Feat/sam pipeline OIDC #4270
Feat/sam pipeline OIDC #4270
Conversation
* support for GitHub Actions OIDC * GitHub Actions oidc support * Unit tests for GitHub Actions OIDC support * Add tests for GitHub Actions OIDC support * Add comments for new methods and fix formatting * use choice for identity provider instead of flag * Create pipeline oidc provider class * Remove unused methods * Add defaults for OIDC URL and ClientID * Get subject claim from object and use Session to get Client * Mock Session during test * Create method to share common logic * Add AllowedValues to CreateNewOidcProvider * Remove duplicate calls to samconfig * Add text to prompt * fix formatting * Add links to technical methods comments
* Support GitLab OIDC for pipeline bootstrap * Fix incorrect variable mappings * use constants instead of strings
* Support Bitbucket OIDC in pipeline bootstrap * Add documentation * Make capitlization consistent * Add comments to method * Re-use permissions provider answer for init * Make help text shorter * add constant inside constructor * Fix comments * move variables into class * change saved iam parameter * change help message * use dataclass
| @@ -121,6 +121,7 @@ def run_interactive_flows(self, context: Optional[Dict] = None) -> Dict: | |||
| """ | |||
| try: | |||
| context = context if context else {} | |||
| context["shared_values"] = "default" | |||
There was a problem hiding this comment.
Can you explain why this is needed? And can you also confirm that it won't break sam init flow?
There was a problem hiding this comment.
No it won't break the sam init flow. This value is used in sam pipeline init templates to utilize previous answer to skip some questions.
|
|
||
| from samcli.commands.pipeline.bootstrap.pipeline_oidc_provider import PipelineOidcProvider | ||
| from samcli.lib.config.samconfig import SamConfig | ||
| from samcli.lib.pipeline.bootstrap.stage import Stage | ||
|
|
||
| from samcli.commands.pipeline.bootstrap.oidc_config import ( | ||
| BitbucketOidcConfig, | ||
| GitHubOidcConfig, | ||
| OidcConfig, | ||
| GitLabOidcConfig, | ||
| ) | ||
|
|
There was a problem hiding this comment.
Apologies for been picky, but these imports can be moved down as well.
There was a problem hiding this comment.
These imports are also used in another function as input, so I think they need to be at the top. Correct me if I'm wrong.
There was a problem hiding this comment.
looks like they are used in other functions only for type indication. We can wrap them by quotes instead, e.g.
def my_function(arg: "MyClass"):
pass
There was a problem hiding this comment.
Good suggestion! Make it work. Thanks!
| required=False, | ||
| ) | ||
| @click.option( | ||
| "--gitlab-group", |
There was a problem hiding this comment.
Some of these options don't play well with each other I'm assuming. There needs to be appropriate error messaging if they are specified together.
There was a problem hiding this comment.
Currently it takes all options then decides which option to use based on what oidc-provider is. I see your point is helpful. I'm thinking we can leave it to another PR for improvements which includes some refactoring.
There was a problem hiding this comment.
I learned from @xazhao that these new options, if not applicable, will just be ignored. I think it makes sense to handle them for now, as at least these different groups (GH Action, Gitlab and Bitbucket) won't conflict each other. But IMO there's a room to improve in terms of UX, to give customers clearer messages about what options they really need to supply.
| { | ||
| "Effect": "Allow", | ||
| "Principal": { | ||
| "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${Url}" |
There was a problem hiding this comment.
use AWS::Partition instead of :aws: , other places need to be cross checked as well.
There was a problem hiding this comment.
Good catch! Will update it.
| click.echo("\t1 - IAM (default)") | ||
| click.echo("\t2 - OpenID Connect (OIDC)") | ||
| user_provider = click.prompt("Choice", type=click.Choice((["1", "2"])), show_default=False, default="1") | ||
| self.permissions_provider = OPEN_ID_CONNECT if user_provider == "2" else "iam" |
There was a problem hiding this comment.
nit: why not also use a constant for "iam"?
There was a problem hiding this comment.
Good catch. Updating it to a constant.
|
|
||
| from samcli.commands.pipeline.bootstrap.pipeline_oidc_provider import PipelineOidcProvider | ||
| from samcli.lib.config.samconfig import SamConfig | ||
| from samcli.lib.pipeline.bootstrap.stage import Stage | ||
|
|
||
| from samcli.commands.pipeline.bootstrap.oidc_config import ( | ||
| BitbucketOidcConfig, | ||
| GitHubOidcConfig, | ||
| OidcConfig, | ||
| GitLabOidcConfig, | ||
| ) | ||
|
|
There was a problem hiding this comment.
looks like they are used in other functions only for type indication. We can wrap them by quotes instead, e.g.
def my_function(arg: "MyClass"):
pass
There was a problem hiding this comment.
Conditionally approving this based on following follow-on improvements.
- Improved error messaging when conflicting options are chosen.
- Improved handling on changing the entities referenced within the configuration file through
parameters - Showcase in the help text which options are related and go together, there are a lot of options for this command at present.
- Lazy imports within cli() instead of top level imports, this causes the help text loading to slow down.
hawflau
dismissed
mndeveci’s stale review
dismissing as two approvals are obtained
Which issue(s) does this change fix?
Adding OIDC support to SAM Pipeline.
Why is this change necessary?
How does it address the issue?
What side effects does this change have?
Mandatory Checklist
PRs will only be reviewed after checklist is complete
make prpassesmake update-reproducible-reqsif dependencies were changedBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.