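├── .github
│   └── workflows
│       └── docker-image-publish.yml
├── .gitpod.Dockerfile
├── .gitpod.yml
├── README.md
└── utils
    ├── aws-sso-credential-process
    ├── init-script.sh
    └── refresh_credentials.sh

/.github/workflows/docker-image-publish.yml:
--------------------------------------------------------------------------------
name: Publish Docker image
on:
  push:
    branches:
      - main
  schedule:
    - cron: '37 * * * *'
  workflow_dispatch: {}

env:
  dockerhub_tag: pahud/gitpod-workspace:latest
  ghcr_tag: ghcr.io/pahud/gitpod-workspace:latest

jobs:
  docker_hub:
    name: Docker Hub
    runs-on: ubuntu-latest
    # Least privilege: this job logs in with stored Docker Hub secrets and
    # never requests an OIDC token, so it does not need `id-token: write`.
    permissions:
      contents: read
    steps:
      - name: Get short SHA
        id: sha
        run: echo "sha7=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@v5
        with:
          push: true
          file: .gitpod.Dockerfile
          tags: |
            ${{github.repository}}:latest
            ${{github.repository}}:${{ steps.sha.outputs.sha7 }}
      - name: Image digest
        # Pass the step output through an env var instead of interpolating the
        # expression into the shell line.
        env:
          DIGEST: ${{ steps.docker_build.outputs.digest }}
        run: echo "$DIGEST"
  # github_container:
  #   name: Github Container Registry
  #   runs-on: ubuntu-latest
  #   steps:
  #     - name: Get short SHA
  #       id: sha
  #       run: echo "::set-output name=sha7::$(echo ${GITHUB_SHA} | cut -c1-7)"
  #     - name: Checkout
  #       uses: actions/checkout@v4
  #     - name: Set up QEMU
  #       uses: docker/setup-qemu-action@v3
  #     - name: Set up Docker Buildx
  #       uses: docker/setup-buildx-action@v3
  #     - name: Login to GitHub Container Registry
  #       uses: docker/login-action@v3
  #       with:
  #         registry: ghcr.io
  #         username: ${{ github.repository_owner }}
  #         password: ${{ secrets.CR_PAT }}
  #     - name: Build and push
  #       id: docker_build
  #       uses: docker/build-push-action@v5
  #       with:
  #         push: true
  #         file: .gitpod.Dockerfile
  #         tags: |
  #           ghcr.io/${{github.repository}}:latest
  #           ghcr.io/${{github.repository}}:${{ steps.sha.outputs.sha7 }}
  #     - name: Image digest
  #       run: echo ${{ steps.docker_build.outputs.digest }}
  ecr_public:
    name: ECR Public
    runs-on: ubuntu-latest
    permissions:
      id-token: write # needed to interact with GitHub's OIDC Token endpoint.
      contents: read
    steps:
      - name: Get repo name
        id: repoName
        run: echo "reponame=$(basename "$GITHUB_REPOSITORY")" >> "$GITHUB_OUTPUT"
      - name: Get short SHA
        id: sha
        run: echo "sha7=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
      - name: Checkout
        uses: actions/checkout@v4
      - name: Configure AWS credentials
        # Pinned to a release tag instead of the mutable `master` branch: this
        # step exchanges the job's OIDC token for the deploy role, so the code
        # it runs should be a fixed revision. Pinning to a full commit SHA, as
        # the ECR step below already does, is the stronger form.
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: us-east-1
      - name: Build and Push to ECR Public
        id: build-and-push
        uses: pahud/ecr-public-action@ca53da9235f82d0f3aa64079540a1e7885ad47d1
        with:
          dockerfile: .gitpod.Dockerfile
          tags: |
            public.ecr.aws/pahudnet/${{ steps.repoName.outputs.reponame }}:latest
            public.ecr.aws/pahudnet/${{ steps.repoName.outputs.reponame }}:${{ steps.sha.outputs.sha7 }}
--------------------------------------------------------------------------------

/.gitpod.Dockerfile:
--------------------------------------------------------------------------------
FROM public.ecr.aws/jsii/superchain:1-bookworm-slim-node20

# Download locations for the extra tooling. None of these artifacts is
# integrity-checked below; compare the downloaded files against the
# vendor-published SHA256 sums before relying on the image.
ARG KUBECTL_URL='https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.0/2024-05-12/bin/linux/amd64/kubectl'
ARG AWS_CLI_V2_URL='https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'
# Fixed: the previous URL fetched the darwin_amd64 (macOS) build, which cannot
# run in this linux/amd64 image; this is the linux_amd64 build of the same version.
ARG TERRAFORM_URL='https://releases.hashicorp.com/terraform/1.9.2/terraform_1.9.2_linux_amd64.zip'
# "latest" is a moving target; pin a version here for reproducible builds.
ARG SESSION_MANAGER_PLUGIN='https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb'


USER root:root
# install jq wget (no recommended packages; drop the apt lists to keep the layer small)
RUN apt-get update && \
    apt-get install -y --no-install-recommends jq wget && \
    rm -rf /var/lib/apt/lists/*

# install aws-cli v2
# `curl -f` makes an HTTP error fail the build instead of saving the error
# page as the archive.
RUN mv "$(which aws)" /usr/local/bin/awscliv1 && \
    mkdir /tmp/awscliv2 && cd /tmp/awscliv2 && \
    curl -fsSL "${AWS_CLI_V2_URL}" -o "awscliv2.zip" && \
    unzip -q awscliv2.zip && \
    ./aws/install -b /usr/local/bin --update && \
    cd / && rm -rf /tmp/awscliv2 && \
    aws --version

# install kubectl
RUN curl -fsSL -o kubectl "${KUBECTL_URL}" && \
    chmod +x kubectl && \
    mv kubectl /usr/local/bin/kubectl

# install terraform (extract only the binary; the archive also ships a LICENSE file)
RUN curl -fsSL -o terraform.zip "${TERRAFORM_URL}" && \
    unzip -q terraform.zip terraform && \
    mv terraform /usr/local/bin/ && \
    rm -f terraform.zip

# install session-manager-plugin(required for aws ssm start-session)
RUN curl -fsSL "${SESSION_MANAGER_PLUGIN}" -o "session-manager-plugin.deb" && \
    dpkg -i session-manager-plugin.deb && \
    rm -f session-manager-plugin.deb

USER superchain:superchain
--------------------------------------------------------------------------------

/.gitpod.yml:
--------------------------------------------------------------------------------
github:
  prebuilds:
    # NOTE(review): with fork prebuilds enabled, a pull request from a fork
    # presumably runs that fork's version of this file and init script during
    # the prebuild — confirm what the prebuild environment can reach.
    pullRequestsFromForks: true
    addComment: true

image:
  file: .gitpod.Dockerfile
tasks:
  - init: ${GITPOD_REPO_ROOT}/utils/init-script.sh

vscode:
  extensions:
    - dbaeumer.vscode-eslint
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# gitpod-workspace

This is a workspace template for general AWS CDK development in Gitpod.

Click the button below to open a fresh CDK development workspace in Gitpod:

[![Open in Gitpod](https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/pahud/gitpod-workspace)

Public Docker image for this workspace:

`public.ecr.aws/pahudnet/gitpod-workspace:latest`


## Create AWS CDK App

```bash
npx projen new awscdk-app-ts
```

## Create AWS CDK Construct Lib

```bash
npx projen new awscdk-construct
```

## Configure AWS CLI V2 with AWS SSO

```bash
aws configure sso --profile default
```

The following example generates the SSO profile with `default` as the profile name:

```
$ aws configure sso --profile default
SSO start URL [None]: https://pahud-sso.awsapps.com/start
SSO Region [None]: us-east-1
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

DJHN-QKRK
The only AWS account available to you is: 123456789012
Using the account ID 123456789012
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
CLI default client Region [None]: ap-northeast-1
CLI default output format [None]:
To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile default
```

## Validate the Identity with AWS CLI

```
$ aws sts get-caller-identity
```

## Start your CDK development

You should be able to run the CDK CLI now.

```sh
$ cdk diff
$ cdk deploy
$ cdk destroy
```
--------------------------------------------------------------------------------

/utils/aws-sso-credential-process:
--------------------------------------------------------------------------------
#!/bin/bash

# This script generates output for process_credentials from a user authenticated via SSO
# Before using, make sure that the AWS SSO is configured in your CLI: `aws configure sso`
# Usage: aws-sso-credential-process [AWS_PROFILE_NAME]
#
# Contract: the AWS CLI/SDK parses everything on stdout as the credential JSON,
# so only the final credential document is written there; diagnostics and the
# interactive login go to stderr.
#
# `pipefail` makes the `aws ... | jq` pipeline in request_credentials report
# the aws failure; without it the pipeline's status was jq's (always 0), so the
# login fallback below could never trigger.
set -uo pipefail

if [ $# -gt 0 ]; then
  AWS_PROFILE="$1"
fi

profile=${AWS_PROFILE-default}

get_identity() {
  aws --profile "$profile" sts get-caller-identity
}

sso_login() {
  # Keep the login prompt off stdout, which is reserved for the credential JSON.
  aws sso login --profile "$profile" >&2
}

# Resolve the caller identity first; an expired SSO session is the usual
# failure here, so log in once and retry before giving up. (Previously a
# failed lookup silently produced an empty, malformed role ARN.)
if ! temp_identity=$(get_identity); then
  sso_login || exit 1
  temp_identity=$(get_identity) || exit 1
fi

caller_arn=$(jq -r .Arn <<<"$temp_identity")
account_id=$(cut -d: -f5 <<<"$caller_arn")
assumed_role_name=$(cut -d/ -f2 <<<"$caller_arn")
session_name=$(cut -d/ -f3 <<<"$caller_arn")
# NOTE(review): `configure get` reads the profile section only; profiles that
# reference an `sso-session` section may return nothing here — confirm.
sso_region=$(aws --profile "$profile" configure get sso_region)

if [[ -z $sso_region ]]; then
  echo "aws-sso-credential-process: sso_region is not set for profile '$profile'" >&2
  exit 1
fi

# The IAM Identity Center role path carries the region segment except for us-east-1.
if [[ $sso_region == 'us-east-1' ]]; then
  sso_region_string=''
else
  sso_region_string="${sso_region}/"
fi
role_arn="arn:aws:iam::${account_id}:role/aws-reserved/sso.amazonaws.com/${sso_region_string}${assumed_role_name}"


# Sets $credentials to the assume-role credentials in credential_process
# format (Version: 1); returns the status of the aws call (see pipefail above).
request_credentials() {
  credentials=$(
    aws sts assume-role \
      --profile "$profile" \
      --role-arn "$role_arn" \
      --role-session-name "$session_name" | jq '.Credentials + {Version: 1}'
  )
}

if ! request_credentials; then
  sso_login || exit 1
  request_credentials || exit 1
fi

if [[ -z $credentials ]]; then
  echo "aws-sso-credential-process: no credentials returned for role '$role_arn'" >&2
  exit 1
fi

printf '%s\n' "$credentials"

exit 0
--------------------------------------------------------------------------------

/utils/init-script.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Enable git bash-completion for interactive shells. Appended only once so
# repeated inits (every prebuild/start) do not pile up duplicate lines.
line='source /usr/share/bash-completion/completions/git'
grep -qxF "$line" "$HOME/.bashrc" 2>/dev/null || echo "$line" >> "$HOME/.bashrc"
--------------------------------------------------------------------------------

/utils/refresh_credentials.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# This script generates AWS Programmatic Access credentials from a user authenticated via SSO
# and writes them to ~/.aws/credentials under the same profile name.
# Before using, make sure that the AWS SSO is configured in your CLI: `aws configure sso`
set -u

profile=${AWS_PROFILE-default}

get_identity() {
  aws --profile "$profile" sts get-caller-identity
}

# Resolve the caller identity first; an expired SSO session is the usual
# failure here, so log in once and retry before giving up. (Previously a
# failed lookup silently produced an empty, malformed role ARN.)
if ! temp_identity=$(get_identity); then
  aws sso login --profile "$profile" || exit 1
  temp_identity=$(get_identity) || exit 1
fi

caller_arn=$(jq -r .Arn <<<"$temp_identity")
account_id=$(cut -d: -f5 <<<"$caller_arn")
assumed_role_name=$(cut -d/ -f2 <<<"$caller_arn")
session_name=$(cut -d/ -f3 <<<"$caller_arn")
# NOTE(review): `configure get` reads the profile section only; profiles that
# reference an `sso-session` section may return nothing here — confirm.
sso_region=$(aws --profile "$profile" configure get sso_region)

if [[ -z $sso_region ]]; then
  echo "refresh_credentials: sso_region is not set for profile '$profile'" >&2
  exit 1
fi

# The IAM Identity Center role path carries the region segment except for us-east-1.
if [[ $sso_region == 'us-east-1' ]]; then
  sso_region_string=''
else
  sso_region_string="${sso_region}/"
fi
role_arn="arn:aws:iam::${account_id}:role/aws-reserved/sso.amazonaws.com/${sso_region_string}${assumed_role_name}"


# Sets $credentials to the raw assume-role response; returns the aws status.
request_credentials() {
  credentials=$(
    aws sts assume-role \
      --profile "$profile" \
      --role-arn "$role_arn" \
      --role-session-name "$session_name"
  )
}

echo "=> requesting temporary credentials"
if ! request_credentials; then
  aws sso login --profile "$profile" || exit 1
  request_credentials || exit 1
fi

echo "=> updating ~/.aws/credentials as profile $profile"

access_key_id=$(jq -r .Credentials.AccessKeyId <<<"$credentials")
secret_access_key=$(jq -r .Credentials.SecretAccessKey <<<"$credentials")
session_token=$(jq -r .Credentials.SessionToken <<<"$credentials")

if [[ -z $access_key_id || $access_key_id == 'null' ]]; then
  echo "refresh_credentials: assume-role returned no credentials" >&2
  exit 1
fi

# NOTE(review): the static keys written here are temporary (they expire) and
# presumably take precedence over the profile's SSO settings on later runs —
# confirm how the CLI resolves this profile once they have expired.
aws configure set --profile "$profile" aws_access_key_id "$access_key_id"
aws configure set --profile "$profile" aws_secret_access_key "$secret_access_key"
aws configure set --profile "$profile" aws_session_token "$session_token"

echo "[OK] done"

--------------------------------------------------------------------------------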