@iankhou
Contributor

@iankhou iankhou commented Aug 22, 2025

Issue

Closes #20460.

Reason for this change

OpenIdConnectProvider, which uses CustomResource, should no longer be used. However, we still use it in EKS. It is superseded by OIDCProviderNative, which provides the same functionality by using the native CloudFormation resource, with less infrastructure complexity.

Description of changes

Introduced internal construct OpenIdConnectProviderInternal, which is a drop-in replacement for OpenIdConnectProvider, and changed EKS to use that. The change is breaking because we are changing the type that EKS is extending in its own implementation of OpenIdConnectProvider from OpenIdConnectProvider to OpenIdConnectProviderInternal.

Extend OpenIdConnectProviderInternal with OpenIdConnectProvider, but deprecate it.

Describe any new or updated permissions being added

None.

Description of how you validated changes

Ran unit and integration tests. No feature changes.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the p2 label Aug 22, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team August 22, 2025 15:59
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Aug 22, 2025
@iankhou iankhou self-assigned this Aug 22, 2025
@iankhou iankhou changed the title from "chore: deprecate OpenIdConnectProvider public API" to "chore!(iam): deprecate OpenIdConnectProvider public API" Aug 22, 2025
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

(This review is outdated)

@iankhou iankhou changed the title from "chore!(iam): deprecate OpenIdConnectProvider public API" to "chore(iam): deprecate OpenIdConnectProvider public API" Aug 22, 2025
@aws-cdk-automation aws-cdk-automation dismissed their stale review August 22, 2025 16:53

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@github-actions github-actions bot added effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1 and removed p2 labels Aug 22, 2025
@iankhou iankhou changed the title from "chore(iam): deprecate OpenIdConnectProvider public API" to "chore(iam)!: deprecate OpenIdConnectProvider public API" Aug 22, 2025
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

The pull request linter fails with the following errors:

❌ Fixes must contain a change to a test file.
❌ Fixes must contain a change to an integration test file and the resulting snapshot.
❌ The title prefix of this pull request must be one of "feat|fix|build|chore|ci|docs|style|refactor|perf|test|revert"

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

@iankhou iankhou changed the title from "chore(iam)!: deprecate OpenIdConnectProvider public API" to "fix(iam)!: deprecate OpenIdConnectProvider public API" Aug 22, 2025
@mrgrain mrgrain added the pr/request-cli-integ-tests Request CLI integ tests to be run. You will need to review the code and approve the deployment. label Aug 22, 2025
@aws-cdk-automation
Collaborator

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

@iankhou iankhou marked this pull request as ready for review August 22, 2025 21:53
@iankhou iankhou closed this Aug 28, 2025
@github-actions
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 28, 2025
@iankhou iankhou deleted the iankhou-oidc-provider-deprecation branch October 7, 2025 05:19

Labels

contribution/core This is a PR that came from AWS. effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1 pr/request-cli-integ-tests Request CLI integ tests to be run. You will need to review the code and approve the deployment.

Development

Successfully merging this pull request may close these issues.

(iam): configure OpenIdConnectProvider custom resource role

3 participants