(aws-iam): (Simplify OpenIdConnectProvider by using CloudFormation resource instead of custom resource lambda)

[Gtofig]

Describe the feature

OpenIdConnectProvider construct currently creates custom resource lambda and associated resources to create OIDC provider.

However, CloudFormation now supports it out of the box: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html

The construct can be significantly simplified by moving to use direct CloudFormation resource.

Use Case

Custom resource lambdas are more complex, harder to understand, and reduce visibility into what's being created. Using CloudFormation resource directly would reduce complexity.

Proposed Solution

Switch to AWS::IAM::OIDCProvider CloudFormation resource

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.32.1

Environment details (OS name and version, etc.)

Ubuntu 18

[kadrach]

Related: #20460 and #8607

[PeterBaker0]

We received a notification that NodeJS 12 runtime is no longer being supported. This custom Lambda resource uses this runtime so could become an issue in coming months.

"AWS Lambda end of support for Node.js 12"

Is this relevant in prioritising this issue?

Cheers.

[diranged]

So I came across this issue after learning that the AWS-CDK's OpenIdConnectProvider construct is actually a custom construct and not leveraging the CfnOIDCProvider resource. I was surprised to find that this construct had a pretty old bug that we ran into years ago on our own custom code to do the same thing.

I have a solution here that has worked for us for a while now, and I've just ported it into a CDK-based deploy. I'd be happy to see this code baked into the CDK:

assets/thumbprint-layer/Dockerfile

FROM public.ecr.aws/sam/build-python3.7
COPY requirements.txt ./
RUN python -m pip install -r requirements.txt -t /opt/python
WORKDIR /
ENTRYPOINT [ "/bin/bash" ]

assets/thumbprint-layer/requirements.txt

boto3
pyOpenSSL
awsretry
certifi
cfn_resource_provider

assets/thumbprint-layer/thumprint.py

import certifi, sys, json, logging, os, urllib, ssl, socket, requests, traceback
from OpenSSL import crypto, SSL
from uuid import uuid4
from cfn_resource_provider import ResourceProvider

logging.basicConfig()
logger = logging.getLogger()
logger.setLevel(os.getenv('LOG_LEVEL', 'DEBUG'))

request_schema = {
  '$schema': 'http://json-schema.org/draft-04/schema#',
  'type': 'object',
  'required': ['URL'],
  'properties': {
    'URL': {'type': 'string', 'Description': 'The URL to hit'},
  }
}


class Thumbprint(ResourceProvider):
  def __init__(self):
    super(Thumbprint, self).__init__()
    self.request_schema = request_schema

  @property
  def url(self):
    return self.get('URL')

  @property
  def openid_config(self):
    return requests.get(self.url + '/.well-known/openid-configuration').json()

  @property
  def jwks_tuple(self):
    url = urllib.parse.urlparse(self.openid_config['jwks_uri'])
    return (url.hostname, 443)

  @property
  def root_cert(self):
    host, port = self.jwks_tuple
    context = SSL.Context(method=SSL.TLSv1_2_METHOD)
    context.load_verify_locations(cafile=certifi.where())
    conn = SSL.Connection(context, socket=socket.socket(socket.AF_INET, socket.SOCK_STREAM))
    conn.settimeout(5)
    conn.connect((host, port))
    conn.setblocking(1)
    conn.do_handshake()
    conn.set_tlsext_host_name(host.encode())
    return conn.get_peer_cert_chain()[-1]

  @property
  def thumbprint(self):
    return self.root_cert.digest('sha1').decode('utf-8').replace(':','')

  def create(self):
    try:
      self.physical_resource_id = self.thumbprint
    except Exception as e:
      traceback.print_exc()
      self.physical_resource_id = 'could-not-execute'
      self.fail('Failed to execute: %s' % e)

  def update(self):
    # Updates are not possible. Must delete and re-create. :(
    self.delete()
    self.create()

  def delete(self):
    self.success('no-op')

# This is the lambda handler call... but when we operate locally, see the
# __main__ below.
def handler(request, context):
  return Thumbprint().handle(request, context)

