Feature/custom cfn resource for storing cognito jkws ssm

.github/workflows/rootski-ci.yml

@@ -54,6 +54,16 @@ jobs:
     - name: install docker
       uses: docker-practice/[email protected]
 
+    - name: run lambda handler tests
+      run: |
+        cd infrastructure/iac/aws-cdk/cognito/cognito/resources/jwks_ssm_custom_resource_lambda/
+        make install
+        make test
+
+    #############################
+    # --- Backend API Tests --- #
+    #############################
+
     - name: install dependencies
       run: |
         # install global python dependencies

infrastructure/iac/aws-cdk/cognito/README.md

@@ -25,6 +25,7 @@ pip install -r requirements.txt
 AWS_DEFAULT_REGION="us-west-2" cdk deploy --profile personal
 ```
 
+
 **NOTE!!!** You need to hook this up with the front end. After running `cdk deploy ...`,
 you'll see several stack outputs. Copy/paste those into the correct JS variables in
 `rootski_frontend/src/aws-cognito/auth-utils.tsx`.

infrastructure/iac/aws-cdk/cognito/app.py

@@ -1,26 +1,22 @@
 #!/usr/bin/env python3
 
-# For consistency with TypeScript code, `cdk` is the preferred import name for
-# the CDK's core module.  The following line also imports it as `core` for use
-# with examples from the CDK Developer's Guide, which are in the process of
-# being updated to use `cdk`.  You may delete this import if you don't need it.
-from aws_cdk import core
+import aws_cdk as cdk
 from cognito.cognito_stack import CognitoStack
+from cognito.ssm_cognito_jwks_custom_resource import SSMParameterWithCognitoJWKsStack
 
-app = core.App()
-CognitoStack(
+app = cdk.App()
+
+cognito_stack = CognitoStack(
     app,
     "RootksiCognitoStack",
-    # If you don't specify 'env', this stack will be environment-agnostic.
-    # Account/Region-dependent features and context lookups will not work,
-    # but a single synthesized template can be deployed anywhere.
-    # Uncomment the next line to specialize this stack for the AWS Account
-    # and Region that are implied by the current CLI configuration.
-    # env=core.Environment(account=os.getenv('CDK_DEFAULT_ACCOUNT'), region=os.getenv('CDK_DEFAULT_REGION')),
-    # Uncomment the next line if you know exactly what Account and Region you
-    # want to deploy the stack to. */
-    # env=core.Environment(account='123456789012', region='us-east-1'),
-    # For more information, see https://docs.aws.amazon.com/cdk/latest/guide/environments.html
+)
+
+SSMParameterWithCognitoJWKsStack(
+    app,
+    "Cognito-JWKs-In-SSM-Parameter-Custom-Resource-CF",
+    cognito_user_pool_id=cognito_stack.cognito_user_pool.ref,
+    cognito_user_pool_region=cognito_stack.region,
+    cognito_jwks_ssm_parameter_path="/rootski/cognito/jwks.json",
 )
 
 app.synth()

infrastructure/iac/aws-cdk/cognito/cdk.json

@@ -2,7 +2,6 @@
   "app": "python3 app.py",
   "context": {
     "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
-    "@aws-cdk/core:enableStackNameDuplicates": "true",
     "aws-cdk:enableDiffNoFail": "true",
     "@aws-cdk/core:stackRelativeExports": "true",
     "@aws-cdk/aws-ecr-assets:dockerIgnoreSupport": true,

infrastructure/iac/aws-cdk/cognito/cognito/cognito_stack.py

@@ -8,21 +8,22 @@
 from pathlib import Path
 from typing import Dict
 
-import aws_cdk.aws_ssm as ssm
-import yaml
 # For consistency with other languages, `cdk` is the preferred import name for
 # the CDK's core module.  The following line also imports it as `core` for use
 # with examples from the CDK Developer's Guide, which are in the process of
 # being updated to use `cdk`.  You may delete this import if you don't need it.
-from aws_cdk import core as cdk
+import aws_cdk as cdk
+import aws_cdk.aws_ssm as ssm
+import yaml
+from aws_cdk import CfnOutput, Stack
 from aws_cdk.aws_cognito import (
     CfnUserPool,
     CfnUserPoolClient,
     CfnUserPoolDomain,
     CfnUserPoolIdentityProvider,
     PasswordPolicy,
 )
-from aws_cdk.core import CfnOutput, Stack
