changes to secure dbt docs using microsoft sso

Author: entechlog

dbt-docs/terraform/cloudfront-microsoft-sso/main.tf

@@ -0,0 +1,14 @@
+# main.tf
+module "sso_auth" {
+  source = "../modules/cloudfront-microsoft-sso"
+
+  env_code          = var.env_code
+  project_code      = var.project_code
+  app_code          = var.app_code
+  aws_region        = var.aws_region
+  use_env_code_flag = var.use_env_code_flag
+  enable_auth_flag  = var.enable_auth_flag
+
+  lambda_runtime = var.lambda_runtime
+  sso_config_arn = aws_secretsmanager_secret.sso_config.arn
+}

dbt-docs/terraform/cloudfront-microsoft-sso/output.tf

@@ -0,0 +1,12 @@
+output "dbt__cloudfront_distribution__domain_name" {
+  value = module.sso_auth.cloudfront_distribution__domain_name
+}
+
+output "dbt__aws_s3_bucket__arn" {
+  value = module.sso_auth.aws_s3_bucket__arn
+}
+
+output "dbt__secret_arn" {
+  description = "The ARN of the SSO secret"
+  value       = aws_secretsmanager_secret.sso_config.arn
+}

dbt-docs/terraform/cloudfront-microsoft-sso/providers.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "4.59.0"
+    }
+  }
+}
+
+provider "aws" {
+  region  = var.aws_region
+  profile = "terraform"
+
+  default_tags {
+    tags = {
+      "environment" = "${lower(var.env_code)}"
+      "created_by"  = "terraform"
+    }
+  }
+}

dbt-docs/terraform/cloudfront-microsoft-sso/secretsmanager.tf

@@ -0,0 +1,15 @@
+resource "aws_secretsmanager_secret" "sso_config" {
+  name                    = "dbt-sso-secret"
+  description             = "SSO config (tenant, client_id, client_secret, redirect_uri)"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "sso_config_version" {
+  secret_id = aws_secretsmanager_secret.sso_config.id
+  secret_string = jsonencode({
+    tenant        = var.sso_tenant_id
+    client_id     = var.sso_client_id
+    client_secret = var.sso_client_secret
+    redirect_uri  = var.sso_redirect_uri
+  })
+}

dbt-docs/terraform/cloudfront-microsoft-sso/terraform.tfvars.template

@@ -0,0 +1,13 @@
+env_code          = "dev"
+project_code      = "entechlog"
+app_code          = "dbt-docs"
+aws_region        = "us-east-1"
+use_env_code_flag = true
+enable_auth_flag  = true
+
+sso_tenant_id     = ""
+sso_client_id     = ""
+sso_client_secret = ""
+sso_redirect_uri  = ""
+
+lambda_runtime = "nodejs16.x"

dbt-docs/terraform/cloudfront-microsoft-sso/variables.tf

@@ -0,0 +1,64 @@
+variable "env_code" {
+  type        = string
+  description = "Environmental code to identify the target environment"
+  default     = "dev"
+}
+
+variable "project_code" {
+  type        = string
+  description = "Project code used as a prefix for resource names"
+  default     = "entechlog"
+}
+
+variable "app_code" {
+  type        = string
+  description = "Application code used as a prefix for resource names"
+  default     = "dbt-docs"
+}
+
+variable "aws_region" {
+  type        = string
+  description = "Primary region for all AWS resources"
+  default     = "us-east-1"
+}
+
+variable "use_env_code_flag" {
+  type        = bool
+  description = "Toggle on/off the env code in resource names"
+  default     = true
+}
+
+variable "enable_auth_flag" {
+  type        = bool
+  description = "Toggle on/off the SSO authentication"
+  default     = true
+}
+
+# -- SSO details: you will store these in Secrets Manager outside the module
+variable "sso_tenant_id" {
+  type        = string
+  description = "Tenant ID for the SSO config"
+}
+
+variable "sso_client_id" {
+  type        = string
+  description = "Client ID for the SSO config"
+}
+
+variable "sso_client_secret" {
+  type        = string
+  description = "Client Secret for the SSO config"
+  sensitive   = true
+}
+
+variable "sso_redirect_uri" {
+  type        = string
+  description = "Redirect URI for the SSO flow"
+}
+
+# Optional override for Node.js runtime (the module defaults to nodejs18.x if not specified)
+variable "lambda_runtime" {
+  type        = string
+  description = "Runtime for the Lambda functions"
+  default     = "nodejs18.x"
+}

dbt-docs/terraform/modules/cloudfront-microsoft-sso/cloudfront.tf

@@ -0,0 +1,80 @@
+resource "aws_cloudfront_origin_access_identity" "app" {
+  comment = "${var.app_code} CloudFront origin access identity"
+}
+
+resource "aws_cloudfront_distribution" "app" {
+  origin {
+    domain_name = aws_s3_bucket.app.bucket_regional_domain_name
+    origin_id   = "s3"
+
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.app.cloudfront_access_identity_path
+    }
+  }
+
+  enabled             = true
+  is_ipv6_enabled     = true
+  comment             = "${var.app_code} CloudFront distribution"
+  default_root_object = "index.html"
+
+  # Behavior for SSO callback handling – triggered on SSO provider redirect.
+  ordered_cache_behavior {
+    path_pattern           = "callback*"
+    target_origin_id       = "s3"
+    viewer_protocol_policy = "redirect-to-https"
+    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
+    cached_methods         = ["GET", "HEAD"]
+    forwarded_values {
+      query_string = true
+      cookies {
+        forward = "all"
+      }
+    }
+    dynamic "lambda_function_association" {
+      for_each = var.enable_auth_flag ? [1] : []
+      content {
+        # viewer-request (same as your original)
+        event_type   = "viewer-request"
+        lambda_arn   = aws_lambda_function.sso_callback.qualified_arn
+        include_body = false
+      }
+    }
+  }
+
+  # Default behavior – all other requests go through the SSO authenticator Lambda
+  default_cache_behavior {
+    target_origin_id       = "s3"
+    viewer_protocol_policy = "redirect-to-https"
+    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
+    cached_methods         = ["GET", "HEAD"]
+    forwarded_values {
+      query_string = false
+      cookies {
+        forward = "none"
+      }
+    }
+    dynamic "lambda_function_association" {
+      for_each = var.enable_auth_flag ? [1] : []
+      content {
+        event_type   = "viewer-request"
+        lambda_arn   = aws_lambda_function.sso_authenticator.qualified_arn
+        include_body = false
+      }
+    }
+    min_ttl     = 0
+    default_ttl = 3600
+    max_ttl     = 86400
+  }
+
+  price_class = "PriceClass_100"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+}

dbt-docs/terraform/modules/cloudfront-microsoft-sso/data.tf

@@ -0,0 +1,3 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}

dbt-docs/terraform/modules/cloudfront-microsoft-sso/iam.tf

@@ -0,0 +1,74 @@
+###############################
+# Data blocks: IAM policy docs
+###############################
+
+# 1) Trust policy for Lambda@Edge
+data "aws_iam_policy_document" "lambda_edge_assume_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = [
+        "lambda.amazonaws.com",
+        "edgelambda.amazonaws.com"
+      ]
+    }
+  }
+}
+
+# 2) Secrets access policy if your Lambda needs to read from Secrets Manager
+data "aws_iam_policy_document" "lambda_edge_secrets_access" {
+  statement {
+    effect = "Allow"
+    actions = [
+      # Secrets Manager
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+      # CloudWatch Logs
+      "logs:PutLogEvents",
+      "logs:CreateLogStream",
+      "logs:CreateLogGroup",
+      # KMS
+      "kms:Decrypt"
+    ]
+    resources = [
+      # Secrets in the same account/region
+      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*",
+
+      # CloudWatch log groups for Lambda
+      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*",
+
+      # KMS keys in the same account/region
+      "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
+    ]
+  }
+}
+
+###############################
+# IAM Role for Lambda@Edge
+###############################
+
+resource "aws_iam_role" "lambda_edge" {
+  name               = "${local.resource_name_prefix}-lambda-edge-role"
+  assume_role_policy = data.aws_iam_policy_document.lambda_edge_assume_role.json
+}
+
+###############################
+# Attach Logging Policy
+###############################
+
+resource "aws_iam_role_policy_attachment" "lambda_edge_logs" {
+  role       = aws_iam_role.lambda_edge.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+###############################
+# Attach Secrets Access Policy
+###############################
+
+resource "aws_iam_role_policy" "lambda_edge_secrets_access" {
+  name   = "${local.resource_name_prefix}-edge-secrets-policy"
+  role   = aws_iam_role.lambda_edge.id
+  policy = data.aws_iam_policy_document.lambda_edge_secrets_access.json
+}

dbt-docs/terraform/modules/cloudfront-microsoft-sso/lambda.tf

@@ -0,0 +1,72 @@
+locals {
+  # If you want to track code changes in .js/.json:
+  sso_authenticator_files = fileset(local.sso_authenticator_dir, "*.{js,json}")
+  sso_authenticator_sha   = sha256(join(",", [
+    for file in local.sso_authenticator_files : filesha256("${local.sso_authenticator_dir}/${file}")
+  ]))
+
+  sso_callback_files = fileset(local.sso_callback_dir, "*.{js,json}")
+  sso_callback_sha   = sha256(join(",", [
+    for file in local.sso_callback_files : filesha256("${local.sso_callback_dir}/${file}")
+  ]))
+}
+
+###############################
+# Package & deploy SSO Authenticator
+###############################
+
+resource "null_resource" "sso_authenticator" {
+  # No local-exec block here anymore
+  triggers = {
+    deployable_dir = local.sso_authenticator_sha
+  }
+}
+
+data "archive_file" "sso_authenticator" {
+  depends_on       = [null_resource.sso_authenticator]
+  type             = "zip"
+  source_dir       = local.sso_authenticator_dir
+  output_path      = "${local.sso_authenticator_dir}/payload.zip"
+  excludes         = ["payload.zip"]
+  output_file_mode = "0666"
+}
+
+resource "aws_lambda_function" "sso_authenticator" {
+  function_name    = "${lower(var.project_code)}-sso-authenticator"
+  role             = aws_iam_role.lambda_edge.arn
+  filename         = data.archive_file.sso_authenticator.output_path
+  runtime          = var.lambda_runtime
+  handler          = "authenticator.handler"
+  source_code_hash = data.archive_file.sso_authenticator.output_base64sha256
+  publish          = true
+}
+
+###############################
+# Package & deploy SSO Callback
+###############################
+
+resource "null_resource" "sso_callback" {
+  # No local-exec block here anymore
+  triggers = {
+    deployable_dir = local.sso_callback_sha
+  }
+}
+
+data "archive_file" "sso_callback" {
+  depends_on       = [null_resource.sso_callback]
+  type             = "zip"
+  source_dir       = local.sso_callback_dir
+  output_path      = "${local.sso_callback_dir}/payload.zip"
+  excludes         = ["payload.zip"]
+  output_file_mode = "0666"
+}
+
+resource "aws_lambda_function" "sso_callback" {
+  function_name    = "${lower(var.project_code)}-sso-callback"
+  role             = aws_iam_role.lambda_edge.arn
+  filename         = data.archive_file.sso_callback.output_path
+  runtime          = var.lambda_runtime
+  handler          = "callback-handler.handler"
+  source_code_hash = data.archive_file.sso_callback.output_base64sha256
+  publish          = true
+}