From 9fb1b55baa4e14ed244ccde170ae6f1cc2b87518 Mon Sep 17 00:00:00 2001
From: Yuriy Bezsonov <bezsonov@amazon.de>
Date: Sun, 7 Jan 2024 19:33:07 +0100
Subject: [PATCH] Add construct for credentials and pack under main stack

---
 docs/patterns/workloads-codecommit.md         | 51 ++++---------------
 .../codecommit-credentials.ts                 | 43 ++++++++++++++++
 lib/workloads-codecommit-construct/index.ts   |  6 ++-
 ....ts => workloads-codecommit-repo-stack.ts} | 16 +++++-
 4 files changed, 73 insertions(+), 43 deletions(-)
 create mode 100644 lib/workloads-codecommit-construct/codecommit-credentials.ts
 rename lib/workloads-codecommit-construct/{WorkloadsCodeCommitRepo.ts => workloads-codecommit-repo-stack.ts} (66%)

diff --git a/docs/patterns/workloads-codecommit.md b/docs/patterns/workloads-codecommit.md
index 3fd87b50..b5544734 100644
--- a/docs/patterns/workloads-codecommit.md
+++ b/docs/patterns/workloads-codecommit.md
@@ -76,46 +76,19 @@ blueprints-addon-argocd-repo-server-66df7f448f-kvwmw              1/1     Runnin
 blueprints-addon-argocd-server-584db5f545-8xp48                   1/1     Running   0          1h
 ```
 
-## Give ArgoCD access to AWS CodeCommit
+## Get ArgoCD Url and credentials
 
 ```bash
 until kubectl get svc blueprints-addon-argocd-server -n argocd -o json | jq --raw-output '.status.loadBalancer.ingress[0].hostname' | grep -m 1 "elb.amazonaws.com"; do sleep 5 ; done;
 export ARGOCD_SERVER=`kubectl get svc blueprints-addon-argocd-server -n argocd -o json | jq --raw-output '.status.loadBalancer.ingress[0].hostname'`
-
-export ARGOCD_USER=argocd-cc
 export CC_REPO_NAME=eks-blueprints-workloads-cc
 
-aws iam create-service-specific-credential --user-name $ARGOCD_USER --service-name codecommit.amazonaws.com --no-cli-pager
-export CC_REPO_URL=$(aws codecommit get-repository --repository-name $CC_REPO_NAME --query 'repositoryMetadata.cloneUrlHttp' --output text)
-export SSC_ID=$(aws iam list-service-specific-credentials --user-name $ARGOCD_USER --query 'ServiceSpecificCredentials[0].ServiceSpecificCredentialId' --output text)
-export SSC_USER=$(aws iam list-service-specific-credentials --user-name $ARGOCD_USER --query 'ServiceSpecificCredentials[0].ServiceUserName' --output text)
-export SSC_PWD=$(aws iam reset-service-specific-credential --user-name $ARGOCD_USER --service-specific-credential-id $SSC_ID --query 'ServiceSpecificCredential.ServicePassword' --output text)
-
-cat > argocd-workloads-repos-creds.yaml <<EOF
-apiVersion: v1
-kind: Secret
-metadata:
-  name: repo-creds-platform-https
-  namespace: argocd
-  labels:
-    argocd.argoproj.io/secret-type: repo-creds
-stringData:
-  url: ${CC_REPO_URL}
-  password: ${SSC_PWD}
-  username: ${SSC_USER}
-EOF
-
-kubectl apply -f argocd-workloads-repos-creds.yaml
-rm argocd-workloads-repos-creds.yaml
-
-echo Deployment finished.
-echo "AWS CodeCommit Blueprint workloads repository URL: $CC_REPO_URL"
 echo "ArgoCD URL: https://$ARGOCD_SERVER"
 echo "ArgoCD server user: admin"
 echo "ArgoCD admin password: $(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d)"
 ```
 
-## Create notification trigger
+## Create notification trigger from AWS CodeCommit push to ArgoCD Sync
 
 ```bash
 export LAMBDA_ARN=$(aws lambda get-function --function-name eks-blueprints-workloads-cc-webhook | jq -r .Configuration.FunctionArn)
@@ -138,6 +111,13 @@ aws codecommit put-repository-triggers --repository-name $CC_REPO_NAME --trigger
 rm trigger.json
 ```
 
+## Set AWS_REGION
+
+```bash
+export AWS_REGION=$(aws ec2 describe-availability-zones --output text --query 'AvailabilityZones[0].[RegionName]')
+echo $AWS_REGION
+```
+
 ## Populate AWS CodeCommit with Blueprint workloads Sample repository
 
 ```bash
@@ -163,23 +143,14 @@ To teardown and remove the resources created in this example:
 
 1. Delete "bootstrap-apps" project in ArgoCD UI and wait until ArgoCD delete workloads
 
-2. Delete AWS CodeCommit credentials
-
-```sh
-export SSC_ID=$(aws iam list-service-specific-credentials --user-name $ARGOCD_USER --query 'ServiceSpecificCredentials[1].ServiceSpecificCredentialId' --output text)
-aws iam delete-service-specific-credential --user-name $ARGOCD_USER --service-specific-credential-id $SSC_ID
-export SSC_ID=$(aws iam list-service-specific-credentials --user-name $ARGOCD_USER --query 'ServiceSpecificCredentials[0].ServiceSpecificCredentialId' --output text)
-aws iam delete-service-specific-credential --user-name $ARGOCD_USER --service-specific-credential-id $SSC_ID
-```
-
-3. Delete deployed resources
+2. Delete deployed resources
 
 ```sh
 cd cdk-eks-blueprints-patterns
 make pattern workloads-codecommit destroy
 ```
 
