aws-lambda-api-tools 0.1.5 → 0.1.6
- package/README.md +12 -0
- package/bin/bootstrap-iam.js +3 -0
- package/bin/bootstrap-iam.ts +56 -0
- package/package.json +9 -5
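--- a/package/README.md
+++ b/package/README.md
@@ -231,3 +231,15 @@ Contributions are welcome! Please feel free to submit a Pull Request.
 ## License
 
 MIT
+
+## GitHub Actions IAM Setup
+
+This package includes a utility to set up IAM OIDC authentication for GitHub Actions so that you can deploy to AWS from your GitHub Actions:
+
+```bash
+npx gh-oidc-iam --repo=owner/repo-name [--policy=PolicyName]
+```
+
+Options:
+- `--repo`: (Required) Your GitHub repository in the format `owner/repo-name`
+- `--policy`: (Optional) AWS managed policy name to attach to the role. Defaults to 'AdministratorAccess'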
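--- /dev/null
+++ b/package/bin/bootstrap-iam.ts
@@ -0,0 +1,56 @@
+#!/usr/bin/env ts-node
+import * as cdk from 'aws-cdk-lib';
+import * as iam from 'aws-cdk-lib/aws-iam';
+
+// Parse command line arguments
+const args = process.argv.slice(2);
+const repoArg = args.find(arg => arg.startsWith('--repo='));
+const policyArg = args.find(arg => arg.startsWith('--policy='));
+
+if (!repoArg) {
+  console.error('Error: --repo argument is required');
+  console.error('Usage: gh-oidc-iam --repo=owner/repo-name [--policy=PolicyName]');
+  console.error('Example: gh-oidc-iam --repo=myorg/my-repo --policy=AdministratorAccess');
+  process.exit(1);
+}
+
+const repoName = repoArg.split('=')[1];
+const policyName = policyArg ? policyArg.split('=')[1] : 'AdministratorAccess';
+
+const app = new cdk.App();
+
+class GithubActionsIamStack extends cdk.Stack {
+  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    const githubOidcProvider = new iam.OpenIdConnectProvider(this, 'GithubOidcProvider', {
+      url: 'https://token.actions.githubusercontent.com',
+      clientIds: ['sts.amazonaws.com'],
+    });
+
+    const deploymentRole = new iam.Role(this, 'GithubActionsRole', {
+      assumedBy: new iam.WebIdentityPrincipal(
+        githubOidcProvider.openIdConnectProviderArn,
+        {
+          StringEquals: {
+            'token.actions.githubusercontent.com:aud': 'sts.amazonaws.com',
+          },
+          StringLike: {
+            'token.actions.githubusercontent.com:sub': `repo:${repoName}:*`,
+          },
+        }
+      ),
+      managedPolicies: [
+        iam.ManagedPolicy.fromAwsManagedPolicyName(policyName),
+      ],
+    });
+
+    new cdk.CfnOutput(this, 'RoleArn', {
+      value: deploymentRole.roleArn,
+      description: 'ARN of role to use in GitHub Actions',
+    });
+  }
+}
+
+new GithubActionsIamStack(app, 'GithubActionsIam');
+app.synth();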
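Review bot: The trust condition at new lines 38–40 matches any subject of the form `repo:${repoName}:*`, so a token minted by any branch, tag or pull-request workflow of that repository can assume a role that defaults to AdministratorAccess, and `repoName` (new line 17) is taken from `split('=')[1]` with no format check, so `--repo=*` would produce a trust subject of `repo:*:*` and a value containing a second `=` is silently truncated. The subject match is the only control deciding who may assume this role, so it deserves both input validation and tighter scoping: validate the argument as `owner/name` before it reaches the stack, and consider narrowing the subject to a protected branch or environment, e.g. `` `repo:${repoName}:ref:refs/heads/main` ``, with the wildcard as an explicit opt-in. Separately, `new iam.OpenIdConnectProvider` at new line 26 creates a provider for the GitHub issuer URL; AWS allows only one provider per URL per account, so this deploy will presumably fail in accounts that already have one, and `iam.OpenIdConnectProvider.fromOpenIdConnectProviderArn` would let the script reuse the existing provider instead.
```typescript
const repoName = repoArg.slice('--repo='.length);
// GitHub owner and repository names are limited to alphanumerics, '.', '_' and '-';
// rejecting anything else keeps wildcards out of the trust-policy subject.
if (!/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(repoName)) {
  console.error(`Error: --repo must be in the form owner/repo-name (got "${repoName}")`);
  process.exit(1);
}
// … unchanged: policyName, app, GithubActionsIamStack, synth …
```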
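--- a/package/package.json
+++ b/package/package.json
@@ -1,17 +1,20 @@
 {
   "name": "aws-lambda-api-tools",
-  "version": "0.1.
+  "version": "0.1.6",
   "description": "",
   "main": "dist/index.js",
   "bin": {
-    "generate-oas": "./bin/generate-swagger.js"
+    "generate-oas": "./bin/generate-swagger.js",
+    "gh-oidc-iam": "./bin/bootstrap-iam.js"
   },
   "types": "dist/index.d.ts",
   "scripts": {
     "build": "tsc",
     "bump-version": "npm run build && npm version patch -m 'Updated version to %s [skip ci]'",
     "test": "jest",
-    "generate-swagger": "node -r ts-node/register bin/generate-swagger.js"
+    "generate-swagger": "node -r ts-node/register bin/generate-swagger.js",
+    "---Github Actions Setup---": "",
+    "gh-oidc-iam": "cdk --app 'ts-node scripts/bootstrap-iam.ts' deploy GithubActionsIam --require-approval never"
   },
   "repository": {
     "type": "git",
@@ -33,7 +36,6 @@
     "nodemon": "^2.0.22",
     "prettier": "^2.8.8",
     "ts-jest": "^26.5.6",
-    "ts-node": "^9.1.1",
     "typescript": "^4.9.5"
   },
   "dependencies": {
@@ -46,13 +48,15 @@
     "@types/minimist": "^1.2.2",
     "@types/node-fetch": "^2.5.12",
     "atob": "^2.1.2",
+    "aws-cdk-lib": "^2.178.2",
     "axios": "^1.6.3",
     "joi": "^17.12.3",
     "joi-to-swagger": "6.2.0",
     "joi-to-typescript": "^4.11.0",
     "js-yaml": "^4.1.0",
     "lodash": "^4.17.21",
-    "minimist": "^1.2.6"
+    "minimist": "^1.2.6",
+    "ts-node": "^9.1.1"
   },
   "files": [
     "bin",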
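Review bot: The `gh-oidc-iam` script added at new line 17 runs `ts-node scripts/bootstrap-iam.ts`, but the file this release adds is `bin/bootstrap-iam.ts` and the `bin` entry at new line 8 points at `./bin/bootstrap-iam.js`, so unless a `scripts/` copy exists outside this diff the CDK app path does not exist and `npm run gh-oidc-iam` fails. The line should read `"gh-oidc-iam": "cdk --app 'ts-node bin/bootstrap-iam.ts' deploy GithubActionsIam --require-approval never"`. That script also invokes the `cdk` CLI, yet only `aws-cdk-lib` is added to `dependencies` (new line 51) and no `aws-cdk` package appears in the hunks shown, so it presumably relies on a globally installed CLI that the README does not mention. `--require-approval never` removes the IAM-change confirmation for a stack whose sole purpose is an IAM role with a broad managed policy; that is a reasonable choice for a bootstrap tool, but it is worth one sentence in the README so operators know the deploy prompts for nothing.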