diff --git a/allowed-breaking-changes.txt b/allowed-breaking-changes.txt
index a0ea6f3e517b4..0b7420e8e36c0 100644
--- a/allowed-breaking-changes.txt
+++ b/allowed-breaking-changes.txt
@@ -966,3 +966,6 @@ removed:aws-cdk-lib.lambda_layer_kubectl.KubectlLayer
 # Fixing the JsonSchema interface to be consistent with JSON Schema spec
 changed-type:aws-cdk-lib.aws_apigateway.JsonSchema.additionalItems
 strengthened:aws-cdk-lib.aws_apigateway.JsonSchema
+
+# Deprecating OpenIdConnectProvider and using an internal construct in EKS
+base-types:aws-cdk-lib.aws_eks.OpenIdConnectProvider
diff --git a/packages/aws-cdk-lib/aws-eks/lib/oidc-provider.ts b/packages/aws-cdk-lib/aws-eks/lib/oidc-provider.ts
index 5aa6bd410fc95..51a171e7d16ea 100644
--- a/packages/aws-cdk-lib/aws-eks/lib/oidc-provider.ts
+++ b/packages/aws-cdk-lib/aws-eks/lib/oidc-provider.ts
@@ -36,7 +36,7 @@ export interface OpenIdConnectProviderProps {
  * @resource AWS::CloudFormation::CustomResource
  */
 @propertyInjectable
-export class OpenIdConnectProvider extends iam.OpenIdConnectProvider {
+export class OpenIdConnectProvider extends iam.OpenIdConnectProviderInternal {
   /** Uniquely identifies this class. */
   public static readonly PROPERTY_INJECTION_ID: string = 'aws-cdk-lib.aws-eks.OpenIdConnectProvider';
diff --git a/packages/aws-cdk-lib/aws-iam/lib/oidc-provider.ts b/packages/aws-cdk-lib/aws-iam/lib/oidc-provider.ts
index a2ba398806e6f..ce9e8b46217a4 100644
--- a/packages/aws-cdk-lib/aws-iam/lib/oidc-provider.ts
+++ b/packages/aws-cdk-lib/aws-iam/lib/oidc-provider.ts
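Review bot: The new `extends iam.OpenIdConnectProviderInternal` line silently changes the class hierarchy in a way `instanceof` callers will not see at compile time: before this commit an EKS provider was an `iam.OpenIdConnectProvider`, whereas afterwards the deprecated `iam.OpenIdConnectProvider` is a sibling subclass of the same internal base, so `eksProvider instanceof iam.OpenIdConnectProvider` now evaluates to false. Any code that wires role trust policies or assertion logic off that check will quietly take the wrong branch. The enclosing class's doc comment starts before this hunk; it should state the change, e.g. `* Note: this construct no longer derives from iam.OpenIdConnectProvider; type against iam.IOpenIdConnectProvider rather than using instanceof.`, and the allow-list entry in allowed-breaking-changes.txt is not a substitute for a user-visible note in the release notes.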
@@ -90,21 +90,15 @@ export interface OpenIdConnectProviderProps {
 }
 /**
- * IAM OIDC identity providers are entities in IAM that describe an external
- * identity provider (IdP) service that supports the OpenID Connect (OIDC)
- * standard, such as Google or Salesforce. You use an IAM OIDC identity provider
- * when you want to establish trust between an OIDC-compatible IdP and your AWS
- * account. This is useful when creating a mobile app or web application that
- * requires access to AWS resources, but you don't want to create custom sign-in
- * code or manage your own user identities.
+ * Internal implementation of OpenIdConnectProvider.
- * @see http://openid.net/connect
- * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
+ * This class contains the actual implementation and is used internally by EKS, for backwards compatibility.
+ * It should not be used directly.
- * @resource AWS::CloudFormation::CustomResource
+ * @internal
  */
 @propertyInjectable
-export class OpenIdConnectProvider extends Resource implements IOpenIdConnectProvider {
+class OpenIdConnectProviderInternal extends Resource implements IOpenIdConnectProvider {
   /** Uniquely identifies this class. */
   public static readonly PROPERTY_INJECTION_ID: string = 'aws-cdk-lib.aws-iam.OpenIdConnectProvider';
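Review bot: The renamed class keeps `PROPERTY_INJECTION_ID = 'aws-cdk-lib.aws-iam.OpenIdConnectProvider'` even though the class is now `OpenIdConnectProviderInternal`, and nothing in the hunk says whether that mismatch is deliberate. It looks intentional (both the deprecated public subclass and the EKS subclass inherit this static, so existing injectors registered under the old ID keep matching), but the next maintainer will read it as a leftover from the rename and "fix" it, which would silently stop injection for every existing user; a one-line comment above the field such as `// Historical ID kept on purpose: injectors registered for the deprecated public class must still match both subclasses.` would prevent that. The new class doc also dropped the `@resource AWS::CloudFormation::CustomResource` tag while the constructor body that provisions the custom resource is unchanged (it continues past the end of this hunk), so readers of the internal class no longer see that it deploys a deploy-time Lambda-backed custom resource; I would keep that tag here too, since this is the class that actually creates the resource.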
@@ -190,3 +184,30 @@ export class OpenIdConnectProvider extends Resource implements IOpenIdConnectPro
     });
   }
 }
+
+/**
+ * IAM OIDC identity providers are entities in IAM that describe an external
+ * identity provider (IdP) service that supports the OpenID Connect (OIDC)
+ * standard, such as Google or Salesforce. You use an IAM OIDC identity provider
+ * when you want to establish trust between an OIDC-compatible IdP and your AWS
+ * account. This is useful when creating a mobile app or web application that
+ * requires access to AWS resources, but you don't want to create custom sign-in
+ * code or manage your own user identities.
+ *
+ * @see http://openid.net/connect
+ * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
+ *
+ * @resource AWS::CloudFormation::CustomResource
+ * @deprecated Use `OidcProviderNative` instead
+ */
+export class OpenIdConnectProvider extends OpenIdConnectProviderInternal {
+  // This class is intentionally empty - all functionality is in OpenIdConnectProviderInternal
+}
+
+/**
+ * Export the internal implementation for use by other AWS CDK modules (like EKS).
+ * This allows internal AWS services to use the implementation without the deprecation warnings.
+ *
+ * @internal
+ */
+export { OpenIdConnectProviderInternal };
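Review bot: The `export { OpenIdConnectProviderInternal };` line contradicts the `@internal` / "should not be used directly" contract it is documented with: once the class is exported from the public module and used as the base of a public `aws_eks.OpenIdConnectProvider`, any consumer can instantiate `iam.OpenIdConnectProviderInternal` and keep the custom-resource path without ever seeing the deprecation, and jsii-language users get a class whose name is the only thing marking it as unsupported. Conversely, if the build strips `@internal` declarations from the emitted types (I cannot tell from this diff whether it does), the EKS class ends up with a base type that is missing from the declaration output; the `base-types:` allow-list entry suggests jsii-diff does see the new base, so presumably the former is what happens, but it should be verified either way. If it must stay exported, follow the underscore convention for internal names (`_OpenIdConnectProviderInternal`) so the intent is machine-checkable, and add an assertion test that the deprecated class and the internal class synthesize byte-identical templates, since the empty subclass is the only thing guaranteeing existing stacks do not see a resource replacement. The `@deprecated Use \`OidcProviderNative\` instead` tag names a symbol that does not appear in this diff; confirm it is exported from the same module and consider stating that the replacement uses the native resource rather than a deploy-time custom resource, which is the security-relevant reason to migrate.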