Commit
delete assume role which might cause leak of the role arn
zephyrz73 committed Aug 28, 2020
1 parent d72950d commit 9ff1a36
Showing 6 changed files with 12 additions and 194 deletions.
@@ -20,19 +20,6 @@ jobs:

- name: Install pulumi deps
run: yarn install --cwd infrastructure

- name: Assume Role
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
IAM_ROLE_ARN: ${{ secrets.IAM_ROLE_ARN }}
EXTERNAL_ID: ${{ secrets.EXTERNAL_ID }}
run: |
unset AWS_SESSION_TOKEN
source ./scripts/assume-role.sh; assume_iam_role "${{secrets.IAM_ROLE_ARN}}" "cmsOAuthSession" "${{secrets.EXTERNAL_ID}}"
echo '::set-env name=AWS_ACCESS_KEY_ID::'$AWS_ACCESS_KEY_ID
echo '::set-env name=AWS_SECRET_ACCESS_KEY::'$AWS_SECRET_ACCESS_KEY
echo '::set-env name=AWS_SESSION_TOKEN::'$AWS_SESSION_TOKEN

- name: Preview infrastructure
if: ${{ github.event_name == 'pull_request' }}
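Review bot: the removed step interpolated `${{secrets.IAM_ROLE_ARN}}` and `${{secrets.EXTERNAL_ID}}` directly into the `run:` script even though the same values were already exported through `env:` as `IAM_ROLE_ARN` and `EXTERNAL_ID`; expression interpolation pastes the secret into the shell command text itself, so if this step is ever reinstated the call should read `assume_iam_role "$IAM_ROLE_ARN" "cmsOAuthSession" "$EXTERNAL_ID"`. The three `echo '::set-env ...'` lines also pushed the temporary credentials into the environment of every later step, and `::set-env` has since been deprecated by GitHub in favour of appending to `$GITHUB_ENV`. With the step gone, confirm that "Preview infrastructure" and the deploy steps still receive AWS credentials from a job-level `env:` (outside this hunk), otherwise `pulumi preview` will fail on the next pull request.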
18 changes: 6 additions & 12 deletions aws-ts-netlify-cms-and-oauth/cms-oauth/README.md
@@ -1,6 +1,8 @@
# About the Project
This OAuth Server Project is connected with CMS project which deploy on AWS S3 rather than on Netlify. In this way, it requires us to create a OAuth Client Server for Netlify CMS. Netlify use the Netlify Identity Service which provides OAuth provider server. Based on [Netlify's instruction](https://www.netlifycms.org/docs/external-oauth-clients/) of customize this step we need to provide our own OAuth client.

In this example, we are using [Netlify CMS's Github backends](https://www.netlifycms.org/docs/github-backend/) for CMS, but the OAuth Provider code enabled more types of backends Bitbucket and Gitlab. If you are using these [backends](https://www.netlifycms.org/docs/backends-overview/), simply update the callback url you are register Github OAuth Applicationc (See step 1 in the Getting Started section) to be https://{{the domain of your OAuth App}}/bitbucket/callback or https://{{the domain of your OAuth App}}/gitlab/callback

## References
The provider's content code is referencing to the [External OAuth Client example from Netlify CMS](https://www.netlifycms.org/docs/external-oauth-clients/).
Here are some reference:
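Review bot: the added paragraph has wording slips that should be fixed before merge: "the callback url you are register Github OAuth Applicationc" should read "the callback URL you registered for the GitHub OAuth application", "the OAuth Provider code enabled more types of backends Bitbucket and Gitlab" should be "the OAuth provider code also supports the Bitbucket and GitLab backends", and the last sentence has no full stop. It would also help to say that the callback URL must match the registered one exactly, since a mismatch is the usual cause of a login that silently fails.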
@@ -18,11 +20,13 @@ Here are some reference:
- ./main.go the code for the provider itself and it's front end
- It is fetching the access token sent from Github API using Github's goth library.
- .github/workflow contain code for the workflow
- scripts/assume-role.sh the script for assume role into the AWS admin account with IAM user role

## Deployment to AWS
## Infrastructure
The OAuth Client Server was deployed on AWS using Pulumi. The Pulumi code use AWS Certificate Manager to create certificate and validate it. It is using AWS ECS Fargate to read docker image and establish a Fargate Service. Then it is also creating Alias Record on Route53 for the OAuth Server.

### Assume Role (Optional)
If you are working with an organization, it is better to ask for the AWS token for IAM user role that you could use to assume the admin role of your AWS account. In this way it is more secure. You could refer to the [aws-ts-assume-role example](https://github.com/pulumi/examples/tree/master/aws-ts-assume-role) for more information. There is also assume role example of different language in [our example repostiory](https://github.com/pulumi/examples)

# Getting Start (Replace content in {{}} with correct informations)
These steps are now automated using the Github Workflow. If you push to the master or merge a pull request, the OAuth Client Server would be automatically deployed. Open a new branch and push to the branch would only do a pulumi preview where the logs could be check on Github Actions.

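Review bot: the new "Assume Role (Optional)" section recommends credentials that "assume the admin role of your AWS account" while arguing that this is "more secure"; suggest wording it as assuming a role scoped to what this Pulumi program actually needs (ACM, ECS/Fargate, Route53 records) rather than an admin role, and saying "IAM user access keys" instead of the vague "AWS token". Typos: "repostiory" should be "repository", and "There is also assume role example of different language" should be "There are also assume-role examples in other languages".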
@@ -69,16 +73,6 @@ $ pulumi config get netlify-cms-oauth-provider-infrastructure:githubKey
$ pulumi config get netlify-cms-oauth-provider-infrastructure:githubSecret
```


6. Don't forget to update AWS token before next step!!!!
If you are working with an organization and assume role is needed:
- you should ask your organization for creating new IAM user and providing credential for the user. Then after set credential as environment variable, assume the role of admin to your companies' production account use this:

```bash
$ source ./scripts/assume-role.sh; assume_iam_role "{{IAM_ROLE_ARN}}" "cmsSession" "{{EXTERNAL_ID}}"
```
IAM_ROLE_ARN and EXTERNAL_ID is the information provided by iam role we should assume. The script file in ./scripts/assume-role.sh contain assume_iam_role function

### Step 3. Running Infrastructure
```bash
$ pulumi up
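Review bot: deleting step 6 removes the only reminder ("Don't forget to update AWS token before next step") that `pulumi up` under "Step 3. Running Infrastructure" runs with whatever AWS credentials happen to be in the environment; suggest one sentence before the `pulumi up` block stating which credentials are expected (the IAM user keys, or a session obtained as in the linked aws-ts-assume-role example). The removed command referenced `./scripts/assume-role.sh`, which this commit deletes, so no dangling reference is left in this hunk.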
100 changes: 0 additions & 100 deletions aws-ts-netlify-cms-and-oauth/cms-oauth/scripts/assume-role.sh

This file was deleted.

18 changes: 4 additions & 14 deletions aws-ts-netlify-cms-and-oauth/cms/README.md
@@ -26,10 +26,6 @@ Special thanks to the template provided by [@talves](https://github.com/ADARTA/n
- index.html the html for the web app to check
- cms/Readme-Screenshots
- The screen shots for this README file
- cms/scripts
- Only useful if you are working with an organization and need to do AWS assume role
- The script code to use IAM User role to assume into the admin role of AWS account
- Use source ./scripts/assume-role.sh; assume_iam_role "${{secrets.IAM_ROLE_ARN}}" "cmsSession" "${{secrets.EXTERNAL_ID}}" and relace the IAM_ROLE_ARN and EXTERNAL_ID with infomation of the role you want to assume.
- cms/src
- React content for this web app

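Review bot: the removed bullet quoted `"${{secrets.IAM_ROLE_ARN}}"` in a command meant to be typed in a local shell, where GitHub workflow-expression syntax never expands, so its deletion alongside `cms/scripts/assume-role.sh` is consistent. Please grep the rest of this README for `scripts/assume-role.sh` so the file list and the step-by-step section agree after this change.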
@@ -50,7 +46,10 @@ The infrastructure takes three argument: pathToWebsiteContents,targetDomain, cer
- This is optional.
- If you have already had a certificate inside the AWS's Certificate Manager for this CMS app, then put it's arn as the value for this variable

### Substitution for Netlify Identity Service: OAuth Client Server
### Assume Role (Optional)
If you are working with an organization, it is better to ask for the AWS token for IAM user role that you could use to assume the admin role of your AWS account. In this way it is more secure. You could refer to the [aws-ts-assume-role example](https://github.com/pulumi/examples/tree/master/aws-ts-assume-role) for more information. There is also assume role example of different language in [our example repostiory](https://github.com/pulumi/examples)

## Substitution for Netlify Identity Service: OAuth Client Server
Deploying the CMS app on AWS but not Netlify cause we could not use the Netlify Identity Service with the Netlify console. Thus, we created a new OAuth Client Server follow [instruction of Netlify CMS](https://www.netlifycms.org/docs/external-oauth-clients/). In short it fetch access token from Github API to grant people access to use the CMS. The resource of the OAuth Server is inside the ./cms-oauth folder in the root directory.

After deploying the cms-oauth web app, we should also put the domain of the oauth-server we build in the cms/public/config.yml's base_url configuration
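Review bot: the "Assume Role (Optional)" paragraph inserted here is a verbatim copy of the one added to cms-oauth/README.md in this same commit, including the "repostiory" typo and the recommendation to assume "the admin role"; suggest fixing both copies or keeping one and linking to it from the other so they cannot drift apart. The heading "Substitution for Netlify Identity Service: OAuth Client Server" also moves from `###` to `##`; if that is intentional, check that the neighbouring headings at the same depth were promoted as well.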
@@ -79,8 +78,6 @@ Open a new branch and commit to the new branch would only do a pulumi preview un
site_domain is the domain name for the CMS web application
base_url is the domain name for the oauth server that we specify in cms-oauth folder



1. To check if config.yml works and do a simple local deployment

```bash
@@ -110,13 +107,6 @@ $ pulumi config set pulumi-website-cms:targetDomain https://some-cms-domain.pulu

- target domain is the domain for the App now it is as subdomain under pulumi-demos.net

3. Only if you are working with an organization you should ask organization for creating new IAM user and provding credential for the user. Then after set credential as environment variable, assume the role of admin to the pulumi-corp account use this:
```bash
source ./scripts/assume-role.sh; assume_iam_role "${{IAM_ROLE_ARN}}" "cmsSession" "${{EXTERNAL_ID}}"
```
IAM_ROLE_ARN and EXTERNAL_ID is the information provided by iam role we should assume.
The script file in ./scripts/assume-role.sh contain assume_iam_role function

4. Run pulumi up
```bash
$ pulumi up
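Review bot: removing step 3 leaves the list numbered 1, 2, 4; rename "4. Run pulumi up" to "3." so the steps stay contiguous. The deleted text also named "the pulumi-corp account", so this hunk takes an internal account name out of the public README along with the role ARN that the commit message is concerned about.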
4 changes: 2 additions & 2 deletions aws-ts-netlify-cms-and-oauth/cms/public/config.yml
@@ -5,8 +5,8 @@ backend:
# This site_domain and base_url are sudo domains
# Replace site_domain with targetDomain pulumi stack configuration inside cms/infrastructure folder
# Replace base_url with targetDomain pulumi stack configuration inside cms-oauth/infrastructure folder
site_domain: https://some-cms-domain.pulumi-demos.com
base_url: https://some-oauth-domain.pulumi-demos.com
site_domain: https://some-cms-domain.com
base_url: https://some-oauth-domain.com

publish_mode: editorial_workflow

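Review bot: `some-cms-domain.com` and `some-oauth-domain.com` are registrable domains, so a config copied without editing would direct the CMS's OAuth flow at whoever owns them; prefer placeholders under the reserved example domains (`some-cms-domain.example.com`, `some-oauth-domain.example.com`) so an unedited config cannot resolve to a third party. The unchanged comment "are sudo domains" should read "pseudo domains".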
53 changes: 0 additions & 53 deletions aws-ts-netlify-cms-and-oauth/cms/scripts/assume-role.sh

This file was deleted.
