changes to secure dbt docs using microsoft sso (#31)

* changes to secure dbt docs using microsoft sso

* updates to dbt sso modules

* dynamic temp dir

* added support for multiple static sites

* changes to fix lambda deployment

Author: entechlog

.gitignore

@@ -593,4 +593,10 @@ payload.zip
 *.crt
 *.cert
 *.key
-*.ovpn
+*.ovpn
+
+# NPM
+package-lock.json
+.node_install*
+temp/
+artifacts/

dbt-docs/terraform/cloudfront-microsoft-sso/README.md

@@ -0,0 +1,111 @@
+# Microsoft Entra ID SSO for CloudFront
+
+A Terraform module to implement Microsoft Entra ID (Azure AD) authentication for CloudFront static websites using Lambda@Edge.
+
+## Architecture
+
+![Authentication Flow](auth-flow-diagram.svg)
+
+## How It Works
+
+1. User requests protected content from CloudFront
+2. Auth Lambda checks for valid session cookie
+3. If no valid session, user is redirected to Microsoft login
+4. User authenticates with Microsoft Entra ID
+5. Microsoft returns authorization code to callback URL
+6. Callback Lambda exchanges code for access and ID tokens
+7. Microsoft returns tokens to Callback Lambda
+8. Callback Lambda sets secure cookie and redirects to original URL
+9. Authenticated user receives protected content
+
+## Quick Start
+
+### 1. Register Microsoft Entra ID Application
+
+1. Create app registration in Microsoft Entra ID / Azure AD
+2. Set redirect URL to `https://your-domain.com/callback`
+3. Note the client ID, tenant ID, and create a client secret
+
+### 2. Store Credentials
+
+Create a secret in AWS Secrets Manager:
+
+```json
+{
+  "tenant": "your-tenant-id",
+  "client_id": "your-client-id",
+  "client_secret": "your-client-secret",
+  "redirect_uri": "https://your-domain.com/callback"
+}
+```
+
+### 3. Deploy Module
+
+```hcl
+module "sso_auth" {
+  source = "path/to/cloudfront-microsoft-sso"
+
+  name_prefix    = "example"
+  app_code       = "docs"
+  lambda_runtime = "nodejs18.x"
+  sso_config_arn = aws_secretsmanager_secret.sso_config.arn
+}
+```
+
+### 4. Configure CloudFront
+
+```hcl
+resource "aws_cloudfront_distribution" "distribution" {
+  # ... other configuration ...
+  
+  default_cache_behavior {
+    # ... other settings ...
+    
+    lambda_function_association {
+      event_type = "viewer-request"
+      lambda_arn = module.sso_auth.authenticator_lambda_arn
+      include_body = false
+    }
+  }
+  
+  ordered_cache_behavior {
+    path_pattern = "/callback*"
+    # ... other settings ...
+    
+    lambda_function_association {
+      event_type = "viewer-request"
+      lambda_arn = module.sso_auth.callback_lambda_arn
+      include_body = false
+    }
+  }
+}
+```
+
+## Module Inputs
+
+| Name | Description | Type | Required |
+|------|-------------|------|----------|
+| name_prefix | Prefix for resource names | string | Yes |
+| app_code | Application identifier | string | Yes |
+| lambda_runtime | Node.js runtime | string | Yes |
+| sso_config_arn | Secret ARN | string | Yes |
+
+## Module Outputs
+
+| Name | Description |
+|------|-------------|
+| authenticator_lambda_arn | Authenticator Lambda ARN |
+| callback_lambda_arn | Callback Lambda ARN |
+
+## Troubleshooting
+
+- **403 Errors**: Check IAM permissions and Lambda execution role
+- **Redirect Issues**: Verify redirect URI matches exactly across all configurations
+- **Cookie Problems**: Ensure CloudFront distribution and cookie domain match
+
+## Security Features
+
+- HTTP-only secure cookies
+- Credentials stored in AWS Secrets Manager
+- Edge authentication with Lambda@Edge
+- No client-side credential exposure

dbt-docs/terraform/cloudfront-microsoft-sso/auth-flow-diagram.svg

@@ -0,0 +1,3 @@
+locals {
+  resource_name_prefix = var.use_env_code_flag ? "${lower(var.env_code)}-${lower(var.project_code)}" : "${lower(var.project_code)}"
+}

dbt-docs/terraform/cloudfront-microsoft-sso/locals.tf

@@ -0,0 +1,23 @@
+# dbt docs
+module "dbt_sso_auth" {
+  source = "../modules/cloudfront-microsoft-sso"
+
+  name_prefix      = local.resource_name_prefix
+  app_code         = "dbt-docs"
+  enable_auth_flag = true
+
+  lambda_runtime = "nodejs18.x"
+  sso_config_arn = aws_secretsmanager_secret.dbt_sso_config.arn
+}
+
+# elementary data
+module "elementary_sso_auth" {
+  source = "../modules/cloudfront-microsoft-sso"
+
+  name_prefix      = local.resource_name_prefix
+  app_code         = "elementary-data"
+  enable_auth_flag = true
+
+  lambda_runtime = "nodejs18.x"
+  sso_config_arn = aws_secretsmanager_secret.elementary_sso_config.arn
+}

dbt-docs/terraform/cloudfront-microsoft-sso/main.tf

@@ -0,0 +1,25 @@
+output "dbt__cloudfront_distribution__domain_name" {
+  value = module.dbt_sso_auth.cloudfront_distribution__domain_name
+}
+
+output "dbt__aws_s3_bucket__arn" {
+  value = module.dbt_sso_auth.aws_s3_bucket__arn
+}
+
+output "dbt__secret_arn" {
+  description = "The ARN of the SSO secret"
+  value       = aws_secretsmanager_secret.dbt_sso_config.arn
+}
+
+output "elementary__cloudfront_distribution__domain_name" {
+  value = module.elementary_sso_auth.cloudfront_distribution__domain_name
+}
+
+output "elementary__aws_s3_bucket__arn" {
+  value = module.elementary_sso_auth.aws_s3_bucket__arn
+}
+
+output "elementary__secret_arn" {
+  description = "The ARN of the SSO secret"
+  value       = aws_secretsmanager_secret.elementary_sso_config.arn
+}

dbt-docs/terraform/cloudfront-microsoft-sso/output.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "4.59.0"
+    }
+  }
+}
+
+provider "aws" {
+  region  = var.aws_region
+  profile = "terraform"
+
+  default_tags {
+    tags = {
+      "environment" = "${lower(var.env_code)}"
+      "created_by"  = "terraform"
+    }
+  }
+}

dbt-docs/terraform/cloudfront-microsoft-sso/providers.tf

@@ -0,0 +1,31 @@
+resource "aws_secretsmanager_secret" "dbt_sso_config" {
+  name                    = "dbt-sso-secret"
+  description             = "SSO config (tenant, client_id, client_secret, redirect_uri)"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "dbt_sso_config_version" {
+  secret_id = aws_secretsmanager_secret.dbt_sso_config.id
+  secret_string = jsonencode({
+    tenant        = var.dbt_sso_tenant_id
+    client_id     = var.dbt_sso_client_id
+    client_secret = var.dbt_sso_client_secret
+    redirect_uri  = var.dbt_sso_redirect_uri
+  })
+}
+
+resource "aws_secretsmanager_secret" "elementary_sso_config" {
+  name                    = "elementary-sso-secret"
+  description             = "SSO config (tenant, client_id, client_secret, redirect_uri)"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "elementary_sso_config_version" {
+  secret_id = aws_secretsmanager_secret.elementary_sso_config.id
+  secret_string = jsonencode({
+    tenant        = var.dbt_sso_tenant_id
+    client_id     = var.dbt_sso_client_id
+    client_secret = var.dbt_sso_client_secret
+    redirect_uri  = var.elementary_sso_redirect_uri
+  })
+}

dbt-docs/terraform/cloudfront-microsoft-sso/secretsmanager.tf

@@ -0,0 +1,12 @@
+env_code          = "dev"
+project_code      = "entechlog"
+aws_region        = "us-east-1"
+use_env_code_flag = true
+
+dbt_sso_tenant_id     = ""
+dbt_sso_client_id     = ""
+dbt_sso_client_secret = ""
+dbt_sso_redirect_uri  = ""
+elementary_sso_redirect_uri = ""
+
+lambda_runtime = "nodejs18.x"