+from constructs import Construct
 
 THIS_DIR = Path(__file__).parent
 ROOTSKI_OAUTH_PROVIDERS_FPATH = THIS_DIR / "rootski-oauth-providers.yml"
@@ -38,11 +39,11 @@ def load_oauth_config(oauth_config_path: Path):
 
 
 class CognitoStack(Stack):
-    def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
+    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
         super().__init__(scope, construct_id, **kwargs)
 
         # The code that defines your stack goes here
-        cognito_user_pool = CfnUserPool(
+        self.cognito_user_pool = CfnUserPool(
             self,
             id="RootskiUserPool",
             auto_verified_attributes=["email"],
@@ -93,7 +94,7 @@ def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
             id="RootskiGoogleIdentityProvider",
             provider_name="Google",
             provider_type="Google",
-            user_pool_id=cognito_user_pool.ref,
+            user_pool_id=self.cognito_user_pool.ref,
             attribute_mapping={"email": "email"},
             provider_details={
                 "client_id": OAUTH_CONFIG["google"]["client_id"],
@@ -103,7 +104,7 @@ def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
         )
         # prevent race condition where it says that the rootski user pool
         # doesn't have a Google provider type
-        google_identity_provider.add_depends_on(cognito_user_pool)
+        google_identity_provider.add_depends_on(self.cognito_user_pool)
 
         # redirect users here when they log in from the Cognito hosted ui
         callback_ur_ls = ["https://www.rootski.io", "http://localhost:3000"]
@@ -119,7 +120,7 @@ def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
             self,
             id="RootskiCognitoUserPoolClient",
             client_name="rootski-io-cognito-client",
-            user_pool_id=cognito_user_pool.ref,
+            user_pool_id=self.cognito_user_pool.ref,
             generate_secret=False,
             supported_identity_providers=[
                 "COGNITO",
@@ -142,7 +143,7 @@ def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
             self,
             id="RootskiUserPoolDomain",
             domain="rootski",
-            user_pool_id=cognito_user_pool.ref,
+            user_pool_id=self.cognito_user_pool.ref,
         )
 
         # create SSM parameters that the backend API and other sources can read
@@ -162,7 +163,7 @@ def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
                 self,
                 id=f"RootskiCognitoUserPoolId{env}",
                 parameter_name=f"/rootski/{env}/cognito/cognito_user_pool_id",
-                string_value=cognito_user_pool.ref,
+                string_value=self.cognito_user_pool.ref,
                 type=ssm.ParameterType.STRING,
             )
 
@@ -179,7 +180,7 @@ def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
         CfnOutput(
             scope=self,
             id="user-pool-id",
-            value=cognito_user_pool.ref,
+            value=self.cognito_user_pool.ref,
             description="ID of the cognito user pool",
             export_name="user-pool-id",
         )

infrastructure/iac/aws-cdk/cognito/cognito/resources/jwks_ssm_custom_resource_lambda/.vscode/launch.json

@@ -0,0 +1,17 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Python: Current File",
+            "type": "python",
+            "request": "file",
+            "program": "${file}",
+            "purpose": ["debug-test"],
+            "console": "integratedTerminal",
+            "justMyCode": false
+        }
+    ]
+}

infrastructure/iac/aws-cdk/cognito/cognito/resources/jwks_ssm_custom_resource_lambda/.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "python.testing.pytestArgs": []
+}

infrastructure/iac/aws-cdk/cognito/cognito/resources/jwks_ssm_custom_resource_lambda/jwk_cognito_custom_resource/__init__.py

@@ -0,0 +1 @@
+"""AWS Lambda function to create a Cognito JWKs custom resource in an SSM parameter."""