aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

Support Automated Management of CodeStar Connections for GitHub Apps #408

Closed jackson-theisen closed 1 year ago

jackson-theisen commented 2 years ago

Describe the feature

Note: This request pertains specifically to the GitHub provider type, but may be applicable for other supported types.

The current process for creating a connection to GitHub supports programmatic creation of a connection resource. If the connection is created programmatically (AWS CLI, CloudFormation, Terraform, etc.), it is automatically left in a PENDING state. To complete a PENDING connection, you must use the console. Using the console does make sense for the initial one-time authorization and handshake to the provider for creating installations. If the AWS Connector for GitHub App already exists, I would like the ability to programmatically create my connections in an Available state. This could be achieved by supporting an argument for the GitHub App ID. To reap the benefits of this feature, we will also need a way to query GitHub App IDs for a given account/region.

Use Case

In the context of a large, multi-account environment where everything is managed in code within the same GitHub organization, it is extremely painful to have a required manual step to visit the console and complete a connection. I understand the need for this manual step during the initial one-time installation of the AWS Connector for GitHub app, but subsequent connections should not require the manual step if they plan to leverage the existing app (at the time of writing, only one AWS Connector may exist per GitHub organization). This pain point is further exacerbated by the fact that your standard developer more than likely does not have the proper permissions to perform the connection completion (on both the AWS and GitHub side).

Proposed Solution

The API should support the ability to query for the existence of (and return their IDs if true) GitHub Apps which are already installed and configured. This would allow someone to determine whether creating a connection will require manual steps from an admin to complete the initialization. Furthermore, the creation of a connection for the GitHub App could support an argument that allows you to specify an existing GitHub App ID. This would result in connections being created in the Available state right out of the box.

Other Information

No response

Acknowledgements

CLI version used

aws-cli/2.5.4 Python/3.9.12

Environment details (OS name and version, etc.)

Ubuntu >=20.04, AL2, macOS Monterey >=12.3
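The flow the request describes (programmatic create leaves the connection PENDING, and only the console handshake moves it to AVAILABLE) is the part a bootstrap script has to defend against, since a pipeline wired to a PENDING connection simply fails at source-stage time. The example below is added here and is not code from this issue, from the AWS CLI, or from AWS; `ConnectionGate`, `PendingConnectionError`, the `FakeClient` stand-in and the sample ARNs are constructed for illustration. It follows the `create_connection` / `list_connections` / `get_connection` response shapes of the `codestar-connections` API as exposed by boto3, and takes the client as a parameter so it runs offline; pass `boto3.client("codestar-connections")` in place of the fake for real use.

```python
"""Gate an IaC bootstrap on a usable CodeStar connection (added example).

Assumes boto3-style responses for the codestar-connections API; the client is
injected so the module runs offline against the constructed FakeClient below.
"""
import itertools
from dataclasses import dataclass


class PendingConnectionError(RuntimeError):
    """Connection exists but still needs the one-time console handshake."""


@dataclass
class ConnectionGate:
    client: object  # boto3.client("codestar-connections") or FakeClient

    def find_by_name(self, name, provider_type):
        """Return the connection record with this name, paging through results, or None."""
        token = None
        while True:
            kwargs = {"ProviderTypeFilter": provider_type}
            if token:
                kwargs["NextToken"] = token
            page = self.client.list_connections(**kwargs)
            for conn in page.get("Connections", []):
                if conn["ConnectionName"] == name:
                    return conn
            token = page.get("NextToken")
            if not token:
                return None

    def ensure_available(self, name, provider_type="GitHub"):
        """Create the connection if missing (idempotent by name), then require AVAILABLE.

        Returns the ARN; raises PendingConnectionError while the console step is
        outstanding and RuntimeError for any other non-usable state.
        """
        conn = self.find_by_name(name, provider_type)
        if conn is None:
            arn = self.client.create_connection(
                ConnectionName=name, ProviderType=provider_type)["ConnectionArn"]
            conn = self.client.get_connection(ConnectionArn=arn)["Connection"]
        arn, status = conn["ConnectionArn"], conn["ConnectionStatus"]
        if status == "AVAILABLE":
            return arn
        if status == "PENDING":
            raise PendingConnectionError(
                f"{arn} is PENDING: an admin with rights on both the AWS account and "
                f"the GitHub organization must update it in the console before use")
        raise RuntimeError(f"{arn} is in state {status}; cannot be used by a pipeline")


class FakeClient:
    """Constructed offline stand-in for boto3's codestar-connections client.

    New connections start PENDING, as the issue describes; complete() plays the
    role of the console handshake. Pages one item at a time to exercise NextToken.
    """
    ARN_PREFIX = "arn:aws:codestar-connections:us-east-1:123456789012:connection/fake-"

    def __init__(self, existing=()):
        self._conns = {c["ConnectionArn"]: dict(c) for c in existing}
        self._ids = itertools.count(1)

    def create_connection(self, ConnectionName, ProviderType, Tags=None):
        arn = self.ARN_PREFIX + str(next(self._ids))
        self._conns[arn] = {"ConnectionName": ConnectionName, "ConnectionArn": arn,
                            "ProviderType": ProviderType, "OwnerAccountId": "123456789012",
                            "ConnectionStatus": "PENDING"}
        return {"ConnectionArn": arn, "Tags": Tags or []}

    def list_connections(self, ProviderTypeFilter=None, MaxResults=1, NextToken=None):
        items = [c for c in self._conns.values()
                 if ProviderTypeFilter in (None, c["ProviderType"])]
        start = int(NextToken or 0)
        out = {"Connections": items[start:start + MaxResults]}
        if start + MaxResults < len(items):
            out["NextToken"] = str(start + MaxResults)
        return out

    def get_connection(self, ConnectionArn):
        return {"Connection": dict(self._conns[ConnectionArn])}

    def complete(self, ConnectionArn):
        self._conns[ConnectionArn]["ConnectionStatus"] = "AVAILABLE"


def bootstrap_demo():
    """Walk the flow from the issue: create -> PENDING -> console step -> AVAILABLE."""
    fake = FakeClient(existing=[{"ConnectionName": "other-github",
                                 "ConnectionArn": FakeClient.ARN_PREFIX + "0",
                                 "ProviderType": "GitHub", "OwnerAccountId": "123456789012",
                                 "ConnectionStatus": "AVAILABLE"}])
    gate = ConnectionGate(fake)
    steps = []
    try:
        gate.ensure_available("org-github")
    except PendingConnectionError:
        steps.append("pending")  # bootstrap stops here and tells the admin what to do
    fake.complete(gate.find_by_name("org-github", "GitHub")["ConnectionArn"])
    steps.append(gate.ensure_available("org-github"))  # second run proceeds
    return steps
```

In a CI bootstrap the `PendingConnectionError` is the place to exit non-zero with the ARN in the message, so the run is visibly blocked on the admin step rather than failing later inside CodePipeline; the name-based lookup keeps re-runs from creating a second PENDING connection each time.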

tim-finnigan commented 2 years ago

Hi @jackson-theisen thanks for the feature request. I think the console step may be required due to GitHub’s OAuth connection workflow. And that’s why the warning is called out in the documentation you referenced and here as well:

You must use the console to update a pending connection. You cannot update a pending connection using the AWS CLI.

But I will reach out to the CodeStar team and see if there is any possibility of working around this.

tim-finnigan commented 2 years ago

P63767676

rpstreef commented 2 years ago

Are there any updates?

tim-finnigan commented 2 years ago

Hi @rpstreef no update yet but I just pinged the team again so hopefully will hear something back soon.

jackson-theisen commented 2 years ago

@tim-finnigan I figured it'd be worth giving an update around where I'm at on this. After spending some more time using CodeStar Connections, I don't feel that it's a feasible solution, at least as of today, in the context I'm using it. Happy to go into more detail, but TL;DR is that CodeStar Connections takes away a lot of the fine-grained access controls I have in place with v1 connections today. Are there plans to sunset the GitHub v1 connections at some point, or are v2 connections now just the AWS recommended approach? It seems like the AWS Terraform provider's community is operating under the assumption that v1 connections will be fully deprecated, and I'd like to steer them away from that mindset if v1 connections will continue to be supported, just not recommended as the best approach by AWS.

evgenygigi commented 2 years ago

Hi @tim-finnigan any updates on this topic? If it will be implemented will it be true for BitBucket also? Thank you.

tim-finnigan commented 2 years ago

Unfortunately there still aren't any updates from the Codestar team. You could try reaching out to AWS Support to get more traction and information on this.

tim-finnigan commented 1 year ago

Thanks all for your patience - still no update but I once again reached out to the CodeStar team for feedback on this. @jackson-theisen regarding your question:

Are there plans to sunset the GitHub v1 connections at some point, or are v2 connections now just the AWS recommended approach?

I don't know if deprecation is planned but based on this documentation it looks like v1 connections are not recommended: https://docs.aws.amazon.com/codepipeline/latest/userguide/update-github-action-connections.html

I'm going to transfer this issue to our cross-SDK repository as it relates to the CodeStar service rather than CLI directly.

tim-finnigan commented 1 year ago

Just heard back from the service team again on this issue. I was told that the manual console steps are part of the security of an app to prevent unilateral installation, which could be used maliciously. Also, there isn't currently a plan to sunset v1 connections. Closing this issue - I recommend reaching out through AWS Support if you have any further questions related to this topic.

github-actions[bot] commented 1 year ago

This issue is now closed.

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

jesseadams commented 7 months ago

> Just heard back from the service team again on this issue. I was told that the manual console steps are part of the security of an app to prevent unilateral installation, which could be used maliciously. Also, there isn't currently a plan to sunset v1 connections. Closing this issue - I recommend reaching out through AWS Support if you have any further questions related to this topic.

Several features of AWS can be used maliciously. I'm not sure if that is a valid reason to not provide a feature to end users that are asking for it. For us, it prevents us from fully automating the bootstrapping of pipelines from scratch with CodePipeline, which is really annoying.

carlosjgp commented 6 months ago

> > Just heard back from the service team again on this issue. I was told that the manual console steps are part of the security of an app to prevent unilateral installation, which could be used maliciously. Also, there isn't currently a plan to sunset v1 connections. Closing this issue - I recommend reaching out through AWS Support if you have any further questions related to this topic.
>
> Several features of AWS can be used maliciously. I'm not sure if that is a valid reason to not provide a feature to end users that are asking for it. For us, it prevents us from fully automating the bootstrapping of pipelines from scratch with CodePipeline, which is really annoying.

I agree. GH organisations could provide the GH application to be used, making it explicit and secure to use these instead of initiating the GH app installation from their side.