Add identity provider option to service layer

navapbc · Jun 20, 2024 · b866bce · b866bce
1 parent 2e259af
commit b866bce
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 9 deletions.
diff --git a/infra/app/app-config/dev.tf b/infra/app/app-config/dev.tf
@@ -10,6 +10,7 @@ module "dev_config" {
   enable_https                    = false
   has_database                    = local.has_database
   has_incident_management_service = local.has_incident_management_service
+  enable_identity_provider        = local.enable_identity_provider
 
   # Enables ECS Exec access for debugging or jump access.
   # See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html

diff --git a/infra/app/app-config/env-config/outputs.tf b/infra/app/app-config/env-config/outputs.tf
@@ -34,6 +34,12 @@ output "service_config" {
       # For job configs that don't define a source_bucket, add the source_bucket config property
       job_name => merge({ source_bucket = local.bucket_name }, job_config)
     }
+
+    # Identity provider configuration
+    enable_identity_provider = var.enable_identity_provider
+    # Support local development against remote resources
+    auth_callback_urls = var.domain_name != null ? ["https://${var.domain_name}", "http://localhost:3000"] : ["http://localhost:3000"]
+    logout_urls        = var.domain_name != null ? ["https://${var.domain_name}", "http://localhost:3000"] : ["http://localhost:3000"]
   }
 }
 

diff --git a/infra/app/app-config/env-config/variables.tf b/infra/app/app-config/env-config/variables.tf
@@ -87,3 +87,9 @@ variable "enable_command_execution" {
   description = "Enables the ability to manually execute commands on running service containers using AWS ECS Exec"
   default     = false
 }
+
+variable "enable_identity_provider" {
+  type        = bool
+  description = "Enables identity provider"
+  default     = false
+}
diff --git a/infra/app/app-config/main.tf b/infra/app/app-config/main.tf
@@ -24,6 +24,13 @@ locals {
 
   has_incident_management_service = false
 
+  # Whether or not the application should deploy an identity provider
+  # If enabled:
+  # 1. A Cognito user pool will be created
+  # 2. A Cognito user pool app client will be created
+  # 3. Environment variables for the app client will be added to the service
+  enable_identity_provider = false
+
   environment_configs = {
     dev     = module.dev_config
     staging = module.staging_config

diff --git a/infra/app/app-config/prod.tf b/infra/app/app-config/prod.tf
@@ -10,6 +10,7 @@ module "prod_config" {
   enable_https                    = false
   has_database                    = local.has_database
   has_incident_management_service = local.has_incident_management_service
+  enable_identity_provider        = local.enable_identity_provider
 
   # These numbers are a starting point based on this article
   # Update the desired instance size and counts based on the project's specific needs

diff --git a/infra/app/app-config/staging.tf b/infra/app/app-config/staging.tf
@@ -10,6 +10,7 @@ module "staging_config" {
   enable_https                    = false
   has_database                    = local.has_database
   has_incident_management_service = local.has_incident_management_service
+  enable_identity_provider        = local.enable_identity_provider
 
   # Enables ECS Exec access for debugging or jump access.
   # See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html

diff --git a/infra/app/service/main.tf b/infra/app/service/main.tf
@@ -153,19 +153,33 @@ module "service" {
   extra_environment_variables = merge({
     FEATURE_FLAGS_PROJECT = module.feature_flags.evidently_project_name
     BUCKET_NAME           = local.storage_config.bucket_name
-  }, local.service_config.extra_environment_variables)
-
-  secrets = [
-    for secret_name in keys(local.service_config.secrets) : {
+    },
+    local.service_config.enable_identity_provider ? {
+      COGNITO_USER_POOL_ID = module.identity_provider[0].user_pool_id
+      COGNITO_CLIENT_ID    = module.identity_provider_client[0].client_id
+    } : {},
+    local.service_config.extra_environment_variables
+  )
+
+  secrets = concat(
+    [for secret_name in keys(local.service_config.secrets) : {
       name      = secret_name
       valueFrom = module.secrets[secret_name].secret_arn
-    }
-  ]
-
-  extra_policies = {
+    }],
+    local.service_config.enable_identity_provider ? [{
+      name      = "COGNITO_CLIENT_SECRET"
+      valueFrom = module.identity_provider_client[0].client_secret_arn
+    }] : []
+  )
+
+  extra_policies = merge({
     feature_flags_access = module.feature_flags.access_policy_arn,
     storage_access       = module.storage.access_policy_arn
-  }
+    },
+    local.service_config.enable_identity_provider ? {
+      identity_access = module.identity_provider_client[0].access_policy_arn,
+    } : {}
+  )
 
   is_temporary = local.is_temporary
 }
@@ -191,3 +205,19 @@ module "storage" {
   source = "../../modules/storage"
   name   = local.storage_config.bucket_name
 }
+
+module "identity_provider" {
+  count  = local.service_config.enable_identity_provider ? 1 : 0
+  source = "../../modules/identity-provider"
+  name   = local.service_config.service_name
+}
+
+module "identity_provider_client" {
+  count  = local.service_config.enable_identity_provider ? 1 : 0
+  source = "../../modules/identity-provider-client"
+  name   = local.service_config.service_name
+
+  cognito_user_pool_id = module.identity_provider[0].user_pool_id
+  callback_urls        = local.service_config.auth_callback_urls
+  logout_urls          = local.service_config.logout_urls
+}