updates to dbt sso modules

entechlog · entechlog · commit dccc14befea8 · 2025-03-30T14:51:26.000-07:00
diff --git a/.gitignore b/.gitignore
@@ -593,4 +593,8 @@ payload.zip
 *.crt
 *.cert
 *.key
-*.ovpn
+*.ovpn
+
+# NPM
+package-lock.json
+.node_install*
diff --git a/dbt-docs/terraform/cloudfront-microsoft-sso/locals.tf b/dbt-docs/terraform/cloudfront-microsoft-sso/locals.tf
@@ -0,0 +1,3 @@
+locals {
+  resource_name_prefix = var.use_env_code_flag ? "${lower(var.env_code)}-${lower(var.project_code)}-${lower(var.project_code)}" : "${lower(var.project_code)}-${lower(var.project_code)}"
+}
diff --git a/dbt-docs/terraform/cloudfront-microsoft-sso/main.tf b/dbt-docs/terraform/cloudfront-microsoft-sso/main.tf
@@ -2,13 +2,10 @@
 module "sso_auth" {
   source = "../modules/cloudfront-microsoft-sso"
 
-  env_code          = var.env_code
-  project_code      = var.project_code
-  app_code          = var.app_code
-  aws_region        = var.aws_region
-  use_env_code_flag = var.use_env_code_flag
-  enable_auth_flag  = var.enable_auth_flag
+  name_prefix      = local.resource_name_prefix
+  app_code         = "dbt-docs"
+  enable_auth_flag = true
 
-  lambda_runtime = var.lambda_runtime
+  lambda_runtime = "nodejs18.x"
   sso_config_arn = aws_secretsmanager_secret.sso_config.arn
-}
+}
diff --git a/dbt-docs/terraform/cloudfront-microsoft-sso/secretsmanager.tf b/dbt-docs/terraform/cloudfront-microsoft-sso/secretsmanager.tf
@@ -7,9 +7,9 @@ resource "aws_secretsmanager_secret" "sso_config" {
 resource "aws_secretsmanager_secret_version" "sso_config_version" {
   secret_id = aws_secretsmanager_secret.sso_config.id
   secret_string = jsonencode({
-    tenant        = var.sso_tenant_id
-    client_id     = var.sso_client_id
-    client_secret = var.sso_client_secret
-    redirect_uri  = var.sso_redirect_uri
+    tenant        = var.dbt_sso_tenant_id
+    client_id     = var.dbt_sso_client_id
+    client_secret = var.dbt_sso_client_secret
+    redirect_uri  = var.dbt_sso_redirect_uri
   })
 }
diff --git a/dbt-docs/terraform/cloudfront-microsoft-sso/terraform.tfvars.template b/dbt-docs/terraform/cloudfront-microsoft-sso/terraform.tfvars.template
@@ -1,13 +1,11 @@
 env_code          = "dev"
 project_code      = "entechlog"
-app_code          = "dbt-docs"
 aws_region        = "us-east-1"
 use_env_code_flag = true
-enable_auth_flag  = true
 
-sso_tenant_id     = ""
-sso_client_id     = ""
-sso_client_secret = ""
-sso_redirect_uri  = ""
+dbt_sso_tenant_id     = ""
+dbt_sso_client_id     = ""
+dbt_sso_client_secret = ""
+dbt_sso_redirect_uri  = ""
 
-lambda_runtime = "nodejs16.x"
+lambda_runtime = "nodejs18.x"
diff --git a/dbt-docs/terraform/cloudfront-microsoft-sso/variables.tf b/dbt-docs/terraform/cloudfront-microsoft-sso/variables.tf
@@ -10,12 +10,6 @@ variable "project_code" {
   default     = "entechlog"
 }
 
-variable "app_code" {
-  type        = string
-  description = "Application code used as a prefix for resource names"
-  default     = "dbt-docs"
-}
-
 variable "aws_region" {
   type        = string
   description = "Primary region for all AWS resources"
@@ -28,37 +22,24 @@ variable "use_env_code_flag" {
   default     = true
 }
 
-variable "enable_auth_flag" {
-  type        = bool
-  description = "Toggle on/off the SSO authentication"
-  default     = true
-}
-
 # -- SSO details: you will store these in Secrets Manager outside the module
-variable "sso_tenant_id" {
+variable "dbt_sso_tenant_id" {
   type        = string
   description = "Tenant ID for the SSO config"
 }
 
-variable "sso_client_id" {
+variable "dbt_sso_client_id" {
   type        = string
   description = "Client ID for the SSO config"
 }
 
