Add identity provider modules

infra/app/app-config/dev.tf

@@ -10,6 +10,13 @@ module "dev_config" {
  has_database = local.has_database
  has_incident_management_service = local.has_incident_management_service
 
+ # Enable and configure identity provider.
+ enable_identity_provider = local.enable_identity_provider
+
+ # Support local development against the dev instance.
+ extra_identity_provider_callback_urls = ["http://localhost"]
+ extra_identity_provider_logout_urls = ["http://localhost"]
+
  # Enables ECS Exec access for debugging or jump access.
  # See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html
  # Defaults to `false`. Uncomment the next line to enable.

infra/app/app-config/env-config/identity-provider.tf

@@ -0,0 +1,42 @@
+# Identity provider configuration.
+# If the notification service is configured, the identity provider will use the
+# SES-verified email to send notifications.
+locals {
+ # If your application should redirect users, after successful authentication, to a
+ # page other than the homepage, specify the path fragment here.
+ # Example: "profile"
+ callback_url_path = ""
+
+ # If your application should redirect users, after signing out, to a page other than
+ # the homepage, specify the path fragment here.
+ # Example: "logout"
+ logout_url_path = ""
+
+ identity_provider_config = var.enable_identity_provider ? {
+ identity_provider_name = "${local.prefix}${var.app_name}-${var.environment}"
+
+ password_policy = {
+ password_minimum_length = 12
+ temporary_password_validity_days = 7
+ }
+
+ # Optionally configure email template for resetting a password.
+ # Set any attribute to a non-null value to override AWS Cognito defaults.
+ verification_email = {
+ verification_email_message = null
+ verification_email_subject = null
+ }
+
+ # Do not modify this block directly.
+ client = {
+ callback_urls = concat(
+ var.domain_name != null ? ["https://${var.domain_name}/${local.callback_url_path}"] : [],
+ var.extra_identity_provider_callback_urls
+ )
+ logout_urls = concat(
+ var.domain_name != null ? ["https://${var.domain_name}/${local.logout_url_path}"] : [],
+ var.extra_identity_provider_logout_urls
+ )
+ }
+ } : null
+}

infra/app/app-config/env-config/notifications.tf

@@ -0,0 +1,15 @@
+# Notifications configuration
+locals {
+ notifications_config = var.enable_notifications ? {
+ # Set to an SES-verified email address to be used when sending emails.
+ sender_email = null
+
+ # Configure the name that users see in the "From" section of their inbox, so that it's
+ # clearer who the email is from.
+ sender_display_name = null
+
+ # Configure the REPLY-TO email address if it should be different from the sender.
+ # Note: Only used by the identity-provider service.
+ reply_to_email = null
+ } : null
+}

infra/app/app-config/env-config/outputs.tf

@@ -38,6 +38,14 @@ output "service_config" {
  }
 }
 
+output "identity_provider_config" {
+ value = local.identity_provider_config
+}
+
+output "notifications_config" {
+ value = local.notifications_config
+}
+
 output "storage_config" {
  value = {
  # Include project name in bucket name since buckets need to be globally unique across AWS

infra/app/app-config/env-config/variables.tf

@@ -31,11 +31,35 @@ variable "enable_https" {
  default = false
 }
 
+variable "enable_identity_provider" {
+ type = bool
+ description = "Enables identity provider"
+ default = false
+}
+
+variable "enable_notifications" {
+ type = bool
+ description = "Enables notifications"
+ default = false
+}
+
 variable "environment" {
  description = "name of the application environment (e.g. dev, staging, prod)"
  type = string
 }
 
+variable "extra_identity_provider_callback_urls" {
+ type = list(string)
+ description = "List of additional URLs that the identity provider will redirect the user to after a successful sign-in. Used for local development."
+ default = []
+}
+
+variable "extra_identity_provider_logout_urls" {
+ type = list(string)
+ description = "List of additional URLs that the identity provider will redirect the user to after signing out. Used for local development."
+ default = []
+}
+
 variable "has_database" {
  type = bool
 }

