feat: #884 add admin management lambda (#1035)

Co-authored-by: Derek Roberts <[email protected]>

.github/workflows/reusable_terraform_server.yml

@@ -105,6 +105,29 @@ jobs:
           path: ./infrastructure/server/fam-ui-api.zip
           if-no-files-found: error
 
+      - name: Install and Package Dependencies - FAM Admin Management API
+        run: |
+          cd server/admin_management
+          mkdir packaging
+          cd packaging
+          pip install -t . -r ../requirements.txt --platform manylinux2014_x86_64 --only-binary=:all:
+          zip -r9 ../../fam-admin-management-api.zip .
+          cd ..
+          rm -rf packaging
+          cd ../../
+          cd server/admin_management
+          zip -u ../fam-admin-management-api.zip -r api/ -x database/**\* tests/**\* venv/**\* .env
+          cd ..
+          mv fam-admin-management-api.zip ../infrastructure/server
+          cd ..
+
+      - name: Upload zip file artifact - FAM Admin Management API
+        uses: actions/upload-artifact@v3
+        with:
+          name: fam-admin-management-api
+          path: ./infrastructure/server/fam-admin-management-api.zip
+          if-no-files-found: error
+
       - name: Stage Flyway SQL files
         run: |
           mkdir infrastructure/server/sql

.github/workflows/sonar.yml

@@ -97,6 +97,50 @@ jobs:
             -Dsonar.sources=api
             -Dsonar.tests=testspg
 
+  ci-admin-management:
+    runs-on: ubuntu-latest
+    env:
+      environment: dev
+      organization: bcgov
+      POSTGRES_USER: fam_admin_management_api
+      POSTGRES_PASSWORD: test
+      POSTGRES_HOST: localhost
+      POSTGRES_DB: fam
+      POSTGRES_PORT: 5432
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Deep fetch is required for SonarCloud
+          fetch-depth: 0
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: 3.8
+
+      - name: Tests and coverage
+        run: |
+          cd server/admin_management
+          pip install -r requirements.txt -r requirements-dev.txt
+          pip install pytest-cov
+          pytest --cov=. --cov-branch --cov-report=xml \
+            -v --md=report.md --emoji
+
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_ADMIN }}
+        with:
+          projectBaseDir: server/admin_management
+          args: >
+            -Dsonar.host.url=https://sonarcloud.io
+            -Dsonar.organization=bcgov-sonarcloud
+            -Dsonar.projectKey=nr-forests-access-management_admin
+            -Dsonar.python.coverage.reportPaths=*coverage*.xml
+            -Dsonar.python.version=3.8
+            -Dsonar.sources=api
+            -Dsonar.tests=tests
+
   ci-frontend:
     runs-on: ubuntu-latest
     steps:

.github/workflows/tools_deployment.yml

@@ -5,7 +5,7 @@ on:
   push:
     branches:
       # Enable a specific branch to temporarily test in the tools environment.
-      - "feat/802-aws-bastion-host-terraform"
+      - "feat/884-user-management-lambda"
 
 # When use GHA OIDC provider and for action to create the JWT, it is required to have the id-token: write permission
 # permission can be added at job level or workflow level. Ref: https://github.com/aws-actions/configure-aws-credentials#OIDC

.gitignore

@@ -67,6 +67,7 @@ frontend/domain.txt
 server/credentials.tfrc.json
 server/fam_auth_function.zip
 server/fam-ui-api.zip
+server/fam-admin-management-api.zip
 
 server/junk.bash
 infrastructure/server/github.auto.tfvars
@@ -82,6 +83,7 @@ infrastructure/server/fam_auth_function.zip
 terraform/test/github.auto.tfvars
 infrastructure/fam-ui-api.zip
 infrastructure/server/fam-ui-api.zip
+infrastructure/server/fam-admin-management-api.zip
 
 terraform/tools/github.auto.tfvars
 terraform/tools/.terraform.lock.hcl

docker-base-services.yml

@@ -38,7 +38,7 @@ services:
       - FLYWAY_BASELINE_ON_MIGRATE=true
       - FLYWAY_PLACEHOLDERS_api_db_username=fam_proxy_api
       - FLYWAY_PLACEHOLDERS_api_db_password=test
-      - FLYWAY_PLACEHOLDERS_admin_management_api_db_user=fam_proxy_admin_management_api
+      - FLYWAY_PLACEHOLDERS_admin_management_api_db_user=fam_admin_management_api
       - FLYWAY_PLACEHOLDERS_admin_management_api_db_password=test
       - FLYWAY_PLACEHOLDERS_client_id_fom_public="nolongerinuse1"
       - FLYWAY_PLACEHOLDERS_client_id_fom_ministry="nolongerinuse2"

infrastructure/server/aurora-v2.tf

@@ -172,6 +172,44 @@ resource "aws_secretsmanager_secret_version" "famdb_apicreds_secret_version" {
 EOF
 }
 
