feat: #1264 config prod bcsc (#1288)

infrastructure/server/oidc_idp_bcsc.tf

@@ -1,8 +1,11 @@
 # BCSC IDP that connects directly to IDIM Consulting OIDC server
-locals{
-  dev_local_bcsc_userinfo_proxy_endpoint = "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/bcsc/userinfo/dev"
+locals {
+  dev_local_bcsc_userinfo_proxy_endpoint  = "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/bcsc/userinfo/dev"
   test_local_bcsc_userinfo_proxy_endpoint = "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/bcsc/userinfo/test"
   prod_local_bcsc_userinfo_proxy_endpoint = "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/bcsc/userinfo/prod"
+  dev_local_bcsc_token_proxy_endpoint     = "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/bcsc/token/dev"
+  test_local_bcsc_token_proxy_endpoint    = "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/bcsc/token/test"
+  prod_local_bcsc_token_proxy_endpoint    = "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/bcsc/token/prod"
 }
 
 resource "aws_cognito_identity_provider" "dev_bcsc_oidc_provider" {
@@ -16,25 +19,23 @@ resource "aws_cognito_identity_provider" "dev_bcsc_oidc_provider" {
     client_secret             = var.dev_oidc_bcsc_idp_client_secret
     oidc_issuer               = var.dev_bcsc_oidc_idp_issuer
     attributes_request_method = "GET"
-    authorize_url = "https://idtest.gov.bc.ca/login/oidc/authorize"
-    token_url = "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/bcsc/token/dev"
-    attributes_url = "${var.use_override_proxy_endpoints ?  var.dev_override_bcsc_userinfo_proxy_endpoint : local.dev_local_bcsc_userinfo_proxy_endpoint}"
-
-    jwks_uri = "https://idtest.gov.bc.ca/oauth2/jwk.json"
+    authorize_url             = "https://idtest.gov.bc.ca/login/oidc/authorize"
+    token_url                 = "${var.use_override_proxy_endpoints ? var.dev_override_bcsc_token_proxy_endpoint : local.dev_local_bcsc_token_proxy_endpoint}"
+    attributes_url            = "${var.use_override_proxy_endpoints ? var.dev_override_bcsc_userinfo_proxy_endpoint : local.dev_local_bcsc_userinfo_proxy_endpoint}"
+    jwks_uri                  = "https://idtest.gov.bc.ca/oauth2/jwk"
   }
 
   attribute_mapping = {
-    given_name = "given_name",
-    family_name = "family_name",
-    birthdate = "birthdate",
-    gender = "gender",
-    email                      = "email",
-    email_verified = "email_verified",
-    address = "address",
-    "custom:idp_name"          = "aud",
-    "custom:idp_user_id"       = "sub",
-    "custom:idp_display_name"  = "display_name",
-    "custom:given_names" = "given_names"
+    given_name                = "given_name",
+    family_name               = "family_name",
+    birthdate                 = "birthdate",
+    email                     = "email",
+    email_verified            = "email_verified",
+    address                   = "address",
+    "custom:idp_name"         = "aud",
+    "custom:idp_user_id"      = "sub",
+    "custom:idp_display_name" = "display_name",
+    "custom:given_names"      = "given_names"
   }
 }
 
@@ -49,26 +50,23 @@ resource "aws_cognito_identity_provider" "test_bcsc_oidc_provider" {
     client_secret             = var.test_oidc_bcsc_idp_client_secret
     oidc_issuer               = var.test_bcsc_oidc_idp_issuer
     attributes_request_method = "GET"
-    authorize_url = "https://idtest.gov.bc.ca/login/oidc/authorize"
-    token_url = "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/bcsc/token/test"
-
-    attributes_url = "${var.use_override_proxy_endpoints ?  var.test_override_bcsc_userinfo_proxy_endpoint : local.test_local_bcsc_userinfo_proxy_endpoint}"
-
-    jwks_uri = "https://idtest.gov.bc.ca/oauth2/jwk.json"
+    authorize_url             = "https://idtest.gov.bc.ca/login/oidc/authorize"
+    token_url                 = "${var.use_override_proxy_endpoints ? var.test_override_bcsc_token_proxy_endpoint : local.test_local_bcsc_token_proxy_endpoint}"
+    attributes_url            = "${var.use_override_proxy_endpoints ? var.test_override_bcsc_userinfo_proxy_endpoint : local.test_local_bcsc_userinfo_proxy_endpoint}"
+    jwks_uri                  = "https://idtest.gov.bc.ca/oauth2/jwk"
   }
 
   attribute_mapping = {
-    given_name = "given_name",
-    family_name = "family_name",
-    birthdate = "birthdate",
-    gender = "gender",
-    email                      = "email",
-    email_verified = "email_verified",
-    address = "address",
-    "custom:idp_name"          = "aud",
-    "custom:idp_user_id"       = "sub",
-    "custom:idp_display_name"  = "display_name",
-    "custom:given_names" = "given_names"
+    given_name                = "given_name",
+    family_name               = "family_name",
+    birthdate                 = "birthdate",
+    email                     = "email",
+    email_verified            = "email_verified",
+    address                   = "address",
+    "custom:idp_name"         = "aud",
+    "custom:idp_user_id"      = "sub",
+    "custom:idp_display_name" = "display_name",
+    "custom:given_names"      = "given_names"
   }
 
 }
@@ -84,26 +82,23 @@ resource "aws_cognito_identity_provider" "prod_bcsc_oidc_provider" {
     client_secret             = var.prod_oidc_bcsc_idp_client_secret
     oidc_issuer               = var.prod_bcsc_oidc_idp_issuer
     attributes_request_method = "GET"
-    authorize_url = "https://idtest.gov.bc.ca/login/oidc/authorize"
-    token_url = "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/bcsc/token/prod"
-
-    attributes_url = "${var.use_override_proxy_endpoints ?  var.prod_override_bcsc_userinfo_proxy_endpoint : local.prod_local_bcsc_userinfo_proxy_endpoint}"
-
-    jwks_uri = "https://idtest.gov.bc.ca/oauth2/jwk.json"
+    authorize_url             = "https://id.gov.bc.ca/login/oidc/authorize"
+    token_url                 = "${var.use_override_proxy_endpoints ? var.prod_override_bcsc_token_proxy_endpoint : local.prod_local_bcsc_token_proxy_endpoint}"
+    attributes_url            = "${var.use_override_proxy_endpoints ? var.prod_override_bcsc_userinfo_proxy_endpoint : local.prod_local_bcsc_userinfo_proxy_endpoint}"
+    jwks_uri                  = "https://id.gov.bc.ca/oauth2/jwk"
   }
 
   attribute_mapping = {
-    given_name = "given_name",
-    family_name = "family_name",
-    birthdate = "birthdate",
-    gender = "gender",
-    email                      = "email",
-    email_verified = "email_verified",
-    address = "address",
-    "custom:idp_display_name"  = "display_name",
-    "custom:idp_name"          = "aud",
-    "custom:idp_user_id"       = "sub",
-    "custom:given_names" = "given_names"
+    given_name                = "given_name",
+    family_name               = "family_name",
+    birthdate                 = "birthdate",
+    email                     = "email",
+    email_verified            = "email_verified",
+    address                   = "address",
+    "custom:idp_display_name" = "display_name",
+    "custom:idp_name"         = "aud",
+    "custom:idp_user_id"      = "sub",
+    "custom:given_names"      = "given_names"
   }
 
-}
+}

infrastructure/server/variables_provided.tf

@@ -129,7 +129,7 @@ variable "test_oidc_bcsc_idp_client_id" {
 
 variable "prod_oidc_bcsc_idp_client_id" {
   type = string
-  default = "not.yet.implemented"
+  default = "ca.bc.gov.flnr.fam.prod"
 }
 
 # Networking Variables
@@ -257,9 +257,9 @@ variable "maximum_oidc_attribute_read_list" {
     "custom:idp_user_id",
     "custom:idp_username",
     "custom:keycloak_username",
-    "email", "email_verified",
+    "email",
+    "email_verified",
     "family_name",
-    "gender",
     "given_name",
     "locale",
     "middle_name",
@@ -293,7 +293,6 @@ variable "maximum_oidc_attribute_write_list" {
     "custom:keycloak_username",
     "email",
     "family_name",
-    "gender",
     "given_name",
     "locale",
     "middle_name",
@@ -312,7 +311,7 @@ variable "maximum_oidc_attribute_write_list" {
 # Variables for connecting Cognito to BCSC OIDC
 
 variable "use_override_proxy_endpoints" {
-  description = "Toggle for whether to execute flyway (suppress on terraform plan)"
+  description = "Toggle for whether to use proxy endpoints based on different AWS enviornment, or hardcode it"
   type = bool
   default = false
 }
@@ -335,6 +334,24 @@ variable "prod_override_bcsc_userinfo_proxy_endpoint" {
   default = "not used unless overridden in terragrunt"
 }
 
+variable "dev_override_bcsc_token_proxy_endpoint" {
+  description = "Endpoint for Cognito to get token for BCSC DEV environment"
+  type = string
+  default = "not used unless overridden in terragrunt"
+}
+
+variable "test_override_bcsc_token_proxy_endpoint" {
+  description = "Endpoint for Cognito to get token for BCSC TEST environment"
+  type = string
+  default = "not used unless overridden in terragrunt"
+}
+
+variable "prod_override_bcsc_token_proxy_endpoint" {
+  description = "Endpoint for Cognito to get token for BCSC PROD environment"
+  type = string
+  default = "not used unless overridden in terragrunt"
+}
+
 variable "dev_pr_url_count" {
   description = "Number of pull request redirect urls of Cognito dev clients"
   type = number

