feat: a beginner's guide to openid connect (#7)

* empty commit 21090 * order tags in the order of importance * nearly finish up * fix the highlighting lines * use a tagged version * ignore cloudtrail log * add gh cli tip * remove unnecessary JS from head * upgrade aws * move checkov to CI * remove google adsense and move checkov to CI, again! * fix(ci): pass checkov config file * finish up with the references * fix: modify the footnote orderings * another round of read and modifications * modify color line number * reorder paypal and github sponsors * modify SEO description
developer-friendly · Apr 13, 2024 · 8e5f81d · 8e5f81d
1 parent ff38e5e
commit 8e5f81d
Show file tree

Hide file tree

Showing 15 changed files with 394 additions and 193 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -175,3 +175,23 @@ jobs:
           scan-ref: .
           scan-type: ${{ matrix.scan-type }}
           trivy-config: trivy.yaml
+
+  checkov:
+    permissions:
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Checkov GitHub Action
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          config_file: .checkov_config.yaml
+          output_format: cli,sarif
+          output_file_path: console,results.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: results.sarif
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -43,28 +43,11 @@ repos:
       - id: forbid-submodules
       - id: mixed-line-ending
       - id: pretty-format-json
+        args:
+          - --autofix
   - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
     rev: v9.14.0
     hooks:
       - id: commitlint
         stages: [commit-msg]
         additional_dependencies: ["@commitlint/config-conventional"]
-  - repo: https://github.com/bridgecrewio/checkov.git
-    rev: 3.2.53
-    hooks:
-      - id: checkov
-        args:
-          - --config-file=.checkov_config.yaml
-  # - repo: https://github.com/mxab/pre-commit-trivy.git
-  #   rev: v0.11.0
-  #   hooks:
-  #     - id: trivyfs-docker
-  #       args:
-  #         # - --skip-dirs
-  #         # - ./tests
-  #         - . # last arg indicates the path/file to scan
-  #     - id: trivyconfig-docker
-  #       args:
-  #         # - --skip-dirs
-  #         # - ./tests
-  #         - . # last arg indicates the path/file to scan
diff --git a/docs/codes/0007/cloudtrail-ci-log.json b/docs/codes/0007/cloudtrail-ci-log.json
@@ -0,0 +1,58 @@
+{
+  "awsRegion": "eu-central-1",
+  "eventCategory": "Management",
+  "eventID": "59d1c8df-5c1b-460b-bba3-9f13e94fa9ac",
+  "eventName": "GetParameters",
+  "eventSource": "ssm.amazonaws.com",
+  "eventTime": "2024-04-11T13:30:29Z",
