Updating for Single Secrets set

awslabs · Dec 12, 2023 · 4277064 · 4277064
1 parent 59fa49d
commit 4277064
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 10 deletions.
diff --git a/cicd/staging/build/buildspec.yml b/cicd/staging/build/buildspec.yml
@@ -52,31 +52,31 @@ phases:
       # Update params with the values for this run for a developer account
       - |
         jq -n \
-        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GroupMatch\": \"name:AWS*\"}" \
+        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:AWS*\"}" \
         --argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
         '$ARGS.named' > ./deploy/developer.json
       - cat ./deploy/developer.json
 
       # Update params with the values for this run for the management account
       - |
         jq -n \
-        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GroupMatch\": \"name:Man*\"}" \
+        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:Man*\"}" \
         --argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
         '$ARGS.named' > ./deploy/management.json
       - cat ./deploy/management.json
 
       # Update params with the values for this run for the delegated account
       - |
         jq -n \
-        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GroupMatch\": \"name:Del*\"}" \
+        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\",  \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:Del*\"}" \
         --argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
         '$ARGS.named' > ./deploy/delegated.json
       - cat ./deploy/delegated.json
 
       # Update params with the values for this run for non-delegated account
       - |
         jq -n \
-        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GroupMatch\": \"name:Non*\"}" \
+        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:Non*\"}" \
         --argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
         '$ARGS.named' > ./deploy/nondelegated.json
       - cat ./deploy/nondelegated.json

diff --git a/cicd/staging/build/stack.yml b/cicd/staging/build/stack.yml
@@ -15,6 +15,18 @@ Parameters:
     Description: The version of this build in SAR
     Default: 'v1.0.0-rc.10'
     Type: String
+  GoogleAdminEmailArn:
+    Type: String
+  GoogleCredentialsArn:
+    Type: String
+  SCIMEndpointUrlArn:
+    Type: String
+  SCIMAccessTokenArn:
+    Type: String
+  RegionArn:
+    Type: String
+  IdentityStoreIdArn:
+    Type: String
   GroupMatch:
     Description: The search string to match Groups in Google Workspace
     Default: 'name:AWS*'
@@ -29,12 +41,12 @@ Resources:
         SemanticVersion: !Ref AppVersion
       Parameters:
         FunctionName: SSOSyncFunction
-        GoogleAdminEmail: '{{resolve:secretsmanager:TestGoogleAdminEmail}}'
-        GoogleCredentials: '{{resolve:secretsmanager:TestGoogleCredentials}}'
-        SCIMEndpointUrl: '{{resolve:secretsmanager:TestSCIMEndpointUrl}}'
-        SCIMEndpointAccessToken: '{{resolve:secretsmanager:TestSCIMAccessToken}}'
-        Region: '{{resolve:secretsmanager:TestRegion}}'
-        IdentityStoreID: '{{resolve:secretsmanager:TestIdentityStoreId}}'
+        GoogleAdminEmail: !Sub '{{resolve:secretsmanager:${GoogleAdminEmailArn}}}'
+        GoogleCredentials: '{{resolve:secretsmanager:${GoogleCredentials}}}'
+        SCIMEndpointUrl: '{{resolve:secretsmanager:$SCIMEndpointUrlArn}}}'
+        SCIMEndpointAccessToken: '{{resolve:secretsmanager:${SCIMAccessTokenArn}}}'
+        Region: '{{resolve:secretsmanager:${RegioArn}n}}'
+        IdentityStoreID: '{{resolve:secretsmanager:${IdentityStoreIdArn}}}'
         SyncMethod: groups
         GoogleGroupMatch: !Ref GroupMatch
         LogLevel: warn