Prepare for OIdC role custom resource

vlesierse · vlesierse · commit f4059d76d13f · 2020-03-12T09:39:33.000+01:00
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts
@@ -74,4 +74,6 @@ export interface EksClient {
   createOpenIDConnectProvider(request: aws.IAM.CreateOpenIDConnectProviderRequest): Promise<aws.IAM.CreateOpenIDConnectProviderResponse>;
   deleteOpenIDConnectProvider(request: aws.IAM.DeleteOpenIDConnectProviderRequest): Promise<{ $response: aws.Response<{}, aws.AWSError>; }>;
   getOpenIDConnectProvider(request: aws.IAM.GetOpenIDConnectProviderRequest): Promise<aws.IAM.GetOpenIDConnectProviderResponse>;
+  getRole(request: aws.IAM.GetRoleRequest): Promise<aws.IAM.GetRoleResponse>;
+  updateRole(request: aws.IAM.UpdateRoleRequest): Promise<aws.IAM.UpdateRoleResponse>;
 }
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/consts.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/consts.ts
@@ -1,3 +1,4 @@
 export const CLUSTER_RESOURCE_TYPE = 'Custom::AWSCDK-EKS-Cluster';
 export const FARGATE_PROFILE_RESOURCE_TYPE = 'Custom::AWSCDK-EKS-FargateProfile';
+export const OPENIDCONNECT_ROLE_RESOURCE_TYPE = 'Custom::AWSCDK-EKS-OpenIDConnectRole';
 export const OPENIDCONNECT_PROVIDER_RESOURCE_TYPE = 'Custom::AWSCDK-EKS-OpenIDConnectProvider';
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/index.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/index.ts
@@ -7,7 +7,8 @@ import { ClusterResourceHandler } from './cluster';
 import { EksClient } from './common';
 import * as consts from './consts';
 import { FargateProfileResourceHandler } from './fargate';
-import { OpenIDConnectResourceHandler } from './oidc';
+import { OpenIDConnectProviderResourceHandler } from './oidcprovider';
+import { OpenIDConnectRoleResourceHandler } from './oidcrole';
 
 aws.config.logger = console;
 
@@ -26,6 +27,8 @@ const defaultEksClient: EksClient = {
   createOpenIDConnectProvider: req => getIamClient().createOpenIDConnectProvider(req).promise(),
   deleteOpenIDConnectProvider: req => getIamClient().deleteOpenIDConnectProvider(req).promise(),
   getOpenIDConnectProvider: req => getIamClient().getOpenIDConnectProvider(req).promise(),
+  getRole: req => getIamClient().getRole(req).promise(),
+  updateRole: req => getIamClient().updateRole(req).promise(),
   configureAssumeRole: req => {
     console.log(JSON.stringify({ assumeRole: req }, undefined, 2));
     const creds = new aws.ChainableTemporaryCredentials({
@@ -67,7 +70,8 @@ function createResourceHandler(event: AWSLambda.CloudFormationCustomResourceEven
   switch (event.ResourceType) {
     case consts.CLUSTER_RESOURCE_TYPE: return new ClusterResourceHandler(defaultEksClient, event);
     case consts.FARGATE_PROFILE_RESOURCE_TYPE: return new FargateProfileResourceHandler(defaultEksClient, event);
-    case consts.OPENIDCONNECT_PROVIDER_RESOURCE_TYPE: return new OpenIDConnectResourceHandler(defaultEksClient, event);
+    case consts.OPENIDCONNECT_PROVIDER_RESOURCE_TYPE: return new OpenIDConnectProviderResourceHandler(defaultEksClient, event);
+    case consts.OPENIDCONNECT_ROLE_RESOURCE_TYPE: return new OpenIDConnectRoleResourceHandler(defaultEksClient, event);
     default:
       throw new Error(`Unsupported resource type "${event.ResourceType}`);
   }
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/oidcprovider.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/oidcprovider.ts
@@ -4,7 +4,7 @@ import { ResourceHandler } from "./common";
 import * as aws from "aws-sdk";
 import * as https from "https";
 
-export class OpenIDConnectResourceHandler extends ResourceHandler {
+export class OpenIDConnectProviderResourceHandler extends ResourceHandler {
   protected async onCreate() {
     const clusterName = this.event.ResourceProperties.Config.clusterName;
 
