Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(iam): move OpenIdConnectProvider to native Cfn resource #16014

Closed
wants to merge 1 commit into from
Closed

feat(iam): move OpenIdConnectProvider to native Cfn resource #16014

wants to merge 1 commit into from

Conversation

CaerusKaru
Copy link
Contributor

@CaerusKaru CaerusKaru commented Aug 12, 2021
edited
Loading

An L1 construct is now available for OpenID IAM identity providers.
This moves the previous L2 construct to use the L1 instead of the
existing custom resource, relieving the user of both the resource
overhead and the permissioning implications of the attached role.

BREAKING CHANGE: OpenIdConnectProvider::fromOpenIdConnectProviderArn -> OpenIdConnectProvider::fromOidcProviderArn

  • iam: OpenIdConnectProvider.openIdConnectProviderArn -> OpenIdConnectProvider::oidcProviderArn
  • iam: OpenIdConnectProviderProps.thumbprints now requires at least one entry
  • iam: The custom resource behind OpenIdConnectProvider has been removed and is no longer available

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Aug 12, 2021

@CaerusKaru CaerusKaru force-pushed the master branch 3 times, most recently from 281f850 to d86938f Compare August 12, 2021 06:33
feat(iam): move OpenIdConnectProvider to native Cfn resource
dfd0d34 
An L1 construct is now available for OpenID IAM identity providers.
This moves the previous L2 construct to use the L1 instead of the
existing custom resource, relieving the user of both the resource
overhead and the permissioning implications of the attached role.

BREAKING CHANGE: `OpenIdConnectProvider::fromOpenIdConnectProviderArn` -> `OpenIdConnectProvider::fromOidcProviderArn`
* **iam:** `OpenIdConnectProvider.openIdConnectProviderArn` -> `OpenIdConnectProvider::oidcProviderArn`
* **iam:** `OpenIdConnectProviderProps.thumbprints` now requires at least one entry
* **iam:** The custom resource behind `OpenIdConnectProvider` has been removed and is no longer available
@CaerusKaru
Copy link
Contributor Author

Yes, I know this is a breaking change for IAM, and yes I know IAM is stable. But custom resource to stable CloudFormation resource seems like the right move to me in general. Happy to target this to a new branch or anything else.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: dfd0d34
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@rix0rrr
Copy link
Contributor

rix0rrr commented Aug 12, 2021
edited
Loading

I don't disagree that this is better, but we have to think about the implications for already-deployed stacks. Can I make the following suggestion:

  • Rename current OpenIdConnectProvider to OpenIdConnectProviderCustomResource (or OpenIdConnectProviderLegacy)
  • Add the new provider as OpenIdConnectProviderNative

And then feature-flag the implementation of OpenIdConnectProvider to look like this:

class OpenIdConnectProvider extends Resource {
  constructor(...props) {
    
    if (FeatureFlags.of(this).isEnabled(IAM_NATIVE_OPENID_CONNECT_PROVIDER)) {
      new OpenIdConnectProviderNative(this, 'Default', props);
    } else {
      new OpenIdConnectCustomResource(this, 'Default', props);
    }
  }
}

And then document the shit out of it... @eladb what do you think?

BTW this needs to be a flag that does NOT go away in V2, because we want people to be able to upgrade to V2 without having to force a recreation of this resource. @nija-at as the person with the most state on Feature Flags, what would that look like?

@nija-at
Copy link
Contributor

nija-at commented Aug 12, 2021

BTW this needs to be a flag that does NOT go away in V2, because we want people to be able to upgrade to V2 without having to force a recreation of this resource. @nija-at as the person with the most state on Feature Flags, what would that look like?

Just adding the feature flag and not doing anything extra for v2 will just work here.
If we need the default for the flag to be changed to 'true' (not the one in cdk.json init template), then we change that in the v2 branch -

aws-cdk/packages/@aws-cdk/cx-api/lib/features.ts

Line 214 in 2f92e63

const FUTURE_FLAGS_DEFAULTS: { [key: string]: boolean } = {

@nija-at nija-at removed their assignment Aug 12, 2021
@nija-at nija-at added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Aug 12, 2021
@eladb eladb removed their assignment Aug 17, 2021
@TheRealAmazonKendra
Copy link
Contributor

This PR has been deemed to be abandoned, and will be closed. Please create a new PR for these changes if you think this decision has been made in error.

@douglasnaphas douglasnaphas mentioned this pull request May 28, 2023
Open
2 tasks
@paulhcsun paulhcsun mentioned this pull request Feb 22, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@rix0rrr rix0rrr

Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@CaerusKaru @aws-cdk-automation @rix0rrr @nija-at @TheRealAmazonKendra @eladb