-variable "sso_client_secret" {
+variable "dbt_sso_client_secret" {
   type        = string
   description = "Client Secret for the SSO config"
   sensitive   = true
 }
 
-variable "sso_redirect_uri" {
+variable "dbt_sso_redirect_uri" {
   type        = string
   description = "Redirect URI for the SSO flow"
 }
-
-# Optional override for Node.js runtime (the module defaults to nodejs18.x if not specified)
-variable "lambda_runtime" {
-  type        = string
-  description = "Runtime for the Lambda functions"
-  default     = "nodejs18.x"
-}
diff --git a/dbt-docs/terraform/modules/cloudfront-microsoft-sso/iam.tf b/dbt-docs/terraform/modules/cloudfront-microsoft-sso/iam.tf
@@ -8,7 +8,7 @@ data "aws_iam_policy_document" "lambda_edge_assume_role" {
     effect  = "Allow"
     actions = ["sts:AssumeRole"]
     principals {
-      type        = "Service"
+      type = "Service"
       identifiers = [
         "lambda.amazonaws.com",
         "edgelambda.amazonaws.com"
@@ -50,7 +50,7 @@ data "aws_iam_policy_document" "lambda_edge_secrets_access" {
 ###############################
 
 resource "aws_iam_role" "lambda_edge" {
-  name               = "${local.resource_name_prefix}-lambda-edge-role"
+  name               = "${lower(var.name_prefix)}-${var.app_code}-lambda-edge-role"
   assume_role_policy = data.aws_iam_policy_document.lambda_edge_assume_role.json
 }
 
@@ -68,7 +68,7 @@ resource "aws_iam_role_policy_attachment" "lambda_edge_logs" {
 ###############################
 
 resource "aws_iam_role_policy" "lambda_edge_secrets_access" {
-  name   = "${local.resource_name_prefix}-edge-secrets-policy"
+  name   = "${lower(var.name_prefix)}-${var.app_code}-edge-secrets-policy"
   role   = aws_iam_role.lambda_edge.id
   policy = data.aws_iam_policy_document.lambda_edge_secrets_access.json
 }
diff --git a/dbt-docs/terraform/modules/cloudfront-microsoft-sso/lambda.tf b/dbt-docs/terraform/modules/cloudfront-microsoft-sso/lambda.tf
@@ -1,29 +1,24 @@
 locals {
-  # If you want to track code changes in .js/.json:
   sso_authenticator_files = fileset(local.sso_authenticator_dir, "*.{js,json}")
-  sso_authenticator_sha   = sha256(join(",", [
+  sso_authenticator_sha = sha256(join(",", [
     for file in local.sso_authenticator_files : filesha256("${local.sso_authenticator_dir}/${file}")
   ]))
 
   sso_callback_files = fileset(local.sso_callback_dir, "*.{js,json}")
-  sso_callback_sha   = sha256(join(",", [
+  sso_callback_sha = sha256(join(",", [
     for file in local.sso_callback_files : filesha256("${local.sso_callback_dir}/${file}")
   ]))
 }
 
-###############################
-# Package & deploy SSO Authenticator
-###############################
-
-resource "null_resource" "sso_authenticator" {
-  # No local-exec block here anymore
+resource "null_resource" "prepare_lambda_dirs" {
   triggers = {
-    deployable_dir = local.sso_authenticator_sha
+    authenticator_dir_sha = local.sso_authenticator_sha
+    callback_dir_sha      = local.sso_callback_sha
   }
 }
 
 data "archive_file" "sso_authenticator" {
-  depends_on       = [null_resource.sso_authenticator]
+  depends_on       = [null_resource.prepare_lambda_dirs]
   type             = "zip"
   source_dir       = local.sso_authenticator_dir
   output_path      = "${local.sso_authenticator_dir}/payload.zip"
@@ -32,7 +27,7 @@ data "archive_file" "sso_authenticator" {
 }
 
 resource "aws_lambda_function" "sso_authenticator" {
-  function_name    = "${lower(var.project_code)}-sso-authenticator"
+  function_name    = "${lower(var.name_prefix)}-${lower(var.app_code)}-sso-authenticator"
   role             = aws_iam_role.lambda_edge.arn
   filename         = data.archive_file.sso_authenticator.output_path
   runtime          = var.lambda_runtime
@@ -41,19 +36,8 @@ resource "aws_lambda_function" "sso_authenticator" {
   publish          = true
 }
 