+  "eventType": "AwsApiCall",
+  "eventVersion": "1.08",
+  "managementEvent": true,
+  "readOnly": true,
+  "recipientAccountId": "XXXXXXXXXXXX",
+  "requestID": "1fd24d3a-cbc7-463d-bf4c-fc48ebe7765f",
+  "requestParameters": {
+    "names": [
+      "/some/parameter/in/aws/ssm"
+    ],
+    "withDecryption": true
+  },
+  "resources": [
+    {
+      "ARN": "arn:aws:ssm:eu-central-1:XXXXXXXXXXXX:parameter/some/parameter/in/aws/ssm",
+      "accountId": "XXXXXXXXXXXX"
+    }
+  ],
+  "responseElements": null,
+  "sourceIPAddress": "172.183.82.224",
+  "tlsDetails": {
+    "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
+    "clientProvidedHostHeader": "ssm.eu-central-1.amazonaws.com",
+    "tlsVersion": "TLSv1.2"
+  },
+  "userAgent": "aws-cli/2.15.36 Python/3.11.8 Linux/6.5.0-1017-azure exe/x86_64.ubuntu.22 prompt/off command/ssm.get-parameters",
+  "userIdentity": {
+    "accessKeyId": "ASIA6AMOBUU5LTCAGBVC",
+    "accountId": "XXXXXXXXXXXX",
+    "arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/github-actions-oidc-role/GitHubActions",
+    "principalId": "AROA6AMOBUU5GFII4ZDZU:GitHubActions",
+    "sessionContext": {
+      "attributes": {
+        "creationDate": "2024-04-11T13:30:26Z",
+        "mfaAuthenticated": "false"
+      },
+      "sessionIssuer": {
+        "accountId": "XXXXXXXXXXXX",
+        "arn": "arn:aws:iam::XXXXXXXXXXXX:role/github-actions-oidc-role",
+        "principalId": "AROA6AMOBUU5GFII4ZDZU",
+        "type": "Role",
+        "userName": "github-actions-oidc-role"
+      },
+      "webIdFederationData": {
+        "attributes": {},
+        "federatedProvider": "arn:aws:iam::XXXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com"
+      }
+    },
+    "type": "AssumedRole"
+  }
+}
diff --git a/docs/codes/0007/github-actions-oidc-endpoint.json b/docs/codes/0007/github-actions-oidc-endpoint.json
@@ -0,0 +1,54 @@
+{
+  "claims_supported": [
+    "sub",
+    "aud",
+    "exp",
+    "iat",
+    "iss",
+    "jti",
+    "nbf",
+    "ref",
+    "sha",
+    "repository",
+    "repository_id",
+    "repository_owner",
+    "repository_owner_id",
+    "enterprise",
+    "enterprise_id",
+    "run_id",
+    "run_number",
+    "run_attempt",
+    "actor",
+    "actor_id",
+    "workflow",
+    "workflow_ref",
+    "workflow_sha",
+    "head_ref",
+    "base_ref",
+    "event_name",
+    "ref_type",
+    "ref_protected",
+    "environment",
+    "environment_node_id",
+    "job_workflow_ref",
+    "job_workflow_sha",
+    "repository_visibility",
+    "runner_environment",
+    "issuer_scope"
+  ],
+  "id_token_signing_alg_values_supported": [
