
aws_iam: CfnOIDCProviderProps property thumbprintList should be optional, instead required #31050

Open
williwlwilliwll opened this issue Aug 7, 2024 · 6 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/medium Medium work item – several days of effort needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p2

Comments

@williwlwilliwll

williwlwilliwll commented Aug 7, 2024

Describe the bug

When trying to create a CfnOIDCProvider the CfnOIDCProviderProps interface is insisting that the object have a thumbprintList property despite it being described as optional in the documentation and the source code comments.

Expected Behavior

The thumbprintList property should either be optional or the documentation should be changed

Current Behavior

If you attempt to not include the property then you get the following error:

TSError: ⨯ Unable to compile TypeScript:
src/eks-stack.ts:152:81 - error TS2345: Argument of type 'XXX' is not assignable to parameter of type 'CfnOIDCProviderProps'.
  Property 'thumbprintList' is missing in type XXX but required in type 'CfnOIDCProviderProps'.

If you add the property and assign an empty array as its value then you get the following error during stack deployment:

k8clustertest-eks: creating CloudFormation changeset...
11:07:06 AM | CREATE_FAILED        | AWS::IAM::OIDCProvider  | k8ClusterTestiamoidcProvider
Resource handler returned message: "Thumbprint list must contain at least one entry. (Service: Iam, Status Code: 400, Request ID: 6b1f1768-5936-41f0-b5ae-86-)" (RequestToken: 82cbfe67-0e29-b496-d036-, HandlerError Code: InvalidRequest)

Reproduction Steps

new iam.CfnOIDCProvider(this, 'oidcProvider', {
    url: kubernetes.attrOpenIdConnectIssuerUrl
})

Possible Solution

Change the CfnOIDCProviderProps interface as follows:

export interface CfnOIDCProviderProps {
    readonly thumbprintList?: Array<string>;
    // ....
}

Additional Information/Context

No response

CDK CLI Version

2.151

Framework Version

No response

Node.js Version

22.5.1

OS

MacOS Sonoma 14.6

Language

TypeScript

Language Version

No response

Other information

No response

@williwlwilliwll williwlwilliwll added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 7, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Aug 7, 2024
@ashishdhingra ashishdhingra self-assigned this Aug 7, 2024
@ashishdhingra ashishdhingra added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Aug 7, 2024
@ashishdhingra
Contributor

The referenced iam.generated defines the CfnOIDCProviderProps as shown below:

export interface CfnOIDCProviderProps {
    /**
     * A list of client IDs (also known as audiences) that are associated with the specified IAM OIDC provider resource object.
     *
     * For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .
     *
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-clientidlist
     */
    readonly clientIdList?: Array<string>;
    /**
     * A list of tags that are attached to the specified IAM OIDC provider.
     *
     * The returned list of tags is sorted by tag key. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
     *
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-tags
     */
    readonly tags?: Array<cdk.CfnTag>;
    /**
     * A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object.
     *
     * For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .
     *
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-thumbprintlist
     */
    readonly thumbprintList: Array<string>;
    /**
     * The URL that the IAM OIDC provider resource object is associated with.
     *
     * For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .
     *
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-url
     */
    readonly url?: string;
}

Notice that the clientIdList is declared as optional, but thumbprintList is not. The L1 constructs are generated from the CloudFormation specification. The IAM OIDC Provider schema aws-iam-oidcprovider.json does not indicate whether the property is required or not.

{
  "typeName" : "AWS::IAM::OIDCProvider",
  "description" : "Resource Type definition for AWS::IAM::OIDCProvider",
  "additionalProperties" : false,
  "properties" : {
    "ClientIdList" : {
      "type" : "array",
      "insertionOrder" : false,
      "items" : {
        "minLength" : 1,
        "maxLength" : 255,
        "type" : "string"
      }
    },
    ...
    "ThumbprintList" : {
      "type" : "array",
      "insertionOrder" : false,
      "items" : {
        "minLength" : 40,
        "maxLength" : 40,
        "pattern" : "[0-9A-Fa-f]{40}",
        "type" : "string"
      },
      "maxItems" : 5
    },
    ...
  },

Unsure why ClientIdList is generated as optional whereas it is different for ThumbprintList.

@williwlwilliwll Thanks for reporting the issue. Are you able to work around this issue by setting thumbprintList to an empty array as shown below:

new iam.CfnOIDCProvider(this, 'TestOIDCCfn', {
  url: 'http://localhost.com', // set the URL
  thumbprintList: []
});

Also curious on why you are not using L2 construct OpenIdConnectProvider (kindly note that this uses custom resource based implementation, not the L1 construct, as per code here):

new iam.OpenIdConnectProvider(this, 'TestOidc', {
  url: 'http://localhost.com'
});

Thanks,
Ashish

@ashishdhingra ashishdhingra added effort/medium Medium work item – several days of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Aug 7, 2024
@ashishdhingra ashishdhingra removed their assignment Aug 7, 2024
@williwlwilliwll
Author

@ashishdhingra

Thanks for your reply. If you give thumbprintList a value of empty array then the following error is thrown during stack deployment:

k8clustertest-eks: creating CloudFormation changeset...
11:07:06 AM | CREATE_FAILED        | AWS::IAM::OIDCProvider  | k8ClusterTestiamoidcProvider
Resource handler returned message: "Thumbprint list must contain at least one entry. 
(Service: Iam, Status Code: 400, Request ID: 6b1f1768-5936-41f0-b5ae-86-)" 
(RequestToken: 82cbfe67-0e29-b496-d036-, HandlerError Code: InvalidRequest)

I will try using the L2 construct and let you know :).

Regarding why I was using the L1 construct - I have found that I prefer them because they are not opinionated so I have greater control over them.

Best,
Will

@imduchy

imduchy commented Aug 8, 2024

Hello 👋🏼 The same issue here; while the CloudFormation documentation states that the attribute is optional, CDK throws an error. In my case, I'm defining the OIDC provider in a CloudFormation template (YAML) and deploying it with the help of the CfnImport module. But the problem is still the same.

@ashishdhingra
Contributor

Just FYI, Application Composer UI displays the error about missing ThumbprintList:
(screenshot of the Application Composer error, taken 2024-08-08, omitted)
However, proceeding to deploy the below CloudFormation template works:

Resources:
  TestOIDCCfn:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
    Metadata:
      aws:cdk:path: CdktestStack/TestOIDCCfn

So most likely a CFN schema issue, rather than CDK issue. Need to open the issue with the CloudFormation team.

Thanks,
Ashish
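As an added illustration (not code from this thread or from aws-cdk), the following TypeScript check encodes the ThumbprintList constraints from the aws-iam-oidcprovider.json schema quoted above next to the two deploy-time behaviours reported in the thread: an empty list is rejected by the IAM service, while omitting the property entirely deploys fine in raw CloudFormation. The thumbprintFromDer helper assumes the documented IAM thumbprint format (SHA-1 over the DER-encoded certificate, as hex); the sample input in the comments is constructed, not a real certificate.

```typescript
import { createHash } from "crypto";

// Constraints copied from the ThumbprintList entry of the
// aws-iam-oidcprovider.json schema quoted in this thread.
const THUMBPRINT_PATTERN = /^[0-9A-Fa-f]{40}$/;
const MAX_ITEMS = 5;

interface ThumbprintCheck {
  schemaErrors: string[];  // violations the CloudFormation schema itself would flag
  serviceErrors: string[]; // violations only the IAM service reports at deploy time
}

// Pre-synth check of a candidate thumbprintList for AWS::IAM::OIDCProvider.
function checkThumbprintList(list: string[] | undefined): ThumbprintCheck {
  const schemaErrors: string[] = [];
  const serviceErrors: string[] = [];

  // Property omitted: the schema marks nothing required, and the YAML
  // template above deployed without it. (The CDK L1 type still rejects
  // undefined at compile time, which is the bug this issue tracks.)
  if (list === undefined) {
    return { schemaErrors, serviceErrors };
  }

  if (list.length > MAX_ITEMS) {
    schemaErrors.push(`maxItems is ${MAX_ITEMS}, got ${list.length}`);
  }
  list.forEach((t, i) => {
    if (!THUMBPRINT_PATTERN.test(t)) {
      schemaErrors.push(`item ${i} is not a 40-character hex string: ${JSON.stringify(t)}`);
    }
  });

  // The schema has no minItems, so [] passes schema validation; the IAM API
  // still rejects it with "Thumbprint list must contain at least one entry".
  if (list.length === 0) {
    serviceErrors.push("Thumbprint list must contain at least one entry");
  }
  return { schemaErrors, serviceErrors };
}

// Thumbprint format IAM expects: SHA-1 of the DER-encoded certificate, hex.
// Assumption stated in the lead-in; feed it the bytes of the issuer's CA cert.
function thumbprintFromDer(der: Uint8Array): string {
  return createHash("sha1").update(der).digest("hex").toUpperCase();
}
```

Running checkThumbprintList([]) reports no schema error but one service error, which is exactly the split between the Application Composer result and the failed changeset seen in this thread.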

@ashishdhingra ashishdhingra added the needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. label Aug 8, 2024
@ashishdhingra
Contributor

Internal ticket for CloudFormation team: P147139122

@nicornk

nicornk commented Sep 2, 2024

Any update here?