-###############################
-# Package & deploy SSO Callback
-###############################
-
-resource "null_resource" "sso_callback" {
-  # No local-exec block here anymore
-  triggers = {
-    deployable_dir = local.sso_callback_sha
-  }
-}
-
 data "archive_file" "sso_callback" {
-  depends_on       = [null_resource.sso_callback]
+  depends_on       = [null_resource.prepare_lambda_dirs]
   type             = "zip"
   source_dir       = local.sso_callback_dir
   output_path      = "${local.sso_callback_dir}/payload.zip"
@@ -62,11 +46,11 @@ data "archive_file" "sso_callback" {
 }
 
 resource "aws_lambda_function" "sso_callback" {
-  function_name    = "${lower(var.project_code)}-sso-callback"
+  function_name    = "${lower(var.name_prefix)}-${lower(var.app_code)}-sso-callback"
   role             = aws_iam_role.lambda_edge.arn
   filename         = data.archive_file.sso_callback.output_path
   runtime          = var.lambda_runtime
   handler          = "callback-handler.handler"
   source_code_hash = data.archive_file.sso_callback.output_base64sha256
   publish          = true
-}
+}
diff --git a/dbt-docs/terraform/modules/cloudfront-microsoft-sso/locals.tf b/dbt-docs/terraform/modules/cloudfront-microsoft-sso/locals.tf
@@ -1,8 +1,6 @@
 locals {
   account_id = data.aws_caller_identity.current.account_id
 
-  resource_name_prefix = var.use_env_code_flag ? "${lower(var.env_code)}-${lower(var.project_code)}-${lower(var.app_code)}" : "${lower(var.project_code)}-${lower(var.app_code)}"
-
   # Hard-coded directories for Lambda code
   sso_authenticator_dir = "../uploads/lambda/sso_authenticator"
   sso_callback_dir      = "../uploads/lambda/sso_callback"
diff --git a/dbt-docs/terraform/modules/cloudfront-microsoft-sso/s3.tf b/dbt-docs/terraform/modules/cloudfront-microsoft-sso/s3.tf
@@ -14,7 +14,7 @@ data "aws_iam_policy_document" "s3_read_only_access" {
 }
 
 resource "aws_s3_bucket" "app" {
-  bucket        = local.resource_name_prefix
+  bucket        = "${var.name_prefix}-${var.app_code}"
   force_destroy = true
 }
 
diff --git a/dbt-docs/terraform/modules/cloudfront-microsoft-sso/variables.tf b/dbt-docs/terraform/modules/cloudfront-microsoft-sso/variables.tf
@@ -1,13 +1,6 @@
-variable "env_code" {
+variable "name_prefix" {
   type        = string
-  description = "Environmental code to identify the target environment"
-  default     = "dev"
-}
-
-variable "project_code" {
-  type        = string
-  description = "Project code used as prefix for resource names"
-  default     = "entechlog"
+  description = "Resource name prefix"
 }
 
 variable "app_code" {
@@ -16,18 +9,6 @@ variable "app_code" {
   default     = "dbt-docs"
 }
 
-variable "aws_region" {
-  type        = string
-  description = "Primary region for AWS resources"
-  default     = "us-east-1"
-}
-
-variable "use_env_code_flag" {
-  type        = bool
-  description = "Toggle on/off env code in resource names"
-  default     = true
-}
-
 variable "enable_auth_flag" {
   type        = bool
   description = "Toggle on/off the SSO auth"
diff --git a/dbt-docs/terraform/uploads/lambda/sso_authenticator/authenticator.js b/dbt-docs/terraform/uploads/lambda/sso_authenticator/authenticator.js
diff --git a/dbt-docs/terraform/uploads/lambda/sso_authenticator/package.json b/dbt-docs/terraform/uploads/lambda/sso_authenticator/package.json
diff --git a/dbt-docs/terraform/uploads/lambda/sso_callback/callback-handler.js b/dbt-docs/terraform/uploads/lambda/sso_callback/callback-handler.js
diff --git a/dbt-docs/terraform/uploads/lambda/sso_callback/package.json b/dbt-docs/terraform/uploads/lambda/sso_callback/package.json

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+locals {`
	`2`	`+ resource_name_prefix = var.use_env_code_flag ? "${lower(var.env_code)}-${lower(var.project_code)}-${lower(var.project_code)}" : "${lower(var.project_code)}-${lower(var.project_code)}"`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ data "aws_iam_policy_document" "s3_read_only_access" {`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`resource "aws_s3_bucket" "app" {`
`17`		`- bucket = local.resource_name_prefix`
	`17`	`+ bucket = "${var.name_prefix}-${var.app_code}"`
`18`	`18`	`force_destroy = true`
`19`	`19`	`}`
`20`	`20`