Merge pull request #38 from nearform/current

v0.1.18

CHANGELOG.md

@@ -4,7 +4,11 @@ All notable changes to this project will be documented in this file.
 
 
 ## Unreleased
+- Added: Optional parameters "security_allow_no_token"
+- Added: Optional parameters "security_token_lifetime_no_refresh"
 
+## [0.1.17] 2020-12-18
+- Added: optional SMS cleanup lambda
 
 ## [0.1.16] 2020-12-14
 - Added: Missing variables for proxy URLs

alb.tf

@@ -1,3 +1,99 @@
+# #########################################
+# ALB ADMIN
+# #########################################
+module "alb_admin_sg" {
+  source      = "./modules/security-group"
+  open_egress = true
+  name        = format("%s-%s", module.labels.id, "alb-admin")
+  environment = var.environment
+  vpc_id      = module.vpc.vpc_id
+  tags        = module.labels.tags
+}
+
+resource "aws_security_group_rule" "alb_admin_http_ingress" {
+  description       = "Allows connection on port 80 from anywhere"
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = module.alb_admin_sg.id
+}
+
+resource "aws_lb" "admin" {
+  name                             = format("%s-%s", module.labels.id, "admin")
+  internal                         = false
+  subnets                          = module.vpc.public_subnets
+  security_groups                  = ["${module.alb_admin_sg.id}"]
+  enable_cross_zone_load_balancing = true
+  enable_http2                     = true
+  ip_address_type                  = "dualstack"
+  enable_deletion_protection       = true
+  tags                             = module.labels.tags
+
+  access_logs {
+    bucket  = module.alb_logs.aws_logs_bucket
+    prefix  = "admin"
+    enabled = true
+  }
+}
+
+resource "aws_lb_target_group" "admin" {
+  name                 = format("%s-%s", module.labels.id, "admin")
+  port                 = var.admin_listening_port
+  protocol             = var.admin_listening_protocol
+  vpc_id               = module.vpc.vpc_id
+  deregistration_delay = 10
+  target_type          = "ip"
+
+  health_check {
+    path                = var.health_check_path
+    matcher             = var.health_check_matcher
+    interval            = var.health_check_interval
+    timeout             = var.health_check_timeout
+    healthy_threshold   = var.health_check_healthy_threshold
+    unhealthy_threshold = var.health_check_unhealthy_threshold
+  }
+
+  tags = module.labels.tags
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_lb_listener" "admin_http" {
+  load_balancer_arn = aws_lb.admin.id
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type = "fixed-response"
+
+    fixed_response {
+      content_type = "text/plain"
+      message_body = "Forbidden"
+      status_code  = "403"
+    }
+  }
+}
+
+resource "aws_lb_listener_rule" "admin_header_check" {
+  listener_arn = aws_lb_listener.admin_http.arn
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.admin.arn
+  }
+
+  condition {
+    http_header {
+      http_header_name = "X-Routing-Secret"
+      values           = [jsondecode(data.aws_secretsmanager_secret_version.api_gateway_header.secret_string)["header-secret"]]
+    }
+  }
+}
+
 # #########################################
 # ALB API
 # #########################################
@@ -178,7 +274,7 @@ module "alb_logs" {
   source  = "trussworks/logs/aws"
   version = "8.2.0"
 
-  alb_logs_prefixes       = ["api", "push"]
+  alb_logs_prefixes       = ["admin", "api", "push"]
   allow_alb               = true
   default_allow           = false
   force_destroy           = true

cognito.tf

@@ -0,0 +1,68 @@
+locals {
+  enable_domain_count = var.enable_dns && var.enable_certificates ? 1 : 0
+}
+resource "aws_cognito_user_pool" "admin_user_pool" {
+  name                = "${module.labels.id}-admin-userpool"
+  username_attributes = ["email"]
+}
+
+resource "aws_cognito_user_pool_client" "user_pool_client" {
+  name                         = "${module.labels.id}-admin-userpool-client"
+  user_pool_id                 = aws_cognito_user_pool.admin_user_pool.id
+  allowed_oauth_flows          = ["code", "implicit"]
+  callback_urls                = ["http://localhost"]
+  default_redirect_uri         = "http://localhost"
+  allowed_oauth_scopes         = ["phone", "email", "openid", "profile", "aws.cognito.signin.user.admin"]
+  supported_identity_providers = ["COGNITO"]
+}
+
+resource "aws_cognito_user_pool_domain" "main" {
+  count           = local.enable_domain_count
+  domain          = format("%s-login.%s", module.labels.id, var.route53_zone)
+  user_pool_id    = aws_cognito_user_pool.admin_user_pool.id
+  certificate_arn = aws_acm_certificate.wildcard_cert_us[0].arn
+}
+
+resource "aws_route53_record" "auth_cognito_A_record" {
+  count    = local.enable_domain_count
+  provider = aws.dns
+  name     = aws_cognito_user_pool_domain.main[0].domain
+  type     = "A"
+  zone_id  = data.aws_route53_zone.primary[0].id
+  alias {
+    evaluate_target_health = false
+    name                   = aws_cognito_user_pool_domain.main[0].cloudfront_distribution_arn
+    # This zone_id is fixed
+    zone_id = "Z2FDTNDATAQYW2"
+  }
+}
+
+resource "aws_cognito_user_group" "settings_read" {
+  name         = "settings-read"
+  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
+}
+
+resource "aws_cognito_user_group" "settings_write" {
+  name         = "settings-write"
+  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
+}
+
+resource "aws_cognito_user_group" "otc_send" {
+  name         = "otc-send"
+  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
+}
+
+resource "aws_cognito_user_group" "qr_admin" {
+  name         = "qr-admin"
+  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
+}
+
+resource "aws_cognito_user_group" "qr_user" {
+  name         = "qr-user"
+  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
+}
+
+resource "aws_cognito_user_group" "manage_users" {
+  name         = "manage-users"
+  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
+}

docs/admin.md

@@ -0,0 +1,9 @@
+# Admin Web App
+
+## Requirements
+
+### DNS Root Record for Cognito
+
+In order to configure cognito, a DNS Root `A` record **must** be set on domain's DNS table. 
+
+Any target will work, even a fake IP address, Cognito must see that this record is just _present_.

docs/secrets-parameters.md

@@ -160,7 +160,7 @@ The format of the secret is as follows:
 }
 ```
 
-#### jwt Secret
+#### jwt Secretdevice_check
 The `jwt` secret is used for signing the JSON Web Tokens with the HMAC algorithm. These are issued to users for API authentication,
 and the signature is checked by the service to ensure their legitimacy.
 
@@ -209,3 +209,7 @@ The format of the secret is as follows:
 #### Notice Secret
 The `notice` secret contains the information required for self isolation notices.
 The format varies depending on tenant as there are implementation specific details.
+
+### Push Service Token
+Token used by the backend to authenticate on the push service.
+This is used when the admin backend needs to send an OTC to users

ecr.tf

@@ -37,6 +37,7 @@ data "aws_iam_policy_document" "write" {
     ]
 
     resources = [
+      aws_ecr_repository.admin.arn,
       aws_ecr_repository.api.arn,
       aws_ecr_repository.push.arn
     ]
@@ -59,6 +60,7 @@ data "aws_iam_policy_document" "read" {
     ]
 
     resources = [
+      aws_ecr_repository.admin.arn,
       aws_ecr_repository.api.arn,
       aws_ecr_repository.push.arn
     ]
@@ -119,6 +121,22 @@ locals {
 EOF
 }
 
+resource "aws_ecr_repository" "admin" {
+  name = "${var.namespace}/admin"
+
+  tags = module.labels.tags
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "admin_policy" {
+  repository = aws_ecr_repository.admin.name
+
+  policy = local.image_rotation_policy
+}
+
 resource "aws_ecr_repository" "api" {
   name = "${var.namespace}/api"