Merge pull request #2531 from guardian/aa/GitHubOidcProvider-tags

fix(GitHubOidcProvider): Ensure `AWS::IAM::OIDCProvider` resource is tagged
guardian · Dec 6, 2024 · c07d5c7 · c07d5c7
2 parents 5f483a0 + 60639fd
commit c07d5c7
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/.changeset/nasty-parrots-mix.md b/.changeset/nasty-parrots-mix.md
@@ -0,0 +1,6 @@
+---
+"@guardian/cdk": patch
+---
+
+Apply the standard `Stack`, `Stage`, `App` and `gu:repo` tags to the `AWS::IAM::OIDCProvider` resource
+created via the `GitHubOidcProvider` construct.
diff --git a/src/constructs/iam/roles/github-actions.test.ts b/src/constructs/iam/roles/github-actions.test.ts
@@ -1,7 +1,7 @@
 import { Template } from "aws-cdk-lib/assertions";
-import { simpleGuStackForTesting } from "../../../utils/test";
+import { GuTemplate, simpleGuStackForTesting } from "../../../utils/test";
 import { GuGetS3ObjectsPolicy } from "../policies";
-import { GuGithubActionsRole } from "./github-actions";
+import { GitHubOidcProvider, GuGithubActionsRole } from "./github-actions";
 
 describe("The GitHubActionsRole construct", () => {
   it("should create the correct resources with minimal config", () => {
@@ -47,3 +47,12 @@ describe("The GitHubActionsRole construct", () => {
     });
   });
 });
+
+describe("The GitHubOidcProvider construct", () => {
+  it("should be tagged correctly", () => {
+    const stack = simpleGuStackForTesting();
+    new GitHubOidcProvider(stack);
+
+    GuTemplate.fromStack(stack).hasGuTaggedResource("AWS::IAM::OIDCProvider");
+  });
+});
diff --git a/src/constructs/iam/roles/github-actions.ts b/src/constructs/iam/roles/github-actions.ts
@@ -75,6 +75,7 @@ export class GitHubOidcProvider extends CfnResource {
         Url: `https://${GITHUB_ACTIONS_ID_TOKEN_REQUEST_DOMAIN}`,
         ClientIdList: ["sts.amazonaws.com"],
         ThumbprintList: GITHUB_ACTIONS_ID_TOKEN_REQUEST_DOMAIN_THUMBPRINTS,
+        Tags: scope.tags.renderedTags,
       },
     });
   }