fix: aws deployment

action/docs/access-token.owner-template.yaml

@@ -20,7 +20,6 @@ allowed-repository-permissions: # https://docs.github.com/en/rest/authentication
   # environments : write # read or write
   # issues : write # read or write
   # merge-queues : write # read or write
-  # metadata : write # read or write
   # packages : write # read or write
   # pages : write # read or write
   # projects : write # read or write or admin
@@ -31,7 +30,6 @@ allowed-repository-permissions: # https://docs.github.com/en/rest/authentication
   # secret-scanning-alerts : write # read or write
   # secrets : write # read or write
   # security-events : write # read or write
-  # single-file : write # read or write
   # statuses : write # read or write
   # team-discussions : write # read or write
   # vulnerability-alerts : write # read or write
@@ -78,7 +76,6 @@ statements:
     # environments : write # read or write
     # issues : write # read or write
     # merge-queues : write # read or write
-    # metadata : write # read or write
     # packages : write # read or write
     # pages : write # read or write
     # projects : write # read or write or admin
@@ -89,7 +86,6 @@ statements:
     # secret-scanning-alerts : write # read or write
     # secrets : write # read or write
     # security-events : write # read or write
-    # single-file : write # read or write
     # statuses : write # read or write
     # team-discussions : write # read or write
     # vulnerability-alerts : write # read or write

action/docs/access-token.repo-template.yaml

@@ -41,7 +41,6 @@ statements:
       # environments : write # read or write
       # issues : write # read or write
       # merge-queues : write # read or write
-      # metadata : write # read or write
       # packages : write # read or write
       # pages : write # read or write
       # projects : write # read or write or admin
@@ -52,7 +51,6 @@ statements:
       # secret-scanning-alerts : write # read or write
       # secrets : write # read or write
       # security-events : write # read or write
-      # single-file : write # read or write
       # statuses : write # read or write
       # team-discussions : write # read or write
       # vulnerability-alerts : write # read or write

server/deployments/aws/infrastructure/bin/app.ts

@@ -1,5 +1,7 @@
 import * as cdk from 'aws-cdk-lib'
 import {AppStack} from '../lib/app-stack'
+import {DeploymentStack} from '../lib/deployment-stack';
 
 const app = new cdk.App()
-new AppStack(app, 'GitHubActionsAccessTokens')
+const appStack = new AppStack(app, 'GitHubActionsAccessTokens')
+// new DeploymentStack(app, appStack.stackName + '-Deployment')

server/deployments/aws/infrastructure/lib/app-stack.ts

@@ -33,12 +33,20 @@ export class AppStack extends Stack {
       timeout: Duration.seconds(30),
       code: lambda.Code.fromAsset(path.join(__dirname, '../../../../dist')),
       environment: {
-        LOG_LEVEL: 'INFO',
+        LOG_LEVEL: 'info',
         GITHUB_APP_SECRETS_NAME: githubAppSecret.secretName,
         GITHUB_ACTIONS_TOKEN_ALLOWED_SUBJECTS: GITHUB_ACTIONS_TOKEN_ALLOWED_SUBJECTS.join(','),
       },
     })
     githubAppSecret.grantRead(httpApiAccessTokenFunction.role!)
+    new Policy(this, `${httpApiAccessTokenFunction.node.id}RolePolicy`, {
+      statements: [
+        new PolicyStatement({
+          actions: ['lambda:GetFunctionUrlConfig'],
+          resources: [ httpApiAccessTokenFunction.functionArn ],
+        })
+      ]
+    }).attachToRole(httpApiAccessTokenFunction.role!)
 
     // --- add function url
     const httpApiAccessTokenFunctionUrl = httpApiAccessTokenFunction.addFunctionUrl({

server/deployments/aws/infrastructure/lib/deployment-stack.ts

@@ -0,0 +1,30 @@
+import {Stack, StackProps} from 'aws-cdk-lib';
+import {Construct} from 'constructs';
+import {OpenIdConnectPrincipal, OpenIdConnectProvider, Role} from 'aws-cdk-lib/aws-iam';
+
+export class DeploymentStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props)
+
+    const githubOidcProvider = OpenIdConnectProvider.fromOpenIdConnectProviderArn(
+        this, "GithubOpenIdConnectProvider",
+        `arn:aws:iam::${this.account}:oidc-provider/token.actions.githubusercontent.com`);
+
+    new Role(this, 'DeploymentRole', {
+      roleName: this.stackName,
+      managedPolicies: [
+        {managedPolicyArn: 'arn:aws:iam::aws:policy/AdministratorAccess'},
+      ],
+      assumedBy: new OpenIdConnectPrincipal(githubOidcProvider, {
+        'StringEquals': {
+          // Official AWS GitHub Action https://github.com/aws-actions/configure-aws-credentials set audience to `sts.amazonaws.com` by default
+          // https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws'
+          [`${githubOidcProvider.openIdConnectProviderIssuer}:aud`]: 'sts.amazonaws.com',
+        },
+        'ForAnyValue:StringLike': {
+          [`${githubOidcProvider.openIdConnectProviderIssuer}:sub`]: ['repo:JH-JDS/actions--access-token:ref:refs/heads/main'],
+        }
+      }),
+    })
+  }
+}

server/deployments/aws/lambda-handler.ts

@@ -17,8 +17,8 @@ const secretsManager = new SecretsManager({region: process.env.AWS_REGION});
 const githubAppSecret = await secretsManager.send(new GetSecretValueCommand({
   SecretId: process.env.GITHUB_APP_SECRETS_NAME,
 })).then((output) => JSON.parse(output.SecretString ?? '{}'));
-process.env.GITHUB_ACTIONS_APP_ID = githubAppSecret.appId;
-process.env.GITHUB_ACTIONS_APP_PRIVATE_KEY = githubAppSecret.privateKey;
+process.env.GITHUB_APP_ID = githubAppSecret.appId;
+process.env.GITHUB_APP_PRIVATE_KEY = githubAppSecret.privateKey;
 
 process.env.REQUEST_ID_HEADER = 'x-request-id';
 

server/src/logger.ts

@@ -2,7 +2,7 @@ import pino from 'pino';
 import process from 'process';
 
 const logger = pino({
-  level: process.env.LOG_LEVEL || 'info',
+  level: process.env.LOG_LEVEL?.toLowerCase() || 'info',
   formatters: {
     level: (label:string) => ({level: label.toUpperCase()}),
   },