Support GitLab OIDC for pipeline bootstrap #4037
Conversation
github-actions
bot
added
pr/external
stage/needs-triage
| elif oidc_provider == GITLAB: | ||
| gitlab_oidc_params: dict = { | ||
| "gitlab-project": gitlab_project, | ||
| "gitlab-group": gitlab_group, | ||
| "deployment-branch": deployment_branch, | ||
| } |
There was a problem hiding this comment.
Thinking if we could re-use the logic here. The deployment_branch is the same. github-org seems match to gitlab-group and github_repo seems match to gitlab-project. Maybe we could use general parameters name for all?
There was a problem hiding this comment.
GitHub and GitLab are close enough to each other in information that we need that it would probably be fine for those two, but with Bitbucket we will need only a single new parameter, instead of the three that GitHub and GitLab need, the repository UUID which is a bitbucket specific value so I don't think it would be possible to generalize the parameters once we add Bitbucket and if in the future we decide to add any other providers. I think keeping them all separate helps reinforce that to anybody whos reading the code for the first time and is unfamiliar with the concepts
| @@ -159,7 +159,7 @@ Resources: | |||
| }, | |||
| "Action": "sts:AssumeRoleWithWebIdentity", | |||
| "Condition": { | |||
| "ForAllValues:StringEquals": { | |||
| "ForAllValues:StringLike": { | |||
There was a problem hiding this comment.
Its not really needed for GitHub or GitLab because its pretty easy to build the entire sub claim in the OIDC token, but for Bitbucket the claim changes weather or not a step is assigned to a deployment environment (our templates dont do this) and it also contains a UUID for the pipeline step which I couldn't find a way to get so using StringLike becomes necessary for that.
| @@ -292,6 +320,13 @@ def do_cli( | |||
| "deployment-branch": deployment_branch, | |||
| } | |||
| pipeline_oidc_provider = GitHubOidcProvider(github_oidc_params, common_oidc_params, GITHUB_ACTIONS) | |||
| elif oidc_provider == GITLAB: | |||
| gitlab_oidc_params: dict = { | |||
There was a problem hiding this comment.
I wish there was stronger typing here, it's quite easy to mistype or spend time figuring out the correct names. Can't probably use TypedDict since it's 3.8+, but should be able to use the constants from GitLabOidcProvider and friends directly.
* Add OIDC support (#3995) * support for GitHub Actions OIDC * GitHub Actions oidc support * Unit tests for GitHub Actions OIDC support * Add tests for GitHub Actions OIDC support * Add comments for new methods and fix formatting * use choice for identity provider instead of flag * Create pipeline oidc provider class * Remove unused methods * Add defaults for OIDC URL and ClientID * Get subject claim from object and use Session to get Client * Mock Session during test * Create method to share common logic * Add AllowedValues to CreateNewOidcProvider * Remove duplicate calls to samconfig * Add text to prompt * fix formatting * Add links to technical methods comments * Support GitLab OIDC for pipeline bootstrap (#4037) * Support GitLab OIDC for pipeline bootstrap * Fix incorrect variable mappings * use constants instead of strings * Support Bitbucket OIDC in pipeline bootstrap (#4041) * Support Bitbucket OIDC in pipeline bootstrap * Add documentation * Make capitlization consistent * Add comments to method * Re-use permissions provider answer for init * Make help text shorter * add constant inside constructor * Fix comments * move variables into class * change saved iam parameter * change help message * use dataclass * Optimize interactive flow and fix bugs * Support bootstrap stack update * fix duplicate bootstrap bug * bug fix * Update UX and fix unit tests * Improve UX and add more tests * recover the link * Address comments * Re-organize imports * Use AWS Partition instead of hardcoding aws * Address some comments * Recover imports Co-authored-by: sidhujus <[email protected]>
Which issue(s) does this change fix?
Supports GitLab for OIDC provider during bootstrap flow
Why is this change necessary?
Currently only the GitHub Actions OIDC provider is implemented and because configuring the assume role policy differs slightly for each OIDC provider they need to be supported individually
How does it address the issue?
adds click prompts/options to get the necessary information from the user before configuring the assume role policy for the pipeline execution role correctly
What side effects does this change have?
Mandatory Checklist
PRs will only be reviewed after checklist is complete
make prpassesmake update-reproducible-reqsif dependencies were changedBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.