Cloudfront auth cognito (#4)

* PR #4 candidate. updated according to incoming PR's (suggestions). * + authz description formatted * + add required params to example.
mslipets · Jul 2, 2020 · ad7cfc5 · ad7cfc5
1 parent 8b28e4b
commit ad7cfc5
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 62 deletions.
diff --git a/example/main.tf b/example/main.tf
@@ -5,16 +5,17 @@ module "cloudfront_auth" {
   cloudfront_distribution = "private.example.com"
   client_id               = "CHANGE_ME"
   client_secret           = "CHANGE_ME"
+  base_uri                = "https://auth-xxxxxx.auth.us-east-1.amazoncognito.com"
   redirect_uri            = "https://private.example.com/callback"
   github_organization     = "exampleorg"
 
   bucket_name                    = "private.example.com"
   region                         = "eu-west-1"
-  cloudfront_acm_certificate_arn = "${aws_acm_certificate.cert.arn}"
+  cloudfront_acm_certificate_arn = aws_acm_certificate.cert.arn
 }
 
 resource "aws_acm_certificate" "cert" {
-  provider          = "aws.us-east-1"
+  provider          = aws.us-east-1
   domain_name       = "example.com"
   validation_method = "EMAIL"
   subject_alternative_names = [
@@ -24,9 +25,9 @@ resource "aws_acm_certificate" "cert" {
 
 // A test object for the bucket.
 resource "aws_s3_bucket_object" "test_object" {
-  bucket       = "${module.cloudfront_auth.s3_bucket}"
+  bucket       = module.cloudfront_auth.s3_bucket
   key          = "index.html"
   source       = "${path.module}/index.html"
   content_type = "text/html"
-  etag         = "${md5(file("${path.module}/index.html"))}"
+  etag         = sha256(file("${path.module}/index.html"))
 }
diff --git a/main.tf b/main.tf
@@ -1,7 +1,22 @@
+#
+# Local nvm presence check
+#
+resource "null_resource" "check_nvm" {
+  provisioner "local-exec" {
+    command = <<EOF
+    if not which nvm; then
+        echo "ERROR: nvm is not installed"
+        exit 1
+    fi
+EOF
+  }
+}
+
 #
 # Local nodejs dependency install.
 #
 resource "null_resource" "provision_nodejs" {
+  depends_on = [null_resource.check_nvm]
   provisioner "local-exec" {
     command = <<EOF
     nvm install -s ${var.nodejs_version} &&\
@@ -18,20 +33,21 @@ resource "null_resource" "copy_source" {
 
   triggers = {
     build_resource = null_resource.provision_nodejs.id
-    always_run     = "${timestamp()}"
+    always_run     = timestamp()
   }
 
   provisioner "local-exec" {
     command = <<EOF
 if [ ! -d "build" ]; then
   if [ ! -L "build" ]; then
-    curl -L https://github.com/mslipets/cloudfront-auth/archive/${var.cloudfront_auth_brach}.zip --output cloudfront-auth-${var.cloudfront_auth_brach}.zip
-    unzip -q cloudfront-auth-${var.cloudfront_auth_brach}.zip -d build/
-    mkdir build/cloudfront-auth-${var.cloudfront_auth_brach}/distributions
+    curl -L https://github.com/mslipets/cloudfront-auth/archive/${var.cloudfront_auth_branch}.zip \
+        --output cloudfront-auth-${var.cloudfront_auth_branch}.zip
+    unzip -q cloudfront-auth-${var.cloudfront_auth_branch}.zip -d build/
+    mkdir build/cloudfront-auth-${var.cloudfront_auth_branch}/distributions
 
     nvm use ${var.nodejs_version}
-    cp ${data.local_file.build-js.filename} build/cloudfront-auth-${var.cloudfront_auth_brach}/build/build.js&&\
-    cd build/cloudfront-auth-${var.cloudfront_auth_brach} && npm i minimist shelljs && npm install && cd build && npm install
+    cp ${data.local_file.build-js.filename} build/cloudfront-auth-${var.cloudfront_auth_branch}/build/build.js&&\
+    cd build/cloudfront-auth-${var.cloudfront_auth_branch} && npm i minimist shelljs && npm install && cd build && npm install
   fi
 fi
 EOF
@@ -58,8 +74,16 @@ resource "null_resource" "build_lambda" {
 
   provisioner "local-exec" {
     command = <<EOF
-nvm use ${var.nodejs_version}&&\
-cd build/cloudfront-auth-${var.cloudfront_auth_brach} && node build/build.js --AUTH_VENDOR=${var.auth_vendor} --CLOUDFRONT_DISTRIBUTION=${var.cloudfront_distribution} --CLIENT_ID=${var.client_id} --CLIENT_SECRET=${var.client_secret == "" ? "none" : var.client_secret} --BASE_URL=${var.base_uri} --REDIRECT_URI=${var.redirect_uri} --HD=${var.hd} --SESSION_DURATION=${var.session_duration} --AUTHZ=${var.authz} --GITHUB_ORGANIZATION=${var.github_organization}
+    nvm use ${var.nodejs_version}&&\
+    cd build/cloudfront-auth-${var.cloudfront_auth_branch} &&\
+    node build/build.js --AUTH_VENDOR=${var.auth_vendor} \
+    --BASE_URL=${var.base_uri} \
+    --CLOUDFRONT_DISTRIBUTION=${var.cloudfront_distribution} \
+    --CLIENT_ID=${var.client_id} \
+    --CLIENT_SECRET=${var.client_secret == "" ? "none" : var.client_secret} \
+    --REDIRECT_URI=${var.redirect_uri} --HD=${var.hd} \
+    --SESSION_DURATION=${var.session_duration} --AUTHZ=${var.authz} \
+    --GITHUB_ORGANIZATION=${var.github_organization}
 EOF
   }
 }
@@ -72,7 +96,7 @@ resource "null_resource" "copy_lambda_artifact" {
   }
 
