {
|
|
|
2988
3003
|
await previewStackChanges(deployOptions);
|
|
2989
3004
|
await deployStack(deployOptions);
|
|
2990
3005
|
}
|
|
2991
|
-
async function deployAccountStack(stack, currentAccountId, options) {
|
|
3006
|
+
async function deployAccountStack(stack, currentAccountId, options, oidcProviderUrl) {
|
|
2992
3007
|
const credentials = stack.accountId !== currentAccountId ? (await assumeRoleForAccount({
|
|
2993
3008
|
targetAccountId: stack.accountId,
|
|
2994
3009
|
currentAccountId,
|
|
2995
3010
|
targetRoleName: options.targetAccountRoleName
|
|
2996
3011
|
}))?.credentials : void 0;
|
|
2997
|
-
const template = generateAccountStackTemplate();
|
|
3012
|
+
const template = generateAccountStackTemplate({ oidcProviderUrl });
|
|
2998
3013
|
const deployOptions = {
|
|
2999
3014
|
stackName: stack.stackName,
|
|
3000
3015
|
template,
|
|
@@ -3005,7 +3020,7 @@ async function deployAccountStack(stack, currentAccountId, options) {
|
|
|
3005
3020
|
await previewStackChanges(deployOptions);
|
|
3006
3021
|
await deployStack(deployOptions);
|
|
3007
3022
|
}
|
|
3008
|
-
async function deployStageStack(stack, authData, currentAccountId, options) {
|
|
3023
|
+
async function deployStageStack(stack, authData, currentAccountId, options, oidcProviderUrl) {
|
|
3009
3024
|
const credentials = stack.accountId !== currentAccountId ? (await assumeRoleForAccount({
|
|
3010
3025
|
targetAccountId: stack.accountId,
|
|
3011
3026
|
currentAccountId,
|
|
@@ -3019,7 +3034,8 @@ async function deployStageStack(stack, authData, currentAccountId, options) {
|
|
|
3019
3034
|
steps: stack.steps,
|
|
3020
3035
|
additionalPolicies: stack.additionalPolicies,
|
|
3021
3036
|
dockerArtifacts: stack.dockerArtifacts,
|
|
3022
|
-
bundleArtifacts: stack.bundleArtifacts
|
|
3037
|
+
bundleArtifacts: stack.bundleArtifacts,
|
|
3038
|
+
oidcProviderUrl
|
|
3023
3039
|
});
|
|
3024
3040
|
const deployOptions = {
|
|
3025
3041
|
stackName: stack.stackName,
|