fix: bug fixes (#43)

* feat: update api to include standard cognito group policy * feat: add group creation and email attribute * feat: changed name for variable placeholder * feat: add temporary deployment file * fix: handle s3 region endpoint bug * fix: correct new style pipeline formatting * feat: doc updates to reflect setup improvements Co-authored-by: Karl Wallbom <[email protected]>
kalleeh · Apr 3, 2020 · 451a9d6 · 451a9d6
1 parent b58d323
commit 451a9d6
Show file tree

Hide file tree

Showing 7 changed files with 109 additions and 57 deletions.
diff --git a/README.md b/README.md
@@ -49,39 +49,13 @@ You can use the included bash script to quickly deploy the API in your account.
 
 Once you have the API up and running you will need to configure your developer accounts so that they can interact with the platform. Follow the below steps to create groups and user accounts for your development teams.
 
-### 1. Create Team Roles
-
-1.1 Navigate to [IAM Roles](https://console.aws.amazon.com/iam/home#/roles) and create a role for each of your development teams using the below policy.
-
-```json
-{
-    "Effect": "Allow",
-    "Action": [
-        "codecommit:*",
-        "logs:FilterLogEvents"
-    ],
-    "Resource": "*",
-    "Condition": {
-        "StringEquals": {
-            "aws:ResourceTag/gurum-groups": "${aws:PrincipalTag/gurum-groups}"
-        }
-    }
-}
-```
-
-1.2 Add the tag gurum-groups on each of the IAM roles you create. The value should be equal to the Cognito group (tenant) you want them to have access to.
-This will dynamically give them permissions to all CodeCommit Repositories and CloudWatch Logs that are tagged with the same group value.
-
-### 2. Configure Cognito
-
-#### 2.1 Create Groups
-
-2.1.1 Navigate to [Cognito User Pools](https://console.aws.amazon.com/cognito/users/) on the web console and select `gurum_users`.
+### 1. Configure Cognito
 
-2.1.2 Select `Users and groups` from the navigation panel under general settings.
+#### 1.1 Create Teams (Cognito Groups)
 
-2.1.3 From the group tab create a new group for each team and assign the correct IAM role created in the last step. *Note: the group name should match the 'team name' defined in the policy.*
+1.1.1 Use the `./helpers/cognito_quick_group.sh` script to create a new Gurum Team that your users can collaborate on.
+This effectively functions as a tenant in Gurum and ownership of apps and services are linked to the Team.
 
-#### 2.2 Create Users
+#### 1.2 Create Users
 
-2.2.1 Use the `./helpers/cognito_quick_user.sh` script to create a new cognito user.
+1.2.1 Use the `./helpers/cognito_quick_user.sh` script to create a new cognito user.
diff --git a/helpers/cognito_quick_group.sh b/helpers/cognito_quick_group.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+set -e
+
+echo -e "Checking if the platform has been setup..\n"
+
+## Retreive Cognito Details
+USER_POOL_ID=$(aws cognito-idp list-user-pools --max-results 20 | jq -r '.UserPools[] | select(.Name == "gurum_users") | .Id')
+if [ -z $USER_POOL_ID ]; then 
+    echo "No user pool found. Ensure the platform has been setup first."
+    exit 1
+fi
+
+##App client id
+IDENTITY_POOL_ID=$(aws cognito-identity list-identity-pools --max-results 20 | jq -r '.IdentityPools[] | select(.IdentityPoolName == "gurum_idp") | .IdentityPoolId')
+if [ -z $IDENTITY_POOL_ID ]; then 
+    echo "No identity pool found. Ensure the platform has been setup first."
+    exit 1
+fi
+
+# MODIFY TRUST POLICY JSON
+MYDIR="$(dirname "$(which "$0")")"
+sed "s/###RESERVED_FOR_QUICK_GROUP_SCRIPT###/$IDENTITY_POOL_ID/g" $MYDIR/group_trust_policy.json > $MYDIR/group_trust_policy.deploy
+
+# USER CREATION
+echo "Enter a group name:"
+read GROUP_NAME
+
+## Create the IAM Role
+ROLE_NAME="gurum-$GROUP_NAME-role"
+ROLE_ARN=$(aws iam create-role \
+    --path '/gurum/groups/' \
+    --role-name $ROLE_NAME \
+    --assume-role-policy-document file://$MYDIR/group_trust_policy.deploy \
+    --description "Gurum Cognito Group Assume Role for $GROUP_NAME" \
+    --tags Key=gurum-groups,Value=$GROUP_NAME | jq -r '.Role.Arn')
+rm $MYDIR/group_trust_policy.deploy # clean up temporary deploy file
+
+## Attach IAM role policy
+ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
+aws iam attach-role-policy \
+    --role-name $ROLE_NAME \
+    --policy-arn "arn:aws:iam::$ACCOUNT_ID:policy/gurum/gurum-group-policy"
+
+## Create the Cognito Group
+aws cognito-idp create-group \
+    --group-name $GROUP_NAME \
+    --user-pool-id $USER_POOL_ID \
+    --role-arn $ROLE_ARN > /dev/null
+
+echo -e "\n\nSuccess! Group created and mapped to an IAM role."
diff --git a/helpers/cognito_quick_user.sh b/helpers/cognito_quick_user.sh
@@ -4,14 +4,14 @@ set -e
 echo -e "Checking if the platform has been setup..\n"
 
