fix: Correct SamlConsolePrincipal for non-China (#24277)

Naumel · web-flow · commit e47646c0ff31 · 2023-02-22T19:43:45.000Z
Closes #24243. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-iam/lib/principals.ts b/packages/@aws-cdk/aws-iam/lib/principals.ts
@@ -737,7 +737,7 @@ export class SamlConsolePrincipal extends SamlPrincipal {
     super(samlProvider, {
       ...conditions,
       StringEquals: {
-        'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': `https://signin.${cdk.Aws.URL_SUFFIX}/saml`,
+        'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml',
       },
     });
   }
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json
@@ -1,15 +1,15 @@
 {
-  "version": "30.0.0",
+  "version": "30.1.0",
   "files": {
-    "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c": {
+    "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8": {
       "source": {
         "path": "cdk-saml-provider.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json",
+          "objectKey": "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json
@@ -15,18 +15,7 @@
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {
         "StringEquals": {
-         "SAML:aud": {
-          "Fn::Join": [
-           "",
-           [
-            "https://signin.",
-            {
-             "Ref": "AWS::URLSuffix"
-            },
-            "/saml"
-           ]
-          ]
-         }
+         "SAML:aud": "https://signin.aws.amazon.com/saml"
         }
        },
        "Effect": "Allow",
@@ -38,8 +27,7 @@
       }
      ],
      "Version": "2012-10-17"
-    },
-    "Description": "fix the partition issue"
+    }
    }
   }
  },
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"30.0.0"}
+{"version":"30.1.0"}
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
-  "version": "30.0.0",
+  "version": "30.1.0",
   "testCases": {
     "saml-provider-test/DefaultTest": {
       "stacks": [
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json
@@ -1,5 +1,5 @@
 {
-  "version": "30.0.0",
+  "version": "30.1.0",
   "artifacts": {
     "cdk-saml-provider.assets": {
       "type": "cdk:asset-manifest",
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/samlprovidertestDefaultTestDeployAssert29A1AF64.assets.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/samlprovidertestDefaultTestDeployAssert29A1AF64.assets.json
@@ -1,5 +1,5 @@
 {
-  "version": "30.0.0",
+  "version": "30.1.0",
   "files": {
     "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
       "source": {
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json
@@ -56,18 +56,7 @@
                           "Action": "sts:AssumeRoleWithSAML",
                           "Condition": {
                             "StringEquals": {
-                              "SAML:aud": {
-                                "Fn::Join": [
-                                  "",
-                                  [
-                                    "https://signin.",
-                                    {
-                                      "Ref": "AWS::URLSuffix"
-                                    },
-                                    "/saml"
-                                  ]
-                                ]
-                              }
+                              "SAML:aud": "https://signin.aws.amazon.com/saml"
                             }
                           },
                           "Effect": "Allow",
@@ -79,8 +68,7 @@
                         }
                       ],
                       "Version": "2012-10-17"
-                    },
-                    "description": "fix the partition issue"
+                    }
                   }
                 },
                 "constructInfo": {
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts
@@ -14,7 +14,6 @@ class TestStack extends Stack {
 
     new iam.Role(this, 'Role', {
       assumedBy: new iam.SamlConsolePrincipal(provider),
-      description: 'fix the partition issue',
     });
   }
 }
diff --git a/packages/@aws-cdk/aws-iam/test/principals.test.ts b/packages/@aws-cdk/aws-iam/test/principals.test.ts
@@ -166,9 +166,7 @@ test('SAML principal', () => {
           Action: 'sts:AssumeRoleWithSAML',
           Condition: {
             StringEquals: {
-              'SAML:aud': {
-                'Fn::Join': ['', ['https://signin.', { Ref: 'AWS::URLSuffix' }, '/saml']],
-              },
+              'SAML:aud': 'https://signin.aws.amazon.com/saml',
             },
           },
           Effect: 'Allow',

Original file line number	Diff line number	Diff line change
`@@ -737,7 +737,7 @@ export class SamlConsolePrincipal extends SamlPrincipal {`
`737`	`737`	`super(samlProvider, {`
`738`	`738`	`...conditions,`
`739`	`739`	`StringEquals: {`
`740`		- 'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': `https://signin.${cdk.Aws.URL_SUFFIX}/saml`,
	`740`	`+ 'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml',`
`741`	`741`	`},`
`742`	`742`	`});`
`743`	`743`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,15 +1,15 @@`
`1`	`1`	`{`
`2`		`- "version": "30.0.0",`
	`2`	`+ "version": "30.1.0",`
`3`	`3`	`"files": {`
`4`		`- "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c": {`
	`4`	`+ "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8": {`
`5`	`5`	`"source": {`
`6`	`6`	`"path": "cdk-saml-provider.template.json",`
`7`	`7`	`"packaging": "file"`
`8`	`8`	`},`
`9`	`9`	`"destinations": {`
`10`	`10`	`"current_account-current_region": {`
`11`	`11`	`"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",`
`12`		`- "objectKey": "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json",`
	`12`	`+ "objectKey": "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json",`
`13`	`13`	`"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"`
`14`	`14`	`}`
`15`	`15`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"version":"30.0.0"}`
	`1`	`+{"version":"30.1.0"}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "version": "30.0.0",`
	`2`	`+ "version": "30.1.0",`
`3`	`3`	`"testCases": {`
`4`	`4`	`"saml-provider-test/DefaultTest": {`
`5`	`5`	`"stacks": [`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,6 @@ class TestStack extends Stack {`
`14`	`14`
`15`	`15`	`new iam.Role(this, 'Role', {`
`16`	`16`	`assumedBy: new iam.SamlConsolePrincipal(provider),`
`17`		`- description: 'fix the partition issue',`
`18`	`17`	`});`
`19`	`18`	`}`
`20`	`19`	`}`