feat(iam): introduce OIDCProvider construct utilizing the native CloudFormation resource

[WarFox]

IAM is stable in CDK, so we should not introduce breaking changes. This PR introduces a new version of OIDC provider without introducing breaking changes.

Older iam.OpenIdConnectProvider, which uses custom resources with lambda, is marked as deprecated.

The newly introduced OpenIdConnectProvider2 uses the native CloudFormation resource AWS::IAM::OIDCProvider

ThumbprintList

ThumbprintList must not be empty when using AWS::IAM::OIDCProvider
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html
https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html

Closes #21197

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[WarFox]

The integration test is failing with the following error now

Thumbprint list must contain at least one entry

 ❌ Deployment failed: Error: The stack named oidc-provider2-integ-test failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Thumbprint list must contain at least one entry. (Service: Iam, Status Code: 400, Request ID: 117aab55-6bd3-4521-b478-c065f144c48f)" (RequestToken: 618dd5f3-0cc7-a4f0-d899-f2d793dc5f4b, HandlerErrorCode: InvalidRequest), Resource handler returned message: "Thumbprint list must contain at least one entry. (Service: Iam, Status Code: 400, Request ID: b9dbef07-5151-480e-8e74-8e15fe414db6)" (RequestToken: 35d9515c-d891-edd8-123d-73a69ffbd4af, HandlerErrorCode: InvalidRequest)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[WarFox]

Clarification Request

What do you think of renaming iam.OpenIdConnectProvider2 to iam.OidcProvider?

I chose OpenIdConnectProvider2, just to make sure not to introduce a breaking change to OpenIdConnectProvider that uses a custom resource and follows the same naming pattern.

OidcProvider will be better suited to match with the AWS::IAM::OIDCProvider resource in CloudFormation.

I suggest the following name changes:

IOpenIdConnectProvider2 - IOidcProvider
OpenIdConnectProvider2Props  -> OidcProviderProps
OpenIdConnectProvider2 -> OidcProvider

and filename change to

aws-iam/lib/oidc-provider2.ts -> aws-iam/lib/oidc-provider-cfn.ts

[paulhcsun]

The implementation for the original OpenIdConnectProvider passed in a CodeHash from the provider so that CFN invokes the UPDATE handler when there are code change but the properties of the resource haven't changed.

Is this problem is fixed by using CfnOIDCProvider?

For more context: https://github.com/aws/aws-cdk/pull/22802/files#r1018838729

[WarFox]

thank you for the comment. I shall look into this

[paulhcsun]

Hi @WarFox, I agree that using the name OidcProvider makes sense because it better aligns with the AWS::IAM::OIDCProvider that is being used but I feel like it may create too much confusion with the old resource, at least not without a lot more documentation.

After discussing with the team I believe the best option here is to use a feature flag and add changes to the existing OpenIdConnectProvider as suggested here: #16014 (comment) with the following caveats:

• The feature flag should toggle between the two constructs, OpenIdConnectProvider, and OpenIdConnectProvider2 in the constructor of OpenidConnectProvider.
• Rename OpenIdConnectProvider2 to OpenIdConnectProviderNative. But don't export it, only allow it to be used via OpenIdConnectProvider + feature flag

[WarFox]

thanks for pointing out to #16014 (comment) @paulhcsun. I shall look into how a feature flag is helpful for this, it is interesting.

What do you think of naming it OidcProvider instead of OpenIdConnectProviderNative? When I come from using a CloudFormation resource to a CDK resource, I usually expect name parity. It will also be helpful from a search point of view i.e. someone searching for OidcProvider will find the correct resource too.

Just to confirm, is the consensus in your team NOT to deprecate OpenIdConnectProvider?

[paulhcsun]

Hey @WarFox,

While I agree that it would be good to have name parity with OidcProvider, I don't think the name is clear how it's different from OpenIdConnectProvider. Having Native in the name makes it explicit what the difference is. Or at the very least something like OIDCProviderNative if we want to have the resource show up when users search for "oidc".

My opinion is to go with OpenIdConnectProviderNative as it's meant to replace OpenIdConnectProvider so users switching over would expect to search for the same name when looking for this resource.

As for deprecation, we would NOT deprecate OpenIdConnectProvider as it would still be used to return the new OpenIdConnectProviderNative through its constructor when the feature flag is enabled. However we should still document somewhere that the old version which uses custom resources is deprecated. One place could be here, and then explain the new feature flag and how it would return the new version of OpenIdConnectProviderNative.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 491b6d3
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[paulhcsun]

Hi @WarFox, thank you for your patience and continued effort on this! I've just left 2 final comments and then I am happy to approve once they have been addressed.

[paulhcsun]

Since the old OpenIdConnectProvider is still being used in EKS, I don't think we can deprecate this just yet. Apologies for the churn but I did not realize this when making the original suggestion. For the time being we will have to just support both of these. On this note as well, because the old OpenIdConnectProvider will not be deprecated we should probably rename the new OidcProvider to be OidcProviderNative so that there will be a distinction at least. Then in CDK v3 we will be able to remove the old OpenIdConnectProvider and then we can remove the Native from OidcProviderNative.

[paulhcsun]

I think we don't actually need a new interface here since this is identical to the old IOpenIdConnectProvider

aws-cdk/packages/aws-cdk-lib/aws-iam/lib/oidc-provider.ts

Lines 13 to 27 in d1b3c81

	/**
	* Represents an IAM OpenID Connect provider.
	*
	*/
	export interface IOpenIdConnectProvider extends IResource {
	/**
	* The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.
	*/
	readonly openIdConnectProviderArn: string;
	/**
	* The issuer for OIDC Provider
	*/
	readonly openIdConnectProviderIssuer: string;
	}

Let's just implement that one instead of creating a new duplicate.

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[aws-cdk-automation]

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Features must contain a change to a README file.

PRs must pass status checks before we can provide a meaningful review.

If you would like to request an exemption from the status checks or clarification on feedback, please leave a comment on this PR containing Exemption Request and/or Clarification Request.