# When testing locally we just gather some data, but make no changes. The point
# of this test (right now) is to verify that we can hit the SSL endpoint, get
# the root certificate information and return it.
if __name__ == '__main__':
  print('Beginning test...  validating command-line usage first...')
  url = sys.argv[1]
  if not url:
      print(f'Usage: {sys.argv[0]} <EKS Cluster OIDC URL>')
      sys.exit(1)

  print(f'Will run test against {url} cluster...')
  request = {
    "RequestType": 'CREATE',
    "ResponseURL": "https://httpbin.org/put",
    "StackId": "arn:aws:cloudformation:us-west-2:EXAMPLE/stack-name/guid",
    "RequestId": "request-%s" % uuid4(),
    "ResourceType": "Custom::Resource",
    "LogicalResourceId": "MyCustomResource",
    "ResourceProperties": {
        "URL": url
    }
  }

  print('Creating Thumbprint() object...')
  thumbprint = Thumbprint()
  thumbprint.set_request(request, {})
  print(f'TEST: root_cert thumbprint = {thumbprint.thumbprint}')

AWS-CDK Resources

    const codeDirectory = Code.fromAsset('assets/thumbprint-layer');
    const thumbprintLayer: LayerVersion = new LayerVersion(this, 'ThumbprintLayer', {
      removalPolicy: RemovalPolicy.DESTROY,
      layerVersionName: scope.stackName,
      code: Code.fromDockerBuild(codeDirectory.path, {
        file: 'Dockerfile',
        platform: Architecture.X86_64.dockerPlatform,
        imagePath: '/opt'
      }),
      compatibleArchitectures: [Architecture.X86_64]
    });
    const handler = new Function(this, 'ThumbprintHandler', {
      runtime: Runtime.PYTHON_3_7,
      code: codeDirectory,
      layers: [thumbprintLayer],
      handler: 'thumbprint.handler'
    });
    handler.node.addDependency(thumbprintLayer);
    const thumbprint = new CustomResource(this, 'Thumbprint', {
      removalPolicy: RemovalPolicy.RETAIN,
      resourceType: 'Custom::Thumbprint',
      serviceToken: handler.functionArn,
      properties: {
        URL: props.cluster.clusterOpenIdConnectIssuerUrl
      }
    });
    thumbprint.node.addDependency(handler);
    new CfnOIDCProvider(this, 'OidcProvider', {
      thumbprintList: [thumbprint.ref],
      clientIdList: ['sts.amazonaws.com'],
      url: props.cluster.clusterOpenIdConnectIssuerUrl
    });

[ramesh82]

So I came across this issue after learning that the AWS-CDK's OpenIdConnectProvider construct is actually a custom construct and not leveraging the CfnOIDCProvider resource. I was surprised to find that this construct had a pretty old bug that we ran into years ago on our own custom code to do the same thing.

I have a solution here that has worked for us for a while now, and I've just ported it into a CDK-based deploy. I'd be happy to see this code baked into the CDK:

assets/thumbprint-layer/Dockerfile

FROM public.ecr.aws/sam/build-python3.7
COPY requirements.txt ./
RUN python -m pip install -r requirements.txt -t /opt/python
WORKDIR /
ENTRYPOINT [ "/bin/bash" ]

assets/thumbprint-layer/requirements.txt

boto3
pyOpenSSL
awsretry
certifi
cfn_resource_provider

assets/thumbprint-layer/thumprint.py

import certifi, sys, json, logging, os, urllib, ssl, socket, requests, traceback
from OpenSSL import crypto, SSL
from uuid import uuid4
from cfn_resource_provider import ResourceProvider

logging.basicConfig()
logger = logging.getLogger()
logger.setLevel(os.getenv('LOG_LEVEL', 'DEBUG'))

request_schema = {
  '$schema': 'http://json-schema.org/draft-04/schema#',
  'type': 'object',
  'required': ['URL'],
  'properties': {
    'URL': {'type': 'string', 'Description': 'The URL to hit'},
  }
}


class Thumbprint(ResourceProvider):
  def __init__(self):
    super(Thumbprint, self).__init__()
    self.request_schema = request_schema

  @property
  def url(self):
    return self.get('URL')

  @property
  def openid_config(self):
    return requests.get(self.url + '/.well-known/openid-configuration').json()

  @property
  def jwks_tuple(self):
    url = urllib.parse.urlparse(self.openid_config['jwks_uri'])
    return (url.hostname, 443)

  @property
  def root_cert(self):
    host, port = self.jwks_tuple
    context = SSL.Context(method=SSL.TLSv1_2_METHOD)
    context.load_verify_locations(cafile=certifi.where())
    conn = SSL.Connection(context, socket=socket.socket(socket.AF_INET, socket.SOCK_STREAM))
    conn.settimeout(5)
    conn.connect((host, port))
    conn.setblocking(1)
    conn.do_handshake()
    conn.set_tlsext_host_name(host.encode())
    return conn.get_peer_cert_chain()[-1]

  @property
  def thumbprint(self):
    return self.root_cert.digest('sha1').decode('utf-8').replace(':','')

  def create(self):
    try:
      self.physical_resource_id = self.thumbprint
    except Exception as e:
      traceback.print_exc()
      self.physical_resource_id = 'could-not-execute'
      self.fail('Failed to execute: %s' % e)

  def update(self):
    # Updates are not possible. Must delete and re-create. :(
    self.delete()
    self.create()

  def delete(self):
    self.success('no-op')

# This is the lambda handler call... but when we operate locally, see the
# __main__ below.
def handler(request, context):
  return Thumbprint().handle(request, context)

# When testing locally we just gather some data, but make no changes. The point
# of this test (right now) is to verify that we can hit the SSL endpoint, get
# the root certificate information and return it.
if __name__ == '__main__':
  print('Beginning test...  validating command-line usage first...')
  url = sys.argv[1]
  if not url:
      print(f'Usage: {sys.argv[0]} <EKS Cluster OIDC URL>')
      sys.exit(1)

  print(f'Will run test against {url} cluster...')
  request = {
    "RequestType": 'CREATE',
    "ResponseURL": "https://httpbin.org/put",
    "StackId": "arn:aws:cloudformation:us-west-2:EXAMPLE/stack-name/guid",
    "RequestId": "request-%s" % uuid4(),
    "ResourceType": "Custom::Resource",
    "LogicalResourceId": "MyCustomResource",
    "ResourceProperties": {
        "URL": url
    }
  }

  print('Creating Thumbprint() object...')
  thumbprint = Thumbprint()
  thumbprint.set_request(request, {})
  print(f'TEST: root_cert thumbprint = {thumbprint.thumbprint}')

AWS-CDK Resources

    const codeDirectory = Code.fromAsset('assets/thumbprint-layer');
    const thumbprintLayer: LayerVersion = new LayerVersion(this, 'ThumbprintLayer', {
      removalPolicy: RemovalPolicy.DESTROY,
      layerVersionName: scope.stackName,
      code: Code.fromDockerBuild(codeDirectory.path, {
        file: 'Dockerfile',
        platform: Architecture.X86_64.dockerPlatform,
        imagePath: '/opt'
      }),
      compatibleArchitectures: [Architecture.X86_64]
    });
    const handler = new Function(this, 'ThumbprintHandler', {
      runtime: Runtime.PYTHON_3_7,
      code: codeDirectory,
      layers: [thumbprintLayer],
      handler: 'thumbprint.handler'
    });
    handler.node.addDependency(thumbprintLayer);
    const thumbprint = new CustomResource(this, 'Thumbprint', {
      removalPolicy: RemovalPolicy.RETAIN,
      resourceType: 'Custom::Thumbprint',
      serviceToken: handler.functionArn,
      properties: {
        URL: props.cluster.clusterOpenIdConnectIssuerUrl
      }
    });
    thumbprint.node.addDependency(handler);
    new CfnOIDCProvider(this, 'OidcProvider', {
      thumbprintList: [thumbprint.ref],
      clientIdList: ['sts.amazonaws.com'],
      url: props.cluster.clusterOpenIdConnectIssuerUrl
    });

How do you import an existing provider arn using this approach?