Fix: [AEA-0000] - do not use cognito custom domain for pull request (#185)

anthony-nhs · dependabot[bot] · web-flow · commit b9883515d814 · 2024-11-19T11:22:10.000Z
## Summary

- Routine Change

### Details

- do not use custom cognito domain for pull request
- use argjson to pass boolean to cdk.json
- update to latest quality checks
- add secret scanning config

---------

Signed-off-by: dependabot[bot] &lt;support@github.com&gt;
Co-authored-by: dependabot[bot] &lt;49699333+dependabot[bot]@users.noreply.github.com&gt;
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -14,6 +14,8 @@
       "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind",
       "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
     ],
+    "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
+    "postAttachCommand": "docker build -f https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/tags/v4.0.4/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets . && poetry run pre-commit install --install-hooks -f",
     "features": {
       "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
         "version": "latest",
diff --git a/.gitallowed b/.gitallowed
@@ -0,0 +1,23 @@
+token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+token: ?"?\$\{\{\s*secrets\.DEPENDABOT_TOKEN\s*\}\}"?
+id-token: write
+accountId: "123456789012"
+token: `https:\/\/\${props\.fullCloudfrontDomain}\/api\/token`,
+token: `https:\/\/\${props\.fullCloudfrontDomain}\/api\/mocktoken`,
+target: RecordTarget.fromIpAddresses\("127.0.0.1"\),
+const token = jwks.token\({
+.SAMtemplates*
+.*\.gitallowed.*
+.test\/*
+.127\.0\.0\.1
+.token: newToken
+const token = await getToken()
+const token = new sam.CfnFunction\(this, 'Token', {
+const token = new nodeLambda.NodejsFunction\(this, "tokenLambda", {
+AWS_ACCOUNT_ID=591291862413
+const token = new .*\(this, "TokenResources", {
+token: props..*TokenEndpoint
+token: `\${baseApiGwUrl}\/.*[Tt]oken`
+token: `.*{props\.cloudfrontDomain}\/api\/token`
+packages\/auth_demo\/src\/App.tsx:150
diff --git a/.github/workflows/cdk_release_code.yml b/.github/workflows/cdk_release_code.yml
@@ -46,6 +46,8 @@ on:
         type: string
       useLocalhostCallback:
         type: boolean
+      useCustomCognitoDomain:
+        type: boolean
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE:
         required: true
@@ -139,7 +141,7 @@ jobs:
           --arg logRetentionInDays "${{ inputs.LOG_RETENTION_IN_DAYS }}" \
           --arg epsDomainName "${epsDomainName}" \
           --arg epsHostedZoneId "${epsHostedZoneId}" \
-          --arg allowAutoDeleteObjects "true" \
+          --argjson allowAutoDeleteObjects "true" \
           --arg cloudfrontDistributionId "${cloudfrontDistributionId}" \
           --arg cloudfrontCertArn "${cloudfrontCertArn}" \
           --arg useMockOidc "${{ inputs.useMockOidc }}" \
@@ -159,7 +161,8 @@ jobs:
           --arg mockOidcjwksEndpoint "${{ inputs.mockOidcjwksEndpoint }}" \
           --arg shortCloudfrontDomain "${shortCloudfrontDomain}" \
           --arg fullCloudfrontDomain "${fullCloudfrontDomain}" \
-          --arg useLocalhostCallback "${{ inputs.useLocalhostCallback }}" \
+          --argjson useCustomCognitoDomain "${{ inputs.useCustomCognitoDomain }}" \
+          --argjson useLocalhostCallback "${{ inputs.useLocalhostCallback }}" \
           '.context += {
             "serviceName": $serviceName,
             "VERSION_NUMBER": $VERSION_NUMBER,
@@ -187,6 +190,7 @@ jobs:
             "mockOidcTokenEndpoint": $mockOidcTokenEndpoint,
             "mockOidcUserInfoEndpoint": $mockOidcUserInfoEndpoint,
             "mockOidcjwksEndpoint": $mockOidcjwksEndpoint,
+            "useCustomCognitoDomain": $useCustomCognitoDomain,
             "useLocalhostCallback": $useLocalhostCallback}' \
           .build/cdk.json > .build/cdk.new.json
           mv .build/cdk.new.json .build/cdk.json
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ env:
 
 jobs:
   quality_checks:
-    uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0   
+    uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.4   
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
@@ -114,6 +114,7 @@ jobs:
       mockOidcUserInfoEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/userinfo"
       mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
       useLocalhostCallback: true
+      useCustomCognitoDomain: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -159,6 +160,7 @@ jobs:
       mockOidcUserInfoEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/userinfo"
       mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
       useLocalhostCallback: false
+      useCustomCognitoDomain: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.QA_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -9,7 +9,7 @@ env:
 
 jobs:
   quality_checks:
-    uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0
+    uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.4
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
@@ -79,6 +79,7 @@ jobs:
       mockOidcUserInfoEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/userinfo"
       mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
       useLocalhostCallback: true
+      useCustomCognitoDomain: false
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,7 +8,7 @@ env:
 
 jobs:
   quality_checks:
-    uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v3.0.0
+    uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@v4.0.4
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
@@ -133,6 +133,7 @@ jobs:
       mockOidcUserInfoEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/userinfo"
       mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
       useLocalhostCallback: true
+      useCustomCognitoDomain: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -177,6 +178,7 @@ jobs:
       mockOidcUserInfoEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/userinfo"
       mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
       useLocalhostCallback: false
+      useCustomCognitoDomain: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.REF_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.REF_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -206,6 +208,7 @@ jobs:
       mockOidcUserInfoEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/userinfo"
       mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
       useLocalhostCallback: false
+      useCustomCognitoDomain: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.QA_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -235,6 +238,7 @@ jobs:
       mockOidcUserInfoEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/userinfo"
       mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
       useLocalhostCallback: false
+      useCustomCognitoDomain: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.INT_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.INT_CLOUD_FORMATION_DEPLOY_ROLE }}
diff --git a/.github/workflows/release_all_stacks.yml b/.github/workflows/release_all_stacks.yml
@@ -40,6 +40,8 @@ on:
         type: string
       useLocalhostCallback:
         type: boolean
+      useCustomCognitoDomain:
+        type: boolean
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE:
         required: true
@@ -110,6 +112,7 @@ jobs:
       mockOidcUserInfoEndpoint: ${{ inputs.mockOidcUserInfoEndpoint }}
       mockOidcjwksEndpoint: ${{ inputs.mockOidcjwksEndpoint }}
       useLocalhostCallback: ${{ inputs.useLocalhostCallback }}
+      useCustomCognitoDomain: ${{ inputs.useCustomCognitoDomain }}
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -151,6 +154,7 @@ jobs:
       mockOidcUserInfoEndpoint: ${{ inputs.mockOidcUserInfoEndpoint }}
       mockOidcjwksEndpoint: ${{ inputs.mockOidcjwksEndpoint }}
       useLocalhostCallback: ${{ inputs.useLocalhostCallback }}
+      useCustomCognitoDomain: ${{ inputs.useCustomCognitoDomain }}
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -245,6 +249,7 @@ jobs:
       mockOidcUserInfoEndpoint: ${{ inputs.mockOidcUserInfoEndpoint }}
       mockOidcjwksEndpoint: ${{ inputs.mockOidcjwksEndpoint }}
       useLocalhostCallback: ${{ inputs.useLocalhostCallback }}
+      useCustomCognitoDomain: ${{ inputs.useCustomCognitoDomain }}
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -59,5 +59,14 @@ repos:
         types_or: [sh, shell]
         pass_filenames: false
 
+      - id: git-secrets
+        name: Git Secrets
+        description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+        entry: bash
+        args:
+          - -c
+          - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook'
+        language: system
+
 fail_fast: true
 default_stages: [pre-commit]
diff --git a/packages/cdk/bin/StatefulResourcesApp.ts b/packages/cdk/bin/StatefulResourcesApp.ts
@@ -18,6 +18,7 @@ const app = new App()
 const serviceName = app.node.tryGetContext("serviceName")
 const version = app.node.tryGetContext("VERSION_NUMBER")
 const commit = app.node.tryGetContext("COMMIT_ID")
+const useCustomCognitoDomain = app.node.tryGetContext("useCustomCognitoDomain")
 
 // add cdk-nag to everything
 Aspects.of(app).add(new AwsSolutionsChecks({verbose: true}))
@@ -31,7 +32,12 @@ Tags.of(app).add("cdkApp", "StatefulApp")
 const shortCloudfrontDomain = serviceName
 const parentCognitoDomain = `auth.${serviceName}`
 // shortCognitoDomain must be a subdomain of parentCognitoDomain
-const shortCognitoDomain = `login.${parentCognitoDomain}`
+let shortCognitoDomain
+if (useCustomCognitoDomain) {
+  shortCognitoDomain = `login.${parentCognitoDomain}`
+} else {
+  shortCognitoDomain = serviceName
+}
 
 const UsCerts = new UsCertsStack(app, "UsCertsStack", {
   env: {
diff --git a/packages/cdk/resources/Cognito.ts b/packages/cdk/resources/Cognito.ts
@@ -44,6 +44,7 @@ export interface CognitoProps {
   readonly cognitoCertificate: ICertificate
   readonly hostedZone: IHostedZone
   readonly useLocalhostCallback: boolean
+  readonly useCustomCognitoDomain: boolean
 }
 
 /**
@@ -64,25 +65,35 @@ export class Cognito extends Construct {
       removalPolicy: RemovalPolicy.DESTROY
     })
 
-    const userPoolDomain = new UserPoolDomain(this, "UserPoolDomain", {
-      userPool,
-      customDomain: {
-        domainName: props.fullCognitoDomain,
-        certificate: props.cognitoCertificate
-      }
-    })
+    let userPoolDomain: UserPoolDomain
+    if (props.useCustomCognitoDomain) {
+      userPoolDomain = new UserPoolDomain(this, "UserPoolDomain", {
+        userPool,
+        customDomain: {
+          domainName: props.fullCognitoDomain,
+          certificate: props.cognitoCertificate
+        }
+      })
 
-    new ARecord(this, "UserPoolCloudFrontAliasIpv4Record", {
-      zone: props.hostedZone,
-      recordName: props.shortCognitoDomain,
-      target: RecordTarget.fromAlias(new UserPoolDomainTarget(userPoolDomain))
-    })
+      new ARecord(this, "UserPoolCloudFrontAliasIpv4Record", {
+        zone: props.hostedZone,
+        recordName: props.shortCognitoDomain,
+        target: RecordTarget.fromAlias(new UserPoolDomainTarget(userPoolDomain))
+      })
 
-    new AaaaRecord(this, "UserPoolCloudFrontAliasIpv6Record", {
-      zone: props.hostedZone,
-      recordName: props.shortCognitoDomain,
-      target: RecordTarget.fromAlias(new UserPoolDomainTarget(userPoolDomain))
-    })
+      new AaaaRecord(this, "UserPoolCloudFrontAliasIpv6Record", {
+        zone: props.hostedZone,
+        recordName: props.shortCognitoDomain,
+        target: RecordTarget.fromAlias(new UserPoolDomainTarget(userPoolDomain))
+      })
+    } else {
+      userPoolDomain = new UserPoolDomain(this, "UserPoolDomain", {
+        userPool,
+        cognitoDomain: {
+          domainPrefix: props.shortCognitoDomain
+        }
+      })
+    }
 
     // these are the endpoints that are added to user pool identity provider
     // note we override the token endpoint to point back to our custom token
diff --git a/packages/cdk/stacks/StatefulResourcesStack.ts b/packages/cdk/stacks/StatefulResourcesStack.ts
@@ -53,15 +53,16 @@ export class StatefulResourcesStack extends Stack {
     const mockOidcjwksEndpoint = this.node.tryGetContext("mockOidcjwksEndpoint")
     const mockTokenEndpoint = this.node.tryGetContext("mockTokenEndpoint")
 
-    const useMockOidc = this.node.tryGetContext("useMockOidc")
+    const useMockOidc: boolean = this.node.tryGetContext("useMockOidc")
+    const useCustomCognitoDomain: boolean = this.node.tryGetContext("useCustomCognitoDomain")
 
     const epsDomainName: string = this.node.tryGetContext("epsDomainName")
     const epsHostedZoneId: string = this.node.tryGetContext("epsHostedZoneId")
 
-    const allowAutoDeleteObjects: boolean = this.node.tryGetContext("allowAutoDeleteObjects") === "true"
+    const allowAutoDeleteObjects: boolean = this.node.tryGetContext("allowAutoDeleteObjects")
     const cloudfrontDistributionId: string = this.node.tryGetContext("cloudfrontDistributionId")
 
-    const useLocalhostCallback = this.node.tryGetContext("useLocalhostCallback")
+    const useLocalhostCallback: boolean = this.node.tryGetContext("useLocalhostCallback")
 
     // Imports
     const auditLoggingBucketImport = Fn.importValue("account-resources:AuditLoggingBucket")
@@ -108,7 +109,8 @@ export class StatefulResourcesStack extends Stack {
       fullCloudfrontDomain: props.fullCloudfrontDomain,
       cognitoCertificate: props.cognitoCertificate,
       hostedZone: hostedZone,
-      useLocalhostCallback: useLocalhostCallback
+      useLocalhostCallback: useLocalhostCallback,
+      useCustomCognitoDomain: useCustomCognitoDomain
     })
 
     // - Dynamodb table for user state
diff --git a/packages/cdk/stacks/StatelessResourcesStack.ts b/packages/cdk/stacks/StatelessResourcesStack.ts
@@ -68,7 +68,7 @@ export class StatelessResourcesStack extends Stack {
     const mockOidcUserInfoEndpoint = this.node.tryGetContext("mockOidcUserInfoEndpoint")
     const mockOidcjwksEndpoint = this.node.tryGetContext("mockOidcjwksEndpoint")
 
-    const useMockOidc = this.node.tryGetContext("useMockOidc")
+    const useMockOidc: boolean = this.node.tryGetContext("useMockOidc")
 
     // Imports
     const baseImportPath = `${props.serviceName}-stateful-resources`
diff --git a/packages/cdk/stacks/UsCertsStack.ts b/packages/cdk/stacks/UsCertsStack.ts
@@ -36,6 +36,7 @@ export class UsCertsStack extends Stack {
     /* context values passed as --context cli arguments are passed as strings so coerce them to expected types*/
     const epsDomainName: string = this.node.tryGetContext("epsDomainName")
     const epsHostedZoneId: string = this.node.tryGetContext("epsHostedZoneId")
+    const useCustomCognitoDomain: boolean = this.node.tryGetContext("useCustomCognitoDomain")
 
     // Coerce context and imports to relevant types
     const hostedZone = HostedZone.fromHostedZoneAttributes(this, "hostedZone", {
@@ -45,7 +46,7 @@ export class UsCertsStack extends Stack {
 
     // calculate full domain names
     const fullCloudfrontDomain = `${props.shortCloudfrontDomain}.${epsDomainName}`
-    const fullCognitoDomain = `${props.shortCognitoDomain}.${epsDomainName}`
+    let fullCognitoDomain
 
     // Resources
     // - Cloudfront Cert
@@ -54,18 +55,26 @@ export class UsCertsStack extends Stack {
       validation: CertificateValidation.fromDns(hostedZone)
     })
 
-    // - cognito cert
-    const cognitoCertificate = new Certificate(this, "CogniteCertificate", {
-      domainName: fullCognitoDomain,
-      validation: CertificateValidation.fromDns(hostedZone)
-    })
+    if (useCustomCognitoDomain) {
+      fullCognitoDomain = `${props.shortCognitoDomain}.${epsDomainName}`
 
-    // we need an DNS A record for custom cognito domain to work
-    new ARecord(this, "CognitoARecord", {
-      zone: hostedZone,
-      target: RecordTarget.fromIpAddresses("127.0.0.1"),
-      recordName:  `${props.parentCognitoDomain}.${epsDomainName}`
-    })
+      // - cognito cert
+      const cognitoCertificate = new Certificate(this, "CognitoCertificate", {
+        domainName: fullCognitoDomain,
+        validation: CertificateValidation.fromDns(hostedZone)
+      })
+
+      // we need an DNS A record for custom cognito domain to work
+      new ARecord(this, "CognitoARecord", {
+        zone: hostedZone,
+        target: RecordTarget.fromIpAddresses("127.0.0.1"),
+        recordName:  `${props.parentCognitoDomain}.${epsDomainName}`
+      })
+
+      this.cognitoCertificate = cognitoCertificate
+    } else {
+      fullCognitoDomain = `${props.shortCognitoDomain}.auth.eu-west-2.amazoncognito.com`
+    }
 
     // Outputs
 
@@ -82,6 +91,7 @@ export class UsCertsStack extends Stack {
       value: fullCloudfrontDomain,
       exportName: `${props.stackName}:fullCloudfrontDomain:Name`
     })
+
     new CfnOutput(this, "shortCognitoDomain", {
       value: props.shortCognitoDomain,
       exportName: `${props.stackName}:shortCognitoDomain:Name`
@@ -90,8 +100,8 @@ export class UsCertsStack extends Stack {
       value: fullCognitoDomain,
       exportName: `${props.stackName}:fullCognitoDomain:Name`
     })
+
     this.fullCloudfrontDomain = fullCloudfrontDomain
-    this.cognitoCertificate = cognitoCertificate
     this.fullCognitoDomain = fullCognitoDomain
   }
 }
