generated from hamadsuniverse/codecatalyst-sst-app
import { Duration } from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import { StackContext } from 'sst/constructs';
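/**
 * Creates the GitHub OIDC identity provider and the deployment role that
 * GitHub Actions workflows assume (via `sts:AssumeRoleWithWebIdentity`)
 * to deploy this SST app.
 *
 * Trust is restricted to web-identity tokens whose `sub` claim matches
 * `repo:<organization>/<repository>:*` and whose `aud` claim is
 * `sts.amazonaws.com`, the only client id registered on the provider.
 *
 * @param ctx - SST stack context; only `stack` is used.
 * @param options - Optional overrides for the GitHub organization and
 *   repository allowed to assume the role. The defaults reproduce the
 *   values previously hard-coded in this file, so existing callers that
 *   pass only the stack context are unaffected.
 * @returns The OIDC provider and the deployment role, so other stacks can
 *   reference them (e.g. to attach further policies).
 */
export function OIDCForGitHubCI(
  { stack }: StackContext,
  options: { organization?: string; repository?: string } = {},
) {
  const provider = new iam.OpenIdConnectProvider(stack, 'GitHub', {
    url: 'https://token.actions.githubusercontent.com',
    clientIds: ['sts.amazonaws.com'],
  });

  const organization = options.organization ?? 'bahrain-bp'; // Use your GitHub organization
  const repository = options.repository ?? 'bqa-genai-challenge'; // Use your GitHub repository

  const role = new iam.Role(stack, 'GitHubActionsRole', {
    assumedBy: new iam.OpenIdConnectPrincipal(provider).withConditions({
      // Pin the audience explicitly in the trust policy as well as on the
      // provider's client id list, so the role cannot be assumed with a token
      // minted for another audience.
      StringEquals: {
        'token.actions.githubusercontent.com:aud': 'sts.amazonaws.com',
      },
      // The trailing `:*` admits any branch, tag, pull request or environment
      // of the repository. Narrow it (e.g. `:ref:refs/heads/main`) if only a
      // specific ref should be allowed to deploy.
      StringLike: {
        'token.actions.githubusercontent.com:sub': `repo:${organization}/${repository}:*`,
      },
    }),
    description: 'Role assumed for deploying from GitHub CI using AWS CDK',
    roleName: 'GitHub', // Change this to match the role name in the GitHub workflow file
    maxSessionDuration: Duration.hours(1),
    inlinePolicies: {
      // You could attach AdministratorAccess here or constrain it even more, but
      // this uses more granular permissions used by SST. All statements still
      // apply to `*` resources; once the deployed resource names are known,
      // actions such as `iam:PassRole`, `sts:AssumeRole` and the s3/ssm writes
      // are good candidates for resource-level scoping.
      SSTDeploymentPolicy: new iam.PolicyDocument({
        assignSids: true,
        statements: [
          new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: [
              'cloudformation:DeleteStack',
              'cloudformation:DescribeStackEvents',
              'cloudformation:DescribeStackResources',
              'cloudformation:DescribeStacks',
              'cloudformation:GetTemplate',
              'cloudformation:ListImports',
              'ecr:CreateRepository',
              'iam:PassRole',
              'iot:Connect',
              'iot:DescribeEndpoint',
              'iot:Publish',
              'iot:Receive',
              'iot:Subscribe',
              'lambda:GetFunction',
              'lambda:GetFunctionConfiguration',
              'lambda:UpdateFunctionConfiguration',
              's3:ListBucket',
              's3:PutObjectAcl',
              's3:GetObject',
              's3:PutObject',
              's3:DeleteObject',
              's3:ListObjectsV2',
              's3:CreateBucket',
              's3:PutBucketPolicy',
              'ssm:DeleteParameter',
              'ssm:GetParameter',
              'ssm:GetParameters',
              'ssm:GetParametersByPath',
              'ssm:PutParameter',
              'sts:AssumeRole',
            ],
            resources: ['*'],
          }),
        ],
      }),
    },
  });

  return { provider, role };
}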