draft of changes

ASFHyP3 · Dec 12, 2024 · 2ec5564 · 2ec5564
1 parent fb49035
commit 2ec5564
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 36 deletions.
diff --git a/.github/configure-aws-credentials.yml b/.github/configure-aws-credentials.yml
@@ -9,44 +9,8 @@ Parameters:
     Description: Arn for the GitHub OIDC Provider. (optional)
     Default: ""
     Type: String
-  OIDCAudience:
-    Description: Audience supplied to configure-aws-credentials.
-    Default: "sts.amazonaws.com"
-    Type: String
-
-Conditions:
-  CreateOIDCProvider: !Equals
-    - !Ref OIDCProviderArn
-    - ""
 
 Resources:
-  Role:
-    Type: AWS::IAM::Role
-    Properties:
-      AssumeRolePolicyDocument:
-        Statement:
-          - Effect: Allow
-            Action: sts:AssumeRoleWithWebIdentity
-            Principal:
-              Federated: !If
-                - CreateOIDCProvider
-                - !Ref GithubOidc
-                - !Ref OIDCProviderArn
-            Condition:
-              StringEquals:
-                token.actions.githubusercontent.com:aud: !Ref OIDCAudience
-              StringLike:
-                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
-
-  GithubOidc:
-    Type: AWS::IAM::OIDCProvider
-    Condition: CreateOIDCProvider
-    Properties:
-      Url: https://token.actions.githubusercontent.com
-      ClientIdList:
-        - sts.amazonaws.com
-      ThumbprintList:
-        - ffffffffffffffffffffffffffffffffffffffff
 
 Outputs:
   Role:

diff --git a/docs/deployments/ASF-deployment-ci-cf.yml b/docs/deployments/ASF-deployment-ci-cf.yml
@@ -6,6 +6,31 @@ Parameters:
     Type: String
 
 Resources:
+  GithubOidcRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRoleWithWebIdentity
+            Principal:
+              Federated: !Ref GithubOidc
+            Condition:
+              StringEquals:
+                token.actions.githubusercontent.com:aud: "sts.amazonaws.com"
+              # TODO left off here:
+              StringLike:
+                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
+
+  GithubOidc:
+    Type: AWS::IAM::OIDCProvider
+    Properties:
+      Url: https://token.actions.githubusercontent.com
+      ClientIdList:
+        - sts.amazonaws.com
+      ThumbprintList:
+        - ffffffffffffffffffffffffffffffffffffffff
+
   CloudformationDeploymentRole:
     Type: AWS::IAM::Role
     Properties: