CCM-10333: save clientId on templates (#529)

Author: alexnuttall

infrastructure/terraform/components/sandbox/README.md

@@ -25,6 +25,7 @@ No requirements.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_backend_api"></a> [backend\_api](#module\_backend\_api) | ../../modules/backend-api | n/a |
+| <a name="module_cognito_triggers"></a> [cognito\_triggers](#module\_cognito\_triggers) | ../../modules/cognito-triggers | n/a |
 ## Outputs
 
 | Name | Description |

infrastructure/terraform/components/sandbox/aws_cognito_user_pool_sandbox.tf

@@ -1,3 +1,18 @@
 resource "aws_cognito_user_pool" "sandbox" {
   name = local.csi
+
+  lambda_config {
+    pre_token_generation_config {
+      lambda_arn     = module.cognito_triggers.pre_token_generation_lambda_function_arn
+      lambda_version = "V2_0"
+    }
+  }
+
+  schema {
+    name                = "sbx_client_id"
+    attribute_data_type = "String"
+    mutable             = true
+    required            = false
+    string_attribute_constraints {}
+  }
 }

infrastructure/terraform/components/sandbox/module_cognito_triggers.tf

@@ -0,0 +1,15 @@
+module "cognito_triggers" {
+  source = "../../modules/cognito-triggers"
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+  group          = var.group
+
+  function_s3_bucket    = local.acct.s3_buckets["artefacts"]["id"]
+  kms_key_arn           = data.aws_kms_key.sandbox.arn
+  log_retention_in_days = var.log_retention_in_days
+  user_pool_id          = aws_cognito_user_pool.sandbox.id
+}

infrastructure/terraform/modules/backend-api/spec.tmpl.json

@@ -8,10 +8,16 @@
           },
           {
             "properties": {
+              "clientId": {
+                "type": "string"
+              },
               "createdAt": {
                 "format": "date-time",
                 "type": "string"
               },
+              "createdBy": {
+                "type": "string"
+              },
               "id": {
                 "type": "string"
               },
@@ -21,12 +27,15 @@
               "updatedAt": {
                 "format": "date-time",
                 "type": "string"
+              },
+              "updatedBy": {
+                "type": "string"
               }
             },
             "required": [
+              "createdAt",
               "id",
               "templateStatus",
-              "createdAt",
               "updatedAt"
             ],
             "type": "object"

infrastructure/terraform/modules/cognito-triggers/README.md

@@ -0,0 +1,34 @@
+<!-- BEGIN_TF_DOCS -->
+<!-- markdownlint-disable -->
+<!-- vale off -->
+
+## Requirements
+
+No requirements.
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
+| <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"cog"` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
+| <a name="input_function_s3_bucket"></a> [function\_s3\_bucket](#input\_function\_s3\_bucket) | Name of S3 bucket to upload lambda artefacts to | `string` | n/a | yes |
+| <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
+| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key ARN | `string` | n/a | yes |
+| <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
+| <a name="input_user_pool_id"></a> [user\_pool\_id](#input\_user\_pool\_id) | ID of the Cognito user pool the triggers should be applied to | `string` | n/a | yes |
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_pre_token_generation_lambda"></a> [pre\_token\_generation\_lambda](#module\_pre\_token\_generation\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.11 |
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_pre_token_generation_lambda_function_arn"></a> [pre\_token\_generation\_lambda\_function\_arn](#output\_pre\_token\_generation\_lambda\_function\_arn) | n/a |
+<!-- vale on -->
+<!-- markdownlint-enable -->
+<!-- END_TF_DOCS -->

infrastructure/terraform/modules/cognito-triggers/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  lambdas_dir = "../../../../lambdas"
+}

infrastructure/terraform/modules/cognito-triggers/module_pre_token_generation_lambda.tf

@@ -0,0 +1,33 @@
+module "pre_token_generation_lambda" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda?ref=v2.0.11"
+
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+  aws_account_id = var.aws_account_id
+  region         = var.region
+
+  function_name = "pre-token-generation"
+  description   = "Pre token generation handler for Cognito user pool"
+
+  function_s3_bucket      = var.function_s3_bucket
+  function_code_base_path = local.lambdas_dir
+  function_code_dir       = "cognito-triggers/dist"
+  function_module_name    = "pre-token-generation"
+  handler_function_name   = "handler"
+
+  memory  = 512
+  timeout = 3
+  runtime = "nodejs20.x"
+
+  kms_key_arn           = var.kms_key_arn
+  log_retention_in_days = var.log_retention_in_days
+
+  permission_statements = [{
+    statement_id   = "AllowCognitoInvoke"
+    principal      = "cognito-idp.amazonaws.com"
+    action         = "lambda:InvokeFunction"
+    source_arn     = "arn:aws:cognito-idp:${var.region}:${var.aws_account_id}:userpool/${var.user_pool_id}"
+    source_account = var.aws_account_id
+  }]
+}

infrastructure/terraform/modules/cognito-triggers/outputs.tf

@@ -0,0 +1,3 @@
+output "pre_token_generation_lambda_function_arn" {
+  value = module.pre_token_generation_lambda.function_arn
+}

infrastructure/terraform/modules/cognito-triggers/variables.tf

@@ -0,0 +1,64 @@
+##
+# Basic Required Variables for tfscaffold Components
+##
+
+variable "project" {
+  type        = string
+  description = "The name of the tfscaffold project"
+}
+
+variable "environment" {
+  type        = string
+  description = "The name of the tfscaffold environment"
+}
+
+variable "aws_account_id" {
+  type        = string
+  description = "The AWS Account ID (numeric)"
+}
+
+variable "region" {
+  type        = string
+  description = "The AWS Region"
+}
+
+variable "group" {
+  type        = string
+  description = "The group variables are being inherited from (often synonmous with account short-name)"
+}
+
+
+##
+# tfscaffold variables specific to this component
+##
+
+variable "component" {
+  type        = string
+  description = "The variable encapsulating the name of this component"
+  default     = "cog"
+}
+
+##
+# Variables specific to this component
+##
+
+variable "log_retention_in_days" {
+  type        = number
+  description = "The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite"
+  default     = 0
+}
+
+variable "kms_key_arn" {
+  type        = string
+  description = "KMS key ARN"
+}
+
+variable "function_s3_bucket" {
+  type        = string
+  description = "Name of S3 bucket to upload lambda artefacts to"
+}
+
+variable "user_pool_id" {
+  type        = string
+  description = "ID of the Cognito user pool the triggers should be applied to"
+}

lambdas/authorizer/src/index.ts

@@ -20,7 +20,7 @@ const generateMethodArn = (
 const generatePolicy = (
   Resource: string,
   Effect: 'Allow' | 'Deny',
-  context?: { user: string }
+  context?: { user: string; clientId?: string }
 ) => ({
   principalId: 'api-caller',
   policyDocument: {
@@ -36,10 +36,8 @@ const generatePolicy = (
   context,
 });
 
-export const handler: APIGatewayRequestAuthorizerHandler = async ({
-  headers,
-  requestContext,
-}) => {
+export const handler: APIGatewayRequestAuthorizerHandler = async (event) => {
+  const { headers, requestContext } = event;
   const methodArn = generateMethodArn(requestContext);
 
   if (!headers?.Authorization) {
@@ -69,6 +67,7 @@ export const handler: APIGatewayRequestAuthorizerHandler = async ({
   if (authResult.success) {
     return generatePolicy(methodArn, 'Allow', {
       user: authResult.subject,
+      clientId: authResult.clientId,
     });
   }