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/oidcrole.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/oidcrole.ts
@@ -0,0 +1,94 @@
+import { ResourceHandler } from "./common";
+
+// eslint-disable-next-line import/no-extraneous-dependencies
+import * as aws from "aws-sdk";
+
+export class OpenIDConnectRoleResourceHandler extends ResourceHandler {
+  protected async onCreate() {
+    const { roleName } = this.event.ResourceProperties.Config;
+
+    const role = await this.eks.getRole({ RoleName: roleName});
+    if (!role) {
+      throw new Error(`no role found with name ${roleName}`);
+    }
+
+    return {
+      PhysicalResourceId: roleName
+    };
+  }
+
+  protected async onDelete() {
+    if (!this.physicalResourceId) {
+      throw new Error(
+        `Cannot delete a profile without a physical id`
+      );
+    }
+
+    const deleteOpenIDConnectProvider: aws.IAM.DeleteOpenIDConnectProviderRequest = {
+      OpenIDConnectProviderArn: this.physicalResourceId
+    };
+
+    this.log({ deleteOpenIDConnectProvider });
+    const deleteOpenIDConnectProviderResponse = await this.eks.deleteOpenIDConnectProvider(
+      deleteOpenIDConnectProvider
+    );
+    this.log({ deleteOpenIDConnectProviderResponse });
+
+    return;
+  }
+
+  protected async onUpdate() {
+    // all updates require a replacement. as long as name is generated, we are
+    // good. if name is explicit, update will fail, which is common when trying
+    // to replace cfn resources with explicit physical names
+    return this.onCreate();
+  }
+
+  protected async isCreateComplete() {
+    return this.isUpdateComplete();
+  }
+
+  protected async isUpdateComplete() {
+    return {
+      IsComplete: await this.checkResource()
+    };
+  }
+
+  protected async isDeleteComplete() {
+    await this.checkResource();
+    return {
+      IsComplete: !(await this.checkResource())
+    };
+  }
+
+  private async checkResource(): Promise<boolean> {
+    if (!this.physicalResourceId) {
+      throw new Error(
+        `Cannot get a profile without a physical id`
+      );
+    }
+
+    const getOpenIDConnectProvider: aws.IAM.GetOpenIDConnectProviderRequest = {
+      OpenIDConnectProviderArn: this.physicalResourceId
+    };
+
+    try {
+      this.log({ getOpenIDConnectProvider });
+      const getOpenIDConnectProviderResponse = await this.eks.getOpenIDConnectProvider(
+        getOpenIDConnectProvider
+      );
+      this.log({ getOpenIDConnectProviderResponse });
+      return true;
+    } catch (getOpenIDConnectProviderError) {
+      if (getOpenIDConnectProviderError.code === "NoSuchEntity") {
+        this.log(
+          "received NoSuchEntityFoundException, this means the profile has been deleted (or never existed)"
+        );
+        return false;
+      }
+
+      this.log({ getOpenIDConnectProviderError });
+      throw getOpenIDConnectProviderError;
+    }
+  }
+}
diff --git a/packages/@aws-cdk/aws-eks/lib/service-account.ts b/packages/@aws-cdk/aws-eks/lib/service-account.ts
@@ -1,27 +1,51 @@
 import { CustomResource } from "@aws-cdk/aws-cloudformation";
 import { FederatedPrincipal, PolicyStatement, Role } from "@aws-cdk/aws-iam";
-import { Construct, Lazy } from "@aws-cdk/core";
+import { Construct } from "@aws-cdk/core";
 import { Cluster } from "./cluster";
 import { OPENIDCONNECT_PROVIDER_RESOURCE_TYPE } from "./cluster-resource-handler/consts";
 import { ClusterResourceProvider } from "./cluster-resource-provider";
 
+/**
+ * Service Account
+ */
 export interface ServiceAccountOptions {
+  /**
+   * The cluster to apply the patch to.
+   */
   readonly name: string;
+  /**
+   * The cluster to apply the patch to.
+   */
   readonly namespace: string;
+  /**
+   * The cluster to apply the patch to.
+   * @default No additional policies are applied
+   */
   readonly policyStatements?: PolicyStatement[];
 }
 
+/**
+ * Service Account
+ */
 export interface ServiceAccountProps extends ServiceAccountOptions {
+  /**
+   * The cluster to apply the patch to.
+   * [disable-awslint:ref-via-interface]
+   */
   readonly cluster: Cluster;
 }
 
+/**
+ * Service Account
+ */
 export class ServiceAccount extends Construct {
-
+  /**
+   * The cluster to apply the patch to.
+   */
   public readonly serviceAccountName: string;
 
   private readonly role: Role;
 