   provisioner "local-exec" {
-    command = "cp build/cloudfront-auth-${var.cloudfront_auth_brach}/distributions/${var.cloudfront_distribution}/${var.cloudfront_distribution}.zip ${local.lambda_filename}"
+    command = "cp build/cloudfront-auth-${var.cloudfront_auth_branch}/distributions/${var.cloudfront_distribution}/${var.cloudfront_distribution}.zip ${local.lambda_filename}"
   }
 }
 
@@ -101,28 +125,13 @@ resource "aws_s3_bucket" "default" {
 data "aws_iam_policy_document" "s3_bucket_policy" {
   statement {
     actions = [
-      "s3:GetObject"
-    ]
-
-    resources = [
-      "${aws_s3_bucket.default.arn}/*",
-    ]
-
-    principals {
-      type = "AWS"
-      identifiers = [
-        aws_cloudfront_origin_access_identity.default.iam_arn,
-      ]
-    }
-  }
-
-  statement {
-    actions = [
-      "s3:ListBucket",
+      "s3:GetObject",
+      "s3:ListBucket"
     ]
 
     resources = [
       aws_s3_bucket.default.arn,
+      "${aws_s3_bucket.default.arn}/*"
     ]
 
     principals {
@@ -133,35 +142,27 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
     }
   }
 
-  statement {
-    actions = [
-      "s3:GetBucketLocation",
-      "s3:ListBucket"
-    ]
-
-    resources = [
-      aws_s3_bucket.default.arn,
-    ]
+  dynamic "statement" {
+    for_each = var.bucket_access_roles_arn_list
+    iterator = arn
+    content {
 
-    principals {
-      type        = "AWS"
-      identifiers = var.bucket_access_roles_arn_list
-    }
-  }
-
-  statement {
-    actions = [
-      "s3:GetObject",
-      "s3:PutObject"
-    ]
+      actions = [
+        "s3:GetBucketLocation",
+        "s3:ListBucket",
+        "s3:GetObject",
+        "s3:PutObject"
+      ]
 
-    resources = [
-      "${aws_s3_bucket.default.arn}/*",
-    ]
+      resources = [
+        aws_s3_bucket.default.arn,
+        "${aws_s3_bucket.default.arn}/*"
+      ]
 
-    principals {
-      type        = "AWS"
-      identifiers = var.bucket_access_roles_arn_list
+      principals {
+        type        = "AWS"
+        identifiers = [arn.value]
+      }
     }
   }
 }
@@ -268,7 +269,7 @@ data "aws_iam_policy_document" "lambda_log_access" {
 
 # This function is created in us-east-1 as required by CloudFront.
 resource "aws_lambda_function" "default" {
-  depends_on = [null_resource.copy_lambda_artifact]
+  depends_on = [null_resource.check_nvm, null_resource.copy_lambda_artifact]
 
   provider         = aws.us-east-1
   description      = "Managed by Terraform"

diff --git a/variables.tf b/variables.tf
@@ -1,4 +1,4 @@
-variable "cloudfront_auth_brach" {
+variable "cloudfront_auth_branch" {
   type        = string
   default     = "cognito"
   description = "https://github.com/mslipets/cloudfront-auth/{branch_name} (current actual \"cognito\")"
@@ -49,7 +49,17 @@ variable "session_duration" {
 variable "authz" {
   type        = string
   default     = "1"
-  description = "The authorisation method (google, microsoft only). Mirosoft: (1) Azure AD Login (default)\n   (2) JSON Username Lookup\n\n Google: (1) Hosted Domain - verify email's domain matches that of the given hosted domain\n   (2) HTTP Email Lookup - verify email exists in JSON array located at given HTTP endpoint\n   (3) Google Groups Lookup - verify email exists in one of given Google Groups"
+  description = <<-DOC
+    A string containing an integer specifying the authorization method for auth_vendor google
+    and microsoft. This has no effect on other auth_vendors.
+    microsoft:
+      "1" Azure AD Login (default)
+      "2" JSON Username Lookup
+    google:
+      "1" Hosted Domain - verify email's domain matches that of the given hosted domain
+      "2" HTTP Email Lookup - verify email exists in JSON array located at given HTTP endpoint
+      "3" Google Groups Lookup - verify email exists in one of given Google Groups"
+    DOC
 }
 
 variable "github_organization" {
@@ -94,7 +104,6 @@ variable "cloudfront_default_root_object" {
 
 variable "cloudfront_acm_certificate_arn" {
   description = "ACM Certificate ARN for Cloudfront"
-  default     = ""
 }
 
 variable "nodejs_version" {
@@ -111,5 +120,6 @@ variable "geo_restriction_whitelisted_locations" {
 
 variable "bucket_access_roles_arn_list" {
   type        = list(string)
-  description = "A Role ARN which granted RW rights to bucket (to be used by instance profiles)"
+  default     = []
+  description = "A Role ARN which granted RW rights to bucket (to be used by instance profiles in order to upload/cleanup bucket content)"
 }