
Commit 35e0f0e

committed
Update secret config
1 parent 148babe commit 35e0f0e


5 files changed

+19
-17
lines changed


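--- a/Makefile
+++ b/Makefile
@@ -41,7 +41,6 @@ build: src/
 rm -rf node_modules/aws-crt/dist/bin/{darwin*,linux-x64*,linux-arm64-musl} && \
 rm -rf node_modules/argon2/prebuilds/{darwin*,freebsd*,linux-arm,linux-x64*,win32-x64*} && \
 rm -rf node_modules/argon2/prebuilds/linux-arm64/argon2.armv8.musl.node"
-
 local:
 VITE_BUILD_HASH=$(GIT_HASH) yarn run dev
 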

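--- a/src/dirsync/config.ts
+++ b/src/dirsync/config.ts
@@ -4,18 +4,20 @@ import {
 } from "@aws-sdk/client-secrets-manager";
 import { z } from "zod";
 
-export const CONFIG_SECRET = "infra-core-api-gsuite-dirsync";
+export const CONFIG_SECRET = "infra-core-api-gsuite-dirsync-config";
 
 const SecretsConfigSchema = z.object({
 entraTenantId: z.string().min(1, "entraTenantId is required"),
 entraClientId: z.string().min(1, "entraClientId is required"),
-entraClientSecret: z.string().min(1, "entraClientSecret is required"),
-googleDelegatedUser: z
+entraClientCertificate: z
 .string()
-.email("googleDelegatedUser must be a valid email"),
-googleServiceAccountJson: z
-.string()
-.min(1, "googleServiceAccountJson is required"),
+.min(1, "entraClientCertificate is required"),
+// googleDelegatedUser: z
+// .string()
+// .email("googleDelegatedUser must be a valid email"),
+// googleServiceAccountJson: z
+// .string()
+// .min(1, "googleServiceAccountJson is required"),
 deleteRemovedContacts: z.boolean().default(false),
 });
 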
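Review bot: The Google fields are commented out rather than deleted or made optional, at the added `// googleDelegatedUser` … `// googleServiceAccountJson` lines, which leaves dead code in the schema and, because `z.object` strips unknown keys by default, silently drops those values from the parsed config if the secret still carries them; any caller that still reads `secretConfig.googleServiceAccountJson` would now be a type error, which I cannot confirm from this hunk. Either remove the block or keep the fields as `.optional()` with a one-line comment saying why they are no longer required. Separately, `entraClientCertificate` is only checked with `.min(1)`, so a mangled or non-base64 value is accepted at load time and only fails later inside the Graph credential with an opaque error; a load-time check such as `.refine((v) => Buffer.from(v, "base64").toString("utf-8").includes("-----BEGIN"), "entraClientCertificate must be a base64-encoded PEM")` reports the problem at the source. Whatever validation message results should not echo the value itself, since it is private-key material.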

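--- a/src/dirsync/entra.ts
+++ b/src/dirsync/entra.ts
@@ -1,5 +1,5 @@
 import { Client } from "@microsoft/microsoft-graph-client";
-import { ClientSecretCredential } from "@azure/identity";
+import { ClientCertificateCredential } from "@azure/identity";
 import { parseDisplayName } from "../common/utils.js";
 
 export interface EntraUser {
@@ -24,13 +24,14 @@ interface GraphUser {
 export const createEntraClient = (
 tenantId: string,
 clientId: string,
-clientSecret: string,
+clientCertificate: string, // Base64 encoded PFX or PEM certificate
 ): Client => {
-const credential = new ClientSecretCredential(
-tenantId,
-clientId,
-clientSecret,
-);
+// Decode the certificate from base64
+const certificateBuffer = Buffer.from(clientCertificate, "base64");
+
+const credential = new ClientCertificateCredential(tenantId, clientId, {
+certificate: certificateBuffer.toString("utf-8"), // For PEM format
+});
 
 return Client.initWithMiddleware({
 authProvider: {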
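Review bot: The parameter comment `// Base64 encoded PFX or PEM certificate` does not match what the body does: the value is base64-decoded, converted with `toString("utf-8")` and handed to the `certificate` option, which as far as I know takes PEM text, so a binary PKCS#12/PFX blob would be corrupted by the UTF-8 conversion and can never work here. `Buffer.from(..., "base64")` also skips invalid characters rather than failing, so a truncated or mis-pasted secret becomes garbage that only surfaces as a token-acquisition error on the first Graph call. I would correct the comment to `clientCertificate: string, // base64-encoded PEM containing the certificate and its private key; PFX is not supported` and fail fast with `const pem = Buffer.from(clientCertificate, "base64").toString("utf-8");` followed by `if (!pem.includes("-----BEGIN")) throw new Error("clientCertificate is not a base64-encoded PEM bundle");` before constructing the credential, then pass `certificate: pem`. The PEM must include the private key, since the credential signs the client assertion with it, and the retired client secret should now be deleted from the app registration, which this commit cannot do. createEntraClient continues past the end of the hunk.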

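--- a/src/dirsync/sync.ts
+++ b/src/dirsync/sync.ts
@@ -14,7 +14,7 @@ export const handler = async (
 const entraClient = createEntraClient(
 secretConfig.entraTenantId,
 secretConfig.entraClientId,
-secretConfig.entraClientSecret,
+secretConfig.entraClientCertificate,
 );
 const entraUsers = await getAllEntraUsers(entraClient);
 logger.info(`Retrieved ${entraUsers.length} users from Entra ID.`);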

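--- a/terraform/modules/dirsync/main.tf
+++ b/terraform/modules/dirsync/main.tf
@@ -43,7 +43,7 @@ resource "aws_iam_policy" "this" {
 Action = ["secretsmanager:GetSecretValue"],
 Effect = "Allow",
 Resource = [
-"arn:aws:secretsmanager:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:secret:infra-core-api-gsuite-dirsync*",
+"arn:aws:secretsmanager:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:secret:infra-core-api-gsuite-dirsync-config*",
 ]
 },
 ]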
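Review bot: The new resource pattern `...:secret:infra-core-api-gsuite-dirsync-config*` is tighter than the old prefix match, but the trailing `*` still grants GetSecretValue on any secret whose name merely starts with that string (a `-config-staging` sibling created later, for instance); Secrets Manager appends a six-character random suffix to the ARN, so the usual least-privilege form is `...:secret:infra-core-api-gsuite-dirsync-config-??????`. The secret name is also hard-coded here and again as `CONFIG_SECRET` in src/dirsync/config.ts, so the two can drift silently; a Terraform variable or local that the deployed function reads from its environment would keep them in step. With the secret now holding a private key, this statement is the only thing gating who can read it, which makes pinning it to a single ARN worth the extra characters. The aws_iam_policy resource starts before this hunk.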