+# Create Admin Management API Lambda DB User Credentials
+
+resource "random_password" "famdb_admin_management_api_password" {
+  length           = 16
+  special          = true
+  override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+variable "famdb_admin_management_api_username" {
+  description = "The username for the DB admin management api user"
+  type        = string
+  default     = "fam_admin_management_api"
+  sensitive   = true
+}
+
+resource "random_pet" "admin_management_api_creds_secret_name" {
+  prefix = "famdb-admin-management-api-creds"
+  length = 2
+}
+
+resource "aws_secretsmanager_secret" "famdb_admin_management_apicreds_secret" {
+  name = random_pet.admin_management_api_creds_secret_name.id
+
+  tags = {
+    managed-by = "terraform"
+  }
+}
+
+resource "aws_secretsmanager_secret_version" "famdb_admin_management_apicreds_secret_version" {
+  secret_id     = aws_secretsmanager_secret.famdb_admin_management_apicreds_secret.id
+  secret_string = <<EOF
+   {
+    "username": "${var.famdb_admin_management_api_username}",
+    "password": "${random_password.famdb_admin_management_api_password.result}"
+   }
+EOF
+}
+
 # Create Auth Lambda DB User Credentials
 
 variable "famdb_auth_lambda_user" {
@@ -250,6 +288,7 @@ resource "aws_iam_role_policy" "famdb_api_user_rds_proxy_secret_access_policy" {
         ],
         "Resource": [
           "${aws_secretsmanager_secret.famdb_apicreds_secret.arn}",
+          "${aws_secretsmanager_secret.famdb_admin_management_apicreds_secret.arn}",
           "${aws_secretsmanager_secret.famdb_auth_lambda_creds_secret.arn}"
         ]
       }
@@ -278,6 +317,13 @@ resource "aws_db_proxy" "famdb_proxy_api" {
     secret_arn  = aws_secretsmanager_secret.famdb_apicreds_secret.arn
   }
 
+  auth {
+    auth_scheme = "SECRETS"
+    description = "Admin Management API Lambda User"
+    iam_auth    = "DISABLED"
+    secret_arn  = aws_secretsmanager_secret.famdb_admin_management_apicreds_secret.arn
+  }
+
   auth {
     auth_scheme = "SECRETS"
     description = "Auth Lambda User"

infrastructure/server/fam_admin_management_api.tf

@@ -0,0 +1,138 @@
+# Looking up a few things so they can be changed for this file in one place only
+
+data "aws_secretsmanager_secret" "db_admin_management_api_creds_secret" {
+  name = aws_secretsmanager_secret.famdb_admin_management_apicreds_secret.name
+}
+
+data "aws_rds_cluster" "admin_management_api_database" {
+  cluster_identifier = var.famdb_cluster_name
+  depends_on = [
+    module.aurora_postgresql_v2
+  ]
+}
+
+data "aws_db_proxy" "admin_management_api_lambda_db_proxy" {
+  name = aws_db_proxy.famdb_proxy_api.name
+}
+
+locals {
+  admin_management_api_lambda_name = "fam-admin-management-api-lambda-${var.target_env}"
+}
+
+resource "aws_iam_role_policy" "fam_admin_management_api_lambda_access_policy" {
+  name   = "${local.admin_management_api_lambda_name}-access-policy"
+  role   = aws_iam_role.fam_admin_management_api_lambda_exec.id
+  policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+            "logs:CreateLogGroup",
+            "logs:CreateLogStream",
+            "logs:PutLogEvents",
+            "ec2:CreateNetworkInterface",
+            "ec2:DescribeNetworkInterfaces",
+            "ec2:DeleteNetworkInterface",
+            "ec2:AssignPrivateIpAddresses",
+            "ec2:UnassignPrivateIpAddresses"
+        ],
+        "Resource": "*"
+      },
+      {
+        "Effect": "Allow",
+        "Action": [
+          "secretsmanager:DescribeSecret",
+          "secretsmanager:GetSecretValue"
+        ],
+        "Resource": "${data.aws_secretsmanager_secret.db_admin_management_api_creds_secret.arn}"
+      },
+      {
+        "Effect": "Allow",
+        "Action": [
+          "secretsmanager:DescribeSecret",
+          "secretsmanager:GetSecretValue"
+        ],
+        "Resource": "${data.aws_secretsmanager_secret.fam_oidc_client_id_secret.arn}"
+      },
+      {
+        "Effect": "Allow",
+        "Action": [
+                "kms:*"
+            ],
+        "Resource": "${aws_kms_key.bcsc_key.arn}"
+      }
+    ]
+  }
+  EOF
+}
+
+data "aws_iam_policy_document" "fam_admin_management_api_lambda_exec_policydoc" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "fam_admin_management_api_lambda_exec" {
+  name               = "${local.admin_management_api_lambda_name}-role"
+  assume_role_policy = data.aws_iam_policy_document.fam_admin_management_api_lambda_exec_policydoc.json
+}
+
+# Had to move COGNITO_CLIENT_ID out of ENV and into an AWS Secret because of a
+# cycle dependency in the build. That's why it's not here. You still need it
+# when running local or in docker.
+# Need to supply COGNITO_CLIENT_ID_SECRET_NAME when deploying with terraform
+
+resource "aws_lambda_function" "fam-admin-management-api-function" {
+  filename      = "fam-admin-management-api.zip"
+  function_name = local.admin_management_api_lambda_name
+  role          = aws_iam_role.fam_admin_management_api_lambda_exec.arn
+  handler       = "api.app.main.handler"
+
+  source_code_hash = filebase64sha256("fam-admin-management-api.zip")
+
+  runtime = "python3.8"
+
+  vpc_config {
+    security_group_ids = ["${aws_security_group.fam_app_sg.id}"]
+    subnet_ids         = [data.aws_subnet.a_app.id, data.aws_subnet.b_app.id]
+  }
+
+  # Increase memory to avoid thrashing and slowing performance
+  # Size is in MB, based on limited testing in dev
+  memory_size = 512
+
+  # Increase timeout to 15 seconds to avoid failures due to slow starts or slow queries.
+  # We have seen transactions taking 7+ seconds in dev.
+  timeout = 15
+
+  environment {
+
+    variables = {
+      DB_SECRET                = "${data.aws_secretsmanager_secret.db_admin_management_api_creds_secret.name}"
+      PG_DATABASE              = "${data.aws_rds_cluster.admin_management_api_database.database_name}"
+      PG_PORT                  = "5432"
+      PG_HOST                  = "${data.aws_db_proxy.admin_management_api_lambda_db_proxy.endpoint}"
+      COGNITO_REGION           = "${data.aws_region.current.name}"
+      COGNITO_USER_POOL_ID     = "${aws_cognito_user_pool.fam_user_pool.id}"
+      COGNITO_USER_POOL_DOMAIN = "${var.fam_user_pool_domain_name}"
+      COGNITO_CLIENT_ID_SECRET = "${data.aws_secretsmanager_secret.fam_oidc_client_id_secret.name}"
+
+      API_GATEWAY_STAGE_NAME = "${var.api_gateway_stage_name}"
+      COGNITO_CLIENT_ID        = "3hv7q2mct0okt12m5i3p5v4phu"
+
+      ALLOW_ORIGIN = "${var.front_end_redirect_path}"
+    }
+
+  }
+
+  tags = {
+    "managed-by" = "terraform"
+  }
+}

infrastructure/server/flyway.tf

@@ -17,6 +17,19 @@ data "aws_secretsmanager_secret_version" "db_flyway_api_creds_current" {
   ]
 }
 
+data "aws_secretsmanager_secret" "db_flyway_admin_management_api_creds" {
+  name = aws_secretsmanager_secret.famdb_admin_management_apicreds_secret.name
+}
+
+data "aws_secretsmanager_secret_version" "db_flyway_admin_management_api_creds_current" {
+  secret_id = data.aws_secretsmanager_secret.db_flyway_admin_management_api_creds.id
+
+  depends_on = [
+    # Fix race condition
+    aws_secretsmanager_secret_version.famdb_admin_management_apicreds_secret_version
+  ]
+}
+
 data "aws_secretsmanager_secret" "db_flyway_auth_creds" {
   name = aws_secretsmanager_secret.famdb_auth_lambda_creds_secret.name
 }
@@ -214,6 +227,7 @@ resource "aws_db_cluster_snapshot" "fam_pre_flyway_snapshot" {
 # Need to grab the username and password from the database so they can go into the scripts
 locals {
   flyway_db_creds = jsondecode(data.aws_secretsmanager_secret_version.db_flyway_api_creds_current.secret_string)
+  flyway_db_admin_management_api_creds = jsondecode(data.aws_secretsmanager_secret_version.db_flyway_admin_management_api_creds_current.secret_string)
   flyway_db_auth_creds = jsondecode(data.aws_secretsmanager_secret_version.db_flyway_auth_creds_current.secret_string)
 }
 
@@ -231,8 +245,8 @@ data "aws_lambda_invocation" "invoke_flyway_migration" {
           "api_db_password" : "md5${md5(join("", [local.flyway_db_creds.password, local.flyway_db_creds.username]))}",
           "auth_lambda_db_user" : "${local.flyway_db_auth_creds.username}",
           "auth_lambda_db_password" : "md5${md5(join("", [local.flyway_db_auth_creds.password, local.flyway_db_auth_creds.username]))}",
-          "admin_management_api_db_user" : "fam_proxy_admin_management_api",
-          "admin_management_api_db_password" : "not_real_pwd_to_be_replaced",
+          "admin_management_api_db_user" : "${local.flyway_db_admin_management_api_creds.username}",
+          "admin_management_api_db_password" : "md5${md5(join("", [local.flyway_db_admin_management_api_creds.password, local.flyway_db_admin_management_api_creds.username]))}",
           "client_id_fam_console" : "${aws_cognito_user_pool_client.fam_console_oidc_client.id}",
           "client_id_fom_public" : "nolongerinuse1",
           "client_id_fom_ministry" : "nolongerinuse2",