alliander-opensource · jehannes · Jul 22, 2024 · Jul 18, 2024 · Jul 22, 2024 · Jul 22, 2024
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/index.keyrotate.ts b/src/index.keyrotate.ts
@@ -19,9 +19,9 @@ import { KEYUTIL, KJUR } from 'jsrsasign'
 
 const client = new KMSClient({})
 
-const ALIAS_PREVIOUS = 'alias/sts/PREVIOUS'
-const ALIAS_CURRENT = 'alias/sts/CURRENT'
-const ALIAS_PENDING = 'alias/sts/PENDING'
+const ALIAS_PREVIOUS = process.env.PREVIOUS_KEY!.toString()
+const ALIAS_CURRENT = process.env.CURRENT_KEY!.toString()
+const ALIAS_PENDING = process.env.PENDING_KEY!.toString()
 
 const ALIASES: string[] = [
   ALIAS_PREVIOUS,

diff --git a/src/index.sign.ts b/src/index.sign.ts
@@ -8,7 +8,7 @@ import base64url from 'base64url'
 
 import { Logger } from '@aws-lambda-powertools/logger'
 
-const KEY_ALIAS_CURRENT = 'alias/sts/CURRENT'
+const KEY_ALIAS_CURRENT = process.env.CURRENT_KEY!.toString()
 const logger = new Logger()
 
 export const handler = async (apiEvent: APIGatewayEvent, context: Context): Promise<APIGatewayProxyResult> => {

diff --git a/src/index.ts b/src/index.ts
@@ -111,6 +111,21 @@ export interface AwsJwtStsProps {
    * Optional custom name for the CloudWatch Alarm monitoring Key Rotation Lambda failures, default: sts-key_rotate_errors_lambda-alarm
    */
   readonly alarmNameKeyRotationLambdaFailed?: string
+
+  /**
+   * current kms key name
+   */
+  readonly currentKeyName?: string
+
+  /**
+   * previous kms key name
+   */
+  readonly previousKeyName?: string
+
+  /**
+   * pending kms key name
+   */
+  readonly pendingKeyName?: string
 }
 
 /* eslint-disable no-new */
@@ -208,7 +223,10 @@ export class AwsJwtSts extends Construct {
       architecture,
       environment: {
         S3_BUCKET: oidcbucket.bucketName,
-        ISSUER: issuer
+        ISSUER: issuer,
+        CURRENT_KEY: 'alias/' + (props.currentKeyName ?? 'sts/CURRENT'),
+        PREVIOUS_KEY: 'alias/' + (props.previousKeyName ?? 'sts/PREVIOUS'),
+        PENDING_KEY: 'alias/' + (props.pendingKeyName ?? 'sts/PENDING')
       }
     })
 
@@ -223,7 +241,8 @@ export class AwsJwtSts extends Construct {
       architecture,
       environment: {
         ISSUER: issuer,
-        DEFAULT_AUDIENCE: props.defaultAudience
+        DEFAULT_AUDIENCE: props.defaultAudience,
+        CURRENT_KEY: 'alias/' + (props.currentKeyName ?? 'sts/CURRENT')
       }
     })
 

diff --git a/src/test/index.keyrotate.test.ts b/src/test/index.keyrotate.test.ts
@@ -6,6 +6,13 @@ import { mockClient } from 'aws-sdk-client-mock'
 import { KMSClient, GetPublicKeyCommand, DescribeKeyCommand } from '@aws-sdk/client-kms'
 import { S3Client } from '@aws-sdk/client-s3'
 
+process.env = { // set env vars as they are called on load of the file
+  CURRENT_KEY: 'alias/sts/CURRENT',
+  PREVIOUS_KEY: 'alias/sts/PREVIOUS',
+  PENDING_KEY: 'alias/sts/PENDING'
+}
+
+// eslint-disable-next-line import/first
 import { handler } from '../index.keyrotate'
 
 const kmsMock = mockClient(KMSClient)

diff --git a/src/test/index.sign.test.ts b/src/test/index.sign.test.ts
@@ -14,6 +14,8 @@ import {
   SignCommand
 } from '@aws-sdk/client-kms'
 
+process.env.CURRENT_KEY = 'key-1'// set env var as it is called on load of the file
+// eslint-disable-next-line import/first
 import { handler } from '../index.sign'
 
 const kmsMock = mockClient(KMSClient)