Merge pull request #44 from aws-quickstart/test_fix

Simplify templates and fix reference to ClusterName from EKS stack
aws-quickstart · Feb 15, 2022 · fab4a77 · fab4a77
2 parents 9ca8b4c + 590e1de
commit fab4a77
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml
@@ -32,7 +32,7 @@ Resources:
     Type: Custom::GetOIDCProvider
     Properties:
       ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader"
-      AwsCliCommand: !Sub "eks describe-cluster --name ${ClusterName} --query 'cluster.identity.oidc.{issuer:issuer}'"
+      AwsCliCommand: !Sub "eks describe-cluster --name ${EKSStack.Outputs.EKSClusterName} --query 'cluster.identity.oidc.{issuer:issuer}'"
       IdField: 'issuer'
   PreworkStack:
     Type: AWS::CloudFormation::Stack

diff --git a/blog-assets/eks-cluster-prework/templates/prework.template.yaml b/blog-assets/eks-cluster-prework/templates/prework.template.yaml
@@ -16,10 +16,6 @@ Parameters:
     ConstraintDescription: "a lowercase RFC 1123 subdomain must consist of lower case
       alphanumeric characters, '-' or '.', and must start and end with an alphanumeric
       character"
-  OIDCProvider:
-    Type: String
-    Description: Amazon EKS cluster OIDC provider, without the protocol (e.g., oidc.eks.us-east-1.amazonaws.com/id/SADFASFFASFXCCVXCVSDFSDF).
-    Default: ""
   KubernetesNameSpace:
     Type: String
     Default: "prework-example"
@@ -36,12 +32,12 @@ Resources:
               {
                 "Effect": "Allow",
                 "Principal": {
-                  "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDCProvider}"
+                  "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${GetOIDCProvider}"
                 },
                 "Action": "sts:AssumeRoleWithWebIdentity",
                 "Condition": {
                   "StringEquals": {
-                    "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}"
+                    "${GetOIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}"
                   }
                 }
               }
@@ -60,7 +56,13 @@ Resources:
                   - s3:GetObject
                   - s3:HeadObject
                 Resource:
-                  -  !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}"
+                  - !Sub "arn:${AWS::Partition}:s3:::${PreworkScriptBucket}/${PreworkScriptObject}"
+  GetOIDCProvider:
+    Type: Custom::GetOIDCProvider
+    Properties:
+      ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader"
+      AwsCliCommand: !Sub "eks describe-cluster --name ${ClusterName} --query 'cluster.identity.oidc.{issuer:issuer}'"
+      IdField: 'issuer'
   KubePreWorkNamespace:
     Type: "AWSQS::Kubernetes::Resource"
     Properties: