From 1fd6d68b1af6424782cfc8f6a0c1b803c2ce1397 Mon Sep 17 00:00:00 2001 From: Jonathan Williams Date: Fri, 19 Jan 2024 10:56:20 -0500 Subject: [PATCH] :pencil: update ci/cd docs --- docs/cicd.md | 18 +++++++++--------- readme.md | 2 ++ 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/docs/cicd.md b/docs/cicd.md index 759dc3c..1acb2ee 100644 --- a/docs/cicd.md +++ b/docs/cicd.md @@ -3,9 +3,9 @@ Since [Github Actions](https://docs.github.com/actions) runs our CI/CD pipeline, a recommended refresher on CI/CD is the github ["CI/CD explained" article](https://resources.github.com/ci-cd/). The implementation of this pipeline is a one-time exercise, with this as a record detailing what was done. -### Overview +## Overview -A rudimentary [workflow](https://docs.github.com/en/actions/using-workflows/about-workflows#about-workflows) has been setup for deployment of the app that breaks down into the following sequence: +A [workflow](https://docs.github.com/en/actions/using-workflows/about-workflows#about-workflows) has been setup for deployment of the app that breaks down into the following sequence: 1. A feature branch is approved and merged into the main branch of the github repository for the app. This kicks off the [workflow](https://docs.github.com/en/actions/using-workflows/about-workflows#about-workflows). @@ -31,7 +31,7 @@ The abridged steps are: The role "WordpressProtectedAssetsGithubActionsCloudformingRole" can be found [here](https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/roles/details/WordpressProtectedAssetsGithubActionsCloudformingRole?section=permissions) Role policy: - ``` + ```json { "Version": "2012-10-17", "Statement": [ @@ -60,7 +60,7 @@ The abridged steps are: Trust relationship: - ``` + ```json { "Version": "2012-10-17", "Statement": [ 
@@ -87,7 +87,7 @@ The abridged steps are: 3. Create the github action (located in `.github/workflows/cicd.yml`) Below are relevant excerpts that shows the deploy job step that uses the role (`role-session-name`) - ``` + ```yaml env: AWS_REGION: us-east-1 @@ -98,9 +98,9 @@ The abridged steps are: ... jobs: - ... - deploy: - ... + ... + deploy: + ... - uses: aws-actions/configure-aws-credentials@v2 with: role-to-assume: arn:aws:iam::115619461932:role/WordpressProtectedAssetsGithubActionsCloudformingRole 
@@ -121,4 +121,4 @@ OIDC (OpenID Connect) is an identity layer built on top of OAuth 2.0 that allows 4. **Defense Against Key Exfiltration:** If an attacker gains access to the OIDC provider's private key used for token signing, they might try to insert their own public key into the provider's configuration. The OIDC thumbprint can help prevent such attacks by verifying that the public key used for token validation aligns with the trusted key. 5. **Third-Party OIDC Providers:** In scenarios where the relying party trusts multiple OIDC providers, the thumbprint can help ensure that tokens are only accepted from the intended and validated OIDC provider, preventing tokens from unauthorized providers. -In summary, the OIDC thumbprint is a security mechanism that enhances the trustworthiness of the OIDC authentication process by providing a means to verify the authenticity of the OIDC provider's token validation endpoint. It adds an additional layer of protection against various attack vectors, particularly those involving tampering, impersonation, and unauthorized token sources. \ No newline at end of file +In summary, the OIDC thumbprint is a security mechanism that enhances the trustworthiness of the OIDC authentication process by providing a means to verify the authenticity of the OIDC provider's token validation endpoint. It adds an additional layer of protection against various attack vectors, particularly those involving tampering, impersonation, and unauthorized token sources. diff --git a/readme.md b/readme.md index 90a0942..3d44483 100644 --- a/readme.md +++ b/readme.md 
@@ -57,6 +57,8 @@ wp access network-update-dynamodb The parameters of the BU production deployment are in the `samconfig.toml` file under the "prod" stanza. +Deployments are handled automatically by a Github Action that runs a `sam build` and `sam deploy` with the `prod` configuration when a commit is made to the `main` branch. More details about the Github Action are available in the [Continuous integration/deployment (CI/CD)](./docs/cicd.md) documentation. + ## Testing The package includes a suite of unit tests that can be run using the following command:
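Review bot: In the docs/cicd.md hunk at `@@ -3,9 +3,9 @@`, the heading is promoted from `### Overview` to `## Overview` while the only other headings visible in this patch are the ones inside this file; confirm the remaining section headings in docs/cicd.md are at the same depth so the document outline stays consistent after this change. While touching this line, "has been setup for deployment" should read "has been set up for deployment" (the verb is two words), and the new wording drops "rudimentary" without saying what else changed about the workflow, so the commit message or the line itself could say why the qualifier no longer applies.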
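Review bot: The `@@ -98,9 +98,9 @@` hunk re-indents `...`, `deploy:` and `...` but the `- uses: aws-actions/configure-aws-credentials@v2` step that follows is still shown without the `steps:` key it lives under, so once the block is tagged `yaml` a reader copying the excerpt gets something that does not parse. Either add the `steps:` line to the excerpt or state above the fence that it is an abridged excerpt. Separately, the action is pinned only by the floating tag `@v2`; for a job that assumes a production deployment role, consider pinning to a full commit SHA (with the tag in a trailing comment) so a moved tag cannot silently change what runs with those credentials.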
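Review bot: The `@@ -121,4 +121,4 @@` hunk only adds the missing trailing newline to docs/cicd.md; an `.editorconfig` with `insert_final_newline = true` would keep this from recurring. Since the closing paragraph is being touched anyway, note that item 4 describes the thumbprint as validating the token-signing public key while the summary sentence says it verifies the "token validation endpoint"; the two read as describing different things, so it is worth stating in one place exactly which certificate or key the thumbprint is compared against.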
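Review bot: The readme.md hunk at `@@ -57,6 +57,8 @@` states that a production `sam deploy` runs "when a commit is made to the `main` branch", which means any push to `main` is a production deployment; the sentence should point out that `main` must be protected so that only reviewed merges (as docs/cicd.md step 1 describes) reach it, or link to where that requirement is documented. Minor: the new line writes "Github Action" while the linked doc writes "Github Actions" and GitHub's own name is "GitHub Actions"; pick one spelling across both files.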