diff --git a/auth/aws/provider.go b/auth/aws/provider.go index f185539c2..8d87638a8 100644 --- a/auth/aws/provider.go +++ b/auth/aws/provider.go @@ -21,6 +21,7 @@ import ( "encoding/base64" "errors" "fmt" + "net/http" "os" "regexp" "strings" @@ -32,6 +33,9 @@ import ( "github.com/aws/aws-sdk-go-v2/service/ecrpublic" "github.com/aws/aws-sdk-go-v2/service/eks" "github.com/aws/aws-sdk-go-v2/service/sts" + "github.com/aws/smithy-go/aws-http-auth/credentials" + "github.com/aws/smithy-go/aws-http-auth/sigv4" + v4 "github.com/aws/smithy-go/aws-http-auth/v4" "github.com/google/go-containerregistry/pkg/authn" corev1 "k8s.io/api/core/v1" @@ -39,7 +43,10 @@ import ( ) // ProviderName is the name of the AWS authentication provider. -const ProviderName = "aws" +const ( + ProviderName = "aws" + codeCommitCanonicalTimestampFormat = "20060102T150405" +) // Provider implements the auth.Provider interface for AWS authentication. type Provider struct{ Implementation } 
@@ -396,3 +403,81 @@ func (p Provider) impl() Implementation { } return p.Implementation } + +type signerHeaderHostOnly struct{} + +func (signerHeaderHostOnly) IsSigned(h string) bool { + return h == "host" +} + +// NewCodeCommitGitToken returns HTTPS Git credentials for AWS CodeCommit. +func (Provider) NewCodeCommitGitCredentials(_ context.Context, accessTokens []auth.Token, opts ...auth.Option) (string, string, error) { + var o auth.Options + o.Apply(opts...) + + gitURL := o.GitURL + if gitURL == nil { + return "", "", fmt.Errorf("Git URL must be specified for AWS CodeCommit authentication") + } + if !strings.EqualFold(gitURL.Scheme, "https") { + return "", "", fmt.Errorf("AWS CodeCommit authentication requires an HTTPS Git URL") + } + + urlSplit := strings.Split(gitURL.Hostname(), ".") + + // https://docs.aws.amazon.com/codecommit/latest/userguide/regions.html#regions-git + if len(urlSplit) < 4 || + !(strings.HasPrefix(gitURL.Hostname(), "git-codecommit.") || strings.HasPrefix(gitURL.Hostname(), "git-codecommit-fips.")) || + !(strings.HasSuffix(gitURL.Hostname(), ".amazonaws.com") || strings.HasSuffix(gitURL.Hostname(), ".amazonaws.com.cn")) { + return "", "", fmt.Errorf("invalid AWS CodeCommit Git URL: %s", gitURL.Host) + } + + region := urlSplit[1] + if len(accessTokens) == 0 { + return "", "", fmt.Errorf("AWS access token is required for region %q", region) + } + + creds, ok := accessTokens[0].(*Credentials) + if !ok { + return "", "", fmt.Errorf("failed to cast token to AWS token: %T", accessTokens[0]) + } + + req, err := http.NewRequest("GIT", gitURL.String(), nil) + if err != nil { + return "", "", fmt.Errorf("failed to build CodeCommit signing request: %w", err) + } + req.Host = gitURL.Host + + signingTime := time.Now().UTC() + + signer := sigv4.New(func(o *v4.SignerOptions) { + o.HeaderRules = signerHeaderHostOnly{} + o.DisableUnsignedPayloadSentinel = true + o.CanonicalTimeFormat = codeCommitCanonicalTimestampFormat + }) + signInput := 
&sigv4.SignRequestInput{ + Request: req, + Service: "codecommit", + Region: region, + Credentials: credentials.Credentials{ + AccessKeyID: *creds.AccessKeyId, + SecretAccessKey: *creds.SecretAccessKey, + SessionToken: *creds.SessionToken, + Expires: *creds.Expiration, + }, + Time: signingTime, + } + + if err := signer.SignRequest(signInput); err != nil { + return "", "", fmt.Errorf("failed to sign request: %w", err) + } + + authHeader := req.Header.Get("Authorization") + sigStart := strings.Index(authHeader, "Signature=") + signature := authHeader[sigStart+10:] + + username := strings.Join([]string{*creds.AccessKeyId, *creds.SessionToken}, "%") + password := signingTime.Format(codeCommitCanonicalTimestampFormat) + "Z" + signature + + return username, password, nil +} diff --git a/auth/aws/provider_test.go b/auth/aws/provider_test.go index 3b36ebbbd..7fb191e4c 100644 --- a/auth/aws/provider_test.go +++ b/auth/aws/provider_test.go @@ -32,6 +32,7 @@ import ( "github.com/fluxcd/pkg/auth" "github.com/fluxcd/pkg/auth/aws" + "github.com/fluxcd/pkg/auth/generic" ) func TestProvider_NewControllerToken(t *testing.T) { 
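Review bot: `signature := authHeader[sigStart+10:]` never checks that `strings.Index` found `Signature=`; when it is absent the slice starts at offset 9, which panics on a header shorter than that and otherwise hands back a truncated header as the Git password, so replace those two lines with `_, signature, found := strings.Cut(authHeader, "Signature=")` and `if !found { return "", "", fmt.Errorf("signed CodeCommit request has no Signature component") }`. The doc comment names `NewCodeCommitGitToken` while the method is `NewCodeCommitGitCredentials`; it should also say that the password is a SigV4 signature computed from `time.Now()` at call time and only valid for a limited window, so callers must not cache the pair across long runs. The `*creds.SessionToken` and `*creds.Expiration` dereferences assume those fields are never nil; if `Credentials` mirrors the STS pointer types (the `AccessKeyId` spelling suggests so), a nil session token would panic and an empty one (static IAM user keys) yields a username ending in `%`, which deserves either a guard or a comment stating the invariant. The host check only pins the `git-codecommit.` prefix and the `.amazonaws.com` suffix, so a host with extra labels between them still passes and `urlSplit[1]` is taken as the region; requiring exactly 4 labels (5 for `.amazonaws.com.cn`) would make the region extraction unambiguous.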
@@ -536,3 +537,109 @@ func TestProvider_GetAccessTokenOptionsForCluster(t *testing.T) { g.Expect(o.STSRegion).To(Equal("us-west-2")) } + +func TestProvider_NewCodeCommitGitCredentials(t *testing.T) { + invalidToken := &generic.Token{Token: "invalid", ExpiresAt: time.Now().Add(time.Hour)} + proxyUrl := url.URL{Scheme: "http", Host: "proxy.example.com"} + awsRegion := "us-east-1" + for _, tt := range []struct { + name string + gitURL string + getAccessToken bool + accessTokens []auth.Token + expectedUsername string + err string + }{ + { + name: "valid CodeCommit URL", + gitURL: "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo", + getAccessToken: true, + expectedUsername: "access-key-id%session-token", + }, + { + name: "valid CodeCommit FIPS URL", + gitURL: "https://git-codecommit-fips.us-east-1.amazonaws.com/v1/repos/test-repo", + getAccessToken: true, + expectedUsername: "access-key-id%session-token", + }, + { + name: "valid CodeCommit China URL", + gitURL: "https://git-codecommit.cn-north-1.amazonaws.com.cn/v1/repos/test-repo", + getAccessToken: true, + expectedUsername: "access-key-id%session-token", + }, + { + name: "missing Git URL", + getAccessToken: true, + err: "Git URL must be specified for AWS CodeCommit authentication", + }, + { + name: "non HTTPS URL", + gitURL: "http://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo", + getAccessToken: true, + err: "AWS CodeCommit authentication requires an HTTPS Git URL", + }, + { + name: "invalid CodeCommit URL", + gitURL: "https://github.com/org/repo", + getAccessToken: true, + err: "invalid AWS CodeCommit Git URL: github.com", + }, + { + name: "missing access token", + gitURL: "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo", + getAccessToken: false, + accessTokens: []auth.Token{}, + err: `AWS access token is required for region "us-east-1"`, + }, + { + name: "invalid access token type", + gitURL: "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo", + 
getAccessToken: false, + accessTokens: []auth.Token{invalidToken}, + err: "failed to cast token to AWS token: *generic.Token", + }, + } { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + + impl := &mockImplementation{ + t: t, + argRegion: awsRegion, + argProxyURL: &proxyUrl, + returnCreds: awssdk.Credentials{AccessKeyID: "access-key-id", SecretAccessKey: "secret-access-key", SessionToken: "session-token"}, + } + + opts := []auth.Option{} + if tt.gitURL != "" { + gitURL, err := url.Parse(tt.gitURL) + g.Expect(err).NotTo(HaveOccurred()) + opts = append(opts, auth.WithGitURL(*gitURL)) + } + + provider := aws.Provider{Implementation: impl} + accessTokens := tt.accessTokens + if tt.getAccessToken { + accessToken, err := auth.GetAccessToken(context.Background(), provider, + auth.WithSTSRegion(awsRegion), + auth.WithProxyURL(proxyUrl), + ) + g.Expect(err).NotTo(HaveOccurred()) + accessTokens = []auth.Token{accessToken} + } + + username, password, err := provider.NewCodeCommitGitCredentials(context.Background(), accessTokens, opts...) + + if tt.err == "" { + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(username).To(Equal(tt.expectedUsername)) + g.Expect(password).To(MatchRegexp(`^[0-9]{8}T[0-9]{6}Z[0-9a-f]{64}$`)) + } else { + g.Expect(err).To(HaveOccurred()) + g.Expect(err.Error()).To(Equal(tt.err)) + g.Expect(username).To(BeEmpty()) + g.Expect(password).To(BeEmpty()) + } + }) + } +} diff --git a/auth/go.mod b/auth/go.mod index ac96d7b2c..afd5ec503 100644 --- a/auth/go.mod +++ b/auth/go.mod @@ -21,6 +21,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.9 github.com/aws/aws-sdk-go-v2/service/eks v1.77.0 github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 + github.com/aws/smithy-go/aws-http-auth v1.1.3 github.com/coreos/go-oidc/v3 v3.17.0 github.com/fluxcd/pkg/apis/meta v1.26.0 github.com/fluxcd/pkg/cache v0.13.0 diff --git a/auth/go.sum b/auth/go.sum index 1d132fe12..be081e9df 100644 --- a/auth/go.sum +++ b/auth/go.sum 
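Review bot: `proxyUrl` should be `proxyURL` to follow Go's initialism convention (`proxyURL := url.URL{Scheme: "http", Host: "proxy.example.com"}`, updating its two later uses). Because the method reads `time.Now()` internally, this test can only match the password's shape with `MatchRegexp` rather than pin a known signature; an injectable clock (even an unexported package variable the test overrides) would allow a golden-value assertion against a fixed SigV4 vector. The table also lacks a case for a host with extra labels between `git-codecommit.` and `.amazonaws.com`, which the current prefix/suffix check admits, so that behaviour is unpinned either way.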
@@ -56,6 +56,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/ github.com/aws/aws-sdk-go-v2/service/sts v1.41.6/go.mod h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ= github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk= github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0= +github.com/aws/smithy-go/aws-http-auth v1.1.3 h1:8/T7/2n8x+x9sIAmi5h5mDKS8v7/u2GEpF6T6RrGMrc= +github.com/aws/smithy-go/aws-http-auth v1.1.3/go.mod h1:KL46VTjVK9De3jurMqDLBkXCP9vrAvD03zQrmyzyrQ0= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= diff --git a/auth/options.go b/auth/options.go index afcf3ba82..8f2ffaed4 100644 --- a/auth/options.go +++ b/auth/options.go @@ -42,6 +42,7 @@ type Options struct { STSRegion string STSEndpoint string ProxyURL *url.URL + GitURL *url.URL CAData string ClusterResource string ClusterAddress string @@ -122,6 +123,13 @@ func WithProxyURL(proxyURL url.URL) Option { } } +// WithGitURL sets the Git repository URL used by Git credential providers. +func WithGitURL(gitURL url.URL) Option { + return func(o *Options) { + o.GitURL = &gitURL + } +} + // WithCAData sets the CA data for credentials that require a CA, // e.g. for Kubernetes REST config. func WithCAData(caData string) Option { diff --git a/auth/utils/git.go b/auth/utils/git.go index 4ec7cefe7..1190e71d7 100644 --- a/auth/utils/git.go +++ b/auth/utils/git.go @@ -22,6 +22,7 @@ import ( "slices" "github.com/fluxcd/pkg/auth" + "github.com/fluxcd/pkg/auth/aws" "github.com/fluxcd/pkg/auth/azure" ) 
@@ -46,6 +47,22 @@ func GetGitCredentials(ctx context.Context, providerName string, opts ...auth.Op return &GitCredentials{ BearerToken: token.(*azure.Token).Token, }, nil + case aws.ProviderName: + provider := aws.Provider{} + awsOpts := slices.Clone(opts) + token, err := auth.GetAccessToken(ctx, provider, awsOpts...) + if err != nil { + return nil, err + } + + username, password, err := provider.NewCodeCommitGitCredentials(ctx, []auth.Token{token}, awsOpts...) + if err != nil { + return nil, err + } + return &GitCredentials{ + Username: username, + Password: password, + }, nil default: return nil, fmt.Errorf("provider '%s' does not support Git credentials", providerName) } diff --git a/auth/utils/git_test.go b/auth/utils/git_test.go index 992ddb43a..dd4aabfd0 100644 --- a/auth/utils/git_test.go +++ b/auth/utils/git_test.go @@ -18,11 +18,14 @@ package utils_test import ( "context" + "fmt" + "net/url" "testing" "time" . "github.com/onsi/gomega" + "github.com/fluxcd/pkg/auth" authutils "github.com/fluxcd/pkg/auth/utils" ) @@ -44,4 +47,17 @@ func TestGetGitCredentials(t *testing.T) { g.Expect(err.Error()).To(Equal("provider 'unknown' does not support Git credentials")) g.Expect(p).To(BeNil()) }) + + t.Run("aws", func(t *testing.T) { + g := NewWithT(t) + region := "us-east-1" + t.Setenv("AWS_REGION", region) + u, err := url.Parse(fmt.Sprintf("https://git-codecommit.%s.amazonaws.com/v1/repos/repo-name", region)) + g.Expect(err).ToNot(HaveOccurred()) + opts := []auth.Option{auth.WithGitURL(*u)} + p, err := authutils.GetGitCredentials(context.Background(), "aws", opts...) + g.Expect(err).To(HaveOccurred()) + g.Expect(err.Error()).To(ContainSubstring("failed to create provider access token")) + g.Expect(p).To(BeNil()) + }) } diff --git a/tests/integration/Dockerfile b/tests/integration/Dockerfile index 70eaeb17b..71129994b 100644 --- a/tests/integration/Dockerfile +++ b/tests/integration/Dockerfile 
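Review bot: `awsOpts := slices.Clone(opts)` in the new `aws.ProviderName` case is never appended to or otherwise modified, so the clone is an unneeded allocation; pass `opts...` to both calls directly, unless the intent is to mirror the azure branch above, which starts outside this hunk. Both errors are returned unwrapped, so a caller cannot tell whether token retrieval or request signing failed; wrapping the second as `return nil, fmt.Errorf("creating CodeCommit Git credentials: %w", err)` keeps the existing test's substring match on the first error intact while distinguishing the two.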
@@ -1,7 +1,7 @@ # Using scratch base image results in `x509: certificate signed by unknown # authority` error. # Use alpine to include the necessary certificates. -FROM alpine:3.16 +FROM alpine:3.23 COPY app . diff --git a/tests/integration/Makefile b/tests/integration/Makefile index ca8a4e15f..f28a1361b 100644 --- a/tests/integration/Makefile +++ b/tests/integration/Makefile @@ -21,6 +21,9 @@ test: test-aws: $(MAKE) test PROVIDER_ARG="-provider aws" +test-aws-git: + $(MAKE) test PROVIDER_ARG="-provider aws" GO_TEST_PREFIX="TestGit" + test-azure: $(MAKE) test PROVIDER_ARG="-provider azure" diff --git a/tests/integration/README.md b/tests/integration/README.md index 966789350..ba3b20b8e 100644 --- a/tests/integration/README.md +++ b/tests/integration/README.md @@ -49,7 +49,7 @@ metadata: ### Amazon Web Services - AWS account with access key ID and secret access key with permissions to - create EKS cluster and ECR repository. + create EKS cluster, ECR and a CodeCommit repositories. - AWS CLI v2.x, does not need to be configured with the AWS account. - Docker CLI for registry login. - kubectl for applying certain install manifests. @@ -68,6 +68,13 @@ provisioning the infrastructure and running the tests: "Sid": "testinfra", "Effect": "Allow", "Action": [ + "codecommit:CreateRepository", + "codecommit:DeleteRepository", + "codecommit:GetRepository", + "codecommit:TagResource", + "codecommit:UntagResource", + "codecommit:GitPull", + "codecommit:GitPush", "ec2:AllocateAddress", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", @@ -213,6 +220,13 @@ module "aws_gh_actions" { aws_policy_name = "oci-e2e" aws_policy_description = "policy for OCI e2e tests" aws_provision_perms = [ + "codecommit:CreateRepository", + "codecommit:DeleteRepository", + "codecommit:GetRepository", + "codecommit:TagResource", + "codecommit:UntagResource", + "codecommit:GitPull", + "codecommit:GitPush", "ec2:AllocateAddress", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", 
diff --git a/tests/integration/aws_test.go b/tests/integration/aws_test.go index 14df772fc..3546d8624 100644 --- a/tests/integration/aws_test.go +++ b/tests/integration/aws_test.go @@ -22,11 +22,15 @@ package integration import ( "context" "fmt" + "net/url" tfjson "github.com/hashicorp/terraform-json" "github.com/fluxcd/pkg/apis/meta" + "github.com/fluxcd/pkg/auth" "github.com/fluxcd/pkg/auth/aws" + authutils "github.com/fluxcd/pkg/auth/utils" + "github.com/fluxcd/pkg/git" "github.com/fluxcd/test-infra/tftestenv" ) @@ -94,7 +98,7 @@ func registryLoginECR(ctx context.Context, output map[string]*tfjson.StateOutput // logged in and is capable of pushing the test images. func pushAppTestImagesECR(ctx context.Context, localImgs map[string]string, output map[string]*tfjson.StateOutput) (map[string]string, error) { // Get the registry name and construct the image names accordingly. - repo := output["ecr_test_app_repo_url"].Value.(string) + repo := output["ecr_repository_url"].Value.(string) remoteImage := repo + ":test" return tftestenv.PushTestAppImagesECR(ctx, localImgs, remoteImage) } 
@@ -138,17 +142,52 @@ func getClusterUsersAWS(output map[string]*tfjson.StateOutput) ([]string, error) return []string{clusterUser}, nil } -// When implemented, getGitTestConfigAws would return the git-specific test config for AWS func getGitTestConfigAWS(outputs map[string]*tfjson.StateOutput) (*gitTestConfig, error) { - return nil, fmt.Errorf("NotImplemented for AWS") + repoURL := outputs["git_repo_http_url"].Value.(string) + if repoURL == "" { + return nil, fmt.Errorf("no AWS CodeCommit repository URL in terraform output") + } + + region := outputs["region"].Value.(string) + if region == "" { + return nil, fmt.Errorf("no AWS region in terraform output") + } + + parsedRepoURL, err := url.Parse(repoURL) + if err != nil { + return nil, fmt.Errorf("failed to parse AWS CodeCommit repository URL: %w", err) + } + + creds, err := authutils.GetGitCredentials(context.Background(), aws.ProviderName, + auth.WithSTSRegion(region), + auth.WithGitURL(*parsedRepoURL), + ) + if err != nil { + return nil, fmt.Errorf("failed to get AWS CodeCommit credentials: %w", err) + } + + authOpts, err := getAuthOpts(repoURL, map[string][]byte{ + "username": []byte(creds.Username), + "password": []byte(creds.Password), + }) + if err != nil { + return nil, err + } + + return &gitTestConfig{ + defaultGitTransport: git.HTTPS, + defaultAuthOpts: authOpts, + applicationRepository: repoURL, + applicationRepositoryWithoutUser: repoURL, + }, nil } -// When implemented, grantPermissionsToGitRepositoryAWS would grant the required permissions to AWS CodeCommit repository func grantPermissionsToGitRepositoryAWS(ctx context.Context, cfg *gitTestConfig, output map[string]*tfjson.StateOutput) error { - return fmt.Errorf("NotImplemented for AWS") + // Noop, CodeCommit permissions are granted via Terraform + return nil } -// When implemented, revokePermissionsToGitRepositoryAWS would revoke the permissions granted to AWS CodeCommit repository func revokePermissionsToGitRepositoryAWS(ctx context.Context, cfg 
*gitTestConfig, outputs map[string]*tfjson.StateOutput) error { - return fmt.Errorf("NotImplemented for AWS") + // Noop, CodeCommit permissions are granted via Terraform + return nil } diff --git a/tests/integration/git_test.go b/tests/integration/git_test.go index 3e86f3cdb..f6bef70dc 100644 --- a/tests/integration/git_test.go +++ b/tests/integration/git_test.go @@ -83,7 +83,10 @@ func TestGitCloneUsingProvider(t *testing.T) { } func TestGitCloneUsingSSH(t *testing.T) { - if !testGit { + // Skip SSH authentication test for CodeCommit + // while it is possible, it is based on SSH keys attached to an IAM user + // which is not the recommended way. + if *targetProvider == "aws" || !testGit { t.Skip("Skipping git test, not supported for provider") } diff --git a/tests/integration/go.mod b/tests/integration/go.mod index 38c86b79f..446cdb69b 100644 --- a/tests/integration/go.mod +++ b/tests/integration/go.mod @@ -69,6 +69,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect github.com/aws/smithy-go v1.24.0 // indirect + github.com/aws/smithy-go/aws-http-auth v1.1.3 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect diff --git a/tests/integration/go.sum b/tests/integration/go.sum index 205eb8f60..c9ebb3492 100644 --- a/tests/integration/go.sum +++ b/tests/integration/go.sum 
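Review bot: `outputs["git_repo_http_url"].Value.(string)` and `outputs["region"].Value.(string)` dereference a nil `*tfjson.StateOutput` when the key is absent and panic on a non-string value, so the `== ""` guards that follow can never report a missing output; only an output that exists with an empty string reaches them. A small accessor that uses the two-value map lookup and a checked type assertion turns both cases into the intended error, as sketched below. Note that the `region` output is assumed to exist in the module; the outputs.tf hunk in this diff adds only the two `git_repo_*` outputs, so that should be confirmed. Since the SigV4 password is computed here at config-construction time, a comment noting that it is time-bound would help anyone debugging a suite that runs long after setup.
```go
// outputString returns the string value of a terraform output, or an error
// when the output is absent, nil, not a string, or empty.
func outputString(outputs map[string]*tfjson.StateOutput, key string) (string, error) {
	out, ok := outputs[key]
	if !ok || out == nil {
		return "", fmt.Errorf("no %q in terraform output", key)
	}
	s, ok := out.Value.(string)
	if !ok || s == "" {
		return "", fmt.Errorf("terraform output %q is not a non-empty string", key)
	}
	return s, nil
}

func getGitTestConfigAWS(outputs map[string]*tfjson.StateOutput) (*gitTestConfig, error) {
	repoURL, err := outputString(outputs, "git_repo_http_url")
	if err != nil {
		return nil, fmt.Errorf("no AWS CodeCommit repository URL in terraform output: %w", err)
	}

	region, err := outputString(outputs, "region")
	if err != nil {
		return nil, fmt.Errorf("no AWS region in terraform output: %w", err)
	}

	// … unchanged: url.Parse, GetGitCredentials, getAuthOpts, gitTestConfig …
}
```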
@@ -73,6 +73,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/ github.com/aws/aws-sdk-go-v2/service/sts v1.41.6/go.mod h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ= github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk= github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0= +github.com/aws/smithy-go/aws-http-auth v1.1.3 h1:8/T7/2n8x+x9sIAmi5h5mDKS8v7/u2GEpF6T6RrGMrc= +github.com/aws/smithy-go/aws-http-auth v1.1.3/go.mod h1:KL46VTjVK9De3jurMqDLBkXCP9vrAvD03zQrmyzyrQ0= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= diff --git a/tests/integration/suite_test.go b/tests/integration/suite_test.go index 54ede5ac8..a44eb9095 100644 --- a/tests/integration/suite_test.go +++ b/tests/integration/suite_test.go @@ -432,6 +432,7 @@ func getProviderConfig(provider string) *ProviderConfig { grantPermissionsToGitRepository: grantPermissionsToGitRepositoryAWS, revokePermissionsToGitRepository: revokePermissionsToGitRepositoryAWS, getGitTestConfig: getGitTestConfigAWS, + supportsGit: true, } case "azure": providerCfg := &ProviderConfig{ diff --git a/tests/integration/terraform/aws/main.tf b/tests/integration/terraform/aws/main.tf index 654356200..153db8e3e 100644 --- a/tests/integration/terraform/aws/main.tf +++ b/tests/integration/terraform/aws/main.tf 
@@ -50,7 +50,7 @@ resource "aws_iam_role" "assume_role" { count = var.enable_wi ? 1 : 0 name = local.name description = "IAM role used for testing Workload integration for OCI repositories in Flux" - assume_role_policy = templatefile("oidc_assume_role_policy.json", { + assume_role_policy = templatefile("${path.module}/oidc_assume_role_policy.json", { OIDC_ARN = module.eks.cluster_oidc_arn, OIDC_URL = replace(module.eks.cluster_oidc_url, "https://", ""), NAMESPACE = var.wi_k8s_sa_ns, @@ -90,6 +90,14 @@ resource "aws_iam_policy" "wi_role_policy" { ] Resource = "*" }, + { + Effect = "Allow" + Action = [ + "codecommit:GitPull", + "codecommit:GitPush", + ] + Resource = aws_codecommit_repository.test_git.arn + }, ], }) } @@ -103,3 +111,9 @@ resource "aws_eks_access_entry" "wi_access_entry" { principal_arn = aws_iam_role.assume_role[0].arn user_name = aws_iam_role.assume_role[0].arn } + +resource "aws_codecommit_repository" "test_git" { + repository_name = local.name + description = "Test repository for Flux integration tests" + tags = var.tags +} diff --git a/tests/integration/terraform/aws/outputs.tf b/tests/integration/terraform/aws/outputs.tf index 3a3f4a5ba..d24c3fc0d 100644 --- a/tests/integration/terraform/aws/outputs.tf +++ b/tests/integration/terraform/aws/outputs.tf @@ -47,3 +47,11 @@ output "aws_wi_iam_arn" { output "ecrpublic_repository_url" { value = aws_ecrpublic_repository.test_ecr_public.repository_uri } + +output "git_repo_http_url" { + value = aws_codecommit_repository.test_git.clone_url_http +} + +output "git_repo_name" { + value = aws_codecommit_repository.test_git.repository_name +} diff --git a/tests/integration/testapp/main.go b/tests/integration/testapp/main.go index b3d563d0f..05b527c1c 100644 --- a/tests/integration/testapp/main.go +++ b/tests/integration/testapp/main.go 
@@ -238,7 +238,7 @@ func checkGit(ctx context.Context) { panic(err) } if !*gitSSH { - creds, err := authutils.GetGitCredentials(ctx, *provider, authOpts...) + creds, err := authutils.GetGitCredentials(ctx, *provider, append(authOpts, auth.WithGitURL(*u))...) if err != nil { panic(err) }
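Review bot: `append(authOpts, auth.WithGitURL(*u))` may write into spare capacity of `authOpts`, a slice declared outside this hunk, so if `authOpts` is used again later in `checkGit` it could silently carry the extra option. A capacity-limited slice keeps the original untouched without a new import: `creds, err := authutils.GetGitCredentials(ctx, *provider, append(authOpts[:len(authOpts):len(authOpts)], auth.WithGitURL(*u))...)`. Both `authOpts` and `u` are defined before the hunk and `checkGit` continues outside it.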