cdk cleanup

hans-m-song · May 5, 2024 · f9b060e · f9b060e
1 parent c548c6c
commit f9b060e
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 28 deletions.
diff --git a/aws/bin/index.ts b/aws/bin/index.ts
@@ -77,27 +77,15 @@ new ECRPublicStack(app, "ECRPublic", {
   repositories: Object.values(ECR),
 });
 
-new GithubActionsOIDCProviderStack(app, "GithubActionsOIDCProvider", {
-  env: { region: Region.Sydney },
-});
-
 new HostedZoneUpdateStack(app, "HostedZoneUpdateStack", {
   env: { region: Region.Sydney },
   hostedZones: Object.values(hostedZones),
 });
 
-new ManagedPolicyStack(app, "ManagedPolicy", {
-  env: { region: Region.Sydney },
-});
-
 new NewRelicIntegrationStack(app, "NewRelicIntegration", {
   env: { region: Region.Sydney },
 });
 
-new TerraformBackendStack(app, "TerraformBackend", {
-  env: { region: Region.Sydney },
-});
-
 for (const child of app.node.children) {
   (child as Stack).tag();
 }
diff --git a/aws/lib/constructs/cloudformation/GithubActionsOIDCProviderStack.ts b/aws/lib/constructs/cloudformation/GithubActionsOIDCProviderStack.ts
@@ -174,9 +174,10 @@ export class GithubActionsOIDCProviderStack extends Stack {
   role(
     id: string,
     claims: GithubActionsSubjectClaims[],
-    parameterName?: string,
+    opts?: { parameterName?: string; roleName?: string },
   ) {
-    const role = new GithubActionsRole(this, id, { claims });
+    const { parameterName, roleName } = opts ?? {};
+    const role = new GithubActionsRole(this, id, { roleName, claims });
 
     this.output(`${id}ARN`, role.roleArn);
 

diff --git a/aws/lib/constructs/iam/GithubActionsRole.ts b/aws/lib/constructs/iam/GithubActionsRole.ts
@@ -20,7 +20,6 @@ export interface GithubActionsSubjectClaims {
     ref?: string;
     pr?: boolean;
   };
-  workflowRef?: string;
   actor?: string;
 }
 
@@ -49,24 +48,22 @@ export class GithubActionsFederatedPrincipal extends FederatedPrincipal {
 
   private static formatClaims(claims: GithubActionsSubjectClaims): string[] {
     const contexts = [];
-    const { env, ref, pr } = claims.context;
+    const repo = `repo:${claims.repo}`;
+    const actor = `actor:${claims.actor ?? "*"}`;
 
-    if (pr) {
-      contexts.push("pull_request");
+    if (claims.context.pr) {
+      contexts.push(`${repo}:pull_request:${actor}`);
     }
 
-    if (ref) {
-      contexts.push(`ref:refs/heads/${ref}`);
+    if (claims.context.ref) {
+      contexts.push(`${repo}:ref:refs/heads/${claims.context.ref}:${actor}`);
     }
 
-    if (env) {
-      contexts.push(`environment:${env}`);
+    if (claims.context.env) {
+      contexts.push(`${repo}:environment:${claims.context.env}:${actor}`);
     }
 
-    const repo = `repo:${claims.repo}`;
-    const actor = `actor:${claims.actor ?? "*"}`;
-
-    return contexts.map((context) => [repo, context, actor].join(":"));
+    return contexts;
   }
 }
 

diff --git a/aws/templates/TerraformInfrastructure.yaml b/aws/templates/TerraformInfrastructure.yaml
@@ -98,6 +98,7 @@ Resources:
   DeployPolicy:
     Type: AWS::IAM::ManagedPolicy
     Properties:
+      ManagedPolicyName: terraform-deploy-policy
       Description: Permissions to access Terraform state resources
       Path: /
       Roles:
@@ -138,7 +139,7 @@ Resources:
               - Fn::GetAtt: StateLockTable.Arn
           - Effect: Allow
             Action:
-              - "*"
+              - '*'
             Resource:
               - Fn::Sub: arn:${AWS::Partition}:acm:*:${AWS::AccountId}:certificate/*
               - Fn::Sub: arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider/*
@@ -158,4 +159,4 @@ Resources:
               - route53:ListTagsForResources
               - ssm:DescribeParameters
             Resource:
-              - "*"
+              - '*'