-  private openIDConnectSubject: string | undefined;
   private openIdConnectProviderArn: string | undefined;
 
   constructor(scope: Construct, id: string, props: ServiceAccountProps) {
@@ -31,11 +55,9 @@ export class ServiceAccount extends Construct {
     // Ensure OpenIDConnect association
     this.enableOpenIDConnectIAMProvider(cluster);
     // Create IAM Role
-    const condition: { [id: string]: any; } = {};
-    condition[Lazy.stringValue({ produce: () => this.openIDConnectSubject})] = `system:serviceaccount:${namespace}:${name}`;
     this.role = new Role(this, "Role", {
       assumedBy: new FederatedPrincipal(
-        this.openIdConnectProviderArn!, { StringEquals: condition }, "sts:AssumeRoleWithWebIdentity"
+        this.openIdConnectProviderArn!, { }, "sts:AssumeRoleWithWebIdentity"
       )
     });
     policyStatements?.forEach(this.role.addToPolicy);
@@ -58,6 +80,9 @@ export class ServiceAccount extends Construct {
     this.serviceAccountName = name;
   }
 
+  /**
+   * The cluster to apply the patch to.
+   */
   public addToPolicy(statements: PolicyStatement) {
     this.role.addToPolicy(statements);
   }
@@ -79,7 +104,7 @@ export class ServiceAccount extends Construct {
         }
       });
     }
-    this.openIDConnectSubject = resource.getAtt("openIDConnectSubject").toString();
+    // this.openIDConnectSubject = resource.getAtt("openIDConnectSubject").toString();
     this.openIdConnectProviderArn = resource.ref;
   }
 }
diff --git a/packages/@aws-cdk/aws-eks/test/cluster-resource-handler-mocks.ts b/packages/@aws-cdk/aws-eks/test/cluster-resource-handler-mocks.ts
@@ -1,6 +1,5 @@
 import * as sdk from 'aws-sdk';
 import { EksClient } from '../lib/cluster-resource-handler/common';
-import { Response } from 'aws-sdk';
 
 /**
  * Request objects will be assigned when a request of the relevant type will be
@@ -19,6 +18,8 @@ export let actualRequest: {
   createOpenIDConnectProvider?: sdk.IAM.CreateOpenIDConnectProviderRequest;
   deleteOpenIDConnectProvider?: sdk.IAM.DeleteOpenIDConnectProviderRequest;
   getOpenIDConnectProvider?: sdk.IAM.GetOpenIDConnectProviderRequest;
+  getRole?: sdk.IAM.GetRoleRequest;
+  updateRole?: sdk.IAM.UpdateRoleRequest;
 } = { };
 
 /**
@@ -130,6 +131,16 @@ export const client: EksClient = {
     actualRequest.getOpenIDConnectProvider = req;
     return { };
   },
+  getRole: async req => {
+    actualRequest.getRole = req;
+    return {
+      Role: { Path: '/', RoleName: 'Role', RoleId: 'role', Arn: 'arn:role', CreateDate: new Date() }
+    };
+  },
+  updateRole: async req => {
+    actualRequest.updateRole = req;
+    return { };
+  },
 };
 
 export const MOCK_PROPS = {
diff --git a/packages/@aws-cdk/aws-eks/test/test.fargate-resource-provider.ts b/packages/@aws-cdk/aws-eks/test/test.fargate-resource-provider.ts
@@ -300,6 +300,8 @@ function newEksClientMock() {
     describeFargateProfile: sinon.fake.throws('not implemented'),
     createOpenIDConnectProvider: sinon.fake(),
     deleteOpenIDConnectProvider: sinon.fake(),
-    getOpenIDConnectProvider: sinon.fake()
+    getOpenIDConnectProvider: sinon.fake(),
+    getRole: sinon.fake(),
+    updateRole: sinon.fake()
   };
 }

Original file line number	Diff line number	Diff line change
`@@ -74,4 +74,6 @@ export interface EksClient {`
`74`	`74`	`createOpenIDConnectProvider(request: aws.IAM.CreateOpenIDConnectProviderRequest): Promise<aws.IAM.CreateOpenIDConnectProviderResponse>;`
`75`	`75`	`deleteOpenIDConnectProvider(request: aws.IAM.DeleteOpenIDConnectProviderRequest): Promise<{ $response: aws.Response<{}, aws.AWSError>; }>;`
`76`	`76`	`getOpenIDConnectProvider(request: aws.IAM.GetOpenIDConnectProviderRequest): Promise<aws.IAM.GetOpenIDConnectProviderResponse>;`
	`77`	`+ getRole(request: aws.IAM.GetRoleRequest): Promise<aws.IAM.GetRoleResponse>;`
	`78`	`+ updateRole(request: aws.IAM.UpdateRoleRequest): Promise<aws.IAM.UpdateRoleResponse>;`
`77`	`79`	`}`