cdk-pipelines-github
CDK_AWS_PARTITION: Does not fix the OIDC region and audience.
Hi,
Setting the environment variable `CDK_AWS_PARTITION` as specified here: AWS China partition support, does not make sure that the `audience` and `aws-region` of this action, `aws-actions/configure-aws-credentials@v4`, are configured correctly. This results in the following:
pipeline-definition.yml

```yaml
# AUTOMATICALLY GENERATED FILE, DO NOT EDIT MANUALLY.
# Generated by AWS CDK and [cdk-pipelines-github](https://github.com/cdklabs/cdk-pipelines-github)
name: deploy-china-partition
on:
  push:
    branches:
      - main
  workflow_dispatch: {}
jobs:
  # ... other steps
  Assets-FileAsset1:
    name: Publish Assets Assets-FileAsset1
    needs:
      - Build-Build
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    outputs:
      asset-hash: ${{ steps.Publish.outputs.asset-hash }}
    steps:
      - name: Download cdk.out
        uses: actions/download-artifact@v4
        with:
          name: cdk.out
          path: cdk.out
      - name: Install
        run: npm install --no-save cdk-assets
      - name: Authenticate Via OIDC Role
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-west-1
          role-duration-seconds: 1800
          role-skip-session-tagging: true
          role-to-assume: arn:aws-cn:iam::000000000000:role/DummyOIDCRole
      - id: Publish
        name: Publish Assets-FileAsset1
        run: /bin/bash ./cdk.out/assembly-DummyStage/publish-Assets-FileAsset1-step.sh
  # ... other steps
```
The `aws-region` part can be fixed by setting `publishAssetsAuthRegion` when creating the pipeline. However, the `audience` is not set to `sts.amazonaws.com.cn`, which is a requirement for the OIDC authentication to work: OIDC Audience. Because of this, the GitHub action to assume the OIDC role will fail.
Relevant issues:
Reproducible Python code:

requirements.txt

```text
aws-cdk-lib==2.154.0
constructs>=10.0.0,<11.0.0
cdk-pipelines-github
```
cdk.json

```json
{
  "app": "python3 app.py",
  "watch": {
    "include": [
      "**"
    ],
    "exclude": [
      "README.md",
      "cdk*.json",
      "requirements*.txt",
      "source.bat",
      "**/__init__.py",
      "**/__pycache__",
      "tests"
    ]
  },
  "context": {
    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
    "@aws-cdk/core:checkSecretUsage": true,
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn"
    ],
    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
    "@aws-cdk/aws-iam:minimizePolicies": true,
    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
    "@aws-cdk/core:enablePartitionLiterals": true,
    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
    "@aws-cdk/aws-route53-patters:useCertificate": true,
    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
    "@aws-cdk/aws-redshift:columnId": true,
    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
    "@aws-cdk/aws-kms:aliasNameRef": true,
    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true
  }
}
```
app.py

```python
#!/usr/bin/env python3
import os

import aws_cdk as cdk
from aws_cdk import aws_sqs as sqs, pipelines
from constructs import Construct
from cdk_pipelines_github import GitHubWorkflow, AwsCredentials, JsonPatch

app = cdk.App()

TEST_ACCOUNT_ID = os.environ['TEST_ACCOUNT_ID']
TEST_OIDC_ROLE_NAME = os.environ['TEST_OIDC_ROLE_NAME']


class DummyStack(cdk.Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        # Any resource will do; the stack only exists so the stage has something to deploy.
        sqs.Queue(
            self,
            "IssueGithubPipelinesQueue",
            visibility_timeout=cdk.Duration.seconds(300),
        )


class DummyPipelineStage(cdk.Stage):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        DummyStack(self, "TestStack", **kwargs)


github_pipeline = GitHubWorkflow(
    app,
    "GithubPipeline",
    synth=pipelines.ShellStep(
        "Build",
        commands=[
            "npm install -g aws-cdk",
            "python -m pip install -r requirements.txt",
            "cdk synth",
        ],
    ),
    # The role lives in the aws-cn partition, so the OIDC token must be issued for sts.amazonaws.com.cn.
    aws_creds=AwsCredentials.from_open_id_connect(
        git_hub_action_role_arn=f"arn:aws-cn:iam::{TEST_ACCOUNT_ID}:role/{TEST_OIDC_ROLE_NAME}"
    ),
    workflow_name="deploy-china-partition",
    workflow_path=".github/workflows/deploy-china-partition.yml",
    # Sets aws-region on the asset-publishing jobs; it does not touch the audience.
    publish_assets_auth_region="cn-northwest-1",
)

# Workflow-level env so account id and role name come from repository variables at run time.
github_pipeline.workflow_file.patch(
    JsonPatch.add(
        '/env',
        {
            'AWS_STS_REGIONAL_ENDPOINTS': 'regional',
            'TEST_ACCOUNT_ID': '${{ vars.TEST_ACCOUNT_ID }}',
            'TEST_OIDC_ROLE_NAME': '${{ vars.TEST_OIDC_ROLE_NAME }}',
        }
    )
)

wave = github_pipeline.add_wave("MultiRegion")
stage = DummyPipelineStage(
    app,
    "DummyStage",
    # Must be a real aws-cn region name (cn-north-1 or cn-northwest-1).
    env=cdk.Environment(account=TEST_ACCOUNT_ID, region="cn-northwest-1"),
)
wave.add_stage(stage)

app.synth()
```
Version

Python 3.10.0, cdk-pipelines-github version: `cdk-pipelines-github==0.4.124`

Modifications/environment/deployment

I have made no modifications to code, environment or deployment that should affect this.
Issue

Setting the environment variable `CDK_AWS_PARTITION` does not set up the OIDC GitHub Action correctly.

Local testing:
- Make sure you have Python, pip and cdk installed.
- Copy `cdk.json`, `app.py` and `requirements.txt`.
- `python3 -m venv .venv`
- `source .venv/bin/activate`
- `pip install -r requirements.txt`
- `export TEST_ACCOUNT_ID=<account-id> && export TEST_OIDC_ROLE_NAME=<oidc-role-name>`
- `cdk synth`
- View the output workflow file in `.github/workflows/`.
EDITS:
- Updated the Python file by changing the env variables for the workflow. Added cdk.json. Added a description of how to test locally.
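The mismatch the report above describes (a role in `aws-cn` paired with a commercial `aws-region` and the default `sts.amazonaws.com` audience) can be caught and corrected mechanically on the synthesized workflow. The check below is an added example, not part of the original issue and not code from cdk-pipelines-github. It models the generated workflow as a plain dict (the shape a YAML loader gives for the file on the page, with `SAMPLE_WORKFLOW` constructed here from the `Assets-FileAsset1` job), walks every `aws-actions/configure-aws-credentials` step, and emits JSON Patch operations that align `audience` and `aws-region` with the partition of `role-to-assume`. The op dicts are the same `{op, path, value}` triples that `JsonPatch.add` (used in app.py above) and `JsonPatch.replace` take, so they can be fed to `workflow_file.patch(...)`; `oidc_patches`, `apply_patches` and `role_partition` are names chosen for this example. The `audience` input of the action and the `sts.amazonaws.com.cn` audience for the China partition are taken from the issue; GovCloud is deliberately rejected rather than guessed.

```python
import copy

# STS audience GitHub's OIDC token must carry, per AWS partition.
# Only the two partitions the issue discusses are modelled; anything else
# (e.g. aws-us-gov) raises instead of silently using the commercial value.
OIDC_AUDIENCE = {
    "aws": "sts.amazonaws.com",
    "aws-cn": "sts.amazonaws.com.cn",
}

CREDS_ACTION = "aws-actions/configure-aws-credentials@"


def role_partition(role_arn):
    """Partition segment of an IAM role ARN: arn:<partition>:iam::<account>:role/<name>."""
    parts = role_arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or parts[2] != "iam":
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return parts[1]


def region_partition(region):
    """Partition a region name belongs to, derived from its prefix."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def oidc_patches(workflow, fallback_region=None):
    """Return JSON Patch ops that make every configure-aws-credentials step's
    audience and aws-region consistent with the partition of its role.

    fallback_region is used when a step's aws-region sits in the wrong
    partition (the us-west-1 default seen in the issue); it must itself be
    in the role's partition, otherwise the mismatch is reported as an error."""
    ops = []
    for job_id, job in workflow.get("jobs", {}).items():
        for idx, step in enumerate(job.get("steps", [])):
            if not step.get("uses", "").startswith(CREDS_ACTION):
                continue
            inputs = step.get("with", {})
            role = inputs.get("role-to-assume")
            if role is None:
                continue  # static keys, not an OIDC role assumption
            partition = role_partition(role)
            if partition not in OIDC_AUDIENCE:
                raise ValueError(f"{job_id}: unsupported partition {partition!r}")
            want_audience = OIDC_AUDIENCE[partition]
            base = f"/jobs/{job_id}/steps/{idx}/with"

            # The action falls back to sts.amazonaws.com when audience is omitted.
            if inputs.get("audience", "sts.amazonaws.com") != want_audience:
                ops.append({"op": "replace" if "audience" in inputs else "add",
                            "path": f"{base}/audience", "value": want_audience})

            region = inputs.get("aws-region", "")
            if region_partition(region) != partition:
                if fallback_region is None or region_partition(fallback_region) != partition:
                    raise ValueError(f"{job_id}: aws-region {region!r} is not in partition "
                                     f"{partition!r} and no usable fallback_region was given")
                ops.append({"op": "replace" if "aws-region" in inputs else "add",
                            "path": f"{base}/aws-region", "value": fallback_region})
    return ops


def _resolve(doc, pointer):
    """Walk an RFC 6901 JSON Pointer and return (parent container, last token)."""
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in pointer.split("/")[1:]]
    node = doc
    for tok in tokens[:-1]:
        node = node[int(tok)] if isinstance(node, list) else node[tok]
    return node, tokens[-1]


def apply_patches(workflow, ops):
    """Apply add/replace ops to a deep copy of the workflow (what the library
    does with queued JsonPatch ops at synth time); the input is left untouched."""
    patched = copy.deepcopy(workflow)
    for op in ops:
        if op["op"] not in ("add", "replace"):
            raise ValueError(f"unsupported op {op['op']!r}")
        parent, key = _resolve(patched, op["path"])
        if not isinstance(parent, dict):
            raise ValueError(f"{op['path']}: this example only patches mapping keys")
        if op["op"] == "replace" and key not in parent:
            raise KeyError(op["path"])
        parent[key] = op["value"]
    return patched


# Constructed sample: the Assets-FileAsset1 job from the generated workflow in
# the issue, reduced to the fields the check reads. Note the aws-cn role next
# to a commercial region and no audience input.
SAMPLE_WORKFLOW = {
    "name": "deploy-china-partition",
    "jobs": {
        "Assets-FileAsset1": {
            "permissions": {"contents": "read", "id-token": "write"},
            "steps": [
                {"name": "Download cdk.out", "uses": "actions/download-artifact@v4"},
                {"name": "Install", "run": "npm install --no-save cdk-assets"},
                {"name": "Authenticate Via OIDC Role",
                 "uses": "aws-actions/configure-aws-credentials@v4",
                 "with": {"aws-region": "us-west-1",
                          "role-duration-seconds": 1800,
                          "role-skip-session-tagging": True,
                          "role-to-assume": "arn:aws-cn:iam::000000000000:role/DummyOIDCRole"}},
            ],
        }
    },
}

if __name__ == "__main__":
    for op in oidc_patches(SAMPLE_WORKFLOW, fallback_region="cn-northwest-1"):
        print(op)
```

Run against the sample it reports two ops: an `add` of `audience: sts.amazonaws.com.cn` and a `replace` of `aws-region` with the fallback; on the patched result it reports nothing, and on the same job with an `arn:aws:` role and `us-west-1` it also reports nothing, which is the invariant a CI step can enforce after `cdk synth` before the workflow is committed.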