fix: simplify OpenIdConnectProvider using CfnOIDCProvider

closes aws#21197 OpenIdConnectProvider is implemented as Custom Resource using Lambda. This is not recommended anymore because we have CloudFormation resource that can be used directly. "AWS::IAM::OIDCProvider" resource is available as "CfnOIDCProvider"
WarFox · Jan 5, 2024 · 8741c31 · 8741c31
1 parent c4aec95
commit 8741c31
Showing 1 changed file with 31 additions and 49 deletions.
diff --git a/packages/aws-cdk-lib/aws-iam/lib/oidc-provider.ts b/packages/aws-cdk-lib/aws-iam/lib/oidc-provider.ts
@@ -1,14 +1,6 @@
-import { Construct } from 'constructs';
-import {
-  Arn,
-  CustomResource,
-  IResource,
-  Resource,
-  Token,
-} from '../../core';
-import { OidcProvider } from '../../custom-resource-handlers/dist/aws-iam/oidc-provider.generated';
-
-const RESOURCE_TYPE = 'Custom::AWSCDKOpenIdConnectProvider';
+import { Construct } from "constructs";
+import { Arn, IResource, Resource, Token } from "../../core";
+import { CfnOIDCProvider } from "./iam.generated";
 
 /**
  * Represents an IAM OpenID Connect provider.
@@ -99,15 +91,24 @@ export interface OpenIdConnectProviderProps {
  *
  * @resource AWS::CloudFormation::CustomResource
  */
-export class OpenIdConnectProvider extends Resource implements IOpenIdConnectProvider {
+export class OpenIdConnectProvider
+  extends Resource
+  implements IOpenIdConnectProvider {
   /**
    * Imports an Open ID connect provider from an ARN.
    * @param scope The definition scope
    * @param id ID of the construct
    * @param openIdConnectProviderArn the ARN to import
    */
-  public static fromOpenIdConnectProviderArn(scope: Construct, id: string, openIdConnectProviderArn: string): IOpenIdConnectProvider {
-    const resourceName = Arn.extractResourceName(openIdConnectProviderArn, 'oidc-provider');
+  public static fromOpenIdConnectProviderArn(
+    scope: Construct,
+    id: string,
+    openIdConnectProviderArn: string
+  ): IOpenIdConnectProvider {
+    const resourceName = Arn.extractResourceName(
+      openIdConnectProviderArn,
+      "oidc-provider"
+    );
 
     class Import extends Resource implements IOpenIdConnectProvider {
       public readonly openIdConnectProviderArn = openIdConnectProviderArn;
@@ -135,45 +136,26 @@ export class OpenIdConnectProvider extends Resource implements IOpenIdConnectPro
    * @param id Construct ID
    * @param props Initialization properties
    */
-  public constructor(scope: Construct, id: string, props: OpenIdConnectProviderProps) {
+  public constructor(
+    scope: Construct,
+    id: string,
+    props: OpenIdConnectProviderProps
+  ) {
     super(scope, id);
 
-    const provider = this.getOrCreateProvider();
-    const resource = new CustomResource(this, 'Resource', {
-      resourceType: RESOURCE_TYPE,
-      serviceToken: provider.serviceToken,
-      properties: {
-        ClientIDList: props.clientIds,
-        ThumbprintList: props.thumbprints,
-        Url: props.url,
-
-        // code changes can cause thumbprint changes in case they weren't explicitly provided.
-        // add the code hash as a property so that CFN invokes the UPDATE handler in these cases,
-        // thus updating the thumbprint if necessary.
-        CodeHash: provider.codeHash,
-      },
+    const resource = new CfnOIDCProvider(this, "Resource", {
+      url: props.url,
+      clientIdList: props.clientIds,
+      thumbprintList: props.thumbprints,
     });
 
     this.openIdConnectProviderArn = Token.asString(resource.ref);
-    this.openIdConnectProviderIssuer = Arn.extractResourceName(this.openIdConnectProviderArn, 'oidc-provider');
-    this.openIdConnectProviderthumbprints = Token.asString(resource.getAtt('Thumbprints'));
-  }
-
-  private getOrCreateProvider() {
-    return OidcProvider.getOrCreateProvider(this, RESOURCE_TYPE, {
-      policyStatements: [
-        {
-          Effect: 'Allow',
-          Resource: '*',
-          Action: [
-            'iam:CreateOpenIDConnectProvider',
-            'iam:DeleteOpenIDConnectProvider',
-            'iam:UpdateOpenIDConnectProviderThumbprint',
-            'iam:AddClientIDToOpenIDConnectProvider',
-            'iam:RemoveClientIDFromOpenIDConnectProvider',
-          ],
-        },
-      ],
-    });
+    this.openIdConnectProviderIssuer = Arn.extractResourceName(
+      this.openIdConnectProviderArn,
+      "oidc-provider"
+    );
+    this.openIdConnectProviderthumbprints = Token.asString(
+      resource.getAtt("Thumbprints")
+    );
   }
 }