server/auth_function/lambda_function.py

@@ -22,7 +22,7 @@
 
 IDP_NAME_BCSC_DEV = "ca.bc.gov.flnr.fam.dev"
 IDP_NAME_BCSC_TEST = "ca.bc.gov.flnr.fam.test"
-IDP_NAME_BCSC_PROD = "ca.bc.gov.flnr.fam"
+IDP_NAME_BCSC_PROD = "ca.bc.gov.flnr.fam.prod"
 IDP_NAME_IDIR = "idir"
 IDP_NAME_BCEID_BUSINESS = "bceidbusiness"
 

server/auth_function/test/login_event_bcsc.json

@@ -25,7 +25,6 @@
             "address": "{'street_address':'4000 SEYMOUR PLACE','country':'CA','locality':'VICTORIA','region':'BC','postal_code':'V8Z 1C8'}",
             "birthdate": "1967-01-23",
             "custom:given_names": "GIVEnull GIVENTWO",
-            "gender": "unknown",
             "sub": "9c7d65b8-a0b1-70eb-bfba-caeadfdbbb48"
         }
     },

server/backend/api/app/routers/router_bcsc_proxy.py

@@ -16,7 +16,7 @@
 
 IDP_NAME_BCSC_DEV = "ca.bc.gov.flnr.fam.dev"
 IDP_NAME_BCSC_TEST = "ca.bc.gov.flnr.fam.test"
-IDP_NAME_BCSC_PROD = "ca.bc.gov.flnr.fam"
+IDP_NAME_BCSC_PROD = "ca.bc.gov.flnr.fam.prod"
 
 router = APIRouter()
 

terraform/dev/terragrunt.hcl

@@ -43,9 +43,12 @@ generate "dev_tfvars" {
   fam_console_idp_name_bceid = "TEST-BCEIDBUSINESS"
   forest_client_api_base_url = "https://nr-forest-client-api-test.api.gov.bc.ca"
   use_override_proxy_endpoints = true
-  dev_override_bcsc_userinfo_proxy_endpoint = "https://c727z9v3cc.execute-api.ca-central-1.amazonaws.com/v1/bcsc/userinfo/dev"
-  test_override_bcsc_userinfo_proxy_endpoint = "https://c727z9v3cc.execute-api.ca-central-1.amazonaws.com/v1/bcsc/userinfo/test"
-  prod_override_bcsc_userinfo_proxy_endpoint = "https://c727z9v3cc.execute-api.ca-central-1.amazonaws.com/v1/bcsc/userinfo/prod"
+  dev_override_bcsc_userinfo_proxy_endpoint = "https://6mud7781pe.execute-api.ca-central-1.amazonaws.com/v1/bcsc/userinfo/dev"
+  test_override_bcsc_userinfo_proxy_endpoint = "https://6mud7781pe.execute-api.ca-central-1.amazonaws.com/v1/bcsc/userinfo/test"
+  prod_override_bcsc_userinfo_proxy_endpoint = "https://6mud7781pe.execute-api.ca-central-1.amazonaws.com/v1/bcsc/userinfo/prod"
+  dev_override_bcsc_token_proxy_endpoint = "https://6mud7781pe.execute-api.ca-central-1.amazonaws.com/v1/bcsc/token/dev"
+  test_override_bcsc_token_proxy_endpoint = "https://6mud7781pe.execute-api.ca-central-1.amazonaws.com/v1/bcsc/token/test"
+  prod_override_bcsc_token_proxy_endpoint = "https://6mud7781pe.execute-api.ca-central-1.amazonaws.com/v1/bcsc/token/prod"
   idim_proxy_api_base_url = "https://nr-fam-idim-lookup-proxy-test-backend.apps.silver.devops.gov.bc.ca"
 EOF
 }

terraform/tools/terragrunt.hcl

@@ -43,10 +43,7 @@ generate "tools_tfvars" {
   fam_console_idp_name = "TEST-IDIR"
   fam_console_idp_name_bceid = "TEST-BCEIDBUSINESS"
   forest_client_api_base_url = "https://nr-forest-client-api-test.api.gov.bc.ca"
-  use_override_proxy_endpoints = true
-  dev_override_bcsc_userinfo_proxy_endpoint = "https://c727z9v3cc.execute-api.ca-central-1.amazonaws.com/v1/bcsc/userinfo/dev"
-  test_override_bcsc_userinfo_proxy_endpoint = "https://c727z9v3cc.execute-api.ca-central-1.amazonaws.com/v1/bcsc/userinfo/test"
-  prod_override_bcsc_userinfo_proxy_endpoint = "https://c727z9v3cc.execute-api.ca-central-1.amazonaws.com/v1/bcsc/userinfo/prod"
+  use_override_proxy_endpoints = false
   idim_proxy_api_base_url = "https://nr-fam-idim-lookup-proxy-test-backend.apps.silver.devops.gov.bc.ca"
 EOF
 }