Move to TypeScript, fix various issues

config.js → config.ts

@@ -1,9 +1,11 @@
 const Conf = {
-  APP_IAM_AWS_REGION: process.env.APP_IAM_AWS_REGION,
+  APP_AWS_REGION: process.env.APP_AWS_REGION,
   APP_OIDC_IAM_ARN: process.env.APP_OIDC_IAM_ARN,
   OIDC_LOGIN_DOMAIN: process.env.OIDC_LOGIN_DOMAIN
 }
 
-module.exports.config = () => {
+function Config() {
   return Conf
-}
+}
+
+export default Config

env.yml

@@ -1,3 +1,3 @@
-APP_IAM_AWS_REGION: us-east-1
+APP_AWS_REGION: us-east-1
 APP_OIDC_IAM_ARN: arn:aws:iam::xxxxxxxx:oidc-provider/login-domain.com
 OIDC_LOGIN_DOMAIN: login-domain.com

handler.ts

@@ -0,0 +1,36 @@
+"use strict";
+import AWS from "aws-sdk";
+const sslCertificate = require('get-ssl-certificate-fork');
+import Config from './config';
+
+exports.run = async (event, context) => {
+  const conf = Config();
+  const cert = await sslCertificate.get(conf.OIDC_LOGIN_DOMAIN, 5000, 443, "https:", true);
+  let fingerprint = cert.issuerCertificate.fingerprint.toLowerCase().replace(/:/g, '');
+  console.log(fingerprint);
+
+  AWS.config.update({ region: conf.APP_AWS_REGION })
+  const iam = new AWS.IAM()
+  const options = {
+    OpenIDConnectProviderArn: conf.APP_OIDC_IAM_ARN
+  };
+  iam.getOpenIDConnectProvider(options, (err, data) => {
+    if (err) console.log(err, err.stack);
+    else {
+      console.dir(data);
+      console.dir(data.ThumbprintList);
+      if (data.ThumbprintList.indexOf(fingerprint) === -1) {
+        console.log("UPDATE AWS CERT!!!");
+        data.ThumbprintList[0] = fingerprint;
+        const updateParams = {
+          OpenIDConnectProviderArn: conf.APP_OIDC_IAM_ARN,
+          ThumbprintList: data.ThumbprintList
+        };
+        iam.updateOpenIDConnectProviderThumbprint(updateParams, function (err, data) {
+          if (err) console.log(err, err.stack); // an error occurred
+          else console.log('Cert successfully updated', data); // successful response
+        });
+      }
+    }
+  });
+};

package.json

@@ -5,6 +5,10 @@
   "author": "[email protected]",
   "license": "MIT",
   "dependencies": {
-    "openssl-nodejs": "^1.0.5"
+    "get-ssl-certificate-fork": "^2.3.5"
+  },
+  "devDependencies": {
+    "aws-sdk": "^2.819.0",
+    "serverless-bundle": "^4.1.0"
   }
 }

serverless.yml

@@ -1,15 +1,41 @@
 service: aws-oidc-thumbprint
 
+frameworkVersion: ">2.0.0"
+
+plugins:
+  - serverless-webpack
+
+custom:
+  webpack:
+    webpackConfig: './webpack.config.js'
+    includeModules:
+      forceInclude:
+        - get-ssl-certificate-fork
+
 provider:
   name: aws
   runtime: nodejs12.x
+
   environment:
-    APP_IAM_AWS_REGION: ${file(.env.yml):APP_IAM_AWS_REGION}
+    APP_AWS_REGION: ${file(.env.yml):APP_AWS_REGION}
     APP_OIDC_IAM_ARN: ${file(.env.yml):APP_OIDC_IAM_ARN}   
+    OIDC_LOGIN_DOMAIN: ${file(.env.yml):OIDC_LOGIN_DOMAIN}
+
+  iamRoleStatements:
+    - Effect: Allow
+      Action:
+        - iam:GetOpenIDConnectProvider
+      Resource:
+        - ${file(.env.yml):APP_OIDC_IAM_ARN}  
+    - Effect: Allow
+      Action:
+        - iam:UpdateOpenIDConnectProviderThumbprint
+      Resource:
+        - ${file(.env.yml):APP_OIDC_IAM_ARN}  
 
 functions:
   cron:
-    handler: handler
+    handler: handler.run
     events:
       # Invoke Lambda function every 5 minute
-      - schedule: cron(0/1 * * * ? *)
+      - schedule: cron(0/1 * * * ? *)

tsconfig.json

@@ -0,0 +1,24 @@
+{
+  "compilerOptions": {
+    "lib": [
+      "es2017"
+    ],
+    "removeComments": true,
+    "moduleResolution": "node",
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "sourceMap": true,
+    "target": "es2017",
+    "outDir": "lib"
+  },
+  "include": [
+    "./**/*.ts"
+  ],
+  "exclude": [
+    "node_modules/**/*",
+    ".serverless/**/*",
+    ".webpack/**/*",
+    "_warmup/**/*",
+    ".vscode/**/*"
+  ]
+}

webpack.config.js

@@ -0,0 +1,51 @@
+const path = require('path');
+const slsw = require('serverless-webpack');
+const nodeExternals = require('webpack-node-externals');
+const ForkTsCheckerWebpackPlugin = require('fork-ts-checker-webpack-plugin');
+
+module.exports = {
+  context: __dirname,
+  mode: slsw.lib.webpack.isLocal ? 'development' : 'production',
+  entry: slsw.lib.entries,
+  devtool: slsw.lib.webpack.isLocal ? 'cheap-module-eval-source-map' : 'source-map',
+  resolve: {
+    extensions: ['.mjs', '.json', '.ts'],
+    symlinks: false,
+    cacheWithContext: false,
+  },
+  output: {
+    libraryTarget: 'commonjs',
+    path: path.join(__dirname, '.webpack'),
+    filename: '[name].js',
+  },
+  target: 'node',
+  externals: [nodeExternals()],
+  module: {
+    rules: [
+      // all files with a `.ts` or `.tsx` extension will be handled by `ts-loader`
+      {
+        test: /\.(tsx?)$/,
+        loader: 'ts-loader',
+        exclude: [
+          [
+            path.resolve(__dirname, 'node_modules'),
+            path.resolve(__dirname, '.serverless'),
+            path.resolve(__dirname, '.webpack'),
+          ],
+        ],
+        options: {
+          transpileOnly: true,
+          experimentalWatchApi: true,
+        },
+      },
+    ],
+  },
+  plugins: [
+    // new ForkTsCheckerWebpackPlugin({
+    //   eslint: true,
+    //   eslintOptions: {
+    //     cache: true
+    //   }
+    // })
+  ],
+};