From 427706464f52f4a9e5599d793d4be614e5ffcd3e Mon Sep 17 00:00:00 2001
From: Chris Pates
Date: Tue, 12 Dec 2023 17:39:24 +0000
Subject: [PATCH] Updating for Single Secrets set
---
cicd/staging/build/buildspec.yml | 8 ++++----
cicd/staging/build/stack.yml | 24 ++++++++++++++++++------
2 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/cicd/staging/build/buildspec.yml b/cicd/staging/build/buildspec.yml
index f06836e8..9296ef18 100644
--- a/cicd/staging/build/buildspec.yml
+++ b/cicd/staging/build/buildspec.yml
@@ -52,7 +52,7 @@ phases:
# Update params with the values for this run for a developer account
- |
jq -n \
- --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GroupMatch\": \"name:AWS*\"}" \
+ --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:AWS*\"}" \
--argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
'$ARGS.named' > ./deploy/developer.json
- cat ./deploy/developer.json
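Review bot: The `SCIMAccessTokenArn` entry in the added `--argjson Parameters` line is the literal string `SecretSCIMAccessToken`; the `$` that the other five secret variables carry is missing, so the developer stack receives the text `SecretSCIMAccessToken` as its secret identifier rather than the ARN held in the build environment variable. CloudFormation will then try to resolve a Secrets Manager entry literally named `SecretSCIMAccessToken`, which either fails the deploy or, if a secret by that name happens to exist in the target account, silently binds the SCIM access token to the wrong secret. Change the entry to `\"SCIMAccessTokenArn\": \"$SecretSCIMAccessToken\"`; the same omission is repeated in the management, delegated and non-delegated hunks of this file. Where the `Secret*` variables are populated is outside this hunk, so I cannot confirm that their names match what the build environment exports.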
@@ -60,7 +60,7 @@ phases:
# Update params with the values for this run for the management account
- |
jq -n \
- --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GroupMatch\": \"name:Man*\"}" \
+ --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:Man*\"}" \
--argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
'$ARGS.named' > ./deploy/management.json
- cat ./deploy/management.json
@@ -68,7 +68,7 @@ phases:
# Update params with the values for this run for the delegated account
- |
jq -n \
- --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GroupMatch\": \"name:Del*\"}" \
+ --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:Del*\"}" \
--argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
'$ARGS.named' > ./deploy/delegated.json
- cat ./deploy/delegated.json
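Review bot: The management-account `Parameters` object is still assembled by splicing shell variables into a hand-written JSON string handed to `--argjson`, and the new line grows that string from three to nine interpolations; any value containing a double quote or backslash breaks the document, and it is exactly why the `\"SCIMAccessTokenArn\": \"SecretSCIMAccessToken\"` entry (missing its `$`) passes as perfectly valid JSON instead of failing. Passing each value with `--arg` and building the object inside jq lets jq do the quoting, so a malformed value is impossible and an unset variable shows up as an empty string rather than a silently-wrong literal. The rewrite below keeps the same output file and shape; `StackPolicy` is constant and can stay as `--argjson`.
```yaml
- |
  jq -n \
    --arg AppArn "$AppArn" \
    --arg AppVersion "$AppVersion" \
    --arg GoogleAdminEmailArn "$SecretGoogleAdminEmail" \
    --arg GoogleCredentialsArn "$SecretGoogleCredentials" \
    --arg SCIMEndpointUrlArn "$SecretSCIMEndpoint" \
    --arg SCIMAccessTokenArn "$SecretSCIMAccessToken" \
    --arg RegionArn "$SecretRegion" \
    --arg IdentityStoreIdArn "$SecretIdentityStoreID" \
    --argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
    '{Parameters: ($ARGS.named | del(.StackPolicy) + {GroupMatch: "name:Man*"}), StackPolicy: $StackPolicy}' > ./deploy/management.json
# … unchanged: cat ./deploy/management.json …
```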
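Review bot: The added delegated-account line passes `\"SCIMAccessTokenArn\": \"SecretSCIMAccessToken\"`, a literal string, while every other secret in the same object is expanded from its `$Secret*` variable. The delegated stack therefore receives the text `SecretSCIMAccessToken` as the identifier of its SCIM token secret, and the dynamic reference in the stack template cannot resolve to the secret the build was given. Change it to `\"SCIMAccessTokenArn\": \"$SecretSCIMAccessToken\"`.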
@@ -76,7 +76,7 @@ phases:
# Update params with the values for this run for non-delegated account
- |
jq -n \
- --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GroupMatch\": \"name:Non*\"}" \
+ --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:Non*\"}" \
--argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
'$ARGS.named' > ./deploy/nondelegated.json
- cat ./deploy/nondelegated.json
diff --git a/cicd/staging/build/stack.yml b/cicd/staging/build/stack.yml
index 3b5f3a3c..be6dca98 100644
--- a/cicd/staging/build/stack.yml
+++ b/cicd/staging/build/stack.yml
@@ -15,6 +15,18 @@ Parameters:
Description: The version of this build in SAR
Default: 'v1.0.0-rc.10'
Type: String
+ GoogleAdminEmailArn:
+ Type: String
+ GoogleCredentialsArn:
+ Type: String
+ SCIMEndpointUrlArn:
+ Type: String
+ SCIMAccessTokenArn:
+ Type: String
+ RegionArn:
+ Type: String
+ IdentityStoreIdArn:
+ Type: String
GroupMatch:
Description: The search string to match Groups in Google Workspace
Default: 'name:AWS*'
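Review bot: The non-delegated line has the same literal `\"SCIMAccessTokenArn\": \"SecretSCIMAccessToken\"` where the shell variable `$SecretSCIMAccessToken` was intended, so the generated `nondelegated.json` carries a bogus secret identifier and the only place it is visible is the `cat ./deploy/nondelegated.json` echo on the next line. Because the string is still valid JSON, nothing in this step fails; the error surfaces later as an unresolvable dynamic reference at deploy time. Fix it as `\"SCIMAccessTokenArn\": \"$SecretSCIMAccessToken\"`, and consider `\"${SecretSCIMAccessToken:?}\"` (and the same for the other five ARN variables) so an unset or empty secret ARN aborts the build instead of writing an empty string into the parameter file.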
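Review bot: The six new `*Arn` parameters have only `Type: String` — no `Description` and no constraint — so a wrong or empty value from the buildspec is accepted at template validation and only fails (or resolves the wrong secret) when the dynamic reference is evaluated during deployment. Give each one a `Description` naming the secret it must point at, e.g. `Description: ARN of the Secrets Manager secret holding the SCIM access token`, plus at least `MinLength: 1`. If the buildspec always passes full ARNs, which the parameter names suggest but their values are not visible here, an `AllowedPattern: '^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$'` rejects bare names and typos before any stack operation starts; `NoEcho` is not needed since these are identifiers, not the secret values. This hunk opens inside the preceding parameter's definition, whose key line is outside the diff.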
@@ -29,12 +41,12 @@ Resources:
SemanticVersion: !Ref AppVersion
Parameters:
FunctionName: SSOSyncFunction
- GoogleAdminEmail: '{{resolve:secretsmanager:TestGoogleAdminEmail}}'
- GoogleCredentials: '{{resolve:secretsmanager:TestGoogleCredentials}}'
- SCIMEndpointUrl: '{{resolve:secretsmanager:TestSCIMEndpointUrl}}'
- SCIMEndpointAccessToken: '{{resolve:secretsmanager:TestSCIMAccessToken}}'
- Region: '{{resolve:secretsmanager:TestRegion}}'
- IdentityStoreID: '{{resolve:secretsmanager:TestIdentityStoreId}}'
+ GoogleAdminEmail: !Sub '{{resolve:secretsmanager:${GoogleAdminEmailArn}}}'
+ GoogleCredentials: '{{resolve:secretsmanager:${GoogleCredentials}}}'
+ SCIMEndpointUrl: '{{resolve:secretsmanager:$SCIMEndpointUrlArn}}}'
+ SCIMEndpointAccessToken: '{{resolve:secretsmanager:${SCIMAccessTokenArn}}}'
+ Region: '{{resolve:secretsmanager:${RegioArn}n}}'
+ IdentityStoreID: '{{resolve:secretsmanager:${IdentityStoreIdArn}}}'
SyncMethod: groups
GoogleGroupMatch: !Ref GroupMatch
LogLevel: warn
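Review bot: Only `GoogleAdminEmail` in the new block is wrapped in `!Sub`; the other five values are plain strings, so CloudFormation hands Secrets Manager the literal placeholder text (for example `${SCIMAccessTokenArn}`) instead of the ARN in the parameter, and none of those five references can resolve. Three of them are additionally mis-typed: `${GoogleCredentials}` names a parameter that does not exist (the parameter is `GoogleCredentialsArn`), `$SCIMEndpointUrlArn}}}` is missing its opening brace, and `${RegioArn}n` mangles `RegionArn`; once `!Sub` is added these would fail validation as unknown variables rather than being passed through silently. Every line needs `!Sub` and the exact parameter name, as below. One caveat that predates this commit: the resolved plaintext values are handed as parameters to the nested SAR application, so its corresponding parameters should be `NoEcho` if they are not already, which cannot be confirmed from this template.
```yaml
FunctionName: SSOSyncFunction
GoogleAdminEmail: !Sub '{{resolve:secretsmanager:${GoogleAdminEmailArn}}}'
GoogleCredentials: !Sub '{{resolve:secretsmanager:${GoogleCredentialsArn}}}'
SCIMEndpointUrl: !Sub '{{resolve:secretsmanager:${SCIMEndpointUrlArn}}}'
SCIMEndpointAccessToken: !Sub '{{resolve:secretsmanager:${SCIMAccessTokenArn}}}'
Region: !Sub '{{resolve:secretsmanager:${RegionArn}}}'
IdentityStoreID: !Sub '{{resolve:secretsmanager:${IdentityStoreIdArn}}}'
# … unchanged: SyncMethod, GoogleGroupMatch, LogLevel …
```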