Fix wrong update of externalId for pivotRole (#591)

### Feature or Bugfix - Bugfix ### Detail Fixes #589 by: - using CDK constructs to check the existence of an externalID in Secrets Manager - using boto3 calls using the CDK look up role in the deployment accounts to find an externalID in the Systems Manager Parameter Store ### Relates - #589 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Noah Paige <[email protected]>
data-dot-all · Jul 25, 2023 · f3baf14 · f3baf14
1 parent 84c555e
commit f3baf14
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 4 deletions.
diff --git a/deploy/stacks/param_store_stack.py b/deploy/stacks/param_store_stack.py
@@ -4,6 +4,7 @@
 import boto3
 from aws_cdk import (
     aws_ssm,
+    SecretValue
 )
 
 from .pyNestedStack import pyNestedClass
@@ -102,7 +103,7 @@ def __init__(
             description=f"Stores dataall pivot role name for environment {envname}",
         )
 
-        existing_external_id = _get_external_id_value(envname=envname, region=self.region)
+        existing_external_id = _get_external_id_value(envname=envname, account_id=self.account, region=self.region)
         external_id_value = existing_external_id if existing_external_id else _generate_external_id()
 
         aws_ssm.StringParameter(
@@ -113,12 +114,29 @@ def __init__(
             description=f"Stores dataall external id for environment {envname}",
         )
 
-def _get_external_id_value(envname, region):
+def _get_external_id_value(envname, account_id, region):
     """For first deployments it returns False,
     for existing deployments it returns the ssm parameter value generated in the first deployment
     for prior to V1.5.1 upgrades it returns the secret from secrets manager
     """
-    session = boto3.Session()
+    cdk_look_up_role = 'arn:aws:iam::{}:role/cdk-hnb659fds-lookup-role-{}-{}'.format(account_id, account_id, region)
+    base_session = boto3.Session()
+    assume_role_dict = dict(
+        RoleArn=cdk_look_up_role,
+        RoleSessionName=cdk_look_up_role.split('/')[1],
+    )
+    sts = base_session.client(
+        'sts',
+        region_name=region,
+        endpoint_url=f"https://sts.{region}.amazonaws.com"
+    )
+    response = sts.assume_role(**assume_role_dict)
+    session = boto3.Session(
+        aws_access_key_id=response['Credentials']['AccessKeyId'],
+        aws_secret_access_key=response['Credentials']['SecretAccessKey'],
+        aws_session_token=response['Credentials']['SessionToken'],
+    )
+
     secret_id = f"dataall-externalId-{envname}"
     parameter_path = f"/dataall/{envname}/pivotRole/externalId"
     try:
@@ -128,7 +146,10 @@ def _get_external_id_value(envname, region):
     except:
         try:
             secrets_client = session.client('secretsmanager', region_name=region)
-            secret_value = secrets_client.get_secret_value(SecretId=secret_id)['SecretString']
+            if secrets_client.describe_secret(SecretId=secret_id):
+                secret_value = SecretValue.secrets_manager(secret_id).unsafe_unwrap()
+            else:
+                raise Exception
             return secret_value
         except:
             return False

diff --git a/deploy/stacks/pipeline.py b/deploy/stacks/pipeline.py
@@ -231,6 +231,14 @@ def set_codebuild_iam_roles(self):
             policy_name=f'{self.resource_prefix}-{self.git_branch}-baseline-codebuild-policy',
             roles=[self.baseline_codebuild_role, self.expanded_codebuild_role],
             statements= [
+                iam.PolicyStatement(
+                    actions=[
+                        'sts:AssumeRole',
+                    ],
+                    resources=[
+                        'arn:aws:iam::*:role/cdk-hnb659fds-lookup-role*'
+                    ],
+                ),
                 iam.PolicyStatement(
                     actions=[
                         'sts:GetServiceBearerToken',