aws · g-gaston · Jan 28, 2025
diff --git a/hybrid-nodes-cdk/lib/app.ts b/hybrid-nodes-cdk/lib/app.ts
@@ -1,43 +1,76 @@
 #!/usr/bin/env node
 import 'source-map-support/register';
 import * as cdk from 'aws-cdk-lib';
+import { SecretsManagerClient, DescribeSecretCommand } from "@aws-sdk/client-secrets-manager";
 import * as fs from 'fs';
 import { NodeadmBuildStack } from './nodeadm-stack';
 import * as readline from 'readline';
+import { mainModule } from 'process';
 
-const app = new cdk.App();
+const githubSecretName = 'nodeadm-e2e-tests-github-token';
 
-if (fs.existsSync('cdk_dev_env.json')) {
-  const devStackConfig = JSON.parse(
-    fs.readFileSync('cdk_dev_env.json', 'utf-8')
-  );
+async function main() {
+  const app = new cdk.App();
 
-  if (!devStackConfig.account_id) {
-    throw new Error(
-      `'cdk_dev_env.json' is missing required '.account_id' property`
+  if (fs.existsSync('cdk_dev_env.json')) {
+    const devStackConfig = JSON.parse(
+      fs.readFileSync('cdk_dev_env.json', 'utf-8')
     );
-  }
 
-  if (!devStackConfig.region) {
-    throw new Error(
-      `'cdk_dev_env.json' is missing required '.region' property`
-    );
-  }
+    if (!devStackConfig.account_id) {
+      throw new Error(
+        `'cdk_dev_env.json' is missing required '.account_id' property`
+      );
+    }
+
+    if (!devStackConfig.region) {
+      throw new Error(
+        `'cdk_dev_env.json' is missing required '.region' property`
+      );
+    }
 
-  if (!devStackConfig.github_username) {
+    if (!devStackConfig.github_username) {
+      throw new Error(
+        `'cdk_dev_env.json' is missing required '.github_username' property`
+      );
+    }
+
+    const githubSecretExists = await secretExists(new SecretsManagerClient({}), githubSecretName);
+    const githubToken = process.env['HYBRID_GITHUB_TOKEN'];
+    if (!githubSecretExists && githubToken === undefined) {
+      throw new Error(
+        `Github secret '${githubSecretName}' does not exist and 'HYBRID_GITHUB_TOKEN' environment variable is not set`
+      );
+    }
+    const reuseGithubSecret = githubSecretExists && githubToken === undefined;
+
+    new NodeadmBuildStack(app, 'HybridNodesCdkStack', {
+      env: {
+        account: devStackConfig.account_id,
+        region: devStackConfig.region,
+      },
+      githubSecretName: githubSecretName,
+      reuseGithubSecret: reuseGithubSecret,
+      githubToken: githubToken,
+    });
+  } else {
     throw new Error(
-      `'cdk_dev_env.json' is missing required '.github_username' property`
+      `'cdk_dev_env.json' file is missing. Please run 'gen-cdk-env' script to generate it`
     );
   }
+}
 
-  new NodeadmBuildStack(app, 'HybridNodesCdkStack', {
-    env: {
-      account: devStackConfig.account_id,
-      region: devStackConfig.region
+async function secretExists(client: SecretsManagerClient, name: string): Promise<boolean> {
+  const command = new DescribeSecretCommand({ SecretId: name });
+  try {
+    await client.send(command);
+    return true;
+  } catch (error: any) {
+    if (error.name === "ResourceNotFoundException") {
+      return false;
     }
-  });
-} else {
-  throw new Error(
-    `'cdk_dev_env.json' file is missing. Please run 'gen-cdk-env' script to generate it`
-  );
+    throw new Error(`Error checking secret existence: ${error.message}`);
+  }
 }
+
+main();
diff --git a/hybrid-nodes-cdk/lib/constants.ts b/hybrid-nodes-cdk/lib/constants.ts
@@ -6,5 +6,5 @@ export const eksHybridBetaBucketARN = 'arn:aws:s3:::eks-hybrid-beta';
 export const eksReleaseManifestHost = 'hybrid-assets.eks.amazonaws.com';
 export const githubRepo = 'eks-hybrid';
 export const githubBranch = 'main';
-export const requiredEnvVars = ['HYBRID_GITHUB_TOKEN'];
+export const requiredEnvVars = [];
 export const betaEksEndpoint = 'https://api.beta.us-west-2.wesley.amazonaws.com';
diff --git a/hybrid-nodes-cdk/lib/nodeadm-stack.ts b/hybrid-nodes-cdk/lib/nodeadm-stack.ts
@@ -9,8 +9,14 @@ import codepipeline_actions = require('aws-cdk-lib/aws-codepipeline-actions');
 import * as fs from 'fs';
 import { kubernetesVersions, cnis, eksHybridBetaBucketARN, eksReleaseManifestHost, builderBaseImage, githubRepo, githubBranch, requiredEnvVars, betaEksEndpoint, betaKubeVersions } from './constants';
 
+interface NodeadmBuildStackProps extends cdk.StackProps {
+  githubSecretName: string;
+  reuseGithubSecret: boolean;
+  githubToken?: string;
+}
+
 export class NodeadmBuildStack extends cdk.Stack {
-  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+  constructor(scope: cdk.App, id: string, props: NodeadmBuildStackProps) {
     super(scope, id, props);
 
     const devStackConfig = JSON.parse(
@@ -42,13 +48,19 @@ export class NodeadmBuildStack extends cdk.Stack {
       console.warn(`GOPROXY env var not set or is empty. Defaulting to '${goproxy}'`);
     }
 
-    const githubTokenSecret = new secretsmanager.Secret(this, 'NodeadmE2ETestsGitHubToken', {
-      secretName: 'nodeadm-e2e-tests-github-token',
-      description: 'Personal Access Token for authenticating to GitHub',
-      secretObjectValue: {
-        'github-token': cdk.SecretValue.unsafePlainText(process.env.HYBRID_GITHUB_TOKEN!),
+    const githubTokenSecret: cdk.aws_secretsmanager.ISecret = (() => {
+      if (props.reuseGithubSecret) {
+        return secretsmanager.Secret.fromSecretNameV2(this, 'NodeadmE2ETestsGitHubToken', props.githubSecretName);
+      } else {
+        return new secretsmanager.Secret(this, 'NodeadmE2ETestsGitHubToken', {
+          secretName: props.githubSecretName,
+          description: 'Personal Access Token for authenticating to GitHub',
+          secretObjectValue: {
+            'github-token': cdk.SecretValue.unsafePlainText(props.githubToken!),
+          }
+        });
       }
-    });
+    })();
 
     const goproxySecret = new secretsmanager.Secret(this, 'NodeadmE2ETestsGoproxy', {
       secretName: 'nodeadm-e2e-tests-goproxy',