chore(eks): Integ Test for OIDCP Certificate Retrieval #22608

Merged
merged 48 commits into from Nov 3, 2022
7248763
oidc integ test additions
comcalvi Oct 11, 2022
ae5e58c
moved integ test in
comcalvi Oct 18, 2022
c7aad55
tmp
comcalvi Oct 18, 2022
5e1bb36
temp
comcalvi Oct 21, 2022
abe5cb1
add missing js
comcalvi Oct 21, 2022
287bf0b
WORKING integ test
comcalvi Oct 21, 2022
15bf70a
integ test finalized
comcalvi Oct 21, 2022
3e61a81
finalized integ test
comcalvi Oct 21, 2022
8407f56
remove unneeded api member
comcalvi Oct 21, 2022
90ae922
uneeded change
comcalvi Oct 21, 2022
6548d0b
merge from main + rerun integ test
comcalvi Oct 22, 2022
45f82c2
missing src file
comcalvi Oct 24, 2022
7d629d4
extra newline
comcalvi Oct 24, 2022
33bca74
clean
comcalvi Oct 24, 2022
98f3b2d
successful integ test run
comcalvi Oct 25, 2022
5cdf790
removed extra dependency
comcalvi Oct 25, 2022
d47a079
package-lock
comcalvi Oct 27, 2022
8e2e250
private fork testing
comcalvi Oct 28, 2022
2aa30b7
update workflow
comcalvi Oct 28, 2022
d2ff167
syntax error
comcalvi Oct 28, 2022
b832ca8
final run
comcalvi Oct 30, 2022
f821343
Merge branch 'main' into eksIntegTest
iliapolo Nov 1, 2022
1ba03ae
rename
comcalvi Nov 2, 2022
0a28522
oidc integ test additions
comcalvi Oct 11, 2022
6e7c8d8
moved integ test in
comcalvi Oct 18, 2022
261edc2
tmp
comcalvi Oct 18, 2022
a6b9ec8
temp
comcalvi Oct 21, 2022
e2e02f1
add missing js
comcalvi Oct 21, 2022
a34e87c
WORKING integ test
comcalvi Oct 21, 2022
0b48d60
integ test finalized
comcalvi Oct 21, 2022
bdad7a0
finalized integ test
comcalvi Oct 21, 2022
38b020c
remove unneeded api member
comcalvi Oct 21, 2022
4d10558
uneeded change
comcalvi Oct 21, 2022
2866f5a
merge from main + rerun integ test
comcalvi Oct 22, 2022
babb7b9
missing src file
comcalvi Oct 24, 2022
aa04ae8
extra newline
comcalvi Oct 24, 2022
9f05f74
clean
comcalvi Oct 24, 2022
ceda1a7
successful integ test run
comcalvi Oct 25, 2022
3a56b37
removed extra dependency
comcalvi Oct 25, 2022
5f7b948
package-lock
comcalvi Oct 27, 2022
272a9e8
private fork testing
comcalvi Oct 28, 2022
5a52e7c
update workflow
comcalvi Oct 28, 2022
cd41774
syntax error
comcalvi Oct 28, 2022
c847384
final run
comcalvi Oct 30, 2022
f9498b4
rename
comcalvi Nov 2, 2022
af88f83
Merge branch 'eksMergeMain' into eksIntegTest
comcalvi Nov 2, 2022
0bb1b30
hopefully we're up to date with the new integ test form now
comcalvi Nov 2, 2022
595017a
Merge branch 'main' into eksIntegTest
mergify[bot] Nov 3, 2022
4 changes: 2 additions & 2 deletions .github/workflows/yarn-upgrade.yml
Expand Up @@ -38,8 +38,6 @@ jobs:
- name: Install Tools
run: |-
npm -g install lerna npm-check-updates@^9.0.0
- name: Build CLI
run: cd packages/aws-cdk && ../../scripts/buildup
- name: Build Integ Runner
run: cd packages/@aws-cdk/integ-runner && ../../../scripts/buildup
- name: List Mono-Repo Packages
Expand Down Expand Up @@ -69,6 +67,8 @@ jobs:
for pj in $(find packages/aws-cdk/lib/init-templates -name package.json); do
(cd $(dirname $pj) && ncu --upgrade --reject='@types/jest,@types/node,@types/prettier,@types/fs-extra,constructs,typescript,aws-sdk,aws-sdk-mock,ts-jest,jest,${{ steps.list-packages.outputs.list }}')
done
# Upgrade dependencies at an aws-eks integ test docker image
cd packages/@aws-cdk/aws-eks/test/sdk-call-integ-test-docker-app/app/ && ncu --upgrade --reject='@types/jest,@types/node,@types/prettier,@types/fs-extra,constructs,typescript,aws-sdk,aws-sdk-mock,ts-jest,jest,${{ steps.list-packages.outputs.list }}'

# This will ensure the current lockfile is up-to-date with the dependency specifications (necessary for "yarn update" to run)
- name: Run "yarn install"
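Review bot: The new `cd packages/@aws-cdk/aws-eks/test/sdk-call-integ-test-docker-app/app/ && ncu ...` line in the second hunk changes the step's working directory for anything that follows in the same `run` block, whereas the loop body just above scopes its `cd` inside a subshell; writing it the same way, `(cd packages/@aws-cdk/aws-eks/test/sdk-call-integ-test-docker-app/app/ && ncu --upgrade --reject='@types/jest,@types/node,@types/prettier,@types/fs-extra,constructs,typescript,aws-sdk,aws-sdk-mock,ts-jest,jest,${{ steps.list-packages.outputs.list }}')`, keeps later commands order-independent. The `--reject` list is now duplicated verbatim between the loop and this line, so a shell variable holding it once would stop the two from drifting apart. Whether any further command follows in this run block is not visible in the hunk.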
4 changes: 3 additions & 1 deletion packages/@aws-cdk/aws-eks/package.json
Expand Up @@ -102,6 +102,7 @@
"dependencies": {
"@aws-cdk/aws-autoscaling": "0.0.0",
"@aws-cdk/aws-ec2": "0.0.0",
"@aws-cdk/aws-ecr-assets": "0.0.0",
"@aws-cdk/aws-s3-assets": "0.0.0",
"@aws-cdk/aws-iam": "0.0.0",
"@aws-cdk/aws-kms": "0.0.0",
Expand Down Expand Up @@ -134,7 +135,8 @@
"@aws-cdk/lambda-layer-awscli": "0.0.0",
"@aws-cdk/lambda-layer-kubectl": "0.0.0",
"@aws-cdk/lambda-layer-node-proxy-agent": "0.0.0",
"constructs": "^10.0.0"
"constructs": "^10.0.0",
"@aws-cdk/aws-ecr-assets": "0.0.0"
},
"engines": {
"node": ">= 14.15.0"
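Review bot: `@aws-cdk/aws-ecr-assets` is added to both `dependencies` and `peerDependencies`, which makes every consumer of aws-eks pull it in; if its only use is the new integ test (the sdk-call-integ-test-docker-app path touched elsewhere in this PR suggests an image asset built only under test/), it belongs in `devDependencies` instead. The second hunk also appends the entry after `"constructs": "^10.0.0",` rather than alongside the other `@aws-cdk/*` entries above it, so placing it next to `"@aws-cdk/lambda-layer-node-proxy-agent": "0.0.0",` would keep the list grouped. Whether code under lib/ imports ecr-assets is not visible here.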
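--- a/packages/@aws-cdk/aws-eks/test/bucket-pinger/bucket-pinger.ts
+++ b/packages/@aws-cdk/aws-eks/test/bucket-pinger/bucket-pinger.ts
@@ -0,0 +1,51 @@
+import * as ec2 from '@aws-cdk/aws-ec2';
+import * as iam from '@aws-cdk/aws-iam';
+import * as lambda from '@aws-cdk/aws-lambda';
+import { CustomResource, Token, Duration } from '@aws-cdk/core';
+import * as cr from '@aws-cdk/custom-resources';
+import { Construct } from 'constructs';
+
+export interface PingerProps {
+readonly securityGroup?: ec2.SecurityGroup;
+readonly vpc?: ec2.IVpc;
+readonly subnets?: ec2.ISubnet[];
+}
+export class BucketPinger extends Construct {
+
+private _resource: CustomResource;
+
+constructor(scope: Construct, id: string, props: PingerProps) {
+super(scope, id);
+
+const func = new lambda.Function(this, 'Function', {
+code: lambda.Code.fromAsset(`${__dirname}/function`),
+handler: 'index.handler',
+runtime: lambda.Runtime.PYTHON_3_9,
+vpc: props.vpc,
+vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
+securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
+timeout: Duration.minutes(1),
+});
+
+if (!func.role) {
+throw new Error('pinger lambda has no execution role!');
+}
+
+func.role.addToPrincipalPolicy(new iam.PolicyStatement({
+actions: ['s3:DeleteBucket', 's3:ListBucket'],
+resources: ['arn:aws:s3:::*'],
+}));
+
+const provider = new cr.Provider(this, 'Provider', {
+onEventHandler: func,
+});
+
+this._resource = new CustomResource(this, 'Resource', {
+serviceToken: provider.serviceToken,
+});
+}
+
+public get response() {
+return Token.asString(this._resource.getAtt('Value'));
+}
+}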
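Review bot: The statement added to `func.role` grants `s3:DeleteBucket` and `s3:ListBucket` on `arn:aws:s3:::*`, i.e. deletion rights over every bucket in the account, while the handler in this PR's `function/index.py` only ever touches the single hard-coded bucket `amazingly-made-sdk-call-created-eks-bucket`; narrowing to `resources: ['arn:aws:s3:::amazingly-made-sdk-call-created-eks-bucket'],` keeps the test's blast radius to that one bucket. A one-line comment on the statement naming the bucket it must match would keep the two files in step. Separately, `securityGroup?: ec2.SecurityGroup` could accept the `ec2.ISecurityGroup` interface so imported groups can be passed, and the `response` getter on an exported class has no declared return type (`public get response(): string`).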
34 changes: 34 additions & 0 deletions packages/@aws-cdk/aws-eks/test/bucket-pinger/function/index.py
@@ -0,0 +1,34 @@
import json
import logging
import boto3

logger = logging.getLogger()
logger.setLevel(logging.INFO)

def handler(event, context):
print(json.dumps(event))

request_type = event['RequestType']
props = event['ResourceProperties']

s3_bucket_name = 'amazingly-made-sdk-call-created-eks-bucket'
s3 = boto3.client('s3')

if request_type in ['Create', 'Update']:
logger.info(f'making sdk call to check if bucket with name {s3_bucket_name} exists')

try:
s3.head_bucket(Bucket=s3_bucket_name)
except Exception as error:
raise RuntimeError(f'failed to head bucket with error: {str(error)}')
return {'Data': {'Value': f'confirmed that bucket with name {s3_bucket_name} exists' }}

elif request_type == 'Delete':
logger.info(f'making sdk call to delete bucket with name {s3_bucket_name}')

try:
s3.delete_bucket(Bucket=s3_bucket_name)
except Exception as error:
# If the bucket does not exist, then this error will be thrown
raise RuntimeError(f'failed to delete bucket: {str(error)}')
return {'Data': {'Value': f'bucket with name {s3_bucket_name} has been deleted' }}
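Review bot: On `Delete`, a bucket that is already gone is turned into a `RuntimeError` (the comment above `except Exception` says as much), which fails the custom resource and can leave the integ stack unable to tear down; catching that case first, `except s3.exceptions.NoSuchBucket:` followed by `return {'Data': {'Value': f'bucket with name {s3_bucket_name} was already absent'}}`, lets cleanup complete and keeps the generic handler for real failures. Both `raise RuntimeError(...)` lines discard the boto3 error context; `raise RuntimeError(f'failed to delete bucket: {str(error)}') from error` keeps the original ClientError in the traceback. `props` is read from `event['ResourceProperties']` but never used, and a request type other than Create, Update or Delete falls off the end of the function and returns `None`, which the custom resource framework will not report as a failure.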
@@ -0,0 +1,4 @@
export declare function arrayDiff(oldValues: string[], newValues: string[]): {
adds: string[];
deletes: string[];
};

@@ -0,0 +1,17 @@
export function arrayDiff(oldValues: string[], newValues: string[]) {
const deletes = new Set(oldValues);
const adds = new Set<string>();

for (const v of new Set(newValues)) {
if (deletes.has(v)) {
deletes.delete(v);
} else {
adds.add(v);
}
}

return {
adds: Array.from(adds),
deletes: Array.from(deletes),
};
}
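Review bot: `arrayDiff` is exported without a return type annotation, so the `{ adds, deletes }` shape callers rely on is inferred rather than declared; `export function arrayDiff(oldValues: readonly string[], newValues: readonly string[]): { adds: string[]; deletes: string[] } {` pins it and records that neither input is mutated. A one-line TSDoc on the export, e.g. `/** Set difference of two string lists: values only in newValues are adds, values only in oldValues are deletes; duplicates are collapsed. */`, saves readers working it out from the loop. The sibling `.d.ts` hunk suggests this is a checked-in copy of handler code that exists elsewhere in the repo; if so, a comment naming the source file would explain the duplication.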
@@ -0,0 +1,24 @@
import * as aws from 'aws-sdk';
declare function defaultLogger(fmt: string, ...args: any[]): void;
/**
* Downloads the CA thumbprint from the issuer URL
*/
declare function downloadThumbprint(issuerUrl: string): Promise<string>;
export declare const external: {
downloadThumbprint: typeof downloadThumbprint;
log: typeof defaultLogger;
createOpenIDConnectProvider: (req: aws.IAM.CreateOpenIDConnectProviderRequest) => Promise<import("aws-sdk/lib/request").PromiseResult<aws.IAM.CreateOpenIDConnectProviderResponse, aws.AWSError>>;
deleteOpenIDConnectProvider: (req: aws.IAM.DeleteOpenIDConnectProviderRequest) => Promise<{
$response: aws.Response<{}, aws.AWSError>;
}>;
updateOpenIDConnectProviderThumbprint: (req: aws.IAM.UpdateOpenIDConnectProviderThumbprintRequest) => Promise<{
$response: aws.Response<{}, aws.AWSError>;
}>;
addClientIDToOpenIDConnectProvider: (req: aws.IAM.AddClientIDToOpenIDConnectProviderRequest) => Promise<{
$response: aws.Response<{}, aws.AWSError>;
}>;
removeClientIDFromOpenIDConnectProvider: (req: aws.IAM.RemoveClientIDFromOpenIDConnectProviderRequest) => Promise<{
$response: aws.Response<{}, aws.AWSError>;
}>;
};
export {};

@@ -0,0 +1,53 @@
/* istanbul ignore file */

import * as tls from 'tls';
import * as url from 'url';
// eslint-disable-next-line import/no-extraneous-dependencies
import * as aws from 'aws-sdk';

let client: aws.IAM;

function iam() {
if (!client) { client = new aws.IAM(); }
return client;
}

function defaultLogger(fmt: string, ...args: any[]) {
// eslint-disable-next-line no-console
console.log(fmt, ...args);
}

/**
* Downloads the CA thumbprint from the issuer URL
*/
async function downloadThumbprint(issuerUrl: string) {
external.log(`downloading certificate authority thumbprint for ${issuerUrl}`);
return new Promise<string>((ok, ko) => {
const purl = url.parse(issuerUrl);
const port = purl.port ? parseInt(purl.port, 10) : 443;
if (!purl.host) {
return ko(new Error(`unable to determine host from issuer url ${issuerUrl}`));
}
const socket = tls.connect(port, purl.host, { rejectUnauthorized: false, servername: purl.host });
socket.once('error', ko);
socket.once('secureConnect', () => {
const cert = socket.getPeerCertificate();
socket.end();
const thumbprint = cert.fingerprint.split(':').join('');
external.log(`certificate authority thumbprint for ${issuerUrl} is ${thumbprint}`);
ok(thumbprint);
});
});
}

// allows unit test to replace with mocks
/* eslint-disable max-len */
export const external = {
downloadThumbprint,
log: defaultLogger,
createOpenIDConnectProvider: (req: aws.IAM.CreateOpenIDConnectProviderRequest) => iam().createOpenIDConnectProvider(req).promise(),
deleteOpenIDConnectProvider: (req: aws.IAM.DeleteOpenIDConnectProviderRequest) => iam().deleteOpenIDConnectProvider(req).promise(),
updateOpenIDConnectProviderThumbprint: (req: aws.IAM.UpdateOpenIDConnectProviderThumbprintRequest) => iam().updateOpenIDConnectProviderThumbprint(req).promise(),
addClientIDToOpenIDConnectProvider: (req: aws.IAM.AddClientIDToOpenIDConnectProviderRequest) => iam().addClientIDToOpenIDConnectProvider(req).promise(),
removeClientIDFromOpenIDConnectProvider: (req: aws.IAM.RemoveClientIDFromOpenIDConnectProviderRequest) => iam().removeClientIDFromOpenIDConnectProvider(req).promise(),
};
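Review bot: `socket.getPeerCertificate()` inside the `secureConnect` handler is called without `detailed = true`, so it returns only the end-entity certificate the server presented; the value logged as the "certificate authority thumbprint" is therefore the leaf certificate's fingerprint, not its issuing CA's. If the thumbprint registered with IAM is meant to be the CA's, as the function's doc comment states, the handler should request the chain with `getPeerCertificate(true)` and walk `issuerCertificate` to the top of the presented chain before taking `fingerprint` (sketched below; which chain element IAM expects should be confirmed against the IAM OIDC provider documentation). Because the connection is opened with `rejectUnauthorized: false`, nothing validates that chain, so the result is whatever the peer sent; a comment on that option stating that this is a deliberate, unverified first-contact fetch would make the assumption visible to readers. `url.parse` is deprecated in Node; `new URL(issuerUrl)` exposes `hostname` and `port` directly.
```typescript
    socket.once('secureConnect', () => {
      // detailed = true returns the presented chain; issuerCertificate links each cert to its signer
      let cert = socket.getPeerCertificate(true);
      // walk up until the chain ends or points back at itself (a self-signed root)
      while (cert.issuerCertificate && cert.issuerCertificate !== cert) {
        cert = cert.issuerCertificate;
      }
      socket.end();
      const thumbprint = cert.fingerprint.split(':').join('');
      // … unchanged: log and ok(thumbprint) …
    });
```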
@@ -0,0 +1,3 @@
export declare function handler(event: AWSLambda.CloudFormationCustomResourceEvent): Promise<void | {
PhysicalResourceId: string | undefined;
}>;