infra/app/app-config/main.tf

@@ -24,6 +24,18 @@ locals {
 
  has_incident_management_service = false
 
+ # Whether or not the application should deploy an identity provider
+ # If enabled:
+ # 1. Creates a Cognito user pool
+ # 2. Creates a Cognito user pool app client
+ # 3. Adds environment variables for the app client to the service
+ enable_identity_provider = false
+
+ # Whether or not the application should deploy a notification service
+ # Note: This is not yet ready for use.
+ # TODO(https://github.com/navapbc/template-infra/issues/567)
+ enable_notifications = false
+
  environment_configs = {
  dev = module.dev_config
  staging = module.staging_config

infra/app/app-config/outputs.tf

@@ -30,6 +30,10 @@ output "has_incident_management_service" {
  value = local.has_incident_management_service
 }
 
+output "enable_identity_provider" {
+ value = local.enable_identity_provider
+}
+
 output "image_repository_name" {
  value = local.image_repository_name
 }

infra/app/app-config/prod.tf

@@ -9,6 +9,7 @@ module "prod_config" {
  enable_https = false
  has_database = local.has_database
  has_incident_management_service = local.has_incident_management_service
+ enable_identity_provider = local.enable_identity_provider
 
  # These numbers are a starting point based on this article
  # Update the desired instance size and counts based on the project's specific needs

infra/app/app-config/staging.tf

@@ -9,6 +9,7 @@ module "staging_config" {
  enable_https = false
  has_database = local.has_database
  has_incident_management_service = local.has_incident_management_service
+ enable_identity_provider = local.enable_identity_provider
 
  # Enables ECS Exec access for debugging or jump access.
  # See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html

infra/app/service/main.tf

@@ -35,6 +35,8 @@ locals {
  database_config = local.environment_config.database_config
  storage_config = local.environment_config.storage_config
  incident_management_service_integration_config = local.environment_config.incident_management_service_integration
+ identity_provider_config = local.environment_config.identity_provider_config
+ notifications_config = local.environment_config.notifications_config
 
  network_config = module.project_config.network_configs[local.environment_config.network_name]
 }
@@ -150,22 +152,38 @@ module "service" {
  }
  } : null
 
- extra_environment_variables = merge({
- FEATURE_FLAGS_PROJECT = module.feature_flags.evidently_project_name
- BUCKET_NAME = local.storage_config.bucket_name
- }, local.service_config.extra_environment_variables)
-
- secrets = [
- for secret_name in keys(local.service_config.secrets) : {
+ extra_environment_variables = merge(
+ {
+ FEATURE_FLAGS_PROJECT = module.feature_flags.evidently_project_name
+ BUCKET_NAME = local.storage_config.bucket_name
+ },
+ module.app_config.enable_identity_provider ? {
+ COGNITO_USER_POOL_ID = module.identity_provider[0].user_pool_id
+ COGNITO_CLIENT_ID = module.identity_provider_client[0].client_id
+ } : {},
+ local.service_config.extra_environment_variables
+ )
+
+ secrets = concat(
+ [for secret_name in keys(local.service_config.secrets) : {
  name = secret_name
  valueFrom = module.secrets[secret_name].secret_arn
- }
- ]
-
- extra_policies = {
- feature_flags_access = module.feature_flags.access_policy_arn,
- storage_access = module.storage.access_policy_arn
- }
+ }],
+ module.app_config.enable_identity_provider ? [{
+ name = "COGNITO_CLIENT_SECRET"
+ valueFrom = module.identity_provider_client[0].client_secret_arn
+ }] : []
+ )
+
+ extra_policies = merge(
+ {
+ feature_flags_access = module.feature_flags.access_policy_arn,
+ storage_access = module.storage.access_policy_arn
+ },
+ module.app_config.enable_identity_provider ? {
+ identity_provider_access = module.identity_provider_client[0].access_policy_arn,
+ } : {}
+ )
 
  is_temporary = local.is_temporary
 }
@@ -192,3 +210,29 @@ module "storage" {
  name = local.storage_config.bucket_name
  is_temporary = local.is_temporary
 }
+
+module "identity_provider" {
+ count = module.app_config.enable_identity_provider ? 1 : 0
+ source = "../../modules/identity-provider"
+ is_temporary = local.is_temporary
+
+ name = local.identity_provider_config.identity_provider_name
+ password_minimum_length = local.identity_provider_config.password_policy.password_minimum_length
+ temporary_password_validity_days = local.identity_provider_config.password_policy.temporary_password_validity_days
+ verification_email_message = local.identity_provider_config.verification_email.verification_email_message
+ verification_email_subject = local.identity_provider_config.verification_email.verification_email_subject
+
+ sender_email = local.notifications_config == null ? null : local.notifications_config.sender_email
+ sender_display_name = local.notifications_config == null ? null : local.notifications_config.sender_display_name
+ reply_to_email = local.notifications_config == null ? null : local.notifications_config.reply_to_email
+}
+
+module "identity_provider_client" {
+ count = module.app_config.enable_identity_provider ? 1 : 0
+ source = "../../modules/identity-provider-client"
+
+ name = local.identity_provider_config.identity_provider_name
+ cognito_user_pool_id = module.identity_provider[0].user_pool_id
+ callback_urls = local.identity_provider_config.client.callback_urls
+ logout_urls = local.identity_provider_config.client.logout_urls
+}

infra/modules/identity-provider-client/access-control.tf

@@ -0,0 +1,15 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+resource "aws_iam_policy" "cognito_access" {
+ name = "${var.name}-cognito-access"
+ policy = data.aws_iam_policy_document.cognito_access.json
+}
+
+data "aws_iam_policy_document" "cognito_access" {
+ statement {
+ actions = ["cognito-idp:*"]
+ effect = "Allow"
+ resources = ["arn:aws:cognito-idp:${data.aws_region.current.name}:${data.aws_caller_identity.current.id}:userpool/${var.cognito_user_pool_id}"]
+ }
+}

infra/modules/identity-provider-client/main.tf

@@ -0,0 +1,37 @@
+resource "aws_cognito_user_pool_client" "client" {
+ name = var.name
+ user_pool_id = var.cognito_user_pool_id
+
+ callback_urls = var.callback_urls
+ logout_urls = var.logout_urls
+ supported_identity_providers = ["COGNITO"]
+ refresh_token_validity = 1
+ access_token_validity = 60
+ id_token_validity = 60
+ token_validity_units {
+ refresh_token = "days"
+ access_token = "minutes"
+ id_token = "minutes"
+ }
+
+ generate_secret = true
+ allowed_oauth_flows_user_pool_client = true
+ allowed_oauth_flows = ["code"]
+ allowed_oauth_scopes = ["phone", "email", "openid", "profile"]
+ explicit_auth_flows = ["ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
+
+ # Avoid security issue where error messages indicate when a user doesn't exist
+ prevent_user_existence_errors = "ENABLED"
+
+ enable_token_revocation = true
+ enable_propagate_additional_user_context_data = false
+
+ read_attributes = ["email", "email_verified", "phone_number", "phone_number_verified", "updated_at"]
+ write_attributes = ["email", "updated_at", "phone_number"]
+}
+
+resource "aws_ssm_parameter" "client_secret" {
+ name = "/${var.name}/identity-provider/client-secret"
+ type = "SecureString"
+ value = aws_cognito_user_pool_client.client.client_secret
+}

infra/modules/identity-provider-client/outputs.tf

@@ -0,0 +1,13 @@
+output "access_policy_arn" {
+ value = aws_iam_policy.cognito_access.arn
+}
+
+output "client_id" {
+ description = "The ID of the user pool client"
+ value = aws_cognito_user_pool_client.client.id
+}
+
+output "client_secret_arn" {
+ description = "The arn for the SSM parameter storing the user pool client secret"
+ value = aws_ssm_parameter.client_secret.arn
+}

infra/modules/identity-provider-client/variables.tf

@@ -0,0 +1,21 @@
+variable "callback_urls" {
+ type = list(string)
+ description = "The URL(s) that the identity provider will redirect to after a successful login"
+ default = []
+}
+
+variable "cognito_user_pool_id" {
+ type = string
+ description = "The ID of the user pool that the client will be associated with"
+}
+
+variable "logout_urls" {
+ type = list(string)
+ description = "The URL that the identity provider will redirect to after a successful logout"
+ default = []
+}
+
+variable "name" {
+ type = string
+ description = "Name of the application or service that will act as a client to the identity provider"
+}