 ## Retreive Cognito Details
-POOL_ID=$(aws cognito-idp list-user-pools --max-results 20 | jq -r '.UserPools[] | select(.Name == "gurum_users") | .Id')
-if [ -z $POOL_ID ]; then 
+USER_POOL_ID=$(aws cognito-idp list-user-pools --max-results 20 | jq -r '.UserPools[] | select(.Name == "gurum_users") | .Id')
+if [ -z $USER_POOL_ID ]; then 
     echo "No user pool found. Ensure the platform has been setup first."
     exit 1
 fi
 
 ##App client id
-CLIENT_ID=$(aws cognito-idp list-user-pool-clients --user-pool-id $POOL_ID | jq -r '.UserPoolClients[] | select(.ClientName == "gurum-client") | .ClientId')
+CLIENT_ID=$(aws cognito-idp list-user-pool-clients --user-pool-id $USER_POOL_ID | jq -r '.UserPoolClients[] | select(.ClientName == "gurum-client") | .ClientId')
 if [ -z $CLIENT_ID ]; then 
     echo "No client id found. Ensure the platform has been setup first."
     exit 1
@@ -21,21 +21,24 @@ fi
 echo "Enter a username:"
 read USERNAME
 
+echo "Enter a valid e-mail:"
+read EMAIL
+
 echo -e "\nEnter a password:"
 read -s PASSWORD
 
 ## Create the Cognito user
-aws cognito-idp sign-up --client-id $CLIENT_ID --username $USERNAME --password $PASSWORD > /dev/null
+aws cognito-idp sign-up --client-id $CLIENT_ID --username $USERNAME --password $PASSWORD --user-attributes Name="email",Value="$EMAIL" > /dev/null
 
 ## Assign cognito user to group
-GROUP_NAMES=$(aws cognito-idp list-groups --user-pool-id $POOL_ID | jq -r '.Groups | map(.GroupName) | join(" , ")')
+GROUP_NAMES=$(aws cognito-idp list-groups --user-pool-id $USER_POOL_ID | jq -r '.Groups | map(.GroupName) | join(" , ")')
 
 echo -e "\n\nEnter a group for the user (valid: $GROUP_NAMES):"
 read SELECTED_GROUP
 
-aws cognito-idp admin-add-user-to-group --username $USERNAME --user-pool-id $POOL_ID --group-name $SELECTED_GROUP
+aws cognito-idp admin-add-user-to-group --username $USERNAME --user-pool-id $USER_POOL_ID --group-name $SELECTED_GROUP
 
