From 9039dafb740e7c1846256591eda537f82a37c7f7 Mon Sep 17 00:00:00 2001
From: Markus Bergkvist
Date: Tue, 19 Dec 2023 08:45:54 +0100
Subject: [PATCH 1/2] Make existingGitHubActionsProvider aware of AWS partitions

---
 src/oidc-provider.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/oidc-provider.ts b/src/oidc-provider.ts
index fc3c4b5d..c253b20a 100644
--- a/src/oidc-provider.ts
+++ b/src/oidc-provider.ts
@@ -77,7 +77,7 @@ export interface GitHubActionRoleProps {
  * You must `cdk deploy` once (with your normal AWS credentials) to have this role created for you.
  *
  * You can then make note of the role arn in the stack output and send it into the Github Workflow app via
- * the `gitHubActionRoleArn` property. The role arn will be `arn:aws:iam:::role/GithubActionRole`.
+ * the `gitHubActionRoleArn` property. The role arn will be `arn::iam:::role/GithubActionRole`.
  *
  * @see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
  */
@@ -91,7 +91,7 @@ export class GitHubActionRole extends Construct {
     return iam.OpenIdConnectProvider.fromOpenIdConnectProviderArn(
       scope,
       'GitHubActionProvider',
-      `arn:aws:iam::${Aws.ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com`,
+      `arn:${Aws.PARTITION}:iam::${Aws.ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com`,
     );
   }
 
@@ -174,4 +174,4 @@ function formatRepos(repos: string[]) {
     formattedRepos.push(`repo:${repo}:*`);
   }
   return formattedRepos;
-}
\ No newline at end of file
+}

From d2ed0187a543b75d5a70408e7a71139eb44c10e9 Mon Sep 17 00:00:00 2001
From: Markus Bergkvist
Date: Tue, 19 Dec 2023 08:51:16 +0100
Subject: [PATCH 2/2] WIP: temporary hard-code partition and amazon cn top domain

Until I can figure out where to change this further down in the stack.
---
 src/pipeline.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/pipeline.ts b/src/pipeline.ts
index ab8138f1..071a3785 100644
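Review bot: The rewritten doc comment now shows `arn::iam:::role/GithubActionRole`, an ARN with an empty partition segment that reads like a typo rather than a placeholder. Since the point of this patch is that the partition follows the deploying account, spell the placeholder out, e.g. `arn:<partition>:iam::<account-id>:role/GithubActionRole`, and add that `<partition>` is `aws` in commercial regions and differs in other partitions. The declaration this comment documents starts and ends outside the hunk.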
--- a/src/pipeline.ts
+++ b/src/pipeline.ts
@@ -564,7 +564,7 @@ export class GitHubWorkflow extends PipelineBase {
       return EnvironmentPlaceholders.replace(s, {
         accountId: account,
         region: region,
-        partition: 'aws',
+        partition: 'aws-cn',
       });
     };
 
@@ -573,7 +573,8 @@ export class GitHubWorkflow extends PipelineBase {
       if (this.assetHashMap[hash] === undefined) {
         throw new Error(`Template asset hash ${hash} not found.`);
       }
-      return template.replace(hash, `\${{ needs.${this.assetHashMap[hash]}.outputs.${ASSET_HASH_NAME} }}`);
+      return template.replace(hash, `\${{ needs.${this.assetHashMap[hash]}.outputs.${ASSET_HASH_NAME} }}`)
+        .replace('.amazonaws.com', '.amazonaws.com.cn');
     };
 
     const params: Record = {
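Review bot: Hard-coding `partition: 'aws-cn'` in the placeholder replacement makes every generated workflow target the China partition, so deployments in the commercial or GovCloud partitions now render wrong ARNs; the commit message calls this a WIP, but as written it regresses the default case. The partition can be derived from the `region` value passed on the line above instead of being fixed: `cn-` regions belong to `aws-cn`, `us-gov-` regions to `aws-us-gov`, and everything else to `aws`. I am assuming `region` is a concrete string here (its declaration is outside the hunk); if it can be a CDK token, the helper below should fall back to `aws` or use aws-cdk-lib's region-info lookup instead. The enclosing arrow function starts outside the hunk.
```typescript
      return EnvironmentPlaceholders.replace(s, {
        accountId: account,
        region: region,
        partition: partitionForRegion(region),
      });
// … unchanged: rest of the replacement closure …

/** Map a region name onto its AWS partition; unknown prefixes default to the commercial partition. */
function partitionForRegion(region: string): string {
  if (region.startsWith('cn-')) return 'aws-cn';
  if (region.startsWith('us-gov-')) return 'aws-us-gov';
  return 'aws';
}
```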
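Review bot: The appended `.replace('.amazonaws.com', '.amazonaws.com.cn')` runs for every deployment rather than only China-partition ones, and `String.prototype.replace` with a string pattern rewrites only the first occurrence, so a template that mentions several endpoints is converted only in part. It is also not idempotent: a value that already ends in `.amazonaws.com.cn` contains `.amazonaws.com` and becomes `.amazonaws.com.cn.cn`. Condition the rewrite on the target partition and use `replaceAll` (or a global regex if the project's target predates it), or better, take the URL suffix from the same source as the partition instead of a post-hoc substitution on the rendered template. The enclosing closure starts outside the hunk.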