+    "RS256"
+  ],
+  "issuer": "https://token.actions.githubusercontent.com",
+  "jwks_uri": "https://token.actions.githubusercontent.com/.well-known/jwks",
+  "response_types_supported": [
+    "id_token"
+  ],
+  "scopes_supported": [
+    "openid"
+  ],
+  "subject_types_supported": [
+    "public",
+    "pairwise"
+  ]
+}
diff --git a/docs/codes/0007/github-oidc-jwks.json → .../codes/0007/github-actions-oidc-jwks.json b/docs/codes/0007/github-oidc-jwks.json → .../codes/0007/github-actions-oidc-jwks.json
@@ -1,44 +1,44 @@
 {
   "keys": [
     {
-      "kty": "RSA",
       "alg": "RS256",
-      "use": "sig",
+      "e": "AQAB",
       "kid": "cc413527-173f-5a05-976e-9c52b1d7b431",
+      "kty": "RSA",
       "n": "w4M936N3ZxNaEblcUoBm-xu0-V9JxNx5S7TmF0M3SBK-2bmDyAeDdeIOTcIVZHG-ZX9N9W0u1yWafgWewHrsz66BkxXq3bscvQUTAw7W3s6TEeYY7o9shPkFfOiU3x_KYgOo06SpiFdymwJflRs9cnbaU88i5fZJmUepUHVllP2tpPWTi-7UA3AdP3cdcCs5bnFfTRKzH2W0xqKsY_jIG95aQJRBDpbiesefjuyxcQnOv88j9tCKWzHpJzRKYjAUM6OPgN4HYnaSWrPJj1v41eEkFM1kORuj-GSH2qMVD02VklcqaerhQHIqM-RjeHsN7G05YtwYzomE5G-fZuwgvQ",
-      "e": "AQAB"
+      "use": "sig"
     },
     {
-      "kty": "RSA",
       "alg": "RS256",
-      "use": "sig",
+      "e": "AQAB",
       "kid": "38826b17-6a30-5f9b-b169-8beb8202f723",
+      "kty": "RSA",
       "n": "5Manmy-zwsk3wEftXNdKFZec4rSWENW4jTGevlvAcU9z3bgLBogQVvqYLtu9baVm2B3rfe5onadobq8po5UakJ0YsTiiEfXWdST7YI2Sdkvv-hOYMcZKYZ4dFvuSO1vQ2DgEkw_OZNiYI1S518MWEcNxnPU5u67zkawAGsLlmXNbOylgVfBRJrG8gj6scr-sBs4LaCa3kg5IuaCHe1pB-nSYHovGV_z0egE83C098FfwO1dNZBWeo4Obhb5Z-ZYFLJcZfngMY0zJnCVNmpHQWOgxfGikh3cwi4MYrFrbB4NTlxbrQ3bL-rGKR5X318veyDlo8Dyz2KWMobT4wB9U1Q",
-      "e": "AQAB",
+      "use": "sig",
       "x5c": [
         "MIIDKzCCAhOgAwIBAgIUDnwm6eRIqGFA3o/P1oBrChvx/nowDQYJKoZIhvcNAQELBQAwJTEjMCEGA1UEAwwaYWN0aW9ucy5zZWxmLXNpZ25lZC5naXRodWIwHhcNMjQwMTIzMTUyNTM2WhcNMzQwMTIwMTUyNTM2WjAlMSMwIQYDVQQDDBphY3Rpb25zLnNlbGYtc2lnbmVkLmdpdGh1YjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOTGp5svs8LJN8BH7VzXShWXnOK0lhDVuI0xnr5bwHFPc924CwaIEFb6mC7bvW2lZtgd633uaJ2naG6vKaOVGpCdGLE4ohH11nUk+2CNknZL7/oTmDHGSmGeHRb7kjtb0Ng4BJMPzmTYmCNUudfDFhHDcZz1Obuu85GsABrC5ZlzWzspYFXwUSaxvII+rHK/rAbOC2gmt5IOSLmgh3taQfp0mB6Lxlf89HoBPNwtPfBX8DtXTWQVnqODm4W+WfmWBSyXGX54DGNMyZwlTZqR0FjoMXxopId3MIuDGKxa2weDU5cW60N2y/qxikeV99fL3sg5aPA8s9iljKG0+MAfVNUCAwEAAaNTMFEwHQYDVR0OBBYEFIPALo5VanJ6E1B9eLQgGO+uGV65MB8GA1UdIwQYMBaAFIPALo5VanJ6E1B9eLQgGO+uGV65MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGS0hZE+DqKIRi49Z2KDOMOaSZnAYgqq6ws9HJHT09MXWlMHB8E/apvy2ZuFrcSu14ZLweJid+PrrooXEXEO6azEakzCjeUb9G1QwlzP4CkTcMGCw1Snh3jWZIuKaw21f7mp2rQ+YNltgHVDKY2s8AD273E8musEsWxJl80/MNvMie8Hfh4n4/Xl2r6t1YPmUJMoXAXdTBb0hkPy1fUu3r2T+1oi7Rw6kuVDfAZjaHupNHzJeDOg2KxUoK/GF2/M2qpVrd19Pv/JXNkQXRE4DFbErMmA7tXpp1tkXJRPhFui/Pv5H9cPgObEf9x6W4KnCXzT3ReeeRDKF8SqGTPELsc="
       ],
       "x5t": "ykNaY4qM_ta4k2TgZOCEYLkcYlA"
     },
     {
-      "kty": "RSA",
       "alg": "RS256",
-      "use": "sig",
+      "e": "AQAB",
       "kid": "1F2AB83404C08EC9EA0BB99DAED02186B091DBF4",
+      "kty": "RSA",
       "n": "u8zSYn5JR_O5yywSeOhmWWd7OMoLblh4iGTeIhTOVon-5e54RK30YQDeUCjpb9u3vdHTO7XS7i6EzkwLbsUOir27uhqoFGGWXSAZrPocOobSFoLC5l0NvSKRqVtpoADOHcAh59vLbr8dz3xtEEGx_qlLTzfFfWiCIYWiy15C2oo1eNPxzQfOvdu7Yet6Of4musV0Es5_mNETpeHOVEri8PWfxzw485UHIj3socl4Lk_I3iDyHfgpT49tIJYhHE5NImLNdwMha1cBCIbJMy1dJCfdoK827Hi9qKyBmftNQPhezGVRsOjsf2BfUGzGP5pCGrFBjEOcLhj_3j-TJebgvQ",
-      "e": "AQAB",
+      "use": "sig",
       "x5c": [
         "MIIDrDCCApSgAwIBAgIQAP4blP36Q3WmMOhWf0RBMzANBgkqhkiG9w0BAQsFADA2MTQwMgYDVQQDEyt2c3RzLXZzdHNnaHJ0LWdoLXZzby1vYXV0aC52aXN1YWxzdHVkaW8uY29tMB4XDTIzMTAyNDE0NTI1NVoXDTI1MTAyNDE1MDI1NVowNjE0MDIGA1UEAxMrdnN0cy12c3RzZ2hydC1naC12c28tb2F1dGgudmlzdWFsc3R1ZGlvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALvM0mJ+SUfzucssEnjoZllnezjKC25YeIhk3iIUzlaJ/uXueESt9GEA3lAo6W/bt73R0zu10u4uhM5MC27FDoq9u7oaqBRhll0gGaz6HDqG0haCwuZdDb0ikalbaaAAzh3AIefby26/Hc98bRBBsf6pS083xX1ogiGFosteQtqKNXjT8c0Hzr3bu2Hrejn+JrrFdBLOf5jRE6XhzlRK4vD1n8c8OPOVByI97KHJeC5PyN4g8h34KU+PbSCWIRxOTSJizXcDIWtXAQiGyTMtXSQn3aCvNux4vaisgZn7TUD4XsxlUbDo7H9gX1Bsxj+aQhqxQYxDnC4Y/94/kyXm4L0CAwEAAaOBtTCBsjAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwNgYDVR0RBC8wLYIrdnN0cy12c3RzZ2hydC1naC12c28tb2F1dGgudmlzdWFsc3R1ZGlvLmNvbTAfBgNVHSMEGDAWgBSmWMP5CXuaSzoLKwcLXYZnoeCJmDAdBgNVHQ4EFgQUpljD+Ql7mks6CysHC12GZ6HgiZgwDQYJKoZIhvcNAQELBQADggEBAINwybFwYpXJkvauL5QbtrykIDYeP8oFdVIeVY8YI9MGfx7OwWDsNBVXv2B62zAZ49hK5G87++NmFI/FHnGOCISDYoJkRSCy2Nbeyr7Nx2VykWzUQqHLZfvr5KqW4Gj1OFHUqTl8lP3FWDd/P+lil3JobaSiICQshgF0GnX2a8ji8mfXpJSP20gzrLw84brmtmheAvJ9X/sLbM/RBkkT6g4NV2QbTMqo6k601qBNQBsH+lTDDWPCkRoAlW6a0z9bWIhGHWJ2lcR70zagcxIVl5/Fq35770/aMGroSrIx3JayOEqsvgIthYBKHzpT2VFwUz1VpBpNVJg9/u6jCwLY7QA="
       ],
       "x5t": "Hyq4NATAjsnqC7mdrtAhhrCR2_Q"
     },
     {
-      "kty": "RSA",
       "alg": "RS256",
-      "use": "sig",
+      "e": "AQAB",
       "kid": "001DDCD014A848E8824577B3E4F3AEDB3BCF5FFD",
+      "kty": "RSA",
       "n": "sI_r4iOwvRxksSovyZN8da5u-dh07fdcqh7FjyKKZCOVr7da898xk0TG9eZ7lfA1CmBTH4sX5evg4Yg2xdFDxYK4xmLZcwMyQZIDiZcdIujnttaqplrMv_v-YyAapHFmudbBO8NVuOH3gmGaJ02G8u1Vdf8C3PdNK13ch4wpNvyoxwqaIWGPSzudA6mGPGovRLhu5dEOOJSJtsLzExNvNmHnhPJZk06r7FePkBWSQ1CCHXAzpB-aUWEZC1FKMSiq2dvfOCyiJttEdyj8O_5yqb0wLAPb-8NdzkppbRal2WGowoU-AejqoWImhfDzlOBQStnhuAluKpA6sH0ifKlQsQ",
-      "e": "AQAB",
+      "use": "sig",
       "x5c": [
         "MIIDrDCCApSgAwIBAgIQKiyRrA01T5qtxdzvZ/ErzjANBgkqhkiG9w0BAQsFADA2MTQwMgYDVQQDEyt2c3RzLXZzdHNnaHJ0LWdoLXZzby1vYXV0aC52aXN1YWxzdHVkaW8uY29tMB4XDTIzMTAxODE1MDExOFoXDTI1MTAxODE1MTExOFowNjE0MDIGA1UEAxMrdnN0cy12c3RzZ2hydC1naC12c28tb2F1dGgudmlzdWFsc3R1ZGlvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALCP6+IjsL0cZLEqL8mTfHWubvnYdO33XKoexY8iimQjla+3WvPfMZNExvXme5XwNQpgUx+LF+Xr4OGINsXRQ8WCuMZi2XMDMkGSA4mXHSLo57bWqqZazL/7/mMgGqRxZrnWwTvDVbjh94JhmidNhvLtVXX/Atz3TStd3IeMKTb8qMcKmiFhj0s7nQOphjxqL0S4buXRDjiUibbC8xMTbzZh54TyWZNOq+xXj5AVkkNQgh1wM6QfmlFhGQtRSjEoqtnb3zgsoibbRHco/Dv+cqm9MCwD2/vDXc5KaW0WpdlhqMKFPgHo6qFiJoXw85TgUErZ4bgJbiqQOrB9InypULECAwEAAaOBtTCBsjAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwNgYDVR0RBC8wLYIrdnN0cy12c3RzZ2hydC1naC12c28tb2F1dGgudmlzdWFsc3R1ZGlvLmNvbTAfBgNVHSMEGDAWgBQ45rBfvl4JJ7vg3WgLjQTfhDihvzAdBgNVHQ4EFgQUOOawX75eCSe74N1oC40E34Q4ob8wDQYJKoZIhvcNAQELBQADggEBABdN6HPheRdzwvJgi4xGHnf9pvlUC8981kAtgHnPT0VEYXh/dCMnKJSvCDJADpdmkuKxLxAfACeZR2CUHkQ0eO1ek/ihLvPqywDhLENq6Lvzu3qlhvUPBkGYjydpLtXQ1bBXUQ1FzT5/L1U19P2rJso9mC4ltu2OHJ9NLCKG0zffBItAJqhAiXtKbCUg4c9RbQxi9T2/xr9R72di4Qygfnmr3QleAqmjRG918cm5/uJ0s5EaK3QI7GQy7+tc44o3H3AI5eFtrHwIV0zoY4A9YIsaRmMHq9soHFBEO1HDKKRUOl/4tjpx8zHpp5Clz0wiZMgvSIdBa3/fTeUJ3flUYMo="
       ],

diff --git a/docs/codes/0007/github-oidc-endpoint.json b/docs/codes/0007/github-oidc-endpoint.json
diff --git a/docs/codes/0007/github.tf b/docs/codes/0007/github.tf
@@ -12,3 +12,9 @@ resource "github_actions_variable" "this" {
   variable_name = each.key
   value         = each.value
 }
+
+resource "github_actions_secret" "this" {
+  repository      = var.github_repository
+  secret_name     = "AWS_ACCOUNT_ID"
+  plaintext_value = data.aws_caller_identity.this.account_id
+}
diff --git a/docs/codes/0007/providers.tf b/docs/codes/0007/providers.tf
@@ -0,0 +1,3 @@
+provider "github" {
+  owner = var.github_owner
+}
diff --git a/docs/codes/0007/versions.tf b/docs/codes/0007/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.44"
+      version = "~> 5.45"
     }
     tls = {
       source  = "hashicorp/tls"
@@ -16,7 +16,3 @@ terraform {
     }
   }
 }
-
-provider "github" {
-  owner = var.github_owner
-}
diff --git a/docs/posts/0004-github-actions-dynamic-matrix.md b/docs/posts/0004-github-actions-dynamic-matrix.md
@@ -1,6 +1,7 @@
 ---
 date: 2024-03-09
 draft: false
+description: Learn how to leverage GitHub Actions to define a dynamic matrix that can parallelize your jobs and increases your CI/CD throughput on-demand.
 categories:
   - GitHub
   - CI/CD