 ## Confirm the user account
-aws cognito-idp admin-confirm-sign-up --username $USERNAME --user-pool-id $POOL_ID
+aws cognito-idp admin-confirm-sign-up --username $USERNAME --user-pool-id $USER_POOL_ID
 
 echo -e "\n\nSuccess! Log-in with your chosen details."
diff --git a/helpers/group_trust_policy.json b/helpers/group_trust_policy.json
@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "cognito-identity.amazonaws.com"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "cognito-identity.amazonaws.com:aud": "###RESERVED_FOR_QUICK_GROUP_SCRIPT###"
+        }
+      }
+    }
+  ]
+}
diff --git a/lambda_layers/dependencies/python/template_generator.py b/lambda_layers/dependencies/python/template_generator.py
@@ -28,7 +28,8 @@ def generate_template_url(stack_type, payload):
     elif stack_type == 'service':
         prefix_path = 'services'
 
-    template_url = 'https://s3.amazonaws.com/{}/{}/{}/{}.yaml'.format(
+    template_url = 'https://s3-{}.amazonaws.com/{}/{}/{}/{}.yaml'.format(
+        platform_config.PLATFORM_REGION,
         platform_config.PLATFORM_BUCKET,
         prefix_path,
         payload['product_flavor'],

diff --git a/src/pipelines/name/update_pipeline.py b/src/pipelines/name/update_pipeline.py
@@ -37,7 +37,7 @@ def patch(event, _context):
 
     # Configure default values if not present
     if 'product_flavor' not in payload:
-        payload['product_flavor'] = 'github'
+        payload['product_flavor'] = 'github/cfn'
     if 'version' not in payload:
         payload['version'] = 'latest'
 

diff --git a/src/template.yaml b/src/template.yaml
@@ -120,7 +120,7 @@ Resources:
       GenerateSecret: false
       UserPoolId: !Ref UserPool
 
-  # Creates a federated Identity pool
+  # Creates a Federated Identity pool
   IdentityPool:
     Type: 'AWS::Cognito::IdentityPool'
     Properties:
@@ -130,11 +130,31 @@ Resources:
         - ClientId: !Ref UserPoolClient
           ProviderName: !GetAtt UserPool.ProviderName
 
+  # Creates an IAM Policy using Tag Based authorization to dynamically authorize
+  # cognito federated roles to their resources based on gurum-groups tag.
+  GurumGroupPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: gurum-group-policy
+      Path: '/gurum/'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: 'Allow'
+            Action:
+              - 'codecommit:*'
+              - 'logs:FilterLogEvents'
+            Resource: '*'
+            Condition:
+              StringEquals:
+                'aws:ResourceTag/gurum-groups': '${aws:PrincipalTag/gurum-groups}'
+
   # Create a role for unauthorized access to AWS resources. Very limited access.
   # Only allows users in the previously created Identity Pool
   CognitoUnAuthorizedRole:
     Type: 'AWS::IAM::Role'
     Properties:
+      Path: '/gurum/'
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -171,6 +191,7 @@ Resources:
   CognitoAuthorizedRole:
     Type: 'AWS::IAM::Role'
     Properties:
+      Path: '/gurum/'
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -211,20 +232,6 @@ Resources:
                   - 'cognito-identity:UpdateIdentityPool'
                 Resource: !Sub 'arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}'
 
-  CognitoESAccessRole:
-    Type: 'AWS::IAM::Role'
-    Properties:
-      ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/AmazonESCognitoAccess
-      AssumeRolePolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          - Effect: 'Allow'
-            Principal:
-              Service: 'es.amazonaws.com'
-            Action:
-              - 'sts:AssumeRole'
-
   # Assigns the roles to the Identity Pool
   IdentityPoolRoleMapping:
     Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
@@ -237,7 +244,7 @@ Resources:
   DeploymentRole:
     Type: AWS::IAM::Role
     Properties:
-      Path: /
+      Path: '/gurum/'
       AssumeRolePolicyDocument: 
         Version: "2012-10-17"
         Statement: