Open williwlwilliwll opened 1 month ago
The referenced iam.generated defines the CfnOIDCProviderProps
as shown below:
export interface CfnOIDCProviderProps {
/**
* A list of client IDs (also known as audiences) that are associated with the specified IAM OIDC provider resource object.
*
* For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .
*
* @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-clientidlist
*/
readonly clientIdList?: Array<string>;
/**
* A list of tags that are attached to the specified IAM OIDC provider.
*
* The returned list of tags is sorted by tag key. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
*
* @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-tags
*/
readonly tags?: Array<cdk.CfnTag>;
/**
* A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object.
*
* For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .
*
* @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-thumbprintlist
*/
readonly thumbprintList: Array<string>;
/**
* The URL that the IAM OIDC provider resource object is associated with.
*
* For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .
*
* @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-url
*/
readonly url?: string;
}
Notice that clientIdList is declared as optional, but thumbprintList is not. The L1 constructs are generated from the CloudFormation specification. The IAM OIDC Provider schema aws-iam-oidcprovider.json does not indicate whether the property is required or not.
{
"typeName" : "AWS::IAM::OIDCProvider",
"description" : "Resource Type definition for AWS::IAM::OIDCProvider",
"additionalProperties" : false,
"properties" : {
"ClientIdList" : {
"type" : "array",
"insertionOrder" : false,
"items" : {
"minLength" : 1,
"maxLength" : 255,
"type" : "string"
}
},
...
"ThumbprintList" : {
"type" : "array",
"insertionOrder" : false,
"items" : {
"minLength" : 40,
"maxLength" : 40,
"pattern" : "[0-9A-Fa-f]{40}",
"type" : "string"
},
"maxItems" : 5
},
...
},
Unsure why ClientIdList is generated as optional whereas it is different for ThumbprintList.
@williwlwilliwll Thanks for reporting the issue. Are you able to work around this issue by setting thumbprintList to an empty array as shown below:
new iam.CfnOIDCProvider(this, 'TestOIDCCfn', {
url: 'http://localhost.com', // set the URL
thumbprintList: []
});
Also curious why you are not using the L2 construct OpenIdConnectProvider (kindly note that this uses a custom-resource-based implementation, not the L1 construct, as per the code here):
new iam.OpenIdConnectProvider(this, 'TestOidc', {
url: 'http://localhost.com'
});
Thanks, Ashish
@ashishdhingra
Thanks for your reply. If you give thumbprintList a value of an empty array then the following error is thrown during stack deployment:
k8clustertest-eks: creating CloudFormation changeset...
11:07:06 AM | CREATE_FAILED | AWS::IAM::OIDCProvider | k8ClusterTestiamoidcProvider
Resource handler returned message: "Thumbprint list must contain at least one entry.
(Service: Iam, Status Code: 400, Request ID: 6b1f1768-5936-41f0-b5ae-86-)"
(RequestToken: 82cbfe67-0e29-b496-d036-, HandlerError Code: InvalidRequest)
I will try using the L2 construct and let you know :).
Regarding why I was using the L1 construct - I have found that I prefer them because they are not opinionated so I have greater control over them.
Best, Will
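The constraints this thread turns on are all visible on the page: the schema quoted above requires each ThumbprintList entry to match [0-9A-Fa-f]{40} and allows at most 5 entries, and the CREATE_FAILED message shows the IAM service additionally rejecting an empty list at deploy time. The following is an added example, not code from the issue or from aws-cdk, that enforces those rules before cdk deploy using only Node's standard library: it computes an IAM-style thumbprint (SHA-1 of a certificate's DER bytes, upper-case hex), converts Node's colon-separated fingerprint form, validates a thumbprintList locally, and can collect the thumbprint of every certificate a host presents over TLS. SAMPLE_DER is constructed placeholder bytes so the file runs offline; which certificate in the chain IAM expects is a question for the AWS documentation and is not asserted here.

```typescript
// Added example (not from the aws-cdk issue thread above): computing and
// validating IAM OIDC provider thumbprints with only Node's standard library.
import { createHash } from "node:crypto";
import * as tls from "node:tls";

// Constraints from the AWS::IAM::OIDCProvider schema quoted in the issue:
// each entry is exactly 40 hex characters, at most 5 entries. The "at least
// one entry" rule is not in the schema; it is the runtime check the IAM
// service applied when the deployment in the thread failed.
const THUMBPRINT_RE = /^[0-9A-Fa-f]{40}$/;
const MAX_THUMBPRINTS = 5;

/** SHA-1 of a certificate's DER bytes as upper-case hex: the form IAM expects. */
export function thumbprintFromDer(der: Buffer): string {
  return createHash("sha1").update(der).digest("hex").toUpperCase();
}

/** Convert Node's colon-separated `fingerprint` ("AB:CD:...") to the 40-char form. */
export function thumbprintFromFingerprint(fingerprint: string): string {
  const hex = fingerprint.replace(/:/g, "").toUpperCase();
  if (!THUMBPRINT_RE.test(hex)) {
    throw new Error(`not a SHA-1 fingerprint: ${fingerprint}`);
  }
  return hex;
}

/**
 * Apply the schema and service checks locally so a bad list fails at synth
 * time instead of as CREATE_FAILED during deployment. Returns the list
 * normalised to upper case.
 */
export function validateThumbprintList(list: readonly string[]): string[] {
  if (list.length === 0) {
    throw new Error("Thumbprint list must contain at least one entry.");
  }
  if (list.length > MAX_THUMBPRINTS) {
    throw new Error(`Thumbprint list has ${list.length} entries; max is ${MAX_THUMBPRINTS}.`);
  }
  return list.map((t) => {
    if (!THUMBPRINT_RE.test(t)) {
      throw new Error(`invalid thumbprint ${JSON.stringify(t)}: expected 40 hex characters`);
    }
    return t.toUpperCase();
  });
}

/**
 * Connect to the issuer's host over TLS and return the thumbprint of every
 * certificate it presents, leaf first. Which position IAM expects is a matter
 * for the AWS documentation; this only makes each candidate available.
 * Needs network access, so it is not exercised by the offline checks.
 */
export function fetchChainThumbprints(host: string, port = 443): Promise<string[]> {
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port, servername: host }, () => {
      const out: string[] = [];
      const seen = new Set<string>();
      let cert: tls.DetailedPeerCertificate | undefined = socket.getPeerCertificate(true);
      while (cert && cert.raw) {
        const tp = thumbprintFromDer(cert.raw);
        if (seen.has(tp)) break; // a self-signed root lists itself as issuer
        seen.add(tp);
        out.push(tp);
        cert = cert.issuerCertificate;
      }
      socket.end();
      resolve(out);
    });
    socket.on("error", reject);
  });
}

// Constructed stand-in for certificate DER bytes so the file runs offline;
// in real use pass the DER of a certificate from fetchChainThumbprints' host.
export const SAMPLE_DER = Buffer.from("abc");
```

In a CDK app the validated array is what you would pass as thumbprintList to iam.CfnOIDCProvider; running validateThumbprintList on [] reproduces the service's "must contain at least one entry" rejection locally instead of after a changeset has been created.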
Hello 👋🏼 The same issue here; while the CloudFormation documentation states that the attribute is optional, CDK throws an error. In my case, I'm defining the OIDC provider in a CloudFormation template (YAML) and deploying it with the help of the CfnImport module. But the problem is still the same.
Just FYI, the Application Composer UI displays the error about the missing ThumbprintList:
However, proceeding to deploy the below CloudFormation template works:
Resources:
TestOIDCCfn:
Type: AWS::IAM::OIDCProvider
Properties:
Url: https://token.actions.githubusercontent.com
Metadata:
aws:cdk:path: CdktestStack/TestOIDCCfn
So most likely a CFN schema issue, rather than CDK issue. Need to open the issue with the CloudFormation team.
Thanks, Ashish
Internal ticket for CloudFormation team: P147139122
any update here?
Describe the bug
When trying to create a CfnOIDCProvider, the CfnOIDCProviderProps interface is insisting that the object have a thumbprintList property despite it being described as optional in the documentation and the source code comments.
Expected Behavior
The thumbprintList property should either be optional or the documentation should be changed.
Current Behavior
If you attempt to not include the property then you get the following error:
If you add the property and assign an empty array as its value then you get the following error during stack deployment:
Reproduction Steps
Possible Solution
Change the CfnOIDCProviderProps interface as follows:
Additional Information/Context
No response
CDK CLI Version
2.151
Framework Version
No response
Node.js Version
22.5.1
OS
MacOS Sonoma 14.6
Language
TypeScript
Language Version
No response
Other information
No response