ADD Web based Cognito Authentication for PDS Nucleus based on an ALB …

…Cognito auth and web token based approach Refer to issue: #123
NASA-PDS · Feb 4, 2025 · 0b80135 · 0b80135
1 parent cfa4fe6
commit 0b80135
Show file tree

Hide file tree

Showing 9 changed files with 822 additions and 15 deletions.
diff --git a/terraform/README.md b/terraform/README.md
@@ -38,6 +38,10 @@ system admin team of your AWS account)
 
 6. PDS Registry (OpenSearch) is accessible from the AWS account which is used to deploy PDS Nucleus)
 
+7. A Cognito User Pool to maintain the Nucleus users
+
+8. A certificate to be used for the ALB Listener facing Airflow UI
+
 
 ## Steps to Deploy the PDS Nucleus Baseline System
 
@@ -90,6 +94,9 @@ Note:  Examples of `terraform.tfvars` files are available at `terraform/variable
     - pds_nucleus_config_bucket_name  : S3 Bucket name to keep temporary configurations (E.g.: pds-nucleus-config-mcp-test)
     - pds_nucleus_default_airflow_dag_id : The default example DAG to be included for testing (E.g.: pds-basic-registry-load-use-case)
     - pds_registry_loader_harvest_task_role_arn: An IAM role which is associated with a Cognito user group
+    - cognito_user_pool_id: The ID of the Cognito user pool which is sued to create Nuclues user accounts
+    - cognito_user_pool_domain: Cognitp domain name of the Cognito user pool which is sued to create Nuclues user accounts
+    - auth_alb_listener_certificate_arn: ARN of the certificate to be used for the ALB Listener facing Airflow UI
 
 
 > Note: `terraform.tfvars` is only used to test with your configuration with the actual values in your AWS account. This file will not be uploaded to GitHub as it's ignored by Git. Once testing is completed successfully work with your admin to get the values for these tested variables updated via GitHub secrets, which are dynamically passed in during runtime.
@@ -128,6 +135,11 @@ pds_nucleus_config_bucket_name               = "pds-nucleus-config-mcp-dev"
 pds_nucleus_default_airflow_dag_id = "pds-basic-registry-load-use-case"
 
 pds_registry_loader_harvest_task_role_arn = "arn:aws:iam::12345678:role/harvest-task-role"
+
+
+cognito_user_pool_id              = "us-west-2_ABCDEFG"
+cognito_user_pool_domain          = "pds-registry"
+auth_alb_listener_certificate_arn = "arn:aws:acm:us-west-2:123456789:certificate/ca123456-abcd-abcd-1234-abcdefghi"
 ```
 
 

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -125,4 +125,19 @@ module "test-data" {
 }
 
 
+# The Terraform module to implement Cognito authentication for PDS Nucleus
+module "cognito-auth" {
+  source = "./terraform-modules/cognito-auth"
+
+  vpc_id                            = var.vpc_id
+  permission_boundary_for_iam_roles = var.permission_boundary_for_iam_roles
+  depends_on                        = [module.common]
+  airflow_env_name                  = var.airflow_env_name
+  auth_alb_listener_port            = var.auth_alb_listener_port
+  auth_alb_name                     = var.auth_alb_name
+  auth_alb_subnet_ids               = var.auth_alb_subnet_ids
+  auth_alb_listener_certificate_arn = var.auth_alb_listener_certificate_arn
+  cognito_user_pool_domain          = var.cognito_user_pool_domain
+  cognito_user_pool_id              = var.cognito_user_pool_id
+}