import { aws_secretsmanager as secretsmanager } from 'aws-cdk-lib';
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
/**
 * Secrets required for GitHub runners operation.
 *
 * Three Secrets Manager secrets are created. The webhook secret gets a
 * generated value; the GitHub credentials and the private key are created with
 * placeholder content that the user replaces after deployment.
 */
export class Secrets extends Construct {
  /**
   * Webhook secret used to confirm events are coming from GitHub and nowhere else.
   */
  readonly webhook: secretsmanager.Secret;

  /**
   * Authentication secret for GitHub containing either app details or a personal
   * authentication token. This secret is used to register runners and cancel jobs
   * when the runner fails to start.
   *
   * This secret is meant to be edited by the user after being created.
   */
  readonly github: secretsmanager.Secret;

  /**
   * GitHub app private key. Not needed when using personal authentication tokens.
   *
   * This secret is meant to be edited by the user after being created. It is kept
   * separate from the main GitHub secret because inserting private keys into JSON
   * is hard.
   */
  readonly githubPrivateKey: secretsmanager.Secret;

  /**
   * @param scope parent construct
   * @param id construct id
   */
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // Random value stored under the 'webhookSecret' key, generated without
    // punctuation or spaces.
    const webhookProps: secretsmanager.SecretProps = {
      generateSecretString: {
        secretStringTemplate: '{}',
        generateStringKey: 'webhookSecret',
        includeSpace: false,
        excludePunctuation: true,
      },
    };
    this.webhook = new secretsmanager.Secret(this, 'Webhook', webhookProps);

    // Initial JSON shape the user fills in after deployment. The generated
    // 'dummy' key is not one of the fields the user edits; presumably it exists
    // only because a generate key has to be given alongside the template.
    const githubTemplate = {
      domain: 'github.com',
      appId: '',
      personalAuthToken: '',
    };
    const githubProps: secretsmanager.SecretProps = {
      generateSecretString: {
        secretStringTemplate: JSON.stringify(githubTemplate),
        generateStringKey: 'dummy',
        includeSpace: false,
        excludePunctuation: true,
      },
    };
    this.github = new secretsmanager.Secret(this, 'GitHub', githubProps);

    // we create a separate secret for the private key because putting it in JSON secret is hard for the user
    // Placeholder only: unsafePlainText embeds this literal in the synthesized
    // template as plain text, which is acceptable solely because it is not a
    // real key. The actual private key is entered by the user afterwards.
    const privateKeyPlaceholder =
      '-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----';
    const privateKeyProps: secretsmanager.SecretProps = {
      secretStringValue: cdk.SecretValue.unsafePlainText(privateKeyPlaceholder),
    };
    this.githubPrivateKey = new secretsmanager.Secret(this, 'GitHub Private Key', privateKeyProps);
  }
}