import { Duration, aws_iam as IAM, Stack } from 'aws-cdk-lib'
import { PolicyDocument } from 'aws-cdk-lib/aws-iam'
import { Construct } from 'constructs'
/**
 * IAM role that GitHub Actions assumes via the GitHub OIDC provider in order
 * to deploy this stack.
 *
 * The trust policy uses `StringEquals` (exact match, no wildcard matching) on
 * two claims of the GitHub-issued token:
 *  - `sub` must equal `repo:<owner>/<repo>:environment:production`, so only
 *    workflow runs targeting the `production` environment of the given
 *    repository can assume the role;
 *  - `aud` must equal `sts.amazonaws.com`.
 * Sessions are capped at one hour, and the only inline permission granted is
 * `cloudformation:DescribeStacks` on this stack (to read its outputs).
 */
export class GitHubRole extends Construct {
  public readonly role: IAM.IRole

  constructor(
    parent: Construct,
    id: string,
    {
      repository: targetRepo,
      roleName,
      gitHubOIDC,
    }: {
      roleName: string
      repository: {
        owner: string
        repo: string
      }
      gitHubOIDC: IAM.IOpenIdConnectProvider
    },
  ) {
    super(parent, id)

    const stack = Stack.of(this)
    const subjectClaim = `repo:${targetRepo.owner}/${targetRepo.repo}:environment:production`

    // Exact-match conditions on the token's `sub` and `aud` claims.
    const tokenConditions = {
      StringEquals: {
        'token.actions.githubusercontent.com:sub': subjectClaim,
        'token.actions.githubusercontent.com:aud': 'sts.amazonaws.com',
      },
    }

    // Read-only access to this stack's own description (outputs).
    const describeStack = new PolicyDocument({
      statements: [
        new IAM.PolicyStatement({
          actions: ['cloudformation:DescribeStacks'],
          resources: [stack.stackId],
        }),
      ],
    })

    this.role = new IAM.Role(this, 'role', {
      roleName,
      assumedBy: new IAM.WebIdentityPrincipal(
        gitHubOIDC.openIdConnectProviderArn,
        tokenConditions,
      ),
      description: `This role is used by GitHub Actions to deploy the website of ${stack.stackName}`,
      maxSessionDuration: Duration.hours(1),
      inlinePolicies: { describeStack },
    })
  }
}