433 changes: 256 additions & 177 deletions examples/pnpm-lock.yaml


4 changes: 3 additions & 1 deletion lib/package.json
Expand Up @@ -71,10 +71,12 @@
"//pnpm.overrides.braces": "braces is used by @stoplight/spectral-cli - Open issue: https://github.com/stoplightio/spectral/issues/2639. We will remove this override once the issue is fixed.",
"//pnpm.overrides.jsonpath-plus": "jsonpath-plus is used by @stoplight/spectral-cli and the safe version is not used yet by this library",
"pnpm": {
"// cross-spawn: audit errors due to @stutzlab/[email protected] and [email protected]": "",
"overrides": {
"braces@<3.0.3": ">=3.0.3",
"rollup@<3.29.5": ">=3.29.5",
"jsonpath-plus": ">=10"
"jsonpath-plus": ">=10",
"cross-spawn": ">=7.0.5"
}
}
}
44 changes: 7 additions & 37 deletions lib/pnpm-lock.yaml


6 changes: 6 additions & 0 deletions lib/src/wso2/types.ts
Expand Up @@ -86,6 +86,12 @@ export type Wso2Config = {
* @example 'wso2/customers/credentials' - with json contents "{ user: 'myuser', pwd: 'mypass' }"
*/
credentialsSecretId: string;
/**
* KMS key id used to decrypt the secret with credentials for accessing the WSO2 API.
* A permission to this KMS key will be added to the Lambda function that will be used to invoke the WSO2 API.
* @example '122234-55445-23423'
*/
credentialsSecretKMSKeyId?: string;
/**
* Version of the WSO2 server API
* @default v1
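Review bot: The TSDoc on the new `credentialsSecretKMSKeyId` field does not say which identifier form is accepted, and the `@example '122234-55445-23423'` is not shaped like a KMS key ID; since utils-cdk.ts interpolates the value into `arn:aws:kms:${region}:${accountId}:key/${…}`, an alias (`alias/…`) or a full key ARN would produce a malformed Resource and the grant would silently never match. I would state the contract explicitly: `* Must be the bare key ID (UUID) of a key in the same account and region as the stack — not an alias or a key ARN.` and use a UUID-shaped example such as `@example '1234abcd-12ab-34cd-56ef-1234567890ab'`. It is also worth a sentence that the IAM grant added here is only half of the authorization: unless the key policy delegates to IAM, the CMK's key policy must also allow the Lambda role to call Decrypt. The `Wso2Config` type continues outside the hunk.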
27 changes: 20 additions & 7 deletions lib/src/wso2/utils-cdk.ts
Expand Up @@ -59,6 +59,25 @@ export const addLambdaAndProviderForWso2Operations = (args: {
}
}

// define the initial policy for the custom resource lambda by adding secret and CMK permissions
const initialPolicy = [
PolicyStatement.fromJson({
Effect: 'Allow',
Action: 'secretsmanager:GetSecretValue',
Resource: `arn:aws:secretsmanager:${region}:${accountId}:secret:${args.props.wso2Config.credentialsSecretId}*`,
}),
];

if (args.props.wso2Config.credentialsSecretKMSKeyId) {
initialPolicy.push(
PolicyStatement.fromJson({
Effect: 'Allow',
Action: 'kms:decrypt',
Resource: `arn:aws:kms:${region}:${accountId}:key/${args.props.wso2Config.credentialsSecretKMSKeyId}`,
}),
);
}

// lambda function used for invoking WSO2 APIs during CFN operations
const customResourceFunction = new BaseNodeJsFunction(args.scope, `${args.id}-custom-lambda`, {
...customResourceConfig,
Expand All @@ -72,13 +91,7 @@ export const addLambdaAndProviderForWso2Operations = (args: {
createLiveAlias: false,
createDefaultLogGroup: true,
entry: wso2LambdaEntry,
initialPolicy: [
PolicyStatement.fromJson({
Effect: 'Allow',
Action: 'secretsmanager:GetSecretValue',
Resource: `arn:aws:secretsmanager:${region}:${accountId}:secret:${args.props.wso2Config.credentialsSecretId}*`,
}),
],
initialPolicy,
logGroupRetention,
});

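Review bot: The new `kms:decrypt` statement grants unconditional Decrypt on the key, so the custom-resource Lambda can decrypt anything encrypted under that CMK, not only the WSO2 credentials secret; scope it to Secrets Manager use by adding `Condition: { StringEquals: { 'kms:ViaService': \`secretsmanager.${region}.amazonaws.com\` } }` to the same `PolicyStatement.fromJson` object. The action is conventionally written `kms:Decrypt` (IAM evaluates action names case-insensitively, so this is style, but the companion test greps for the literal lowercase string, so change both together). The Resource also hard-codes the `arn:aws` partition and assumes the configured value is a bare key ID, so a key ARN, an alias, or a GovCloud/China partition yields an ARN that matches nothing; if a `Stack` is in scope here, `Stack.of(args.scope).partition` removes the first assumption, and a guard that throws when the value contains `:` or `/` would catch the others — both inferred, since `region` and `accountId` are defined above the hunk. `addLambdaAndProviderForWso2Operations` starts and ends outside the hunk.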
2 changes: 1 addition & 1 deletion lib/src/wso2/wso2-api/handler/index.ts
@@ -1,6 +1,6 @@
/* eslint-disable no-console */
import { CdkCustomResourceEvent, CdkCustomResourceResponse } from 'aws-lambda';
import { AxiosInstance } from 'axios';
import { CdkCustomResourceEvent, CdkCustomResourceResponse } from 'aws-lambda';

import { PublisherPortalAPIv1 } from '../v1/types';
import { Wso2ApiCustomResourceProperties } from '../types';
5 changes: 5 additions & 0 deletions lib/src/wso2/wso2-api/wso2-api.test.ts
Expand Up @@ -25,6 +25,10 @@ describe('wso2-api-construct', () => {
const template = Template.fromStack(stack);
// console.log(JSON.stringify(template.toJSON(), null, 2));

const templateStr = JSON.stringify(template.toJSON());
expect(templateStr).toContain('"Action":"secretsmanager:GetSecretValue"');
expect(templateStr).toContain('"Action":"kms:decrypt"');

template.hasResourceProperties('Custom::Wso2Api', {
wso2Config: testProps1.wso2Config,
apiDefinition: wso2Api.apiDefinition,
Expand Down Expand Up @@ -94,6 +98,7 @@ const testProps = (): Wso2ApiProps => {
wso2Config: {
baseApiUrl: 'http://localhost:8080/wso2',
credentialsSecretId: 'arn::creds',
credentialsSecretKMSKeyId: '1234-5678-0000',
},
apiDefinition: testWso2ApiDefs({
context: '/test1',
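Review bot: The two new `toContain` checks only prove that an action string appears somewhere in the synthesized template, not that the KMS statement is attached to the custom-resource Lambda's role or that it targets the key given in `credentialsSecretKMSKeyId`, and there is no case for the default path where the key is omitted. Since the field is optional, I would add a second stack built from `testProps()` with `credentialsSecretKMSKeyId` deleted and assert `expect(JSON.stringify(template2.toJSON())).not.toContain('"Action":"kms:decrypt"')`, which pins that no KMS grant is emitted unless configured. For the positive case, matching the statement through `template.hasResourceProperties('AWS::IAM::Policy', …)` with the `kms:decrypt` action and a Resource referencing `1234-5678-0000` would be stronger than a substring search, though whether `Match` from `aws-cdk-lib/assertions` is already imported in this file is not visible from the hunk. The `describe` block and `testProps` both start above the hunk.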