Fix AWS OIDC TS example (#1719)

It's not possible to have a single stack which handles both the use case of creating a new OIDC provider and also adding an audience if none exists. This change removes the conditional creation of an OIDC provider and assumes none exists.
pulumi · Nov 5, 2024 · 0d9c91d · 0d9c91d
2 parents b8e9ac1 + bd32722
commit 0d9c91d
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 31 deletions.
diff --git a/aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml b/aws-ts-oidc-provider-pulumi-cloud/Pulumi.yaml
@@ -11,3 +11,6 @@ template:
     escProject:
       description: The name of the ESC project in which to place a generated environment.
       default: aws
+    escEnvironmentName:
+      description: The name of the ESC environment to generate.
+      default: aws-oidc-admin
diff --git a/aws-ts-oidc-provider-pulumi-cloud/index.ts b/aws-ts-oidc-provider-pulumi-cloud/index.ts
@@ -1,20 +1,19 @@
 // Copyright 2024, Pulumi Corporation.  All rights reserved.
-
 import * as aws from "@pulumi/aws";
-import * as command from "@pulumi/command";
 import * as pulumi from "@pulumi/pulumi";
 import * as pulumiservice from "@pulumi/pulumiservice";
 import * as tls from "@pulumi/tls";
 
 const config = new pulumi.Config();
 const escProject = config.require("escProject");
+const escEnvName = config.require("escEnvironmentName");
 
 const pulumiOrg = pulumi.getOrganization();
 
 // NOTE: At the time of writing, if you are still using the legacy "default"
 // organization, the format for the audience OIDC claim is different. Best
 // practice is to avoid using the legacy default project.
-const oidcAudience = escProject == "default" ? pulumiOrg : `aws:${pulumiOrg}`;
+const oidcAudience = escProject === "default" ? pulumiOrg : `aws:${pulumiOrg}`;
 
 const oidcIdpUrl: string = "https://api.pulumi.com/oidc";
 
@@ -24,32 +23,13 @@ const certs = tls.getCertificateOutput({
 
 const thumbprint = certs.certificates[0].sha1Fingerprint;
 
-function getProviderArn() {
-    const existingProvider = aws.iam.getOpenIdConnectProviderOutput({
-        url: oidcIdpUrl,
-    });
-
-    if (existingProvider) {
-        console.log("OIDC Provider already exists. Adding current Pulumi org as an audience to the existing provider.");
-
-        new command.local.Command("oidc-client-id", {
-            create: pulumi.interpolate`aws iam add-client-id-to-open-id-connect-provider --open-id-connect-provider-arn ${existingProvider.arn} --client-id ${oidcAudience}`,
-            delete: pulumi.interpolate`aws iam remove-client-id-from-open-id-connect-provider --open-id-connect-provider-arn ${existingProvider.arn} --client-id ${oidcAudience}`,
-        });
-        return existingProvider.arn;
-    } else {
-        const provider = new aws.iam.OpenIdConnectProvider("oidcProvider", {
-            clientIdLists: [pulumiOrg],
-            url: oidcIdpUrl,
-            thumbprintLists: [thumbprint],
-        });
-        return provider.arn;
-    }
-}
-
-export const arn: pulumi.Output<string> = getProviderArn();
+const provider = new aws.iam.OpenIdConnectProvider("oidcProvider", {
+    clientIdLists: [oidcAudience],
+    url: oidcIdpUrl,
+    thumbprintLists: [thumbprint],
+});
 
-const policyDocument = arn.apply(arn => aws.iam.getPolicyDocument({
+const policyDocument = provider.arn.apply(arn => aws.iam.getPolicyDocument({
     version: "2012-10-17",
     statements: [{
         effect: "Allow",
@@ -70,12 +50,13 @@ const role = new aws.iam.Role("pulumi-cloud-admin", {
     assumeRolePolicy: policyDocument.json,
 });
 
+// tslint:disable-next-line:no-unused-expression
 new aws.iam.RolePolicyAttachment("policy", {
     policyArn: "arn:aws:iam::aws:policy/AdministratorAccess",
     role: role.name,
 });
 
-export const envYaml = pulumi.interpolate`
+const envYaml = pulumi.interpolate`
 values:
   aws:
     login:
@@ -90,9 +71,12 @@ values:
     AWS_SESSION_TOKEN: \${aws.login.sessionToken}
 `;
 
-new pulumiservice.Environment("aws-oidc-admin", {
+// tslint:disable-next-line:no-unused-expression
+new pulumiservice.Environment("aws-esc-oidc-env", {
     organization: pulumiOrg,
     project: escProject,
-    name: "aws-oidc-admin",
+    name: escEnvName,
     yaml: envYaml.apply(yaml => new pulumi.asset.StringAsset(yaml)),
 });
+
+export const escEnvironment = pulumi.interpolate`${escProject}/${escEnvName}`;