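├── .devcontainer.json
├── .github
│   └── workflows
│       └── workspace-publish-image.yml
├── Dockerfile
├── README.md
└── utils
    ├── aws-sso-credential-process
    └── refresh_credentials.sh

/.devcontainer.json:
--------------------------------------------------------------------------------
{
  "name": "Dev Container Definition - AWS CDK",
  "image": "public.ecr.aws/pahudnet/github-codespace:latest",
  "extensions": [
    "dbaeumer.vscode-eslint@2.1.5"
  ]
}
--------------------------------------------------------------------------------
/.github/workflows/workspace-publish-image.yml:
--------------------------------------------------------------------------------
name: Publish Docker image
on:
  push:
    branches:
      - main
  # NOTE(review): the hourly schedule re-pushes ":latest" on every run, built
  # from whatever the base image tag and the download URLs in the Dockerfile
  # serve at that moment, so two runs of the same commit can yield different
  # images.
  schedule:
    - cron: 37 * * * *
  workflow_dispatch: {}

# Least privilege for GITHUB_TOKEN: read-only by default. The ecr_public job
# raises id-token to write for OIDC; docker_hub only needs checkout.
permissions:
  contents: read

# NOTE(review): only ecr-public-action is pinned to a commit SHA; the other
# actions float on a major tag and pick up new releases automatically.
jobs:
  docker_hub:
    name: Docker Hub
    runs-on: ubuntu-latest
    steps:
      - name: Get short SHA
        id: sha
        run: echo "sha7=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: |
            ${{github.repository}}:latest
            ${{github.repository}}:${{ steps.sha.outputs.sha7 }}
      - name: Image digest
        run: echo ${{ steps.docker_build.outputs.digest }}
  # Disabled job, kept for reference. The step output is written the same way
  # as in the active jobs (the ::set-output command it used is deprecated).
  # github_container:
  #   name: Github Container Registry
  #   runs-on: ubuntu-latest
  #   steps:
  #     - name: Get short SHA
  #       id: sha
  #       run: echo "sha7=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
  #     - name: Checkout
  #       uses: actions/checkout@v4
  #     - name: Set up QEMU
  #       uses: docker/setup-qemu-action@v3
  #     - name: Set up Docker Buildx
  #       uses: docker/setup-buildx-action@v3
  #     - name: Login to GitHub Container Registry
  #       uses: docker/login-action@v3
  #       with:
  #         registry: ghcr.io
  #         username: ${{ github.repository_owner }}
  #         password: ${{ secrets.CR_PAT }}
  #     - name: Build and push
  #       id: docker_build
  #       uses: docker/build-push-action@v5
  #       with:
  #         push: true
  #         tags: |
  #           ghcr.io/${{github.repository}}:latest
  #           ghcr.io/${{github.repository}}:${{ steps.sha.outputs.sha7 }}
  #     - name: Image digest
  #       run: echo ${{ steps.docker_build.outputs.digest }}
  ecr_public:
    name: ECR Public
    runs-on: ubuntu-latest
    permissions:
      id-token: write # needed to interact with GitHub's OIDC Token endpoint.
      contents: read
    steps:
      - name: Get repo name
        id: repoName
        run: echo "reponame=$(basename $GITHUB_REPOSITORY)" >> $GITHUB_OUTPUT
      - name: Get short SHA
        id: sha
        run: echo "sha7=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
      - name: Checkout
        uses: actions/checkout@v4
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: us-east-1
      - name: Build and Push to ECR Public
        id: build-and-push
        uses: pahud/ecr-public-action@ca53da9235f82d0f3aa64079540a1e7885ad47d1
        with:
          tags: |
            public.ecr.aws/pahudnet/${{ steps.repoName.outputs.reponame }}:latest
            public.ecr.aws/pahudnet/${{ steps.repoName.outputs.reponame }}:${{ steps.sha.outputs.sha7 }}
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM public.ecr.aws/jsii/superchain:1-buster-slim-node18

# Download locations for the extra tooling. Everything below targets the
# linux/amd64 image this Dockerfile builds.
ARG KUBECTL_URL='https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.3/2023-11-14/bin/linux/amd64/kubectl'
ARG AWS_CLI_V2_URL='https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'
# Fixed: the previous default pointed at the darwin_amd64 archive, which
# cannot run inside this Linux image.
ARG TERRAFORM_URL='https://releases.hashicorp.com/terraform/1.6.6/terraform_1.6.6_linux_amd64.zip'

# NOTE(review): none of these downloads is checked against a published
# checksum or signature, so the image trusts whatever the URLs serve at build
# time. Pin a SHA256 per artifact before relying on this image.

USER root:root

# install jq wget; drop the apt index afterwards so it is not baked into the layer
RUN apt-get update && \
    apt-get install -y jq wget && \
    rm -rf /var/lib/apt/lists/*

# install aws-cli v2 (v1 stays reachable as awscliv1).
# curl -fsSL: fail the build on an HTTP error instead of saving the error page
# as the archive.
RUN mv "$(which aws)" /usr/local/bin/awscliv1 && \
    mkdir /tmp/awscliv2 && cd /tmp/awscliv2 && \
    curl -fsSL "${AWS_CLI_V2_URL}" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install -b /usr/local/bin --update && \
    rm -rf /tmp/awscliv2 && \
    aws --version

# install kubectl
RUN curl -fsSL -o kubectl "${KUBECTL_URL}" && \
    chmod +x kubectl && \
    mv kubectl /usr/local/bin

# install terraform
RUN curl -fsSL -o terraform.zip "${TERRAFORM_URL}" && \
    unzip terraform.zip && \
    mv terraform /usr/local/bin/ && \
    rm -f terraform.zip

USER superchain:superchain
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# github-codespace

This is a codespace template for general AWS CDK development in **GitHub Codespace**.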

public docker image for this codespace:

`public.ecr.aws/pahudnet/github-codespace:latest`


## Create AWS CDK App

```bash
npx projen new awscdk-app-ts
```

## Create AWS CDK Construct Lib

```bash
npx projen new awscdk-construct
```

## Configure AWS CLI V2 with AWS SSO

```bash
aws configure sso --profile default
```

The following example generates the SSO profile with `default` as the profile name:

```
$ aws configure sso --profile default
SSO start URL [None]: https://pahud-sso.awsapps.com/start
SSO Region [None]: us-east-1
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

DJHN-QKRK
The only AWS account available to you is: 123456789012
Using the account ID 123456789012
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
CLI default client Region [None]: ap-northeast-1
CLI default output format [None]:

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile default
```

## Validate the Identity with AWS CLI

```sh
$ aws sts get-caller-identity
```

## Start your CDK development

You should be able to run the CDK CLI now.
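
```sh
$ cdk diff
$ cdk deploy
$ cdk destroy
```
--------------------------------------------------------------------------------
/utils/aws-sso-credential-process:
--------------------------------------------------------------------------------
#!/bin/bash

# This script generates output for process_credentials from a user authenticated via SSO
# Before using, make sure that the AWS SSO is configured in your CLI: `aws configure sso`
# Usage: aws-sso-credential-process [AWS_PROFILE_NAME]
#
# Contract: the consumer (credential_process in ~/.aws/config) reads one JSON
# document from stdout, so only the final credential blob may go there; every
# other message, including the interactive `aws sso login` output, is sent to
# stderr. A non-zero exit tells the consumer that no credentials were produced.

if [ $# -gt 0 ]; then
  AWS_PROFILE="$1"
fi

profile=${AWS_PROFILE-default}

# Caller identity of the SSO session; the role ARN below is derived from it.
# --output json keeps the jq parsing independent of the profile's output setting.
get_identity() {
  aws --profile "$profile" --output json sts get-caller-identity
}

# Log in first when the SSO session is gone. Previously the identity call ran
# unconditionally, so on an expired session every derived value was empty and
# the later retry assumed a malformed role ARN.
if ! temp_identity=$(get_identity 2>/dev/null); then
  aws sso login --profile "$profile" >&2 || exit 1
  temp_identity=$(get_identity) || exit 1
fi

# Expected ARN shape: arn:aws:sts::<account>:assumed-role/<role>/<session>
caller_arn=$(printf '%s' "$temp_identity" | jq -r .Arn)
account_id=$(printf '%s' "$caller_arn" | cut -d: -f5)
assumed_role_name=$(printf '%s' "$caller_arn" | cut -d/ -f2)
session_name=$(printf '%s' "$caller_arn" | cut -d/ -f3)
# NOTE(review): `configure get sso_region` reads the profile section; profiles
# using the newer sso-session layout may return an empty value here — confirm
# against the config in use.
sso_region=$(aws --profile "$profile" configure get sso_region)

# The reserved SSO role sits under a region-prefixed path except in us-east-1.
if [[ $sso_region == 'us-east-1' ]]; then
  sso_region_string=''
else
  sso_region_string="${sso_region}/"
fi
role_arn="arn:aws:iam::${account_id}:role/aws-reserved/sso.amazonaws.com/${sso_region_string}${assumed_role_name}"

# Assume the role and shape the result for credential_process (Version: 1).
# The aws call and the jq reshaping are kept separate so the function's status
# reflects assume-role; in the previous single pipeline `$?` was jq's exit
# code and the login fallback below never triggered.
request_credentials() {
  local raw
  raw=$(aws --profile "$profile" --output json sts assume-role \
          --role-arn "$role_arn" \
          --role-session-name "$session_name") || return 1
  credentials=$(printf '%s' "$raw" | jq '.Credentials + {Version: 1}')
}

if ! request_credentials; then
  aws sso login --profile "$profile" >&2 || exit 1
  request_credentials || exit 1
fi

printf '%s\n' "$credentials"

exit 0
--------------------------------------------------------------------------------
/utils/refresh_credentials.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# This script generates AWS Programmatic Access credentials from a user authenticated via SSO
# Before using, make sure that the AWS SSO is configured in your CLI: `aws configure sso`
#
# Result: temporary STS keys written under the same profile name in
# ~/.aws/credentials, for tools that cannot consume the SSO session directly.

profile=${AWS_PROFILE-default}

# Caller identity of the SSO session; the role ARN below is derived from it.
get_identity() {
  aws --profile "$profile" --output json sts get-caller-identity
}

# Log in first when the SSO session is gone; otherwise every value derived from
# the identity below is empty and the role ARN is malformed.
if ! temp_identity=$(get_identity 2>/dev/null); then
  aws sso login --profile "$profile" || exit 1
  temp_identity=$(get_identity) || exit 1
fi

# Expected ARN shape: arn:aws:sts::<account>:assumed-role/<role>/<session>
caller_arn=$(printf '%s' "$temp_identity" | jq -r .Arn)
account_id=$(printf '%s' "$caller_arn" | cut -d: -f5)
assumed_role_name=$(printf '%s' "$caller_arn" | cut -d/ -f2)
session_name=$(printf '%s' "$caller_arn" | cut -d/ -f3)
# NOTE(review): `configure get sso_region` reads the profile section; profiles
# using the newer sso-session layout may return an empty value here — confirm
# against the config in use.
sso_region=$(aws --profile "$profile" configure get sso_region)

# The reserved SSO role sits under a region-prefixed path except in us-east-1.
if [[ $sso_region == 'us-east-1' ]]; then
  sso_region_string=''
else
  sso_region_string="${sso_region}/"
fi
role_arn="arn:aws:iam::${account_id}:role/aws-reserved/sso.amazonaws.com/${sso_region_string}${assumed_role_name}"

# Assume the role; the function's status is that of the aws call, which the
# retry logic below relies on. Arguments are quoted so an unexpected value
# cannot be split into extra CLI options.
request_credentials() {
  credentials=$(aws --profile "$profile" --output json sts assume-role \
                  --role-arn "$role_arn" \
                  --role-session-name "$session_name")
}

echo "=> requesting temporary credentials"
if ! request_credentials; then
  aws sso login --profile "$profile" || exit 1
  request_credentials || exit 1
fi

echo "=> updating ~/.aws/credentials as profile $profile"

access_key_id=$(printf '%s' "$credentials" | jq -r .Credentials.AccessKeyId)
secret_access_key=$(printf '%s' "$credentials" | jq -r .Credentials.SecretAccessKey)
session_token=$(printf '%s' "$credentials" | jq -r .Credentials.SessionToken)

# jq -r prints "null" for a missing key; refuse to write a broken profile.
if [ -z "$access_key_id" ] || [ "$access_key_id" = "null" ]; then
  echo "[ERROR] assume-role returned no credentials" >&2
  exit 1
fi

# NOTE(review): the keys land in plaintext in the shared credentials file; they
# expire with the STS session, but the file should still be readable only by
# the user (0600). The profile now carries both the SSO settings and static
# keys; which one a given SDK picks depends on its provider chain — confirm for
# the tools that consume this file.
aws configure set --profile "$profile" aws_access_key_id "$access_key_id"
aws configure set --profile "$profile" aws_secret_access_key "$secret_access_key"
aws configure set --profile "$profile" aws_session_token "$session_token"

echo "[OK] done"

--------------------------------------------------------------------------------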