-4. Delete cloned repositories (`if necessary`)
+3. Delete cloned repositories (`if necessary`)
 
 ```sh
 pushd ..
diff --git a/lib/workloads-codecommit-construct/codecommit-credentials.ts b/lib/workloads-codecommit-construct/codecommit-credentials.ts
new file mode 100644
index 00000000..a50afd94
--- /dev/null
+++ b/lib/workloads-codecommit-construct/codecommit-credentials.ts
@@ -0,0 +1,43 @@
+import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId, PhysicalResourceIdReference } from 'aws-cdk-lib/custom-resources';
+import { Construct } from 'constructs';
+
+export class CodeCommitCredentials extends Construct {
+    readonly serviceSpecificCredentialId: string;
+    readonly serviceName: string;
+    readonly serviceUserName: string;
+    readonly servicePassword: string;
+    readonly status: string;
+
+    constructor(scope: Construct, id: string, userName: string) {
+        super(scope, id);
+
+        const codeCommitCredentialsResponse = new AwsCustomResource(this, "codecommit-credentials-custom-resource", {
+            onCreate: {
+                service: "IAM",
+                action: "createServiceSpecificCredential",
+                parameters: {
+                    ServiceName: "codecommit.amazonaws.com",
+                    UserName: userName
+                },
+                physicalResourceId: PhysicalResourceId.fromResponse("ServiceSpecificCredential.ServiceSpecificCredentialId")
+            },
+            onDelete: {
+                service: "IAM",
+                action: "deleteServiceSpecificCredential",
+                parameters: {
+                    ServiceSpecificCredentialId: new PhysicalResourceIdReference(),
+                    UserName: userName,
+                }
+            },
+            policy: AwsCustomResourcePolicy.fromSdkCalls({
+                resources: AwsCustomResourcePolicy.ANY_RESOURCE,
+            }),
+        });
+
+        this.serviceSpecificCredentialId = codeCommitCredentialsResponse.getResponseField("ServiceSpecificCredential.ServiceSpecificCredentialId");
+        this.serviceName = codeCommitCredentialsResponse.getResponseField("ServiceSpecificCredential.ServiceName");
+        this.serviceUserName = codeCommitCredentialsResponse.getResponseField("ServiceSpecificCredential.ServiceUserName");
+        this.servicePassword = codeCommitCredentialsResponse.getResponseField("ServiceSpecificCredential.ServicePassword");
+        this.status = codeCommitCredentialsResponse.getResponseField("ServiceSpecificCredential.Status");
+    }
+}
\ No newline at end of file
diff --git a/lib/workloads-codecommit-construct/index.ts b/lib/workloads-codecommit-construct/index.ts
index 846e7fcf..8b5c9752 100644
--- a/lib/workloads-codecommit-construct/index.ts
+++ b/lib/workloads-codecommit-construct/index.ts
@@ -1,6 +1,6 @@
 import * as blueprints from '@aws-quickstart/eks-blueprints';
 import { Construct } from 'constructs';
-import WorkloadsCodeCommitRepoStack from './WorkloadsCodeCommitRepo';
+import WorkloadsCodeCommitRepoStack from './workloads-codecommit-repo-stack';
 
 /**
  * Demonstrates how to use AWS CodeCommmit as a repository for ArgoCD workloads.
@@ -22,6 +22,8 @@ export default class WorkloadsCodeCommitConstruct extends Construct {
         const bootstrapRepo : blueprints.ApplicationRepository = {
             repoUrl,
             targetRevision: 'main',
+            credentialsSecretName: repoName + '-codecommit-secret',
+            credentialsType: 'TOKEN'
         };
 
         const addOns: Array<blueprints.ClusterAddOn> = [
@@ -33,7 +35,7 @@ export default class WorkloadsCodeCommitConstruct extends Construct {
             new blueprints.ArgoCDAddOn({
                 bootstrapRepo: {
                     ...bootstrapRepo,
-                    path: 'envs/dev',
+                    path: 'envs/dev'
                 },
                 values: {
                     server: {
diff --git a/lib/workloads-codecommit-construct/WorkloadsCodeCommitRepo.ts b/lib/workloads-codecommit-construct/workloads-codecommit-repo-stack.ts
similarity index 66%
rename from lib/workloads-codecommit-construct/WorkloadsCodeCommitRepo.ts
rename to lib/workloads-codecommit-construct/workloads-codecommit-repo-stack.ts
index 84a90db4..1b5be17c 100644
--- a/lib/workloads-codecommit-construct/WorkloadsCodeCommitRepo.ts
+++ b/lib/workloads-codecommit-construct/workloads-codecommit-repo-stack.ts
@@ -1,9 +1,11 @@
 import { Construct } from 'constructs';
-import { NestedStack, NestedStackProps } from 'aws-cdk-lib';
+import { NestedStack, NestedStackProps, SecretValue } from 'aws-cdk-lib';
 import * as blueprints from '@aws-quickstart/eks-blueprints';
 import * as codecommit from 'aws-cdk-lib/aws-codecommit';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import { CodeCommitCredentials } from './codecommit-credentials';
 
 export default class WorkloadsCodeCommitRepoStack extends NestedStack {
     public static builder(userName: string, repoName: string): blueprints.NestedStackBuilder {
@@ -26,6 +28,18 @@ export default class WorkloadsCodeCommitRepoStack extends NestedStack {
         });
         repo.grantPull(user);
 
+        const credentials = new CodeCommitCredentials(this, "codecommit-credentials", user.userName);
+        credentials.node.addDependency(user);
+
+        new secretsmanager.Secret(this, 'codecommit-secret', {
+            secretObjectValue: {
+                username: SecretValue.unsafePlainText(credentials.serviceUserName),
+                password: SecretValue.unsafePlainText(credentials.servicePassword),
+                url: SecretValue.unsafePlainText(repo.repositoryCloneUrlHttp)
+            },
+            secretName: repoName + '-codecommit-secret'
+        });
+
         const fn = new lambda.Function(this, repoName + '-webhook', {
             runtime: lambda.Runtime.NODEJS_20_X,
             functionName: repoName + '-webhook',