Create Pulumi to AWS OIDC Configuration Example #1507
Conversation
| from pulumi_aws import iam | ||
| import requests | ||
| import subprocess | ||
| import OpenSSL |
There was a problem hiding this comment.
You can use the TLS provider to generate certs: https://www.pulumi.com/registry/packages/tls/
There was a problem hiding this comment.
The steps that use OpenSSL are obtaining Pulumi's OIDC IdP certificate chain and using that to produce its thumbprint (it's not creating a new one). It wasn't clear to me how pulumi_tls would recreate this process, so happy to pair with you on this!
aws-py-oidc-provider/__main__.py
Outdated
| import OpenSSL | ||
| import json | ||
|
|
||
| audience = "" # Provide the name of your Pulumi Organization |
There was a problem hiding this comment.
Use config.require(): https://www.pulumi.com/docs/reference/pkg/python/pulumi/#pulumi.Config.require
There was a problem hiding this comment.
Is there a built-in way to retrieve the org associated with the stack? Or do users have to explicitly configure that?
There was a problem hiding this comment.
There's a built-in way to retrieve the organization, project, and stack name. I've done this in Go many times, but in Python I think you need to use pulumi.get_organization. I'll try to find a link.
| base_url = 'api.pulumi.com/oidc' | ||
|
|
||
| # Obtain the OIDC IdP URL and form the configuration document URL | ||
| print("Forming configuration document URL...") |
There was a problem hiding this comment.
You probably don't want print statements because they will print even if you run the program a second time and nothing changes.
There was a problem hiding this comment.
Is there a Pulumi-specific way of doing this to where it doesn't print if there's been no changes? I tried with pulumi.log.info() and it still does it. I don't want to remove the statements because I think the indicators are helpful for users.
| configuration_url = f'{oidc_idp_url}/.well-known/openid-configuration' | ||
|
|
||
| # Locate "jwks_uri" and extract the domain name | ||
| print("Extracting domain name from jwks_uri...") |
There was a problem hiding this comment.
This should probably be modeled as a resource using the Command provider: https://www.pulumi.com/registry/packages/command/api-docs/local/command/
There was a problem hiding this comment.
I don't really understand the ask here. Can we sync on this and the TLS comment?
|
Suggest using "Pulumi Cloud" in the docs and |
This example will create an automated way to deploy the OIDC configuration between Pulumi and AWS.
Will resolve #3481