├── LICENSE ├── README.md ├── assets ├── 00-Make-Help.png ├── 01-CreateUser.png ├── 02-CreateUser-Email.png ├── 03-ConfirmNewUser.png ├── 04-ConfirmMFA.png ├── 05-ForgotPassword.png ├── 06-ForgotPassword-Email.png ├── 07-SetForgottenPassword.png ├── 08-UserLogin.png ├── 09-MfaVerify.png ├── 10-RefreshToken.png ├── 11-Userinfo.png ├── 12-User-Logout.png └── CognitoApi.jpg ├── helper_scripts ├── Dockerfile ├── build_lambda_layer.sh ├── gen_graph.sh ├── prepare_backend.sh ├── terraform_remote_state.sh ├── terraform_state_bucket_policy.json.template └── test_validate.sh ├── postman └── CognitoApi.postman_collection.json └── terraform ├── Makefile ├── environments ├── dev │ └── terraform.tfvars.dev └── prod │ └── terraform.tfvars.prod ├── live └── services │ └── auth-microservice │ ├── Makefile │ ├── account.tf │ ├── api-gw.tf │ ├── backend.tf.template │ ├── build_layers_packages.sh │ ├── certificate.tf │ ├── change-password.tf │ ├── cognito-authorizer.tf │ ├── cognito-user-pool.tf │ ├── confirm-mfa.tf │ ├── confirm-password.tf │ ├── confirm-user.tf │ ├── cors.tf │ ├── create-user.tf │ ├── custom-message.tf │ ├── delete-user.tf │ ├── dns.tf │ ├── email_templates │ ├── user_invitation_email_dev.html │ └── user_invitation_email_prod.html │ ├── forgot-password.tf │ ├── lambdas-src │ ├── change-password │ │ ├── requirements.txt │ │ └── src │ │ │ ├── change_password.py │ │ │ ├── constants.py │ │ │ ├── log.py │ │ │ └── schemas │ │ │ └── change_password.json │ ├── confirm-mfa │ │ ├── requirements.txt │ │ └── src │ │ │ ├── confirm_mfa.py │ │ │ ├── constants.py │ │ │ ├── log.py │ │ │ └── schemas │ │ │ └── confirm_mfa.json │ ├── confirm-password │ │ ├── requirements.txt │ │ └── src │ │ │ ├── confirm_password.py │ │ │ ├── constants.py │ │ │ ├── log.py │ │ │ └── schemas │ │ │ └── confirm_password.json │ ├── confirm-user │ │ ├── requirements.txt │ │ └── src │ │ │ ├── confirm_user.py │ │ │ ├── constants.py │ │ │ ├── log.py │ │ │ └── schemas │ │ │ └── confirm_user.json │ ├── 
create-user │ │ ├── requirements.txt │ │ └── src │ │ │ ├── constants.py │ │ │ ├── create_user.py │ │ │ ├── log.py │ │ │ └── schemas │ │ │ └── new_user.json │ ├── custom-message │ │ └── src │ │ │ └── custom_message.js │ ├── delete-user │ │ ├── requirements.txt │ │ └── src │ │ │ ├── constants.py │ │ │ ├── delete_user.py │ │ │ └── log.py │ ├── forgot-password │ │ ├── requirements.txt │ │ └── src │ │ │ ├── constants.py │ │ │ ├── forgot_password.py │ │ │ ├── log.py │ │ │ └── schemas │ │ │ └── forgot_password.json │ ├── mfa-verify │ │ ├── requirements.txt │ │ └── src │ │ │ ├── constants.py │ │ │ ├── log.py │ │ │ ├── mfa_verify.py │ │ │ └── schemas │ │ │ └── mfa_verify.json │ ├── refresh-token │ │ ├── requirements.txt │ │ └── src │ │ │ ├── constants.py │ │ │ ├── log.py │ │ │ ├── refresh_token.py │ │ │ └── schemas │ │ │ └── refresh_token.json │ ├── resend-confirmation-code │ │ ├── requirements.txt │ │ └── src │ │ │ ├── constants.py │ │ │ ├── log.py │ │ │ ├── resend_confirmation_code.py │ │ │ └── schemas │ │ │ └── resend_confirmation_code.json │ ├── resend-mfa │ │ ├── requirements.txt │ │ └── src │ │ │ ├── constants.py │ │ │ ├── log.py │ │ │ ├── resend_mfa.py │ │ │ ├── schemas │ │ │ └── resend_mfa.json │ │ │ └── templates │ │ │ └── html_mail.html │ ├── reset-password │ │ ├── requirements.txt │ │ └── src │ │ │ ├── constants.py │ │ │ ├── log.py │ │ │ ├── reset_password.py │ │ │ └── schemas │ │ │ └── reset_password.json │ ├── user-login │ │ ├── requirements.txt │ │ └── src │ │ │ ├── constants.py │ │ │ ├── log.py │ │ │ ├── schemas │ │ │ └── user_login.json │ │ │ └── user_login.py │ ├── user-logout │ │ ├── requirements.txt │ │ └── src │ │ │ ├── constants.py │ │ │ ├── log.py │ │ │ ├── schemas │ │ │ └── user_logout.json │ │ │ └── user_logout.py │ └── userinfo │ │ ├── requirements.txt │ │ └── src │ │ ├── constants.py │ │ ├── log.py │ │ └── userinfo.py │ ├── lambdas-warmers.tf │ ├── layers-src │ ├── jsonschema │ │ └── requirements.txt │ ├── opencv │ │ └── requirements.txt │ ├── 
pillow │ │ └── requirements.txt │ ├── pyjwt │ │ └── requirements.txt │ ├── pyotp │ │ └── requirements.txt │ └── qrcode │ │ └── requirements.txt │ ├── layers.tf │ ├── locals.tf │ ├── logformat.json │ ├── mfa-verify.tf │ ├── policies │ ├── change-password-lambda-role-policy.json │ ├── cognito-sns-assume-policy.json │ ├── cognito-sns-role-policy.json │ ├── confirm-mfa-lambda-role-policy.json │ ├── confirm-password-lambda-role-policy.json │ ├── confirm-user-lambda-role-policy.json │ ├── create-user-lambda-role-policy.json │ ├── custom-message-lambda-role-policy.json │ ├── delete-user-lambda-role-policy.json │ ├── forgot-password-lambda-role-policy.json │ ├── lambda-assume-role-policy.json │ ├── mfa-verify-lambda-role-policy.json │ ├── refresh-token-lambda-role-policy.json │ ├── resend-confirmation-code-lambda-role-policy.json │ ├── resend-mfa-lambda-role-policy.json │ ├── reset-password-lambda-role-policy.json │ ├── user-login-lambda-role-policy.json │ ├── user-logout-lambda-role-policy.json │ └── userinfo-lambda-role-policy.json │ ├── provider.tf │ ├── refresh-token.tf │ ├── resend-confirmation-code.tf │ ├── resend-mfa.tf │ ├── reset-password.tf │ ├── resources.tf │ ├── s3.tf │ ├── user-login.tf │ ├── user-logout.tf │ ├── userinfo.tf │ └── variables.tf └── modules ├── README.md ├── images └── Terraform.png ├── tf-api-gw-cors ├── README.md ├── main.tf └── variables.tf ├── tf-api-gw-lambda-proxy-cognito-authorizer ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── tf-api-gw-lambda-proxy ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── tf-cognito-user-pool ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── tf-iam-role-no-file ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── tf-iam-role-policy ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── tf-iam-role ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── tf-lambda-cloudwatch-event-trigger ├── README.md ├── main.tf ├── outputs.tf └── variables.tf └── 
tf-s3-encrypted ├── README.md ├── main.tf ├── outputs.tf └── variables.tf /assets/00-Make-Help.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/00-Make-Help.png -------------------------------------------------------------------------------- /assets/01-CreateUser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/01-CreateUser.png -------------------------------------------------------------------------------- /assets/02-CreateUser-Email.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/02-CreateUser-Email.png -------------------------------------------------------------------------------- /assets/03-ConfirmNewUser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/03-ConfirmNewUser.png -------------------------------------------------------------------------------- /assets/04-ConfirmMFA.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/04-ConfirmMFA.png -------------------------------------------------------------------------------- /assets/05-ForgotPassword.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/05-ForgotPassword.png 
-------------------------------------------------------------------------------- /assets/06-ForgotPassword-Email.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/06-ForgotPassword-Email.png -------------------------------------------------------------------------------- /assets/07-SetForgottenPassword.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/07-SetForgottenPassword.png -------------------------------------------------------------------------------- /assets/08-UserLogin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/08-UserLogin.png -------------------------------------------------------------------------------- /assets/09-MfaVerify.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/09-MfaVerify.png -------------------------------------------------------------------------------- /assets/10-RefreshToken.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/10-RefreshToken.png -------------------------------------------------------------------------------- /assets/11-Userinfo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/11-Userinfo.png 
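--------------------------------------------------------------------------------
/assets/12-User-Logout.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/12-User-Logout.png
--------------------------------------------------------------------------------
/assets/CognitoApi.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/assets/CognitoApi.jpg
--------------------------------------------------------------------------------
/helper_scripts/Dockerfile:
--------------------------------------------------------------------------------
# Amazon Linux docker image to build a Lambda package with a compiled dependency
# https://docs.aws.amazon.com/lambda/latest/dg/current-supported-versions.html
# NOTE(review): the tag is mutable; pinning it to a digest
# (FROM public.ecr.aws/sam/build-python3.9@sha256:<digest>) keeps layer builds
# reproducible and stops the base image from changing underneath the build.

FROM public.ecr.aws/sam/build-python3.9

WORKDIR /root

# The build context is the caller's working directory (see build_lambda_layer.sh),
# so everything in it is copied into the image even though the layer sources
# are bind-mounted over /root at run time.
COPY . .
--------------------------------------------------------------------------------
/helper_scripts/build_lambda_layer.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Prepare aws python lambda layer package - requirements.txt file is mandatory
#
# Usage: build_lambda_layer.sh layer_src_path layer_name dockerfile_path python_runtime
#
# Dependencies are pip-installed into python/lib/python<runtime>/site-packages
# and zipped as <layer_name>.zip inside layer_src_path. Outside docker the
# install runs in a throwaway image built from dockerfile_path; inside docker
# it runs directly in the current directory.

# Some colors
BOLD=$(tput bold)
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
BLUE=$(tput setaf 4)
RESET=$(tput sgr0)

RUNNING_INSIDE_DOCKER=0

# Sets RUNNING_INSIDE_DOCKER=1 when PID 1's cgroup mentions docker.
function running_inside_docker() {
    # -q: only the exit status is wanted, do not echo the matching line
    if grep -qs docker /proc/1/cgroup; then
        echo -e "${BOLD}${GREEN}Running inside docker${RESET}"
        RUNNING_INSIDE_DOCKER=1
    fi
}

# Build the layer zip.
# $1 = layer source directory (must hold requirements.txt)
# $2 = layer name, reused as docker image tag and zip basename
# $3 = path to the Dockerfile of the build image
# $4 = python runtime version, e.g. 3.9
# Exits non-zero when the image build, the pip install or the zip step fails,
# so the calling make target does not carry on with a stale or missing package.
function create_deployment_package() {
    echo -e "${BOLD}${GREEN}Create lambda layer deployment package${RESET}"
    LAYER_SRC_PATH="$(realpath "$1")/"
    LAMBDA_DOCKER_IMAGE_TAG=$2
    DOCKER_FILE_PATH=$(realpath "$3")
    REQUIREMENTS_FILE_PATH="${LAYER_SRC_PATH}requirements.txt"
    PYTHON_RUNTIME=$4
    echo "${LAYER_SRC_PATH}"
    echo "${LAMBDA_DOCKER_IMAGE_TAG}"
    echo "${DOCKER_FILE_PATH}"
    echo "${REQUIREMENTS_FILE_PATH}"

    # The header says requirements.txt is mandatory; fail here rather than
    # inside the container with a less readable pip error
    if [ ! -f "${REQUIREMENTS_FILE_PATH}" ]; then
        echo -e "${BOLD}${RED}requirements.txt not found in ${LAYER_SRC_PATH}${RESET}"
        exit 1
    fi

    # We will build for X64 architectures
    # Just in case you are using a MacOS X on ARM architectures
    # Which can lead to some unhappy surprises like:
    #   _rust.abi3.so: cannot open shared object file
    # When building cryptography libs
    export DOCKER_DEFAULT_PLATFORM=linux/amd64

    # No hash pinning (--require-hashes) here: the layer content is whatever the
    # index serves for the versions listed in requirements.txt
    PIP_INSTALL="pip install -r /root/requirements.txt --root-user-action=ignore -t python/lib/python${PYTHON_RUNTIME}/site-packages/"

    #if [[ -f "${LAYER_SRC_PATH}/${LAMBDA_DOCKER_IMAGE_TAG}.zip" ]] ; then
    #    echo -e "${GREEN}Package ${LAYER_SRC_PATH}/${LAMBDA_DOCKER_IMAGE_TAG}.zip already exists, skip packaging.${RESET}"
    #    return
    #fi

    if [ "$RUNNING_INSIDE_DOCKER" -eq "0" ]; then
        docker build -f "$DOCKER_FILE_PATH" -t "$LAMBDA_DOCKER_IMAGE_TAG" . || exit 1
        echo "Run a new image"
        # No -i/-t: the build is non-interactive and is started from make,
        # where no TTY is attached
        docker run --rm \
            -v "${LAYER_SRC_PATH}:/root" \
            -v "${REQUIREMENTS_FILE_PATH}:/root/requirements.txt" \
            "${LAMBDA_DOCKER_IMAGE_TAG}" \
            sh -c "${PIP_INSTALL} && zip -r ${LAMBDA_DOCKER_IMAGE_TAG}.zip python && rm -rf python"
        BUILD_STATUS=$?
        # Remove the docker image
        docker rmi "$LAMBDA_DOCKER_IMAGE_TAG"
        # Remove the build directory
        rm -rf python
    else
        ${PIP_INSTALL} && zip -r "${LAMBDA_DOCKER_IMAGE_TAG}.zip" python
        BUILD_STATUS=$?
        # Remove the build directory
        rm -rf python
    fi

    if [ "$BUILD_STATUS" -ne 0 ]; then
        echo -e "${BOLD}${RED}Layer build failed for ${LAMBDA_DOCKER_IMAGE_TAG}${RESET}"
        exit "$BUILD_STATUS"
    fi
}

# Outside docker the build needs a working docker CLI; fail early otherwise.
function check_dependencies() {
    if [ "$RUNNING_INSIDE_DOCKER" -eq "1" ]; then
        return
    fi

    # Check if docker is installed (the previous version tested $? without
    # having run anything, so this branch was never taken)
    if ! command -v docker >/dev/null 2>&1; then
        echo -e "${BOLD}${RED}docker is not installed!${RESET}"
        echo -e "${BOLD}${RED}Please install docker and retry${RESET}"
        echo -e "${BOLD}${RED}For all systems, check this URL: https://docs.docker.com/install/${RESET}"
        echo -e "${BOLD}${RED}Error check dependencies${RESET}"
        exit 1
    fi
    echo -e "${BOLD}${GREEN}docker is already installed${RESET}"
}

# Print usage and exit 1.
function help() {
    echo -e "${BOLD}${RED}Illegal number of parameters "
    echo -e "Usage: $0 layer_src_path layer_name dockerfile_path python_runtime ${RESET}"
    exit 1
}

# $1 = layer source directory; exits 1 when it is missing or the OS is neither
# Linux nor macOS.
function validate_args() {
    LAYER_SRC_PATH=$1

    if [ ! -d "$LAYER_SRC_PATH" ]; then
        echo -e "${BOLD}${RED}Layer source path not found${RESET}"
        exit 1
    fi

    # TODO: Use Docker to build
    # Detect Windows OS :)
    if [[ "$OSTYPE" == "linux-gnu"* ]]; then
        echo -e "${BOLD}${GREEN}OS OK, you can go further${RESET}"
    elif [[ "$OSTYPE" == "darwin"* ]]; then
        echo -e "${BOLD}${GREEN}OS OK, you can go further${RESET}"
    else
        echo -e "${BOLD}${RED}Are you using windows? Long life to the pinguin :)${RESET}"
        exit 1
    fi
}

# Script entry point
# Check args
if (( $# != 4 )); then
    help
fi

validate_args "$1"
running_inside_docker
check_dependencies
create_deployment_package "$1" "$2" "$3" "$4"
--------------------------------------------------------------------------------
/helper_scripts/gen_graph.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Render the terraform dependency graph as a png (needs graphviz' dot in PATH)

terraform graph | dot -Tpng > terraform_graph.png
--------------------------------------------------------------------------------
/helper_scripts/prepare_backend.sh:
--------------------------------------------------------------------------------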
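#!/bin/bash
# Prepare terraform state file backend by doing some substitutions
#
# Usage: prepare_backend.sh <state_bucket_name> <state_file_key>
# Creates (once) the S3 bucket holding the terraform state - encrypted,
# versioned, closed to public access and with a policy refusing unencrypted
# uploads - then renders backend.tf from backend.tf.template in the current
# directory.

# Some colors
export TERM=xterm
BOLD=$(tput bold)
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
BLUE=$(tput setaf 4)
RESET=$(tput sgr0)

# Directory of this script, so the policy template is found whatever the caller's cwd is
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# Must match the region in backend.tf.template
STATE_BUCKET_REGION="eu-west-1"

# Print an error in red and exit 1.
# $1 = message
function die() {
    echo -e "${BOLD}${RED}$1${RESET}"
    exit 1
}

# In-place sed that works with both GNU sed (linux) and BSD sed (macOS).
# $1 = sed expression
# $2 = file
function sed_in_place() {
    if [[ "$OSTYPE" == "linux-gnu"* ]]; then
        sed -i -e "$1" "$2" || die "Error when editing $2"
    elif [[ "$OSTYPE" == "darwin"* ]]; then
        sed -i '.bak' -e "$1" "$2" || die "Error when editing $2"
    else
        die "Are you using windows?"
    fi
}

# Create and harden the state bucket if it does not exist yet.
# $1 = bucket name
function create_terraform_state_bucket() {
    TERRAFOM_STATE_BUCKET=$1
    POLICY_TEMPLATE="${SCRIPT_DIR}/terraform_state_bucket_policy.json.template"
    POLICY_FILE="${SCRIPT_DIR}/terraform_state_bucket_policy.json"

    if aws s3api head-bucket --bucket "$TERRAFOM_STATE_BUCKET" 2>/dev/null; then
        echo -e "${BOLD}${BLUE}Terraform state bucket already exists :-${RESET}"
        return
    fi

    echo -e "${BOLD}${GREEN}Create a new bucket for terraform state${RESET}"
    # Create a bucket
    aws s3api create-bucket --bucket "$TERRAFOM_STATE_BUCKET" \
        --region "$STATE_BUCKET_REGION" \
        --create-bucket-configuration LocationConstraint="$STATE_BUCKET_REGION" \
        || die "Error when creating bucket"
    # State files carry resource attributes and outputs, which may include
    # secrets: keep the bucket private whatever ACL or policy is added later
    aws s3api put-public-access-block --bucket "$TERRAFOM_STATE_BUCKET" \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true \
        || die "Error when blocking public access on bucket"
    # Encrypt the bucket using AES256
    aws s3api put-bucket-encryption --bucket "$TERRAFOM_STATE_BUCKET" \
        --server-side-encryption-configuration \
        '{ "Rules": [ { "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }' \
        || die "Error when enabling bucket encryption"
    # Enable versioning
    aws s3api put-bucket-versioning --bucket "$TERRAFOM_STATE_BUCKET" \
        --versioning-configuration Status=Enabled \
        || die "Error when setting bucket versioning"
    # Set bucket policy: render the template, then attach it (the rendered
    # file used to be written but never applied)
    cp "$POLICY_TEMPLATE" "$POLICY_FILE" || die "Error when copying bucket policy template"
    sed_in_place 's:{%BUCKET_NAME%}:'"$TERRAFOM_STATE_BUCKET"':g' "$POLICY_FILE"
    aws s3api put-bucket-policy --bucket "$TERRAFOM_STATE_BUCKET" \
        --policy "file://${POLICY_FILE}" \
        || die "Error when setting bucket policy"
}

# Render backend.tf from backend.tf.template in the current directory.
# $1 = bucket name
# $2 = state file key
function prepare_backend() {
    TERRAFOM_STATE_BUCKET=$1
    TERRAFOM_STATE_FILE_KEY=$2
    echo -e "${BLUE} Fix 'backend.tf' file${RESET}"
    cp backend.tf.template backend.tf || die "Error when copying backend.tf.template"
    sed_in_place 's:{%TERRAFOM_STATE_BUCKET%}:'"$TERRAFOM_STATE_BUCKET"':g' backend.tf
    sed_in_place 's:{%TERRAFOM_STATE_FILE_KEY%}:'"$TERRAFOM_STATE_FILE_KEY"':g' backend.tf
}

# Script entry point
# Check args
if (( $# != 2 )); then
    echo -e "${BOLD}${RED}Illegal number of parameters "
    echo -e "Please provide a bucket name and " \
            "a terraform state file key${RESET}"
    exit 1
fi

create_terraform_state_bucket "$1"
prepare_backend "$1" "$2"
--------------------------------------------------------------------------------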
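/helper_scripts/terraform_remote_state.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Create a dynamodb table if needed in order to prevent concurrent access
# Init terraform
#
# Runs from the service directory (see its Makefile) after prepare_backend.sh
# has rendered backend.tf, so `terraform init` picks up the S3 backend and the
# lock table created here.

# Some colors
export TERM=xterm
BOLD=$(tput bold)
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
BLUE=$(tput setaf 4)
RESET=$(tput sgr0)

# Must match dynamodb_table in backend.tf.template
LOCK_TABLE_NAME="terraform-lock-states"

# Ensure the lock table exists, otherwise create it, and wait until it is usable.
function create_dynamodb_lock_table() {
    # describe-table is an exact-name lookup; `list-tables | grep` also matched
    # any table whose name merely contained the lock table name
    if aws dynamodb describe-table --table-name "$LOCK_TABLE_NAME" >/dev/null 2>&1; then
        echo -e "${BOLD}${BLUE}Terraform states lock table exists${RESET}"
        return
    fi
    echo -e "${BOLD}${GREEN}Creating terraform states lock table${RESET}"
    aws dynamodb create-table \
        --table-name "$LOCK_TABLE_NAME" \
        --attribute-definitions AttributeName=LockID,AttributeType=S \
        --key-schema AttributeName=LockID,KeyType=HASH \
        --provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=1 \
        || { echo -e "${BOLD}${RED}Error when creating lock table${RESET}"; exit 1; }
    # Block until the table is ACTIVE instead of hoping a fixed sleep is enough
    aws dynamodb wait table-exists --table-name "$LOCK_TABLE_NAME" \
        || { echo -e "${BOLD}${RED}Lock table did not become active${RESET}"; exit 1; }
}

# Now perform terraform init
function init_terraform() {
    #yes yes | terraform init -upgrade
    # `yes` auto-confirms init prompts (e.g. copying existing state into the
    # backend); the pipeline's status is terraform's, so a failed init fails
    # this script and the calling make target
    yes yes | terraform init
}

# Script entry point

create_dynamodb_lock_table
init_terraform
--------------------------------------------------------------------------------
/helper_scripts/terraform_state_bucket_policy.json.template:
--------------------------------------------------------------------------------
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{%BUCKET_NAME%}/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{%BUCKET_NAME%}/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
--------------------------------------------------------------------------------
/helper_scripts/test_validate.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Validate all the terraform files

# Some colors
export TERM=xterm
BLUE="\033[0;34m"
GREEN="\033[0;32m"
RED="\033[0;31m"
RESET="\033[0m"

# Run the checks in order; each one goes through log_result so the first
# failure stops the run and shows its output.
function validate_terraform() {
    # Pre-testing log_result
    rm -fR .terraform/modules/

    desc="Can we find the terraform binary?"
    OUTPUT=$(command -v terraform)
    log_result "$?" "$desc" "Couldn't find terraform. Is it in your PATH?"

    # init used to run unchecked, so a broken init surfaced as a validate error
    desc="Does terraform init succeed?"
    OUTPUT=$(terraform init 2>&1)
    log_result "$?" "$desc" "$OUTPUT"

    desc="Does the validate ok?"
    OUTPUT=$(terraform validate 2>&1)
    log_result "$?" "$desc" "$OUTPUT"

    # If we got here, all the tests passed
    echo -e "$BLUE All tests passed $RESET"
    exit 0
}

# Abort the run when a step failed.
# $1 = exit code (will exit testing if non-zero)
# $2 = description of the test
# $3 = output of the test
function log_result() {
    if [ "$1" -ne 0 ]; then
        echo -e "$RED test '$2' failed: $RESET\n $3"
        exit "$1"
    fi
}


# Script entrypoint
validate_terraform
--------------------------------------------------------------------------------
/terraform/Makefile:
--------------------------------------------------------------------------------
# GNU make only honours SHELL; the former `.SHELL` was an ordinary variable,
# so recipes silently ran under /bin/sh
SHELL := /bin/bash
.PHONY: help list-envs configure-env prepare-tf plan apply destroy test clean format graph show
TERRAFORM_TFVARS="environments/$(ENVIRONMENT)/terraform.tfvars.$(ENVIRONMENT)"
BOLD=$(shell tput -Txterm bold)
RED=$(shell tput -Txterm setaf 1)
GREEN=$(shell tput -Txterm setaf 2)
RESET=$(shell tput -Txterm sgr0)

help: ## Print this help
	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

list-envs: ## Get the list of possible environments
	@echo $(BOLD)$(GREEN)
	@find environments -type f | rev | cut -d. -f1 | rev
	@echo $(RESET)

configure-env: ## Prepare the target environment if needed
	@if [ -z "$(ENVIRONMENT)" ]; then\
		echo "$(BOLD)$(RED)Please set ENVIRONMENT$(RESET)"; \
		echo "$(BOLD)$(GREEN)Use it like this: ENVIRONMENT=dev make plan$(RESET)"; \
		exit 1; \
	fi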
-d "environments/$(ENVIRONMENT)" ]; then\ 23 | echo "$(BOLD)$(RED)Environment does not exist!$(RESET)"; \ 24 | echo "$(BOLD)$(GREEN)Use a valid one by listing all availables envs with: make list-envs$(RESET)"; \ 25 | exit 1; \ 26 | fi 27 | 28 | prepare-tf: 29 | @mkdir -p ~/.terraform.d/plugins 30 | @if [ `uname` = "Darwin" ]; then\ 31 | echo "$(BOLD)$(GREEN)Macos detected$(RESET)"; \ 32 | if [ `uname -m` = "arm64" ]; then\ 33 | echo "$(BOLD)$(GREEN)Arm arch detected$(RESET)"; \ 34 | curl -s https://releases.hashicorp.com/terraform-provider-aws/5.8.0/terraform-provider-aws_5.8.0_darwin_arm64.zip -o /tmp/terraform-aws.zip; \ 35 | unzip -qqo /tmp/terraform-aws.zip -d ~/.terraform.d/plugins; \ 36 | rm /tmp/terraform-aws.zip; \ 37 | elif [ `uname -m` = "x86_64" ]; then\ 38 | echo "$(BOLD)$(GREEN)X86 arch detected$(RESET)"; \ 39 | curl -s https://releases.hashicorp.com/terraform-provider-aws/5.8.0/terraform-provider-aws_5.8.0_darwin_amd64.zip -o /tmp/terraform-aws.zip; \ 40 | unzip -qqo /tmp/terraform-aws.zip -d ~/.terraform.d/plugins; \ 41 | rm /tmp/terraform-aws.zip; \ 42 | fi; \ 43 | elif [ `uname` = "Linux" ]; then\ 44 | echo "$(BOLD)$(GREEN)Linux detected$(RESET)"; \ 45 | if [ `uname -m` = "arm64" ]; then\ 46 | echo "$(BOLD)$(GREEN)Arm arch detected$(RESET)"; \ 47 | curl -s https://releases.hashicorp.com/terraform-provider-aws/5.8.0/terraform-provider-aws_5.8.0_linux_arm64.zip -o /tmp/terraform-aws.zip; \ 48 | unzip -qqo /tmp/terraform-aws.zip -d ~/.terraform.d/plugins; \ 49 | rm /tmp/terraform-aws.zip; \ 50 | elif [ `uname -m` = "x86_64" ]; then\ 51 | echo "$(BOLD)$(GREEN)X86 arch detected$(RESET)"; \ 52 | curl -s https://releases.hashicorp.com/terraform-provider-aws/5.8.0/terraform-provider-aws_5.8.0_linux_amd64.zip -o /tmp/terraform-aws.zip; \ 53 | unzip -qqo /tmp/terraform-aws.zip -d ~/.terraform.d/plugins; \ 54 | rm /tmp/terraform-aws.zip; \ 55 | fi; \ 56 | fi 57 | 58 | plan: configure-env #prepare-tf ## Perform a terraform plan after configuring the target 
environment 59 | @$(MAKE) -C live/services/auth-microservice plan TERRAFORM_TFVARS="$(CURDIR)/environments/$(ENVIRONMENT)/terraform.tfvars.$(ENVIRONMENT)" 60 | 61 | apply: configure-env prepare-tf ## Perform a terraform apply after configuring the target environment 'Be carefull!' 62 | @$(MAKE) -C live/services/auth-microservice apply TERRAFORM_TFVARS="$(CURDIR)/environments/$(ENVIRONMENT)/terraform.tfvars.$(ENVIRONMENT)" 63 | 64 | destroy: configure-env prepare-tf ## Perform a terraform destroy after configuring the target environment 'VERY DANGEROUS!' 65 | @$(MAKE) -C live/services/auth-microservice destroy TERRAFORM_TFVARS="$(CURDIR)/environments/$(ENVIRONMENT)/terraform.tfvars.$(ENVIRONMENT)" 66 | 67 | test: configure-env ## Unit Tests 68 | @$(MAKE) -C live/services/auth-microservice test TERRAFORM_TFVARS="$(CURDIR)/environments/$(ENVIRONMENT)/terraform.tfvars.$(ENVIRONMENT)" 69 | 70 | clean: ## Clean the stack from '*.log', '*.bak' and '.terraform' files/directories 71 | @$(MAKE) -C live/services/auth-microservice clean 72 | 73 | format: ## Format all terraform files: 'terraform fmt' 74 | @$(MAKE) -C live/services/auth-microservice format 75 | 76 | graph: ## Genarte a png graphs from terraform infra 'Needs graphviz to be installed' 77 | @$(MAKE) -C live/services/auth-microservice graph 78 | 79 | show: ## Perform a 'terraform show ' 80 | @$(MAKE) -C live/services/auth-microservice show 81 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all plan apply 2 | SHELL := $(SHELL) -e 3 | TERRAFOM_STATE_BUCKET=$(shell grep terraform-state-bucket $(TERRAFORM_TFVARS) | cut -d "=" -f 2) 4 | TERRAFOM_STATE_FILE_KEY=$(shell grep auth-microservice-terraform-state-file-key $(TERRAFORM_TFVARS) | cut -d "=" -f 2) 5 | 6 | all: test plan apply 7 | 8 | version: 9 | terraform version 10 | 11 | 
check-terraform-tfvars: 12 | @if [ -z $(TERRAFORM_TFVARS) ]; then\ 13 | echo "Plaese provide terraform tfvars file"; \ 14 | exit 1; \ 15 | fi 16 | 17 | validate: 18 | terraform validate 19 | 20 | plan: check-terraform-tfvars 21 | ../../../../helper_scripts/prepare_backend.sh $(TERRAFOM_STATE_BUCKET) $(TERRAFOM_STATE_FILE_KEY) 22 | terraform get -update 23 | ../../../../helper_scripts/terraform_remote_state.sh 24 | ./build_layers_packages.sh 25 | terraform plan -var-file="$(TERRAFORM_TFVARS)" -compact-warnings 26 | 27 | apply: check-terraform-tfvars 28 | ../../../../helper_scripts/prepare_backend.sh $(TERRAFOM_STATE_BUCKET) $(TERRAFOM_STATE_FILE_KEY) 29 | terraform get -update 30 | ../../../../helper_scripts/terraform_remote_state.sh 31 | find . -name *.zip -print0 | xargs -0 rm -rf 32 | ./build_layers_packages.sh 33 | terraform apply -input=false -auto-approve -var-file="$(TERRAFORM_TFVARS)" -compact-warnings 34 | 35 | destroy: check-terraform-tfvars 36 | ../../../../helper_scripts/prepare_backend.sh $(TERRAFOM_STATE_BUCKET) $(TERRAFOM_STATE_FILE_KEY) 37 | terraform get -update 38 | ../../../../helper_scripts/terraform_remote_state.sh 39 | terraform destroy $(filter-out $@,$(MAKECMDGOALS)) -var-file="$(TERRAFORM_TFVARS)" 40 | 41 | taint: check-terraform-tfvars 42 | terraform taint $(filter-out $@,$(MAKECMDGOALS)) -var-file="$(TERRAFORM_TFVARS)" 43 | 44 | clean: 45 | rm -rf terraform.tfplan 46 | rm -rf terraform.tfstate 47 | rm -rf terraform.tfstate.backup 48 | rm -rf .terraform 49 | rm -rf *.log 50 | rm -rf *.png 51 | rm -rf *.bak 52 | find . -name *.zip -print0 | xargs -0 rm -rf 53 | find . -name python -print0 | xargs -0 rm -rf 54 | rm -rf .terraform.lock.hcl 55 | rm -rf venv 56 | find . 
-name *.cache -print0 | xargs -0 rm -rf 57 | 58 | test: 59 | ../../../../helper_scripts/prepare_backend.sh $(TERRAFOM_STATE_BUCKET) $(TERRAFOM_STATE_FILE_KEY) 60 | terraform get -update 61 | ../../../../helper_scripts/terraform_remote_state.sh 62 | ../../../../helper_scripts/test_validate.sh 63 | 64 | show: check-terraform-tfvars 65 | terraform show -var-file="$(TERRAFORM_TFVARS)" 66 | 67 | format: 68 | terraform fmt 69 | 70 | graph: 71 | ../../../../helper_scripts/gen_graph.sh 72 | 73 | %: 74 | @: # If you don't find any rule do nothing 75 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/account.tf: -------------------------------------------------------------------------------- 1 | data "aws_caller_identity" "current" {} 2 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/backend.tf.template: -------------------------------------------------------------------------------- 1 | # https://www.terraform.io/docs/configuration/terraform.html#description 2 | terraform { 3 | backend "s3" { 4 | bucket = "{%TERRAFOM_STATE_BUCKET%}" 5 | key = "{%TERRAFOM_STATE_FILE_KEY%}" 6 | encrypt = "true" 7 | region = "eu-west-1" 8 | dynamodb_table = "terraform-lock-states" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/build_layers_packages.sh: -------------------------------------------------------------------------------- 1 | # ! 
/bin/bash 2 | # Build all lambda layers packages 3 | 4 | for layer in `ls layers-src/` 5 | do 6 | ../../../../helper_scripts/build_lambda_layer.sh layers-src/${layer} ${layer} ../../../../helper_scripts/Dockerfile 3.9 7 | done 8 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/certificate.tf: -------------------------------------------------------------------------------- 1 | resource "aws_acm_certificate" "cert" { 2 | domain_name = var.auth-api-acm-certificate-name 3 | validation_method = "DNS" 4 | 5 | tags = { 6 | Name = var.certificate-name-tag 7 | } 8 | 9 | lifecycle { 10 | create_before_destroy = true 11 | } 12 | } 13 | 14 | data "aws_route53_zone" "zone" { 15 | name = var.route53-zone-name 16 | private_zone = false 17 | } 18 | 19 | resource "aws_route53_record" "record" { 20 | for_each = { 21 | for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => { 22 | name = dvo.resource_record_name 23 | record = dvo.resource_record_value 24 | type = dvo.resource_record_type 25 | } 26 | } 27 | 28 | allow_overwrite = true 29 | name = each.value.name 30 | records = [each.value.record] 31 | ttl = 60 32 | type = each.value.type 33 | zone_id = data.aws_route53_zone.zone.zone_id 34 | } 35 | 36 | resource "aws_acm_certificate_validation" "cert-validation" { 37 | certificate_arn = aws_acm_certificate.cert.arn 38 | validation_record_fqdns = [for record in aws_route53_record.record : record.fqdn] 39 | } 40 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/change-password.tf: -------------------------------------------------------------------------------- 1 | module "change-password-lambda-role-policy" { 2 | source = "../../../modules/tf-iam-role-policy" 3 | role-policy-name = "${var.change-password-lambda-function-name}-role-policy" 4 | role-policy-json-file = 
"${local.auth_microservice_path}/policies/change-password-lambda-role-policy.json" 5 | role-name = module.change-password-lambda-role.iam-role-name 6 | } 7 | 8 | module "change-password-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = "${var.change-password-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data "archive_file" "change-password-zip" { 16 | type = "zip" 17 | excludes = ["lambda.zip"] 18 | source_dir = var.change-password-lambda-zip-src-path 19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.change-password-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource "aws_lambda_function" "change-password-lambda" { 23 | filename = join("", ["${local.auth_microservice_path}/", "${var.change-password-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.change-password-lambda-function-name 25 | handler = var.change-password-lambda-entrypoint 26 | role = module.change-password-lambda-role.iam-role-arn 27 | description = var.change-password-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn] 32 | 33 | environment { 34 | variables = { 35 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 36 | } 37 | } 38 | 39 | source_code_hash = data.archive_file.change-password-zip.output_base64sha256 40 | } 41 | 42 | resource "aws_cloudwatch_log_group" "change-password-lambda-log-group" { 43 | name = "/aws/lambda/${var.change-password-lambda-function-name}" 44 | retention_in_days = "1" 45 | } 46 | 47 | module "change-password-lambda-endpoint" { 48 | source = "../../../modules/tf-api-gw-lambda-proxy" 49 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 50 | api-resource-path = aws_api_gateway_resource.change-password.path 51 | 
api-resource-id = aws_api_gateway_resource.change-password.id
52 | api-http-method = "POST"
# NOTE(review): no API Gateway authorizer on this route -- only an API key is
# checked at the gateway (is-api-key-required below). The change_password
# request schema lists access_token as a required body field, so any token
# validation must happen inside the Lambda; confirm in change_password.py
# (not visible on this page).
53 | authorization-type = "NONE"
54 | authorizer-id = ""
55 | is-api-key-required = "true"
56 | lambda-function-name = aws_lambda_function.change-password-lambda.function_name
57 | lambda-function-arn = aws_lambda_function.change-password-lambda.arn
58 | }
59 |
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/cognito-authorizer.tf: --------------------------------------------------------------------------------
# Cognito User Pools authorizer for the REST API. Routes that reference it
# (e.g. the delete-user endpoint) have the caller's Cognito token validated by
# the gateway itself; the provider ARN is assembled from the region variable,
# the current account id and the pool created by module "user-pool".
1 | resource "aws_api_gateway_authorizer" "cognito-authorizer" {
2 | name = var.cognito-authorizer-name
3 | type = "COGNITO_USER_POOLS"
4 | rest_api_id = aws_api_gateway_rest_api.api-gw.id
5 | provider_arns = ["arn:aws:cognito-idp:${var.aws-region}:${data.aws_caller_identity.current.account_id}:userpool/${module.user-pool.user-pool-id}"]
6 | }
7 |
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/cognito-user-pool.tf: --------------------------------------------------------------------------------
# User pool and app client, built by the shared module. The MFA mode, sender
# addresses and SES identity come from variables; the custom-message Lambda is
# wired in as the pool's message-customisation trigger, and the new-user e-mail
# body is read from the template file named by
# var.new-user-email-message-template-file.
1 | module "user-pool" {
2 | source = "../../../modules/tf-cognito-user-pool"
3 | user-pool-name = var.user-pool-name
4 | user-pool-client-name = var.user-pool-client-name
5 | cognito-sns-role-arn = module.sns-role.iam-role-arn
6 | mfa-configuration = var.mfa-configuration
7 | custom-message-lambda-arn = aws_lambda_function.custom-message-lambda.arn
8 | cognito-reply-to-email-address = var.cognito-reply-to-email-address
9 | cognito-from-email-address = var.cognito-from-email-address
10 | cognito-ses-email-arn = var.cognito-ses-email-arn
11 | new-user-email-message = file(join("", ["${local.auth_microservice_path}/", var.new-user-email-message-template-file]))
12 | }
13 |
# Trust policy for the role handed to the pool as cognito-sns-role-arn
# (presumably for SMS delivery through SNS); the document itself lives under
# policies/ and is not shown on this page.
14 | data "template_file" "sns-assume-role-policy" {
15 | template = file("${local.auth_microservice_path}/policies/cognito-sns-assume-policy.json")
16 | }
17 |
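18 | module "sns-role" {
19 | source = "../../../modules/tf-iam-role-no-file"
20 | iam-role-name = var.cognito-sns-role-name
21 | iam-role-path = "/"
# Trust policy is passed inline from the rendered template rather than a file.
22 | iam-assume-role-policy = data.template_file.sns-assume-role-policy.rendered
23 | }
24 |
# Permissions attached to the SNS role; the JSON document lives under
# policies/ and is not shown on this page.
25 | module "sns-role-policy" {
26 | source = "../../../modules/tf-iam-role-policy"
27 | role-policy-name = "${var.cognito-sns-role-name}-policy"
28 | role-policy-json-file = "${local.auth_microservice_path}/policies/cognito-sns-role-policy.json"
29 | role-name = module.sns-role.iam-role-name
30 | }
31 |
# Identity pool federated with the user pool above. Guest (unauthenticated)
# identities are disabled.
32 | resource "aws_cognito_identity_pool" "user-pool-idp" {
33 | identity_pool_name = var.identity-pool-name
34 | allow_unauthenticated_identities = false
35 |
36 | cognito_identity_providers {
37 | client_id = module.user-pool.user-pool-client-id
# Region comes from var.aws-region so the provider name agrees with the
# authorizer ARN in cognito-authorizer.tf; it was previously hard-coded to
# eu-west-1 and would silently break in any other region.
38 | provider_name = "cognito-idp.${var.aws-region}.amazonaws.com/${module.user-pool.user-pool-id}"
# Tokens presented to the identity pool are re-checked against Cognito
# server-side instead of being trusted as presented by the client.
39 | server_side_token_check = true
40 | }
41 | }
42 |
43 |
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/confirm-mfa.tf: --------------------------------------------------------------------------------
# Per-function IAM role + policy, packaging and API wiring for the
# confirm-mfa Lambda; the policy document lives under policies/ (not shown).
1 | module "confirm-mfa-lambda-role-policy" {
2 | source = "../../../modules/tf-iam-role-policy"
3 | role-policy-name = "${var.confirm-mfa-lambda-function-name}-role-policy"
4 | role-policy-json-file = "${local.auth_microservice_path}/policies/confirm-mfa-lambda-role-policy.json"
5 | role-name = module.confirm-mfa-lambda-role.iam-role-name
6 | }
7 |
8 | module "confirm-mfa-lambda-role" {
9 | source = "../../../modules/tf-iam-role"
10 | iam-role-name = "${var.confirm-mfa-lambda-function-name}-role"
11 | iam-role-path = "/"
12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json"
13 | }
14 |
# Zips the Lambda source; the previous lambda.zip is excluded so it is not
# packed into itself on the next build.
15 | data "archive_file" "confirm-mfa-zip" {
16 | type = "zip"
17 | excludes = ["lambda.zip"]
18 | source_dir = var.confirm-mfa-lambda-zip-src-path
19 | output_path = join("", 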
["${local.auth_microservice_path}/", "${var.confirm-mfa-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource "aws_lambda_function" "confirm-mfa-lambda" { 23 | filename = join("", ["${local.auth_microservice_path}/", "${var.confirm-mfa-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.confirm-mfa-lambda-function-name 25 | handler = var.confirm-mfa-lambda-entrypoint 26 | role = module.confirm-mfa-lambda-role.iam-role-arn 27 | description = var.confirm-mfa-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn, aws_lambda_layer_version.pillow.arn, aws_lambda_layer_version.pyotp.arn, aws_lambda_layer_version.qrcode.arn, aws_lambda_layer_version.opencv.arn] 32 | 33 | environment { 34 | variables = { 35 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 36 | COGNITO_APP_CLIENT_ID = module.user-pool.user-pool-client-id 37 | S3_BUCKET_MFA_BUCKET = "${module.auth-mfa.s3-id}" 38 | } 39 | } 40 | 41 | source_code_hash = data.archive_file.confirm-mfa-zip.output_base64sha256 42 | } 43 | 44 | resource "aws_cloudwatch_log_group" "confirm-mfa-lambda-log-group" { 45 | name = "/aws/lambda/${var.confirm-mfa-lambda-function-name}" 46 | retention_in_days = "1" 47 | } 48 | 49 | module "confirm-mfa-lambda-endpoint" { 50 | source = "../../../modules/tf-api-gw-lambda-proxy" 51 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 52 | api-resource-path = aws_api_gateway_resource.confirm-mfa.path 53 | api-resource-id = aws_api_gateway_resource.confirm-mfa.id 54 | api-http-method = "POST" 55 | authorization-type = "NONE" 56 | authorizer-id = "" 57 | is-api-key-required = "true" 58 | lambda-function-name = aws_lambda_function.confirm-mfa-lambda.function_name 59 | lambda-function-arn = aws_lambda_function.confirm-mfa-lambda.arn 60 | } 61 | -------------------------------------------------------------------------------- 
/terraform/live/services/auth-microservice/confirm-password.tf: -------------------------------------------------------------------------------- 1 | module "confirm-password-lambda-role-policy" { 2 | source = "../../../modules/tf-iam-role-policy" 3 | role-policy-name = "${var.confirm-password-lambda-function-name}-role-policy" 4 | role-policy-json-file = "${local.auth_microservice_path}/policies/confirm-password-lambda-role-policy.json" 5 | role-name = module.confirm-password-lambda-role.iam-role-name 6 | } 7 | 8 | module "confirm-password-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = "${var.confirm-password-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data "archive_file" "confirm-password-zip" { 16 | type = "zip" 17 | excludes = ["lambda.zip"] 18 | source_dir = var.confirm-password-lambda-zip-src-path 19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.confirm-password-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource "aws_lambda_function" "confirm-password-lambda" { 23 | filename = join("", ["${local.auth_microservice_path}/", "${var.confirm-password-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.confirm-password-lambda-function-name 25 | handler = var.confirm-password-lambda-entrypoint 26 | role = module.confirm-password-lambda-role.iam-role-arn 27 | description = var.confirm-password-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn] 32 | 33 | environment { 34 | variables = { 35 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 36 | COGNITO_APP_CLIENT_ID = module.user-pool.user-pool-client-id 37 | } 38 | } 39 | 40 | source_code_hash = data.archive_file.confirm-password-zip.output_base64sha256 41 | 
} 42 | 43 | resource "aws_cloudwatch_log_group" "confirm-password-lambda-log-group" { 44 | name = "/aws/lambda/${var.confirm-password-lambda-function-name}" 45 | retention_in_days = "1" 46 | } 47 | 48 | module "confirm-password-lambda-endpoint" { 49 | source = "../../../modules/tf-api-gw-lambda-proxy" 50 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 51 | api-resource-path = aws_api_gateway_resource.confirm-password.path 52 | api-resource-id = aws_api_gateway_resource.confirm-password.id 53 | api-http-method = "POST" 54 | authorization-type = "NONE" 55 | authorizer-id = "" 56 | is-api-key-required = "true" 57 | lambda-function-name = aws_lambda_function.confirm-password-lambda.function_name 58 | lambda-function-arn = aws_lambda_function.confirm-password-lambda.arn 59 | } 60 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/confirm-user.tf: -------------------------------------------------------------------------------- 1 | module "confirm-user-lambda-role-policy" { 2 | source = "../../../modules/tf-iam-role-policy" 3 | role-policy-name = "${var.confirm-user-lambda-function-name}-role-policy" 4 | role-policy-json-file = "${local.auth_microservice_path}/policies/confirm-user-lambda-role-policy.json" 5 | role-name = module.confirm-user-lambda-role.iam-role-name 6 | } 7 | 8 | module "confirm-user-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = "${var.confirm-user-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data "archive_file" "confirm-user-zip" { 16 | type = "zip" 17 | excludes = ["lambda.zip"] 18 | source_dir = var.confirm-user-lambda-zip-src-path 19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.confirm-user-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource "aws_lambda_function" 
"confirm-user-lambda" { 23 | filename = join("", ["${local.auth_microservice_path}/", "${var.confirm-user-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.confirm-user-lambda-function-name 25 | handler = var.confirm-user-lambda-entrypoint 26 | role = module.confirm-user-lambda-role.iam-role-arn 27 | description = var.confirm-user-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn, aws_lambda_layer_version.pillow.arn, aws_lambda_layer_version.pyotp.arn, aws_lambda_layer_version.qrcode.arn] 32 | 33 | environment { 34 | variables = { 35 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 36 | COGNITO_APP_CLIENT_ID = module.user-pool.user-pool-client-id 37 | S3_BUCKET_MFA_BUCKET = "${module.auth-mfa.s3-id}" 38 | } 39 | } 40 | 41 | source_code_hash = data.archive_file.confirm-user-zip.output_base64sha256 42 | } 43 | 44 | resource "aws_cloudwatch_log_group" "confirm-user-lambda-log-group" { 45 | name = "/aws/lambda/${var.confirm-user-lambda-function-name}" 46 | retention_in_days = "1" 47 | } 48 | 49 | module "confirm-user-lambda-endpoint" { 50 | source = "../../../modules/tf-api-gw-lambda-proxy" 51 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 52 | api-resource-path = aws_api_gateway_resource.confirm.path 53 | api-resource-id = aws_api_gateway_resource.confirm.id 54 | api-http-method = "POST" 55 | authorization-type = "NONE" 56 | authorizer-id = "" 57 | is-api-key-required = "true" 58 | lambda-function-name = aws_lambda_function.confirm-user-lambda.function_name 59 | lambda-function-arn = aws_lambda_function.confirm-user-lambda.arn 60 | } 61 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/cors.tf: -------------------------------------------------------------------------------- 1 | module "login-endpoint" { 2 | source = 
"../../../modules/tf-api-gw-cors" 3 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 4 | api-resource-id = aws_api_gateway_resource.login.id 5 | api-http-methods = ["POST"] 6 | } 7 | 8 | module "logout-endpoint" { 9 | source = "../../../modules/tf-api-gw-cors" 10 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 11 | api-resource-id = aws_api_gateway_resource.logout.id 12 | api-http-methods = ["POST"] 13 | } 14 | 15 | module "mfa-verify-endpoint" { 16 | source = "../../../modules/tf-api-gw-cors" 17 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 18 | api-resource-id = aws_api_gateway_resource.mfa-verify.id 19 | api-http-methods = ["POST"] 20 | } 21 | 22 | module "refresh-token-endpoint" { 23 | source = "../../../modules/tf-api-gw-cors" 24 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 25 | api-resource-id = aws_api_gateway_resource.refresh-token.id 26 | api-http-methods = ["POST"] 27 | } 28 | 29 | module "resend-confirmation-code-endpoint" { 30 | source = "../../../modules/tf-api-gw-cors" 31 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 32 | api-resource-id = aws_api_gateway_resource.resend-confirmation-code.id 33 | api-http-methods = ["POST"] 34 | } 35 | 36 | module "resend-mfa-endpoint" { 37 | source = "../../../modules/tf-api-gw-cors" 38 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 39 | api-resource-id = aws_api_gateway_resource.resend-mfa.id 40 | api-http-methods = ["POST"] 41 | } 42 | 43 | module "change-password-endpoint" { 44 | source = "../../../modules/tf-api-gw-cors" 45 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 46 | api-resource-id = aws_api_gateway_resource.change-password.id 47 | api-http-methods = ["POST"] 48 | } 49 | 50 | module "create-user-endpoint" { 51 | source = "../../../modules/tf-api-gw-cors" 52 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 53 | api-resource-id = aws_api_gateway_resource.users.id 54 | api-http-methods = ["POST"] 55 | } 56 | 57 | module "confirm-user-endpoint" { 58 | source = 
"../../../modules/tf-api-gw-cors" 59 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 60 | api-resource-id = aws_api_gateway_resource.confirm.id 61 | api-http-methods = ["POST"] 62 | } 63 | 64 | module "confirm-mfa-endpoint" { 65 | source = "../../../modules/tf-api-gw-cors" 66 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 67 | api-resource-id = aws_api_gateway_resource.confirm-mfa.id 68 | api-http-methods = ["POST"] 69 | } 70 | 71 | module "reset-password-endpoint" { 72 | source = "../../../modules/tf-api-gw-cors" 73 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 74 | api-resource-id = aws_api_gateway_resource.reset-password.id 75 | api-http-methods = ["POST"] 76 | } 77 | 78 | module "forgot-password-endpoint" { 79 | source = "../../../modules/tf-api-gw-cors" 80 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 81 | api-resource-id = aws_api_gateway_resource.forgot-password.id 82 | api-http-methods = ["POST"] 83 | } 84 | 85 | module "confirm-password-endpoint" { 86 | source = "../../../modules/tf-api-gw-cors" 87 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 88 | api-resource-id = aws_api_gateway_resource.confirm-password.id 89 | api-http-methods = ["POST"] 90 | } 91 | 92 | module "userinfo-endpoint" { 93 | source = "../../../modules/tf-api-gw-cors" 94 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 95 | api-resource-id = aws_api_gateway_resource.userinfo.id 96 | api-http-methods = ["GET"] 97 | } 98 | 99 | module "delete-user-endpoint" { 100 | source = "../../../modules/tf-api-gw-cors" 101 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 102 | api-resource-id = aws_api_gateway_resource.user-id.id 103 | api-http-methods = ["DELETE"] 104 | } 105 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/create-user.tf: -------------------------------------------------------------------------------- 1 | module "create-user-lambda-role-policy" { 2 | source = 
"../../../modules/tf-iam-role-policy" 3 | role-policy-name = "${var.create-user-lambda-function-name}-role-policy" 4 | role-policy-json-file = "${local.auth_microservice_path}/policies/create-user-lambda-role-policy.json" 5 | role-name = module.create-user-lambda-role.iam-role-name 6 | } 7 | 8 | module "create-user-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = "${var.create-user-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data "archive_file" "create-user-zip" { 16 | type = "zip" 17 | excludes = ["lambda.zip"] 18 | source_dir = var.create-user-lambda-zip-src-path 19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.create-user-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource "aws_lambda_function" "create-user-lambda" { 23 | filename = join("", ["${local.auth_microservice_path}/", "${var.create-user-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.create-user-lambda-function-name 25 | handler = var.create-user-lambda-entrypoint 26 | role = module.create-user-lambda-role.iam-role-arn 27 | description = var.create-user-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn] 32 | 33 | environment { 34 | variables = { 35 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 36 | } 37 | } 38 | 39 | source_code_hash = data.archive_file.create-user-zip.output_base64sha256 40 | } 41 | 42 | resource "aws_cloudwatch_log_group" "create-user-lambda-log-group" { 43 | name = "/aws/lambda/${var.create-user-lambda-function-name}" 44 | retention_in_days = "1" 45 | } 46 | 47 | module "create-user-lambda-endpoint" { 48 | source = "../../../modules/tf-api-gw-lambda-proxy" 49 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 50 | 
api-resource-path = aws_api_gateway_resource.users.path 51 | api-resource-id = aws_api_gateway_resource.users.id 52 | api-http-method = "POST" 53 | authorization-type = "NONE" 54 | authorizer-id = "" 55 | is-api-key-required = "true" 56 | lambda-function-name = aws_lambda_function.create-user-lambda.function_name 57 | lambda-function-arn = aws_lambda_function.create-user-lambda.arn 58 | } 59 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/custom-message.tf: -------------------------------------------------------------------------------- 1 | # Use this link: 2 | # https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-message.html 3 | # To customize: lambdas-src/custom-message/src/custom_message.js 4 | 5 | module "custom-message-lambda-role-policy" { 6 | source = "../../../modules/tf-iam-role-policy" 7 | role-policy-name = "${var.custom-message-lambda-function-name}-role-policy" 8 | role-policy-json-file = "${local.auth_microservice_path}/policies/custom-message-lambda-role-policy.json" 9 | role-name = module.custom-message-lambda-role.iam-role-name 10 | } 11 | 12 | module "custom-message-lambda-role" { 13 | source = "../../../modules/tf-iam-role" 14 | iam-role-name = "${var.custom-message-lambda-function-name}-role" 15 | iam-role-path = "/" 16 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 17 | } 18 | 19 | data "archive_file" "custom-message-zip" { 20 | type = "zip" 21 | excludes = ["lambda.zip"] 22 | #source_dir = var.custom-message-lambda-zip-src-path 23 | source_dir = join("", ["${local.auth_microservice_path}/", "${var.custom-message-lambda-zip-src-path}"]) 24 | output_path = join("", ["${local.auth_microservice_path}/", "${var.custom-message-lambda-zip-src-path}/lambda.zip"]) 25 | } 26 | 27 | resource "aws_lambda_function" "custom-message-lambda" { 28 | filename = join("", 
["${local.auth_microservice_path}/", "${var.custom-message-lambda-zip-src-path}/lambda.zip"]) 29 | function_name = var.custom-message-lambda-function-name 30 | handler = var.custom-message-lambda-entrypoint 31 | role = module.custom-message-lambda-role.iam-role-arn 32 | description = var.custom-message-lambda-function-desc 33 | memory_size = var.custom-message-lambda-memory-size 34 | runtime = var.custom-message-lambda-runtime 35 | timeout = var.custom-message-lambda-timeout 36 | 37 | source_code_hash = data.archive_file.custom-message-zip.output_base64sha256 38 | } 39 | 40 | resource "aws_cloudwatch_log_group" "custom-message-lambda-log-group" { 41 | name = "/aws/lambda/${var.custom-message-lambda-function-name}" 42 | retention_in_days = "1" 43 | } 44 | 45 | resource "aws_lambda_permission" "allow_execution_from_user_pool" { 46 | statement_id = "AllowExecutionFromUserPool" 47 | action = "lambda:InvokeFunction" 48 | function_name = aws_lambda_function.custom-message-lambda.function_name 49 | principal = "cognito-idp.amazonaws.com" 50 | source_arn = module.user-pool.user-pool-arn 51 | } 52 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/delete-user.tf: -------------------------------------------------------------------------------- 1 | module "delete-user-lambda-role-policy" { 2 | source = "../../../modules/tf-iam-role-policy" 3 | role-policy-name = "${var.delete-user-lambda-function-name}-role-policy" 4 | role-policy-json-file = "${local.auth_microservice_path}/policies/delete-user-lambda-role-policy.json" 5 | role-name = module.delete-user-lambda-role.iam-role-name 6 | } 7 | 8 | module "delete-user-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = "${var.delete-user-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data 
"archive_file" "delete-user-zip" {
16 | type = "zip"
# The previous build artefact is excluded so it is not packed into itself.
17 | excludes = ["lambda.zip"]
18 | source_dir = var.delete-user-lambda-zip-src-path
19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.delete-user-lambda-zip-src-path}/lambda.zip"])
20 | }
21 |
# Lambda behind DELETE on the user-id resource. Runtime, memory and timeout
# are shared with the other auth Lambdas; the pyjwt layer suggests the handler
# decodes a JWT itself (not visible here -- confirm in delete_user.py).
22 | resource "aws_lambda_function" "delete-user-lambda" {
23 | filename = join("", ["${local.auth_microservice_path}/", "${var.delete-user-lambda-zip-src-path}/lambda.zip"])
24 | function_name = var.delete-user-lambda-function-name
25 | handler = var.delete-user-lambda-entrypoint
26 | role = module.delete-user-lambda-role.iam-role-arn
27 | description = var.delete-user-lambda-function-desc
28 | memory_size = var.auth-lambdas-memory-size
29 | runtime = var.auth-lambdas-runtime
30 | timeout = var.auth-lambdas-timeout
31 | layers = [aws_lambda_layer_version.jsonschema.arn, aws_lambda_layer_version.pyjwt.arn]
32 |
33 | environment {
34 | variables = {
# Read by the handler through the COGNITO_USER_POOL_ID name in constants.py.
35 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id
36 | }
37 | }
38 |
# Hash of the zip so a source change triggers a redeploy.
39 | source_code_hash = data.archive_file.delete-user-zip.output_base64sha256
40 | }
41 |
# NOTE(review): one-day retention means logs of account deletions are gone
# before most incident investigations start; consider a longer window (or a
# variable shared by all auth Lambdas) for this security-relevant function.
42 | resource "aws_cloudwatch_log_group" "delete-user-lambda-log-group" {
43 | name = "/aws/lambda/${var.delete-user-lambda-function-name}"
44 | retention_in_days = "1"
45 | }
46 |
# Unlike the change-password/confirm-* routes (authorization-type "NONE"),
# this DELETE route goes through the Cognito authorizer, so the gateway
# validates the caller's user-pool token before the Lambda runs; an API key
# is still required on top of that.
47 | module "delete-user-lambda-endpoint" {
48 | source = "../../../modules/tf-api-gw-lambda-proxy-cognito-authorizer"
49 | rest-api-id = aws_api_gateway_rest_api.api-gw.id
50 | api-resource-path = aws_api_gateway_resource.user-id.path
51 | api-resource-id = aws_api_gateway_resource.user-id.id
52 | api-http-method = "DELETE"
53 | cognito-authorizer-id = aws_api_gateway_authorizer.cognito-authorizer.id
54 | is-api-key-required = "true"
55 | lambda-function-name = aws_lambda_function.delete-user-lambda.function_name
56 | lambda-function-arn = aws_lambda_function.delete-user-lambda.arn
57 | }
58 |
-------------------------------------------------------------------------------- 
/terraform/live/services/auth-microservice/dns.tf: -------------------------------------------------------------------------------- 1 | resource "aws_route53_record" "api-gw-r53" { 2 | zone_id = var.auth-api-r53-zone-id 3 | 4 | name = aws_api_gateway_domain_name.api-gw-dns.domain_name 5 | type = "CNAME" 6 | ttl = "60" 7 | records = ["${aws_api_gateway_domain_name.api-gw-dns.regional_domain_name}"] 8 | } 9 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/email_templates/user_invitation_email_dev.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 8 | 9 | 17 |
25 |

35 | Welcome to The CognitoApi 36 |

37 | 38 |

48 | Hi dear user! 49 |

50 |
Thank you for choosing our service.
51 | 52 |
To complete your registration:
53 |
54 | 1. Download Google Authenticator for 55 | Android 62 | or 63 | iOS 70 |
71 |
72 | 2. Use this one-time password: {####} to confirm your user 73 |
74 |
75 | 3. Your login is: {username} to confirm your user 76 |
77 | 78 |
79 | If you think this email came to you by mistake, you don't have to do 80 | anything. 81 |
82 | 83 |
92 | 93 |
94 | Have questions or need help? Email us at 95 | tarek@tocconsulting.fr 98 |
99 | 100 |
108 | TheCognitoApi team 109 |
110 |
111 | 112 | 113 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/email_templates/user_invitation_email_prod.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 8 | 9 | 17 |
25 |

35 | Welcome to The CognitoApi 36 |

37 | 38 |

48 | Hi dear user! 49 |

50 |
Thank you for choosing our service.
51 | 52 |
To complete your registration:
53 |
54 | 1. Download Google Authenticator for 55 | Android 62 | or 63 | iOS 70 |
71 |
72 | 2. Use this one-time password: {####} to confirm your user 73 |
74 |
75 | 3. Your login is: {username} to confirm your user 76 |
77 | 78 |
79 | If you think this email came to you by mistake, you don't have to do 80 | anything. 81 |
82 | 83 |
92 | 93 |
94 | Have questions or need help? Email us at 95 | tarek@tocconsulting.fr 98 |
99 | 100 |
108 | TheCognitoApi team 109 |
110 |
111 | 112 | 113 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/forgot-password.tf: -------------------------------------------------------------------------------- 1 | module "forgot-password-lambda-role-policy" { 2 | source = "../../../modules/tf-iam-role-policy" 3 | role-policy-name = "${var.forgot-password-lambda-function-name}-role-policy" 4 | role-policy-json-file = "${local.auth_microservice_path}/policies/forgot-password-lambda-role-policy.json" 5 | role-name = module.forgot-password-lambda-role.iam-role-name 6 | } 7 | 8 | module "forgot-password-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = "${var.forgot-password-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data "archive_file" "forgot-password-zip" { 16 | type = "zip" 17 | excludes = ["lambda.zip"] 18 | source_dir = var.forgot-password-lambda-zip-src-path 19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.forgot-password-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource "aws_lambda_function" "forgot-password-lambda" { 23 | filename = join("", ["${local.auth_microservice_path}/", "${var.forgot-password-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.forgot-password-lambda-function-name 25 | handler = var.forgot-password-lambda-entrypoint 26 | role = module.forgot-password-lambda-role.iam-role-arn 27 | description = var.forgot-password-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn] 32 | 33 | environment { 34 | variables = { 35 | COGNITO_APP_CLIENT_ID = module.user-pool.user-pool-client-id 36 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 37 | } 38 | } 39 | 40 | 
source_code_hash = data.archive_file.forgot-password-zip.output_base64sha256 41 | } 42 | 43 | resource "aws_cloudwatch_log_group" "forgot-password-lambda-log-group" { 44 | name = "/aws/lambda/${var.forgot-password-lambda-function-name}" 45 | retention_in_days = "1" 46 | } 47 | 48 | module "forgot-password-lambda-endpoint" { 49 | source = "../../../modules/tf-api-gw-lambda-proxy" 50 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 51 | api-resource-path = aws_api_gateway_resource.forgot-password.path 52 | api-resource-id = aws_api_gateway_resource.forgot-password.id 53 | api-http-method = "POST" 54 | authorization-type = "NONE" 55 | authorizer-id = "" 56 | is-api-key-required = "true" 57 | lambda-function-name = aws_lambda_function.forgot-password-lambda.function_name 58 | lambda-function-arn = aws_lambda_function.forgot-password-lambda.arn 59 | } 60 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/change-password/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/change-password/requirements.txt -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/change-password/src/constants.py: -------------------------------------------------------------------------------- 1 | #! 
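/usr/bin/env python
2 | # coding:utf-8
3 | '''Constant values for the change-password Lambda.'''
4 |
5 | REGION = 'eu-west-1'
6 | SCHEMAS_FOLDER = 'schemas'
7 | CHANGE_PASSWORD_JSON_SCHEMA = 'change_password.json'
# Name of the environment variable set on the function by change-password.tf.
8 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID'
9 |
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/change-password/src/log.py: --------------------------------------------------------------------------------
1 | #! /usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''Minimal root-logger setup shared by the auth Lambdas.'''
4 |
5 | import logging
6 |
7 |
8 | def setup_logging():
9 |     '''Configure and return the root logger.
    
        Drops every handler already attached to the root logger, then installs a
        single StreamHandler using a timestamp/function/level/message format and
        sets the level to INFO.
    
        Returns:
            logging.Logger: the root logger.
        '''
10 |     logger = logging.getLogger()
    # Iterate over a copy: removeHandler() mutates logger.handlers, and removing
    # while iterating the live list skips every other handler.
11 |     for handler in list(logger.handlers):
12 |         logger.removeHandler(handler)
13 |
14 |     handler = logging.StreamHandler()
15 |
16 |     log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
17 |     handler.setFormatter(logging.Formatter(log_format))
18 |     logger.addHandler(handler)
19 |     logger.setLevel(logging.INFO)
20 |
21 |     return logger
22 |
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/change-password/src/schemas/change_password.json: --------------------------------------------------------------------------------
1 | {
2 | "definitions": {},
3 | "$schema": "http://json-schema.org/draft-07/schema#",
4 | "type": "object",
5 | "title": "Change User Password Schema",
6 | "required": [
7 | "email",
8 | "old_password",
9 | "new_password",
10 | "access_token"
11 | ],
12 | "properties": {
13 | "email": {
14 | "$id": "#/properties/email",
15 | "type": "string",
16 | "title": "The user email",
17 | "examples": [
18 | "my-email@mail42.com"
19 | ]
20 | },
21 | "old_password": {
22 | "$id": "#/properties/old_password",
23 | "type": "string",
24 | "title": "The user old password",
25 | "examples": [
26 | "myOldOrCurrentPassW0rd"
27 | ]
28 | },
29 | "new_password": {
30 | "$id": 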
"#/properties/new_password", 31 | "type": "string", 32 | "title": "The user new password", 33 | "examples": [ 34 | "mySecureNewPassw0Rd" 35 | ] 36 | }, 37 | "access_token": { 38 | "$id": "#/properties/access_token", 39 | "type": "string", 40 | "title": "The user access token", 41 | "examples": [ 42 | "eyJraWQiOiJTdEhEc2Z2dHdIT0RHaTF3dDM4bVkxZjlSb1BVYmFlOHdDNUsxNGNSRW9vPSIsImFsZyI6IlJTMjU2In0." 43 | ] 44 | } 45 | }, 46 | "additionalProperties": false 47 | } 48 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/confirm-mfa/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/confirm-mfa/requirements.txt -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/confirm-mfa/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | SCHEMAS_FOLDER = 'schemas' 7 | CONFIRM_MFA_JSON_SCHEMA = 'confirm_mfa.json' 8 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 9 | COGNITO_APP_CLIENT_ID = 'COGNITO_APP_CLIENT_ID' 10 | S3_BUCKET_MFA_BUCKET = 'S3_BUCKET_MFA_BUCKET' 11 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/confirm-mfa/src/log.py: -------------------------------------------------------------------------------- 1 | #! 
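/usr/bin/env python
# -*- coding: utf-8 -*-
'''Root-logger setup shared by the Lambda handlers.'''

import logging


def setup_logging(level=logging.INFO):
    '''Reset the root logger to a single ``StreamHandler`` and return it.

    Every handler already attached to the root logger is removed first, so
    only the handler installed here emits records.  No redaction is applied:
    callers must keep secrets (passwords, tokens) out of the messages they log.

    Args:
        level: logging level applied to the root logger (default ``INFO``).

    Returns:
        logging.Logger: the configured root logger.
    '''
    logger = logging.getLogger()
    # Iterate over a copy: removing entries from the live ``handlers`` list
    # while iterating it skips every other handler and leaves them attached.
    for existing in list(logger.handlers):
        logger.removeHandler(existing)

    handler = logging.StreamHandler()

    log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
    handler.setFormatter(logging.Formatter(log_format))
    logger.addHandler(handler)
    logger.setLevel(level)

    return logger
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/confirm-mfa/src/schemas/confirm_mfa.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": {}, 3 | "$schema": "http://json-schema.org/draft-07/schema#", 4 | "type": "object", 5 | "title": "New MFA confirmation Schema", 6 | "required": [ 7 | "email", 8 | "otp" 9 | ], 10 | "properties": { 11 | "email": { 12 | "$id": "#/properties/email", 13 | "type": "string", 14 | "title": "The user name", 15 | "examples": [ 16 | "tarek@lostinmac.com" 17 | ] 18 | }, 19 | "otp": { 20 | "$id": "#/properties/otp", 21 | "type": "string", 22 | "pattern": "^[0-9]{6}$", 23 | "title": "The MFA otp", 24 | "examples": [ 25 | "123456" 26 | ] 27 | } 28 | }, 29 | "additionalProperties": false 30 | } 31 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/confirm-password/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/confirm-password/requirements.txt -------------------------------------------------------------------------------- 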
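/terraform/live/services/auth-microservice/lambdas-src/confirm-password/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | SCHEMAS_FOLDER = 'schemas' 7 | CONFIRM_PASSWORD_JSON_SCHEMA = 'confirm_password.json' 8 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 9 | COGNITO_APP_CLIENT_ID = 'COGNITO_APP_CLIENT_ID' 10 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/confirm-password/src/log.py: --------------------------------------------------------------------------------
#! /usr/bin/env python
# -*- coding: utf-8 -*-
'''Root-logger setup shared by the Lambda handlers.'''

import logging


def setup_logging(level=logging.INFO):
    '''Reset the root logger to a single ``StreamHandler`` and return it.

    Every handler already attached to the root logger is removed first, so
    only the handler installed here emits records.  No redaction is applied:
    callers must keep secrets (passwords, tokens) out of the messages they log.

    Args:
        level: logging level applied to the root logger (default ``INFO``).

    Returns:
        logging.Logger: the configured root logger.
    '''
    logger = logging.getLogger()
    # Iterate over a copy: removing entries from the live ``handlers`` list
    # while iterating it skips every other handler and leaves them attached.
    for existing in list(logger.handlers):
        logger.removeHandler(existing)

    handler = logging.StreamHandler()

    log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
    handler.setFormatter(logging.Formatter(log_format))
    logger.addHandler(handler)
    logger.setLevel(level)

    return logger
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/confirm-password/src/schemas/confirm_password.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": {}, 3 | "$schema": "http://json-schema.org/draft-07/schema#", 4 | "type": "object", 5 | "title": "Set user new password Schema", 6 | "required": [ 7 | "email", 8 | "new_password", 9 | "verification_code" 10 | ], 11 | "properties": { 12 | "email": { 13 | "$id": "#/properties/email", 14 | "type": "string", 15 | "title": "The user name", 16 | "examples": [ 17 | "tarek@lostinmac.com" 18 | ] 19 | }, 20 | "new_password": { 21 | 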
"$id": "#/properties/new_password", 22 | "type": "string", 23 | "title": "The user password", 24 | "examples": [ 25 | "Il0veThis!Password?" 26 | ] 27 | }, 28 | "verification_code": { 29 | "$id": "#/properties/verification_code", 30 | "type": "string", 31 | "title": "The verification code", 32 | "examples": [ 33 | "728243" 34 | ] 35 | } 36 | }, 37 | "additionalProperties": false 38 | } 39 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/confirm-user/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/confirm-user/requirements.txt -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/confirm-user/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | SCHEMAS_FOLDER = 'schemas' 7 | CONFIRM_USER_JSON_SCHEMA = 'confirm_user.json' 8 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 9 | COGNITO_APP_CLIENT_ID = 'COGNITO_APP_CLIENT_ID' 10 | S3_BUCKET_MFA_BUCKET = 'S3_BUCKET_MFA_BUCKET' 11 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/confirm-user/src/log.py: -------------------------------------------------------------------------------- 1 | #! 
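/usr/bin/env python
# -*- coding: utf-8 -*-
'''Root-logger setup shared by the Lambda handlers.'''

import logging


def setup_logging(level=logging.INFO):
    '''Reset the root logger to a single ``StreamHandler`` and return it.

    Every handler already attached to the root logger is removed first, so
    only the handler installed here emits records.  No redaction is applied:
    callers must keep secrets (passwords, tokens) out of the messages they log.

    Args:
        level: logging level applied to the root logger (default ``INFO``).

    Returns:
        logging.Logger: the configured root logger.
    '''
    logger = logging.getLogger()
    # Iterate over a copy: removing entries from the live ``handlers`` list
    # while iterating it skips every other handler and leaves them attached.
    for existing in list(logger.handlers):
        logger.removeHandler(existing)

    handler = logging.StreamHandler()

    log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
    handler.setFormatter(logging.Formatter(log_format))
    logger.addHandler(handler)
    logger.setLevel(level)

    return logger
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/confirm-user/src/schemas/confirm_user.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": {}, 3 | "$schema": "http://json-schema.org/draft-07/schema#", 4 | "type": "object", 5 | "title": "New user confirmation Schema", 6 | "required": [ 7 | "email", 8 | "temporary_password", 9 | "new_password" 10 | ], 11 | "properties": { 12 | "email": { 13 | "$id": "#/properties/email", 14 | "type": "string", 15 | "title": "The user name", 16 | "examples": [ 17 | "tarek@lostinmac.com" 18 | ] 19 | }, 20 | "temporary_password": { 21 | "$id": "#/properties/temporary_password", 22 | "type": "string", 23 | "title": "The user temporary password", 24 | "examples": [ 25 | "My!TempPass1?" 26 | ] 27 | }, 28 | "new_password": { 29 | "$id": "#/properties/new_password", 30 | "type": "string", 31 | "title": "The user password", 32 | "examples": [ 33 | "Il0veThis!Password?" 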
34 | ] 35 | } 36 | }, 37 | "additionalProperties": false 38 | } 39 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/create-user/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/create-user/requirements.txt -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/create-user/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | SCHEMAS_FOLDER = 'schemas' 7 | NEW_USER_JSON_SCHEMA = 'new_user.json' 8 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 9 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/create-user/src/log.py: -------------------------------------------------------------------------------- 1 | #! 
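/usr/bin/env python
# -*- coding: utf-8 -*-
'''Root-logger setup shared by the Lambda handlers.'''

import logging


def setup_logging(level=logging.INFO):
    '''Reset the root logger to a single ``StreamHandler`` and return it.

    Every handler already attached to the root logger is removed first, so
    only the handler installed here emits records.  No redaction is applied:
    callers must keep secrets (passwords, tokens) out of the messages they log.

    Args:
        level: logging level applied to the root logger (default ``INFO``).

    Returns:
        logging.Logger: the configured root logger.
    '''
    logger = logging.getLogger()
    # Iterate over a copy: removing entries from the live ``handlers`` list
    # while iterating it skips every other handler and leaves them attached.
    for existing in list(logger.handlers):
        logger.removeHandler(existing)

    handler = logging.StreamHandler()

    log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
    handler.setFormatter(logging.Formatter(log_format))
    logger.addHandler(handler)
    logger.setLevel(level)

    return logger
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/create-user/src/schemas/new_user.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": {}, 3 | "$schema": "http://json-schema.org/draft-07/schema#", 4 | "type": "object", 5 | "title": "New User Schema", 6 | "required": [ 7 | "full_name", 8 | "email", 9 | "mobile_phone_number" 10 | ], 11 | "properties": { 12 | "full_name": { 13 | "$id": "#/properties/full_name", 14 | "type": "string", 15 | "title": "The user full name", 16 | "examples": [ 17 | "42 Son of 42" 18 | ] 19 | }, 20 | "email": { 21 | "$id": "#/properties/email", 22 | "type": "string", 23 | "title": "The user email", 24 | "examples": [ 25 | "my-email@mail42.com" 26 | ] 27 | }, 28 | "mobile_phone_number": { 29 | "$id": "#/properties/mobile_phone_number", 30 | "type": "string", 31 | "title": "The user mobile phone number", 32 | "pattern": "^\\+[0-9]{1,14}$", 33 | "examples": [ 34 | "+33612345678" 35 | ] 36 | } 37 | }, 38 | "additionalProperties": false 39 | } 40 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/delete-user/requirements.txt: -------------------------------------------------------------------------------- 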
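https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/delete-user/requirements.txt -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/delete-user/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 7 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/delete-user/src/log.py: --------------------------------------------------------------------------------
#! /usr/bin/env python
# -*- coding: utf-8 -*-
'''Root-logger setup shared by the Lambda handlers.'''

import logging


def setup_logging(level=logging.INFO):
    '''Reset the root logger to a single ``StreamHandler`` and return it.

    Every handler already attached to the root logger is removed first, so
    only the handler installed here emits records.  No redaction is applied:
    callers must keep secrets (passwords, tokens) out of the messages they log.

    Args:
        level: logging level applied to the root logger (default ``INFO``).

    Returns:
        logging.Logger: the configured root logger.
    '''
    logger = logging.getLogger()
    # Iterate over a copy: removing entries from the live ``handlers`` list
    # while iterating it skips every other handler and leaves them attached.
    for existing in list(logger.handlers):
        logger.removeHandler(existing)

    handler = logging.StreamHandler()

    log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
    handler.setFormatter(logging.Formatter(log_format))
    logger.addHandler(handler)
    logger.setLevel(level)

    return logger
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/forgot-password/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/forgot-password/requirements.txt -------------------------------------------------------------------------------- 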
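/terraform/live/services/auth-microservice/lambdas-src/forgot-password/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | SCHEMAS_FOLDER = 'schemas' 7 | FORGOT_PASSWORD_JSON_SCHEMA = 'forgot_password.json' 8 | COGNITO_APP_CLIENT_ID = 'COGNITO_APP_CLIENT_ID' 9 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 10 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/forgot-password/src/log.py: --------------------------------------------------------------------------------
#! /usr/bin/env python
# -*- coding: utf-8 -*-
'''Root-logger setup shared by the Lambda handlers.'''

import logging


def setup_logging(level=logging.INFO):
    '''Reset the root logger to a single ``StreamHandler`` and return it.

    Every handler already attached to the root logger is removed first, so
    only the handler installed here emits records.  No redaction is applied:
    callers must keep secrets (passwords, tokens) out of the messages they log.

    Args:
        level: logging level applied to the root logger (default ``INFO``).

    Returns:
        logging.Logger: the configured root logger.
    '''
    logger = logging.getLogger()
    # Iterate over a copy: removing entries from the live ``handlers`` list
    # while iterating it skips every other handler and leaves them attached.
    for existing in list(logger.handlers):
        logger.removeHandler(existing)

    handler = logging.StreamHandler()

    log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
    handler.setFormatter(logging.Formatter(log_format))
    logger.addHandler(handler)
    logger.setLevel(level)

    return logger
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/forgot-password/src/schemas/forgot_password.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": {}, 3 | "$schema": "http://json-schema.org/draft-07/schema#", 4 | "type": "object", 5 | "title": "Forgot User Password Schema", 6 | "required": [ 7 | "email" 8 | ], 9 | "properties": { 10 | "email": { 11 | "$id": "#/properties/email", 12 | "type": "string", 13 | "title": "The user email", 14 | "examples": [ 15 | "my-email@mail42.com" 16 | ] 17 | } 18 | }, 19 | "additionalProperties": false 20 | } 21 | 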
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/mfa-verify/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/mfa-verify/requirements.txt -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/mfa-verify/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | SCHEMAS_FOLDER = 'schemas' 7 | MFA_VERIFY_JSON_SCHEMA = 'mfa_verify.json' 8 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 9 | COGNITO_APP_CLIENT_ID = 'COGNITO_APP_CLIENT_ID' 10 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/mfa-verify/src/log.py: -------------------------------------------------------------------------------- 1 | #! 
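/usr/bin/env python
# -*- coding: utf-8 -*-
'''Root-logger setup shared by the Lambda handlers.'''

import logging


def setup_logging(level=logging.INFO):
    '''Reset the root logger to a single ``StreamHandler`` and return it.

    Every handler already attached to the root logger is removed first, so
    only the handler installed here emits records.  No redaction is applied:
    callers must keep secrets (passwords, tokens) out of the messages they log.

    Args:
        level: logging level applied to the root logger (default ``INFO``).

    Returns:
        logging.Logger: the configured root logger.
    '''
    logger = logging.getLogger()
    # Iterate over a copy: removing entries from the live ``handlers`` list
    # while iterating it skips every other handler and leaves them attached.
    for existing in list(logger.handlers):
        logger.removeHandler(existing)

    handler = logging.StreamHandler()

    log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
    handler.setFormatter(logging.Formatter(log_format))
    logger.addHandler(handler)
    logger.setLevel(level)

    return logger
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/mfa-verify/src/schemas/mfa_verify.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": {}, 3 | "$schema": "http://json-schema.org/draft-07/schema#", 4 | "type": "object", 5 | "title": "MFA Verification Schema", 6 | "required": [ 7 | "email", 8 | "verification_type", 9 | "verification_session", 10 | "otp_code" 11 | ], 12 | "properties": { 13 | "email": { 14 | "$id": "#/properties/email", 15 | "type": "string", 16 | "title": "User Email", 17 | "examples": [ 18 | "the-42-user@42mail.com" 19 | ] 20 | }, 21 | "verification_type": { 22 | "$id": "#/properties/verification_type", 23 | "type": "string", 24 | "title": "MFA Verification type", 25 | "examples": [ 26 | "SOFTWARE_TOKEN_MFA" 27 | ], 28 | "enum": ["SOFTWARE_TOKEN_MFA", "SMS_MFA"] 29 | }, 30 | "otp_code": { 31 | "$id": "#/properties/otp_code", 32 | "type": "string", 33 | "title": "MFA One Time Password", 34 | "examples": [ 35 | "424242" 36 | ] 37 | }, 38 | "verification_session": { 39 | "$id": "#/properties/verification_session", 40 | "type": "string", 41 | "title": "MFA verification session", 42 | "examples": [ 43 | "yrKeh0tDL6JCBju4KUGfZdMbjjRP8VC0V9ZH9bWaAplM1TzJ3cO7boUG__" 44 | ] 45 | } 46 | }, 47 | "additionalProperties": false 48 | } 49 | 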
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/refresh-token/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/refresh-token/requirements.txt -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/refresh-token/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | SCHEMAS_FOLDER = 'schemas' 7 | REFRESH_TOKEN_JSON_SCHEMA = 'refresh_token.json' 8 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 9 | COGNITO_APP_CLIENT_ID = 'COGNITO_APP_CLIENT_ID' 10 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/refresh-token/src/log.py: -------------------------------------------------------------------------------- 1 | #! 
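/usr/bin/env python
# -*- coding: utf-8 -*-
'''Root-logger setup shared by the Lambda handlers.'''

import logging


def setup_logging(level=logging.INFO):
    '''Reset the root logger to a single ``StreamHandler`` and return it.

    Every handler already attached to the root logger is removed first, so
    only the handler installed here emits records.  No redaction is applied:
    callers must keep secrets (passwords, tokens) out of the messages they log.

    Args:
        level: logging level applied to the root logger (default ``INFO``).

    Returns:
        logging.Logger: the configured root logger.
    '''
    logger = logging.getLogger()
    # Iterate over a copy: removing entries from the live ``handlers`` list
    # while iterating it skips every other handler and leaves them attached.
    for existing in list(logger.handlers):
        logger.removeHandler(existing)

    handler = logging.StreamHandler()

    log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
    handler.setFormatter(logging.Formatter(log_format))
    logger.addHandler(handler)
    logger.setLevel(level)

    return logger
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/refresh-token/src/schemas/refresh_token.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": {}, 3 | "$schema": "http://json-schema.org/draft-07/schema#", 4 | "type": "object", 5 | "title": "User Login With Refresh Token Schema", 6 | "required": [ 7 | "email", 8 | "refresh_token" 9 | ], 10 | "properties": { 11 | "email": { 12 | "$id": "#/properties/email", 13 | "type": "string", 14 | "title": "The user email", 15 | "examples": [ 16 | "tarek@lostinmac.com" 17 | ] 18 | }, 19 | "refresh_token": { 20 | "$id": "#/properties/refresh_token", 21 | "type": "string", 22 | "title": "The user refresh token", 23 | "examples": [ 24 | "eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ" 25 | ] 26 | } 27 | }, 28 | "additionalProperties": false 29 | } 30 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/resend-confirmation-code/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/resend-confirmation-code/requirements.txt 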
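-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/resend-confirmation-code/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | SCHEMAS_FOLDER = 'schemas' 7 | RESEND_CONFIRMATION_CODE_JSON_SCHEMA = 'resend_confirmation_code.json' 8 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 9 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/resend-confirmation-code/src/log.py: --------------------------------------------------------------------------------
#! /usr/bin/env python
# -*- coding: utf-8 -*-
'''Root-logger setup shared by the Lambda handlers.'''

import logging


def setup_logging(level=logging.INFO):
    '''Reset the root logger to a single ``StreamHandler`` and return it.

    Every handler already attached to the root logger is removed first, so
    only the handler installed here emits records.  No redaction is applied:
    callers must keep secrets (passwords, tokens) out of the messages they log.

    Args:
        level: logging level applied to the root logger (default ``INFO``).

    Returns:
        logging.Logger: the configured root logger.
    '''
    logger = logging.getLogger()
    # Iterate over a copy: removing entries from the live ``handlers`` list
    # while iterating it skips every other handler and leaves them attached.
    for existing in list(logger.handlers):
        logger.removeHandler(existing)

    handler = logging.StreamHandler()

    log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
    handler.setFormatter(logging.Formatter(log_format))
    logger.addHandler(handler)
    logger.setLevel(level)

    return logger
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/resend-confirmation-code/src/schemas/resend_confirmation_code.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": {}, 3 | "$schema": "http://json-schema.org/draft-07/schema#", 4 | "type": "object", 5 | "title": "Resend New User Confirmation Code Schema", 6 | "required": [ 7 | "email" 8 | ], 9 | "properties": { 10 | "email": { 11 | "$id": "#/properties/email", 12 | "type": "string", 13 | "title": "The user email", 14 | "examples": [ 15 | "my-email@mail42.com" 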
16 | ] 17 | } 18 | }, 19 | "additionalProperties": false 20 | } 21 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/resend-mfa/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/resend-mfa/requirements.txt -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/resend-mfa/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | SCHEMAS_FOLDER = 'schemas' 7 | RESEND_MFA_JSON_SCHEMA = 'resend_mfa.json' 8 | S3_BUCKET_MFA_BUCKET = 'S3_BUCKET_MFA_BUCKET' 9 | USERS_MFA_FOLDER = 'USERS_MFA_FOLDER' 10 | FROM_EMAIL = 'FROM_EMAIL' 11 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 12 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/resend-mfa/src/log.py: -------------------------------------------------------------------------------- 1 | #! 
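/usr/bin/env python
# -*- coding: utf-8 -*-
'''Root-logger setup shared by the Lambda handlers.'''

import logging


def setup_logging(level=logging.INFO):
    '''Reset the root logger to a single ``StreamHandler`` and return it.

    Every handler already attached to the root logger is removed first, so
    only the handler installed here emits records.  No redaction is applied:
    callers must keep secrets (passwords, tokens) out of the messages they log.

    Args:
        level: logging level applied to the root logger (default ``INFO``).

    Returns:
        logging.Logger: the configured root logger.
    '''
    logger = logging.getLogger()
    # Iterate over a copy: removing entries from the live ``handlers`` list
    # while iterating it skips every other handler and leaves them attached.
    for existing in list(logger.handlers):
        logger.removeHandler(existing)

    handler = logging.StreamHandler()

    log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
    handler.setFormatter(logging.Formatter(log_format))
    logger.addHandler(handler)
    logger.setLevel(level)

    return logger
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/resend-mfa/src/schemas/resend_mfa.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": {}, 3 | "$schema": "http://json-schema.org/draft-07/schema#", 4 | "type": "object", 5 | "title": "Resend user MFA Schema", 6 | "required": [ 7 | "email" 8 | ], 9 | "properties": { 10 | "email": { 11 | "$id": "#/properties/email", 12 | "type": "string", 13 | "title": "The user email", 14 | "examples": [ 15 | "tarek@lostinmac.com" 16 | ] 17 | } 18 | }, 19 | "additionalProperties": false 20 | } 21 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/resend-mfa/src/templates/html_mail.html: -------------------------------------------------------------------------------- 1 |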

2 | Hi from the CognitoApi team 3 |

4 |

5 | Please use the following link to find your QR Code: Qr Code Link. 6 |

7 |

8 | Sincerely, The CognitoApi Team 9 |

10 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/reset-password/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/reset-password/requirements.txt -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/reset-password/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | SCHEMAS_FOLDER = 'schemas' 7 | RESET_PASSWORD_JSON_SCHEMA = 'reset_password.json' 8 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 9 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/reset-password/src/log.py: -------------------------------------------------------------------------------- 1 | #! 
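/usr/bin/env python
# -*- coding: utf-8 -*-
'''Root-logger setup shared by the Lambda handlers.'''

import logging


def setup_logging(level=logging.INFO):
    '''Reset the root logger to a single ``StreamHandler`` and return it.

    Every handler already attached to the root logger is removed first, so
    only the handler installed here emits records.  No redaction is applied:
    callers must keep secrets (passwords, tokens) out of the messages they log.

    Args:
        level: logging level applied to the root logger (default ``INFO``).

    Returns:
        logging.Logger: the configured root logger.
    '''
    logger = logging.getLogger()
    # Iterate over a copy: removing entries from the live ``handlers`` list
    # while iterating it skips every other handler and leaves them attached.
    for existing in list(logger.handlers):
        logger.removeHandler(existing)

    handler = logging.StreamHandler()

    log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
    handler.setFormatter(logging.Formatter(log_format))
    logger.addHandler(handler)
    logger.setLevel(level)

    return logger
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/reset-password/src/schemas/reset_password.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": {}, 3 | "$schema": "http://json-schema.org/draft-07/schema#", 4 | "type": "object", 5 | "title": "Reset User Password Schema", 6 | "required": [ 7 | "email" 8 | ], 9 | "properties": { 10 | "email": { 11 | "$id": "#/properties/email", 12 | "type": "string", 13 | "title": "The user email", 14 | "examples": [ 15 | "my-email@mail42.com" 16 | ] 17 | } 18 | }, 19 | "additionalProperties": false 20 | } 21 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/user-login/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/user-login/requirements.txt -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/user-login/src/constants.py: -------------------------------------------------------------------------------- 1 | #!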
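/usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | SCHEMAS_FOLDER = 'schemas' 7 | USER_LOGIN_JSON_SCHEMA = 'user_login.json' 8 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 9 | COGNITO_APP_CLIENT_ID = 'COGNITO_APP_CLIENT_ID' 10 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/user-login/src/log.py: --------------------------------------------------------------------------------
#! /usr/bin/env python
# -*- coding: utf-8 -*-
'''Root-logger setup shared by the Lambda handlers.'''

import logging


def setup_logging(level=logging.INFO):
    '''Reset the root logger to a single ``StreamHandler`` and return it.

    Every handler already attached to the root logger is removed first, so
    only the handler installed here emits records.  No redaction is applied:
    callers must keep secrets (passwords, tokens) out of the messages they log.

    Args:
        level: logging level applied to the root logger (default ``INFO``).

    Returns:
        logging.Logger: the configured root logger.
    '''
    logger = logging.getLogger()
    # Iterate over a copy: removing entries from the live ``handlers`` list
    # while iterating it skips every other handler and leaves them attached.
    for existing in list(logger.handlers):
        logger.removeHandler(existing)

    handler = logging.StreamHandler()

    log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s'
    handler.setFormatter(logging.Formatter(log_format))
    logger.addHandler(handler)
    logger.setLevel(level)

    return logger
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/user-login/src/schemas/user_login.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": {}, 3 | "$schema": "http://json-schema.org/draft-07/schema#", 4 | "type": "object", 5 | "title": "User Login Schema", 6 | "required": [ 7 | "email", 8 | "password" 9 | ], 10 | "properties": { 11 | "email": { 12 | "$id": "#/properties/email", 13 | "type": "string", 14 | "title": "The user email", 15 | "examples": [ 16 | "tarek@lostinmac.com" 17 | ] 18 | }, 19 | "password": { 20 | "$id": "#/properties/password", 21 | "type": "string", 22 | "title": "The user password", 23 | "examples": [ 24 | "pASSW0rds7r:" 25 | ] 26 | } 27 | }, 28 | "additionalProperties": false 29 | } 30 | 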
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/user-logout/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/user-logout/requirements.txt -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/user-logout/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | SCHEMAS_FOLDER = 'schemas' 7 | USER_LOGOUT_JSON_SCHEMA = 'user_logout.json' 8 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 9 | COGNITO_APP_CLIENT_ID = 'COGNITO_APP_CLIENT_ID' 10 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/user-logout/src/log.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | '''Just a simple logger''' 4 | 5 | import logging 6 | 7 | 8 | def setup_logging(): 9 | '''Hmmm setup logging''' 10 | logger = logging.getLogger() 11 | for handler in logger.handlers: 12 | logger.removeHandler(handler) 13 | 14 | handler = logging.StreamHandler() 15 | 16 | log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s' 17 | handler.setFormatter(logging.Formatter(log_format)) 18 | logger.addHandler(handler) 19 | logger.setLevel(logging.INFO) 20 | 21 | return logger 22 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/user-logout/src/schemas/user_logout.json: -------------------------------------------------------------------------------- 1 | { 2 | "definitions": {}, 3 | "$schema": "http://json-schema.org/draft-07/schema#", 4 | "type": "object", 5 | "title": "User Logout Schema", 6 | "required": [ 7 | "email", 8 | "access_token" 9 | ], 10 | "properties": { 11 | "email": { 12 | "$id": "#/properties/email", 13 | "type": "string", 14 | "title": "The user email", 15 | "examples": [ 16 | "tarek@lostinmac.com" 17 | ] 18 | }, 19 | "access_token": { 20 | "$id": "#/properties/access_token", 21 | "type": "string", 22 | "title": "The user access token", 23 | "examples": [ 24 | "eyJraWQiOiJBSUMzcVwvaGwzTmhQWTJqZzF" 25 | ] 26 | } 27 | }, 28 | "additionalProperties": false 29 | } 30 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/user-logout/src/user_logout.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | '''User logout''' 3 | 4 | import os 5 | import json 6 | import collections 7 | from os.path import join, dirname 8 | from jsonschema import validate 9 | import jsonschema 10 | import boto3 11 | import botocore 12 | import constants 13 | import log 14 | 15 | 16 | LOGGER = log.setup_logging() 17 | 18 | 19 | def is_invoked_by_lambda_warmer(event): 20 | '''If the event is a scheduled warmer just say ok''' 21 | # We can be more precise by using: {context.invoked_function_name}-warmer 22 | # as a event name 23 | if 'detail-type' in event and event['detail-type'] == 'Scheduled Event': 24 | if event['resources'][0].endswith('warmer'): 25 | return True 26 | else: 27 | return False 28 | 29 | 30 | def _load_json_schema(filename): 31 | ''' Loads the given schema file ''' 32 | 33 | relative_path = join(constants.SCHEMAS_FOLDER, filename) 34 | absolute_path = join(dirname(__file__), relative_path) 35 | 36 | with open(absolute_path) as schema_file: 37 | return json.loads(schema_file.read()) 38 | 39 | 40 | def assert_valid_schema(data, schema_file): 41 | ''' Checks whether the given data matches the schema ''' 42 | 43 | schema = _load_json_schema(schema_file) 44 | try: 45 | validate(data, schema) 46 | return True, None 47 | except jsonschema.exceptions.ValidationError as error: 48 | return False, error.message 49 | 50 | 51 | def check_inputs(req_body): 52 | '''Validate inputs''' 53 | return assert_valid_schema(req_body, constants.USER_LOGOUT_JSON_SCHEMA) 54 | 55 | 56 | def user_logout(email, access_token, conf_values): 57 | '''Perform the user logout''' 58 | try: 59 | cup_client = boto3.client('cognito-idp', constants.REGION) 60 | response = cup_client.global_sign_out(AccessToken=access_token) 61 | return 'OK' 62 | except Exception as error: 63 | print('User: %s has trouble to logout' %email) 64 | print('Error - {0}'.format(error)) 65 | return 'KO' 66 | 67 | 68 | def init_env_vars(): 69 | '''Get all environment variables''' 70 | conf_values = {} 71 | 
conf_values['REGION'] = os.getenv(constants.REGION) 72 | conf_values['COGNITO_USER_POOL_ID'] = os.getenv(constants.COGNITO_USER_POOL_ID) 73 | conf_values['COGNITO_APP_CLIENT_ID'] = os.getenv(constants.COGNITO_APP_CLIENT_ID) 74 | return conf_values 75 | 76 | 77 | def lambda_handler(event, _): 78 | '''Lambda entrypoint''' 79 | if is_invoked_by_lambda_warmer(event): 80 | return { 81 | 'statusCode': 200, 82 | 'body': json.dumps({'message':'Lambda warmer check OK!'}), 83 | } 84 | try: 85 | req_body = json.loads(event['body']) 86 | LOGGER.info(req_body) 87 | is_payload_data_valid, error_msg = check_inputs(req_body) 88 | if not is_payload_data_valid: 89 | return { 90 | 'statusCode': 400, 91 | 'body': json.dumps({'message':error_msg}), 92 | 'headers': { 93 | 'Content-Type' : 'application/json', 94 | 'Access-Control-Allow-Origin' : '*', 95 | 'Allow' : 'POST, OPTIONS', 96 | 'Access-Control-Allow-Methods' : 'POST, OPTIONS', 97 | 'Access-Control-Allow-Headers' : '*' 98 | } 99 | } 100 | conf_values = init_env_vars() 101 | user_logout_session = user_logout(req_body['email'], req_body['access_token'], conf_values) 102 | if user_logout_session == 'KO': 103 | return { 104 | 'statusCode': 401, 105 | 'body': json.dumps({'error_message': 'Logout error'}), 106 | 'headers': { 107 | 'Content-Type' : 'application/json', 108 | 'Access-Control-Allow-Origin' : '*', 109 | 'Allow' : 'POST, OPTIONS', 110 | 'Access-Control-Allow-Methods' : 'POST, OPTIONS', 111 | 'Access-Control-Allow-Headers' : '*' 112 | }, 113 | 'isBase64Encoded': False, 114 | } 115 | 116 | return { 117 | 'statusCode': 200, 118 | 'body': json.dumps({'user_status': 'logout'}), 119 | 'headers': { 120 | 'Content-Type' : 'application/json', 121 | 'Access-Control-Allow-Origin' : '*', 122 | 'Allow' : 'POST, OPTIONS', 123 | 'Access-Control-Allow-Methods' : 'POST, OPTIONS', 124 | 'Access-Control-Allow-Headers' : '*' 125 | }, 126 | 'isBase64Encoded': False, 127 | } 128 | except Exception as error: 129 | err_msg = {'error_message': 
'{}'.format(error)} 130 | LOGGER.error(err_msg) 131 | return { 132 | 'statusCode': 400, 133 | 'body': json.dumps(err_msg), 134 | 'headers': { 135 | 'Content-Type' : 'application/json', 136 | 'Access-Control-Allow-Origin' : '*', 137 | 'Allow' : 'POST, OPTIONS', 138 | 'Access-Control-Allow-Methods' : 'POST, OPTIONS', 139 | 'Access-Control-Allow-Headers' : '*' 140 | }, 141 | 'isBase64Encoded': False, 142 | } 143 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/userinfo/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/live/services/auth-microservice/lambdas-src/userinfo/requirements.txt -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/userinfo/src/constants.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | '''Just a constants values''' 4 | 5 | REGION = 'eu-west-1' 6 | COGNITO_USER_POOL_ID = 'COGNITO_USER_POOL_ID' 7 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/userinfo/src/log.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | '''Just a simple logger''' 4 | 5 | import logging 6 | 7 | 8 | def setup_logging(): 9 | '''Hmmm setup logging''' 10 | logger = logging.getLogger() 11 | for handler in logger.handlers: 12 | logger.removeHandler(handler) 13 | 14 | handler = logging.StreamHandler() 15 | 16 | log_format = '%(asctime)s - %(funcName)s - %(levelname)s - %(message)s' 17 | handler.setFormatter(logging.Formatter(log_format)) 18 | logger.addHandler(handler) 19 | logger.setLevel(logging.INFO) 20 | 21 | return logger 22 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/lambdas-src/userinfo/src/userinfo.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | '''Get user infos''' 3 | 4 | import os 5 | import json 6 | import collections 7 | import jwt 8 | import constants 9 | import log 10 | 11 | 12 | LOGGER = log.setup_logging() 13 | 14 | 15 | def is_invoked_by_lambda_warmer(event): 16 | '''If the event is a scheduled warmer just say ok''' 17 | # We can be more precise by using: {context.invoked_function_name}-warmer 18 | # as a event name 19 | if 'detail-type' in event and event['detail-type'] == 'Scheduled Event': 20 | if event['resources'][0].endswith('warmer'): 21 | return True 22 | else: 23 | return False 24 | 25 | 26 | def get_claims(jwt_token): 27 | '''Extract claims from the JWT token''' 28 | try: 29 | decode = jwt.decode( 30 | jwt_token.split(' ')[1], 31 | algorithms=['RS256'], 32 | options={"verify_signature": False} 33 | ) 34 | except Exception as error: 35 | LOGGER.error(error) 36 | return decode 37 | 38 | 39 | def build_api_response(claims): 40 | '''Build the API response''' 41 | response_body = collections.OrderedDict() 42 | if 'name' in claims: 43 | response_body['name'] = claims['name'] 44 | else: 45 | response_body['name'] = None 46 | if 'sub' in claims: 47 | response_body['user_id'] = 
claims['sub'] 48 | else: 49 | response_body['user_id'] = None 50 | if 'email' in claims: 51 | response_body['email'] = claims['email'] 52 | else: 53 | response_body['email'] = None 54 | if 'phone_number' in claims: 55 | response_body['phone_number'] = claims['phone_number'] 56 | else: 57 | response_body['phone_number'] = None 58 | if 'cognito:groups' in claims: 59 | response_body['groups'] = claims['cognito:groups'] 60 | else: 61 | response_body['groups'] = [] 62 | 63 | return response_body 64 | 65 | 66 | def init_env_vars(): 67 | '''Get all environment variables''' 68 | conf_values = {} 69 | conf_values['REGION'] = os.getenv(constants.REGION) 70 | conf_values['COGNITO_USER_POOL_ID'] = os.getenv(constants.COGNITO_USER_POOL_ID) 71 | return conf_values 72 | 73 | 74 | def lambda_handler(event, context): 75 | '''Lambda entrypoint''' 76 | if is_invoked_by_lambda_warmer(event): 77 | return { 78 | 'statusCode': 200, 79 | 'body': json.dumps({'message':'Lambda warmer check OK!'}), 80 | } 81 | try: 82 | conf_values = init_env_vars() 83 | claims = get_claims(event['headers']['Authorization']) 84 | response_body = build_api_response( 85 | claims 86 | ) 87 | return { 88 | 'statusCode': 200, 89 | 'body': json.dumps(response_body), 90 | 'headers': { 91 | 'Content-Type' : 'application/json', 92 | 'Access-Control-Allow-Origin' : '*', 93 | 'Allow' : 'GET, OPTIONS', 94 | 'Access-Control-Allow-Methods' : 'GET, OPTIONS', 95 | 'Access-Control-Allow-Headers' : '*' 96 | }, 97 | 'isBase64Encoded': False, 98 | } 99 | except Exception as error: 100 | err_msg = {'error_message': '{}'.format(error)} 101 | LOGGER.error(err_msg) 102 | # TODO: Add dynamic error status code support 103 | return { 104 | 'statusCode': 400, 105 | 'body': json.dumps(err_msg), 106 | 'headers': { 107 | 'Content-Type' : 'application/json', 108 | 'Access-Control-Allow-Origin' : '*', 109 | 'Allow' : 'GET, OPTIONS', 110 | 'Access-Control-Allow-Methods' : 'GET, OPTIONS', 111 | 'Access-Control-Allow-Headers' : '*' 112 | }, 
113 | 'isBase64Encoded': False, 114 | } 115 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/layers-src/jsonschema/requirements.txt: -------------------------------------------------------------------------------- 1 | jsonschema==4.17.3 2 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/layers-src/opencv/requirements.txt: -------------------------------------------------------------------------------- 1 | opencv-python-headless 2 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/layers-src/pillow/requirements.txt: -------------------------------------------------------------------------------- 1 | pillow 2 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/layers-src/pyjwt/requirements.txt: -------------------------------------------------------------------------------- 1 | pyjwt 2 | cryptography 3 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/layers-src/pyotp/requirements.txt: -------------------------------------------------------------------------------- 1 | pyotp 2 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/layers-src/qrcode/requirements.txt: -------------------------------------------------------------------------------- 1 | qrcode 2 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/layers.tf: -------------------------------------------------------------------------------- 1 | resource "aws_lambda_layer_version" "jsonschema" { 2 | filename = "${local.auth_microservice_path}/layers-src/jsonschema/jsonschema.zip" 3 | layer_name 
= "jsonschema" 4 | 5 | compatible_runtimes = [var.auth-lambdas-runtime] 6 | compatible_architectures = ["x86_64"] 7 | } 8 | 9 | resource "aws_lambda_layer_version" "pyjwt" { 10 | filename = "${local.auth_microservice_path}/layers-src/pyjwt/pyjwt.zip" 11 | layer_name = "pyjwt" 12 | 13 | compatible_runtimes = [var.auth-lambdas-runtime] 14 | compatible_architectures = ["x86_64"] 15 | } 16 | 17 | resource "aws_lambda_layer_version" "pillow" { 18 | filename = "${local.auth_microservice_path}/layers-src/pillow/pillow.zip" 19 | layer_name = "pillow" 20 | 21 | compatible_runtimes = [var.auth-lambdas-runtime] 22 | compatible_architectures = ["x86_64"] 23 | } 24 | 25 | resource "aws_lambda_layer_version" "pyotp" { 26 | filename = "${local.auth_microservice_path}/layers-src/pyotp/pyotp.zip" 27 | layer_name = "pyotp" 28 | 29 | compatible_runtimes = [var.auth-lambdas-runtime] 30 | compatible_architectures = ["x86_64"] 31 | } 32 | 33 | resource "aws_lambda_layer_version" "qrcode" { 34 | filename = "${local.auth_microservice_path}/layers-src/qrcode/qrcode.zip" 35 | layer_name = "qrcode" 36 | 37 | compatible_runtimes = [var.auth-lambdas-runtime] 38 | compatible_architectures = ["x86_64"] 39 | } 40 | 41 | # OpenCV headless is too large 42 | resource "aws_s3_object" "opencv-zip" { 43 | bucket = var.layers-packages-bucket-name 44 | key = "layers/opencv.zip" 45 | source = "${local.auth_microservice_path}/layers-src/opencv/opencv.zip" 46 | server_side_encryption = "AES256" 47 | depends_on = [module.layers-packages.s3-id] 48 | } 49 | 50 | resource "aws_lambda_layer_version" "opencv" { 51 | s3_bucket = var.layers-packages-bucket-name 52 | s3_key = aws_s3_object.opencv-zip.key 53 | layer_name = "opencv" 54 | 55 | compatible_runtimes = [var.auth-lambdas-runtime] 56 | compatible_architectures = ["x86_64"] 57 | } 58 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/locals.tf: 
-------------------------------------------------------------------------------- 1 | locals { 2 | auth_microservice_path = abspath("${path.module}/") 3 | } 4 | 5 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/logformat.json: -------------------------------------------------------------------------------- 1 | { "requestId":"$context.requestId", 2 | "ip": "$context.identity.sourceIp", 3 | "caller":"$context.identity.caller", 4 | "user":"$context.identity.user", 5 | "requestTime":"$context.requestTime", 6 | "httpMethod":"$context.httpMethod", 7 | "resourcePath":"$context.resourcePath", 8 | "status":"$context.status", 9 | "protocol":"$context.protocol", 10 | "responseLength":"$context.responseLength" 11 | } 12 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/mfa-verify.tf: -------------------------------------------------------------------------------- 1 | module "mfa-verify-lambda-role-policy" { 2 | source = "../../../modules/tf-iam-role-policy" 3 | role-policy-name = "${var.mfa-verify-lambda-function-name}-role-policy" 4 | role-policy-json-file = "${local.auth_microservice_path}/policies/mfa-verify-lambda-role-policy.json" 5 | role-name = module.mfa-verify-lambda-role.iam-role-name 6 | } 7 | 8 | module "mfa-verify-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = "${var.mfa-verify-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data "archive_file" "mfa-verify-zip" { 16 | type = "zip" 17 | excludes = ["lambda.zip"] 18 | source_dir = var.mfa-verify-lambda-zip-src-path 19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.mfa-verify-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource "aws_lambda_function" "mfa-verify-lambda" { 23 | 
filename = join("", ["${local.auth_microservice_path}/", "${var.mfa-verify-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.mfa-verify-lambda-function-name 25 | handler = var.mfa-verify-lambda-entrypoint 26 | role = module.mfa-verify-lambda-role.iam-role-arn 27 | description = var.mfa-verify-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn] 32 | 33 | environment { 34 | variables = { 35 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 36 | COGNITO_APP_CLIENT_ID = module.user-pool.user-pool-client-id 37 | } 38 | } 39 | 40 | source_code_hash = data.archive_file.mfa-verify-zip.output_base64sha256 41 | } 42 | 43 | resource "aws_cloudwatch_log_group" "mfa-verify-lambda-log-group" { 44 | name = "/aws/lambda/${var.mfa-verify-lambda-function-name}" 45 | retention_in_days = "1" 46 | } 47 | 48 | module "mfa-verify-lambda-endpoint" { 49 | source = "../../../modules/tf-api-gw-lambda-proxy" 50 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 51 | api-resource-path = aws_api_gateway_resource.mfa-verify.path 52 | api-resource-id = aws_api_gateway_resource.mfa-verify.id 53 | api-http-method = "POST" 54 | authorization-type = "NONE" 55 | authorizer-id = "" 56 | is-api-key-required = "true" 57 | lambda-function-name = aws_lambda_function.mfa-verify-lambda.function_name 58 | lambda-function-arn = aws_lambda_function.mfa-verify-lambda.arn 59 | } 60 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/policies/cognito-sns-assume-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "", 6 | "Effect": "Allow", 7 | "Principal": { 8 | "Service": "cognito-idp.amazonaws.com" 9 | }, 10 | "Action": "sts:AssumeRole" 11 | } 12 | ] 13 | } 14 | 
-------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/policies/cognito-sns-role-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": [ 7 | "sns:publish" 8 | ], 9 | "Resource": [ 10 | "*" 11 | ] 12 | } 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/policies/create-user-lambda-role-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": "logs:CreateLogGroup", 7 | "Resource": "*" 8 | }, 9 | { 10 | "Effect": "Allow", 11 | "Action": [ 12 | "logs:CreateLogStream", 13 | "logs:PutLogEvents" 14 | ], 15 | "Resource": [ 16 | "*" 17 | ] 18 | }, 19 | { 20 | "Action": [ 21 | "dynamodb:*", 22 | "dax:*", 23 | "application-autoscaling:DeleteScalingPolicy", 24 | "application-autoscaling:DeregisterScalableTarget", 25 | "application-autoscaling:DescribeScalableTargets", 26 | "application-autoscaling:DescribeScalingActivities", 27 | "application-autoscaling:DescribeScalingPolicies", 28 | "application-autoscaling:PutScalingPolicy", 29 | "application-autoscaling:RegisterScalableTarget", 30 | "cloudwatch:DeleteAlarms", 31 | "cloudwatch:DescribeAlarmHistory", 32 | "cloudwatch:DescribeAlarms", 33 | "cloudwatch:DescribeAlarmsForMetric", 34 | "cloudwatch:GetMetricStatistics", 35 | "cloudwatch:ListMetrics", 36 | "cloudwatch:PutMetricAlarm", 37 | "datapipeline:ActivatePipeline", 38 | "datapipeline:CreatePipeline", 39 | "datapipeline:DeletePipeline", 40 | "datapipeline:DescribeObjects", 41 | "datapipeline:DescribePipelines", 42 | "datapipeline:GetPipelineDefinition", 43 | "datapipeline:ListPipelines", 44 | "datapipeline:PutPipelineDefinition", 45 | 
"datapipeline:QueryObjects", 46 | "ec2:DescribeVpcs", 47 | "ec2:DescribeSubnets", 48 | "ec2:DescribeSecurityGroups", 49 | "iam:GetRole", 50 | "iam:ListRoles", 51 | "sns:CreateTopic", 52 | "sns:DeleteTopic", 53 | "sns:ListSubscriptions", 54 | "sns:ListSubscriptionsByTopic", 55 | "sns:ListTopics", 56 | "sns:Subscribe", 57 | "sns:Unsubscribe", 58 | "sns:SetTopicAttributes", 59 | "lambda:CreateFunction", 60 | "lambda:ListFunctions", 61 | "lambda:ListEventSourceMappings", 62 | "lambda:CreateEventSourceMapping", 63 | "lambda:DeleteEventSourceMapping", 64 | "lambda:GetFunctionConfiguration", 65 | "lambda:DeleteFunction", 66 | "resource-groups:ListGroups", 67 | "resource-groups:ListGroupResources", 68 | "resource-groups:GetGroup", 69 | "resource-groups:GetGroupQuery", 70 | "resource-groups:DeleteGroup", 71 | "resource-groups:CreateGroup", 72 | "tag:GetResources" 73 | ], 74 | "Effect": "Allow", 75 | "Resource": "*" 76 | }, 77 | { 78 | "Action": [ 79 | "iam:PassRole" 80 | ], 81 | "Effect": "Allow", 82 | "Resource": "*", 83 | "Condition": { 84 | "StringLike": { 85 | "iam:PassedToService": [ 86 | "application-autoscaling.amazonaws.com", 87 | "dax.amazonaws.com" 88 | ] 89 | } 90 | } 91 | }, 92 | { 93 | "Effect": "Allow", 94 | "Action": [ 95 | "iam:CreateServiceLinkedRole" 96 | ], 97 | "Resource": "*", 98 | "Condition": { 99 | "StringEquals": { 100 | "iam:AWSServiceName": [ 101 | "replication.dynamodb.amazonaws.com", 102 | "dax.amazonaws.com", 103 | "dynamodb.application-autoscaling.amazonaws.com" 104 | ] 105 | } 106 | } 107 | }, 108 | { 109 | "Effect": "Allow", 110 | "Action": [ 111 | "cognito-identity:*", 112 | "cognito-idp:*", 113 | "cognito-sync:*", 114 | "iam:ListRoles", 115 | "iam:ListOpenIdConnectProviders", 116 | "sns:ListPlatformApplications" 117 | ], 118 | "Resource": "*" 119 | }, 120 | { 121 | "Effect": "Allow", 122 | "Action": "iam:CreateServiceLinkedRole", 123 | "Resource": "*", 124 | "Condition": { 125 | "StringEquals": { 126 | "iam:AWSServiceName": 
"email.cognito-idp.amazonaws.com" 127 | } 128 | } 129 | }, 130 | { 131 | "Effect": "Allow", 132 | "Action": [ 133 | "iam:DeleteServiceLinkedRole", 134 | "iam:GetServiceLinkedRoleDeletionStatus" 135 | ], 136 | "Resource": "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*" 137 | } 138 | ] 139 | } 140 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/policies/delete-user-lambda-role-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": "logs:CreateLogGroup", 7 | "Resource": "*" 8 | }, 9 | { 10 | "Effect": "Allow", 11 | "Action": [ 12 | "logs:CreateLogStream", 13 | "logs:PutLogEvents" 14 | ], 15 | "Resource": [ 16 | "*" 17 | ] 18 | }, 19 | { 20 | "Action": [ 21 | "dynamodb:*", 22 | "dax:*", 23 | "application-autoscaling:DeleteScalingPolicy", 24 | "application-autoscaling:DeregisterScalableTarget", 25 | "application-autoscaling:DescribeScalableTargets", 26 | "application-autoscaling:DescribeScalingActivities", 27 | "application-autoscaling:DescribeScalingPolicies", 28 | "application-autoscaling:PutScalingPolicy", 29 | "application-autoscaling:RegisterScalableTarget", 30 | "cloudwatch:DeleteAlarms", 31 | "cloudwatch:DescribeAlarmHistory", 32 | "cloudwatch:DescribeAlarms", 33 | "cloudwatch:DescribeAlarmsForMetric", 34 | "cloudwatch:GetMetricStatistics", 35 | "cloudwatch:ListMetrics", 36 | "cloudwatch:PutMetricAlarm", 37 | "datapipeline:ActivatePipeline", 38 | "datapipeline:CreatePipeline", 39 | "datapipeline:DeletePipeline", 40 | "datapipeline:DescribeObjects", 41 | "datapipeline:DescribePipelines", 42 | "datapipeline:GetPipelineDefinition", 43 | "datapipeline:ListPipelines", 44 | "datapipeline:PutPipelineDefinition", 45 | "datapipeline:QueryObjects", 46 | "ec2:DescribeVpcs", 47 | "ec2:DescribeSubnets", 
48 | "ec2:DescribeSecurityGroups", 49 | "iam:GetRole", 50 | "iam:ListRoles", 51 | "sns:CreateTopic", 52 | "sns:DeleteTopic", 53 | "sns:ListSubscriptions", 54 | "sns:ListSubscriptionsByTopic", 55 | "sns:ListTopics", 56 | "sns:Subscribe", 57 | "sns:Unsubscribe", 58 | "sns:SetTopicAttributes", 59 | "lambda:CreateFunction", 60 | "lambda:ListFunctions", 61 | "lambda:ListEventSourceMappings", 62 | "lambda:CreateEventSourceMapping", 63 | "lambda:DeleteEventSourceMapping", 64 | "lambda:GetFunctionConfiguration", 65 | "lambda:DeleteFunction", 66 | "resource-groups:ListGroups", 67 | "resource-groups:ListGroupResources", 68 | "resource-groups:GetGroup", 69 | "resource-groups:GetGroupQuery", 70 | "resource-groups:DeleteGroup", 71 | "resource-groups:CreateGroup", 72 | "tag:GetResources" 73 | ], 74 | "Effect": "Allow", 75 | "Resource": "*" 76 | }, 77 | { 78 | "Action": [ 79 | "iam:PassRole" 80 | ], 81 | "Effect": "Allow", 82 | "Resource": "*", 83 | "Condition": { 84 | "StringLike": { 85 | "iam:PassedToService": [ 86 | "application-autoscaling.amazonaws.com", 87 | "dax.amazonaws.com" 88 | ] 89 | } 90 | } 91 | }, 92 | { 93 | "Effect": "Allow", 94 | "Action": [ 95 | "iam:CreateServiceLinkedRole" 96 | ], 97 | "Resource": "*", 98 | "Condition": { 99 | "StringEquals": { 100 | "iam:AWSServiceName": [ 101 | "replication.dynamodb.amazonaws.com", 102 | "dax.amazonaws.com", 103 | "dynamodb.application-autoscaling.amazonaws.com" 104 | ] 105 | } 106 | } 107 | }, 108 | { 109 | "Effect": "Allow", 110 | "Action": [ 111 | "cognito-identity:*", 112 | "cognito-idp:*", 113 | "cognito-sync:*", 114 | "iam:ListRoles", 115 | "iam:ListOpenIdConnectProviders", 116 | "sns:ListPlatformApplications" 117 | ], 118 | "Resource": "*" 119 | }, 120 | { 121 | "Effect": "Allow", 122 | "Action": "iam:CreateServiceLinkedRole", 123 | "Resource": "*", 124 | "Condition": { 125 | "StringEquals": { 126 | "iam:AWSServiceName": "email.cognito-idp.amazonaws.com" 127 | } 128 | } 129 | }, 130 | { 131 | "Effect": "Allow", 132 | 
"Action": [ 133 | "iam:DeleteServiceLinkedRole", 134 | "iam:GetServiceLinkedRoleDeletionStatus" 135 | ], 136 | "Resource": "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*" 137 | } 138 | ] 139 | } 140 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/policies/lambda-assume-role-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Action": "sts:AssumeRole", 6 | "Principal": { 7 | "Service": "lambda.amazonaws.com" 8 | }, 9 | "Effect": "Allow", 10 | "Sid": "" 11 | } 12 | ] 13 | } -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/policies/mfa-verify-lambda-role-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": "logs:CreateLogGroup", 7 | "Resource": "*" 8 | }, 9 | { 10 | "Effect": "Allow", 11 | "Action": [ 12 | "logs:CreateLogStream", 13 | "logs:PutLogEvents" 14 | ], 15 | "Resource": [ 16 | "*" 17 | ] 18 | }, 19 | { 20 | "Action": [ 21 | "dynamodb:*", 22 | "dax:*", 23 | "application-autoscaling:DeleteScalingPolicy", 24 | "application-autoscaling:DeregisterScalableTarget", 25 | "application-autoscaling:DescribeScalableTargets", 26 | "application-autoscaling:DescribeScalingActivities", 27 | "application-autoscaling:DescribeScalingPolicies", 28 | "application-autoscaling:PutScalingPolicy", 29 | "application-autoscaling:RegisterScalableTarget", 30 | "cloudwatch:DeleteAlarms", 31 | "cloudwatch:DescribeAlarmHistory", 32 | "cloudwatch:DescribeAlarms", 33 | "cloudwatch:DescribeAlarmsForMetric", 34 | "cloudwatch:GetMetricStatistics", 35 | "cloudwatch:ListMetrics", 36 | "cloudwatch:PutMetricAlarm", 37 | 
"datapipeline:ActivatePipeline", 38 | "datapipeline:CreatePipeline", 39 | "datapipeline:DeletePipeline", 40 | "datapipeline:DescribeObjects", 41 | "datapipeline:DescribePipelines", 42 | "datapipeline:GetPipelineDefinition", 43 | "datapipeline:ListPipelines", 44 | "datapipeline:PutPipelineDefinition", 45 | "datapipeline:QueryObjects", 46 | "ec2:DescribeVpcs", 47 | "ec2:DescribeSubnets", 48 | "ec2:DescribeSecurityGroups", 49 | "iam:GetRole", 50 | "iam:ListRoles", 51 | "sns:CreateTopic", 52 | "sns:DeleteTopic", 53 | "sns:ListSubscriptions", 54 | "sns:ListSubscriptionsByTopic", 55 | "sns:ListTopics", 56 | "sns:Subscribe", 57 | "sns:Unsubscribe", 58 | "sns:SetTopicAttributes", 59 | "lambda:CreateFunction", 60 | "lambda:ListFunctions", 61 | "lambda:ListEventSourceMappings", 62 | "lambda:CreateEventSourceMapping", 63 | "lambda:DeleteEventSourceMapping", 64 | "lambda:GetFunctionConfiguration", 65 | "lambda:DeleteFunction", 66 | "resource-groups:ListGroups", 67 | "resource-groups:ListGroupResources", 68 | "resource-groups:GetGroup", 69 | "resource-groups:GetGroupQuery", 70 | "resource-groups:DeleteGroup", 71 | "resource-groups:CreateGroup", 72 | "tag:GetResources" 73 | ], 74 | "Effect": "Allow", 75 | "Resource": "*" 76 | }, 77 | { 78 | "Action": [ 79 | "iam:PassRole" 80 | ], 81 | "Effect": "Allow", 82 | "Resource": "*", 83 | "Condition": { 84 | "StringLike": { 85 | "iam:PassedToService": [ 86 | "application-autoscaling.amazonaws.com", 87 | "dax.amazonaws.com" 88 | ] 89 | } 90 | } 91 | }, 92 | { 93 | "Effect": "Allow", 94 | "Action": [ 95 | "iam:CreateServiceLinkedRole" 96 | ], 97 | "Resource": "*", 98 | "Condition": { 99 | "StringEquals": { 100 | "iam:AWSServiceName": [ 101 | "replication.dynamodb.amazonaws.com", 102 | "dax.amazonaws.com", 103 | "dynamodb.application-autoscaling.amazonaws.com" 104 | ] 105 | } 106 | } 107 | }, 108 | { 109 | "Effect": "Allow", 110 | "Action": [ 111 | "cognito-identity:*", 112 | "cognito-idp:*", 113 | "cognito-sync:*", 114 | "iam:ListRoles", 
115 | "iam:ListOpenIdConnectProviders", 116 | "sns:ListPlatformApplications" 117 | ], 118 | "Resource": "*" 119 | }, 120 | { 121 | "Effect": "Allow", 122 | "Action": "iam:CreateServiceLinkedRole", 123 | "Resource": "*", 124 | "Condition": { 125 | "StringEquals": { 126 | "iam:AWSServiceName": "email.cognito-idp.amazonaws.com" 127 | } 128 | } 129 | }, 130 | { 131 | "Effect": "Allow", 132 | "Action": [ 133 | "iam:DeleteServiceLinkedRole", 134 | "iam:GetServiceLinkedRoleDeletionStatus" 135 | ], 136 | "Resource": "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*" 137 | } 138 | ] 139 | } 140 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/policies/refresh-token-lambda-role-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": "logs:CreateLogGroup", 7 | "Resource": "*" 8 | }, 9 | { 10 | "Effect": "Allow", 11 | "Action": [ 12 | "logs:CreateLogStream", 13 | "logs:PutLogEvents" 14 | ], 15 | "Resource": [ 16 | "*" 17 | ] 18 | }, 19 | { 20 | "Action": [ 21 | "dynamodb:*", 22 | "dax:*", 23 | "application-autoscaling:DeleteScalingPolicy", 24 | "application-autoscaling:DeregisterScalableTarget", 25 | "application-autoscaling:DescribeScalableTargets", 26 | "application-autoscaling:DescribeScalingActivities", 27 | "application-autoscaling:DescribeScalingPolicies", 28 | "application-autoscaling:PutScalingPolicy", 29 | "application-autoscaling:RegisterScalableTarget", 30 | "cloudwatch:DeleteAlarms", 31 | "cloudwatch:DescribeAlarmHistory", 32 | "cloudwatch:DescribeAlarms", 33 | "cloudwatch:DescribeAlarmsForMetric", 34 | "cloudwatch:GetMetricStatistics", 35 | "cloudwatch:ListMetrics", 36 | "cloudwatch:PutMetricAlarm", 37 | "datapipeline:ActivatePipeline", 38 | "datapipeline:CreatePipeline", 39 | 
"datapipeline:DeletePipeline", 40 | "datapipeline:DescribeObjects", 41 | "datapipeline:DescribePipelines", 42 | "datapipeline:GetPipelineDefinition", 43 | "datapipeline:ListPipelines", 44 | "datapipeline:PutPipelineDefinition", 45 | "datapipeline:QueryObjects", 46 | "ec2:DescribeVpcs", 47 | "ec2:DescribeSubnets", 48 | "ec2:DescribeSecurityGroups", 49 | "iam:GetRole", 50 | "iam:ListRoles", 51 | "sns:CreateTopic", 52 | "sns:DeleteTopic", 53 | "sns:ListSubscriptions", 54 | "sns:ListSubscriptionsByTopic", 55 | "sns:ListTopics", 56 | "sns:Subscribe", 57 | "sns:Unsubscribe", 58 | "sns:SetTopicAttributes", 59 | "lambda:CreateFunction", 60 | "lambda:ListFunctions", 61 | "lambda:ListEventSourceMappings", 62 | "lambda:CreateEventSourceMapping", 63 | "lambda:DeleteEventSourceMapping", 64 | "lambda:GetFunctionConfiguration", 65 | "lambda:DeleteFunction", 66 | "resource-groups:ListGroups", 67 | "resource-groups:ListGroupResources", 68 | "resource-groups:GetGroup", 69 | "resource-groups:GetGroupQuery", 70 | "resource-groups:DeleteGroup", 71 | "resource-groups:CreateGroup", 72 | "tag:GetResources" 73 | ], 74 | "Effect": "Allow", 75 | "Resource": "*" 76 | }, 77 | { 78 | "Action": [ 79 | "iam:PassRole" 80 | ], 81 | "Effect": "Allow", 82 | "Resource": "*", 83 | "Condition": { 84 | "StringLike": { 85 | "iam:PassedToService": [ 86 | "application-autoscaling.amazonaws.com", 87 | "dax.amazonaws.com" 88 | ] 89 | } 90 | } 91 | }, 92 | { 93 | "Effect": "Allow", 94 | "Action": [ 95 | "iam:CreateServiceLinkedRole" 96 | ], 97 | "Resource": "*", 98 | "Condition": { 99 | "StringEquals": { 100 | "iam:AWSServiceName": [ 101 | "replication.dynamodb.amazonaws.com", 102 | "dax.amazonaws.com", 103 | "dynamodb.application-autoscaling.amazonaws.com" 104 | ] 105 | } 106 | } 107 | }, 108 | { 109 | "Effect": "Allow", 110 | "Action": [ 111 | "cognito-identity:*", 112 | "cognito-idp:*", 113 | "cognito-sync:*", 114 | "iam:ListRoles", 115 | "iam:ListOpenIdConnectProviders", 116 | 
"sns:ListPlatformApplications" 117 | ], 118 | "Resource": "*" 119 | }, 120 | { 121 | "Effect": "Allow", 122 | "Action": "iam:CreateServiceLinkedRole", 123 | "Resource": "*", 124 | "Condition": { 125 | "StringEquals": { 126 | "iam:AWSServiceName": "email.cognito-idp.amazonaws.com" 127 | } 128 | } 129 | }, 130 | { 131 | "Effect": "Allow", 132 | "Action": [ 133 | "iam:DeleteServiceLinkedRole", 134 | "iam:GetServiceLinkedRoleDeletionStatus" 135 | ], 136 | "Resource": "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*" 137 | } 138 | ] 139 | } 140 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/policies/resend-confirmation-code-lambda-role-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": [ 7 | "logs:CreateLogGroup", 8 | "logs:CreateLogStream", 9 | "logs:PutLogEvents" 10 | ], 11 | "Resource": "arn:aws:logs:*:*:*" 12 | }, 13 | { 14 | "Action": [ 15 | "application-autoscaling:DescribeScalableTargets", 16 | "application-autoscaling:DescribeScalingActivities", 17 | "application-autoscaling:DescribeScalingPolicies", 18 | "cloudwatch:DescribeAlarmHistory", 19 | "cloudwatch:DescribeAlarms", 20 | "cloudwatch:DescribeAlarmsForMetric", 21 | "cloudwatch:GetMetricStatistics", 22 | "cloudwatch:ListMetrics", 23 | "datapipeline:DescribeObjects", 24 | "datapipeline:DescribePipelines", 25 | "datapipeline:GetPipelineDefinition", 26 | "datapipeline:ListPipelines", 27 | "datapipeline:QueryObjects", 28 | "dynamodb:BatchGetItem", 29 | "dynamodb:Describe*", 30 | "dynamodb:List*", 31 | "dynamodb:GetItem", 32 | "dynamodb:Query", 33 | "dynamodb:Scan", 34 | "dax:Describe*", 35 | "dax:List*", 36 | "dax:GetItem", 37 | "dax:BatchGetItem", 38 | "dax:Query", 39 | "dax:Scan", 40 | "ec2:DescribeVpcs", 41 | "ec2:DescribeSubnets", 42 
| "ec2:DescribeSecurityGroups", 43 | "iam:GetRole", 44 | "iam:ListRoles", 45 | "sns:ListSubscriptionsByTopic", 46 | "sns:ListTopics", 47 | "lambda:ListFunctions", 48 | "lambda:ListEventSourceMappings", 49 | "lambda:GetFunctionConfiguration", 50 | "resource-groups:ListGroups", 51 | "resource-groups:ListGroupResources", 52 | "resource-groups:GetGroup", 53 | "resource-groups:GetGroupQuery", 54 | "tag:GetResources" 55 | ], 56 | "Effect": "Allow", 57 | "Resource": "*" 58 | }, 59 | { 60 | "Effect": "Allow", 61 | "Action": [ 62 | "cognito-identity:*", 63 | "cognito-idp:*", 64 | "cognito-sync:*", 65 | "iam:ListRoles", 66 | "iam:ListOpenIdConnectProviders", 67 | "sns:ListPlatformApplications" 68 | ], 69 | "Resource": "*" 70 | }, 71 | { 72 | "Effect": "Allow", 73 | "Action": "iam:CreateServiceLinkedRole", 74 | "Resource": "*", 75 | "Condition": { 76 | "StringEquals": { 77 | "iam:AWSServiceName": "email.cognito-idp.amazonaws.com" 78 | } 79 | } 80 | }, 81 | { 82 | "Effect": "Allow", 83 | "Action": [ 84 | "iam:DeleteServiceLinkedRole", 85 | "iam:GetServiceLinkedRoleDeletionStatus" 86 | ], 87 | "Resource": "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*" 88 | } 89 | ] 90 | } 91 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/policies/resend-mfa-lambda-role-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": "logs:CreateLogGroup", 7 | "Resource": "*" 8 | }, 9 | { 10 | "Effect": "Allow", 11 | "Action": [ 12 | "logs:CreateLogStream", 13 | "logs:PutLogEvents" 14 | ], 15 | "Resource": [ 16 | "*" 17 | ] 18 | }, 19 | { 20 | "Effect": "Allow", 21 | "Action": [ 22 | "ses:*" 23 | ], 24 | "Resource": "*" 25 | }, 26 | { 27 | "Action": [ 28 | "dynamodb:*", 29 | "dax:*", 30 | 
"application-autoscaling:DeleteScalingPolicy", 31 | "application-autoscaling:DeregisterScalableTarget", 32 | "application-autoscaling:DescribeScalableTargets", 33 | "application-autoscaling:DescribeScalingActivities", 34 | "application-autoscaling:DescribeScalingPolicies", 35 | "application-autoscaling:PutScalingPolicy", 36 | "application-autoscaling:RegisterScalableTarget", 37 | "cloudwatch:DeleteAlarms", 38 | "cloudwatch:DescribeAlarmHistory", 39 | "cloudwatch:DescribeAlarms", 40 | "cloudwatch:DescribeAlarmsForMetric", 41 | "cloudwatch:GetMetricStatistics", 42 | "cloudwatch:ListMetrics", 43 | "cloudwatch:PutMetricAlarm", 44 | "datapipeline:ActivatePipeline", 45 | "datapipeline:CreatePipeline", 46 | "datapipeline:DeletePipeline", 47 | "datapipeline:DescribeObjects", 48 | "datapipeline:DescribePipelines", 49 | "datapipeline:GetPipelineDefinition", 50 | "datapipeline:ListPipelines", 51 | "datapipeline:PutPipelineDefinition", 52 | "datapipeline:QueryObjects", 53 | "ec2:DescribeVpcs", 54 | "ec2:DescribeSubnets", 55 | "ec2:DescribeSecurityGroups", 56 | "iam:GetRole", 57 | "iam:ListRoles", 58 | "sns:CreateTopic", 59 | "sns:DeleteTopic", 60 | "sns:ListSubscriptions", 61 | "sns:ListSubscriptionsByTopic", 62 | "sns:ListTopics", 63 | "sns:Subscribe", 64 | "sns:Unsubscribe", 65 | "sns:SetTopicAttributes", 66 | "lambda:CreateFunction", 67 | "lambda:ListFunctions", 68 | "lambda:ListEventSourceMappings", 69 | "lambda:CreateEventSourceMapping", 70 | "lambda:DeleteEventSourceMapping", 71 | "lambda:GetFunctionConfiguration", 72 | "lambda:DeleteFunction", 73 | "resource-groups:ListGroups", 74 | "resource-groups:ListGroupResources", 75 | "resource-groups:GetGroup", 76 | "resource-groups:GetGroupQuery", 77 | "resource-groups:DeleteGroup", 78 | "resource-groups:CreateGroup", 79 | "tag:GetResources" 80 | ], 81 | "Effect": "Allow", 82 | "Resource": "*" 83 | }, 84 | { 85 | "Action": [ 86 | "iam:PassRole" 87 | ], 88 | "Effect": "Allow", 89 | "Resource": "*", 90 | "Condition": { 91 | 
"StringLike": { 92 | "iam:PassedToService": [ 93 | "application-autoscaling.amazonaws.com", 94 | "dax.amazonaws.com" 95 | ] 96 | } 97 | } 98 | }, 99 | { 100 | "Effect": "Allow", 101 | "Action": [ 102 | "iam:CreateServiceLinkedRole" 103 | ], 104 | "Resource": "*", 105 | "Condition": { 106 | "StringEquals": { 107 | "iam:AWSServiceName": [ 108 | "replication.dynamodb.amazonaws.com", 109 | "dax.amazonaws.com", 110 | "dynamodb.application-autoscaling.amazonaws.com" 111 | ] 112 | } 113 | } 114 | }, 115 | { 116 | "Effect": "Allow", 117 | "Action": "cognito-idp:AdminGetUser", 118 | "Resource": "*" 119 | }, 120 | { 121 | "Effect": "Allow", 122 | "Action": "s3:*", 123 | "Resource": "*" 124 | } 125 | ] 126 | } 127 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/policies/user-login-lambda-role-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": "logs:CreateLogGroup", 7 | "Resource": "*" 8 | }, 9 | { 10 | "Effect": "Allow", 11 | "Action": [ 12 | "logs:CreateLogStream", 13 | "logs:PutLogEvents" 14 | ], 15 | "Resource": [ 16 | "*" 17 | ] 18 | }, 19 | { 20 | "Action": [ 21 | "dynamodb:*", 22 | "dax:*", 23 | "application-autoscaling:DeleteScalingPolicy", 24 | "application-autoscaling:DeregisterScalableTarget", 25 | "application-autoscaling:DescribeScalableTargets", 26 | "application-autoscaling:DescribeScalingActivities", 27 | "application-autoscaling:DescribeScalingPolicies", 28 | "application-autoscaling:PutScalingPolicy", 29 | "application-autoscaling:RegisterScalableTarget", 30 | "cloudwatch:DeleteAlarms", 31 | "cloudwatch:DescribeAlarmHistory", 32 | "cloudwatch:DescribeAlarms", 33 | "cloudwatch:DescribeAlarmsForMetric", 34 | "cloudwatch:GetMetricStatistics", 35 | "cloudwatch:ListMetrics", 36 | "cloudwatch:PutMetricAlarm", 37 | "datapipeline:ActivatePipeline", 38 | 
"datapipeline:CreatePipeline", 39 | "datapipeline:DeletePipeline", 40 | "datapipeline:DescribeObjects", 41 | "datapipeline:DescribePipelines", 42 | "datapipeline:GetPipelineDefinition", 43 | "datapipeline:ListPipelines", 44 | "datapipeline:PutPipelineDefinition", 45 | "datapipeline:QueryObjects", 46 | "ec2:DescribeVpcs", 47 | "ec2:DescribeSubnets", 48 | "ec2:DescribeSecurityGroups", 49 | "iam:GetRole", 50 | "iam:ListRoles", 51 | "sns:CreateTopic", 52 | "sns:DeleteTopic", 53 | "sns:ListSubscriptions", 54 | "sns:ListSubscriptionsByTopic", 55 | "sns:ListTopics", 56 | "sns:Subscribe", 57 | "sns:Unsubscribe", 58 | "sns:SetTopicAttributes", 59 | "lambda:CreateFunction", 60 | "lambda:ListFunctions", 61 | "lambda:ListEventSourceMappings", 62 | "lambda:CreateEventSourceMapping", 63 | "lambda:DeleteEventSourceMapping", 64 | "lambda:GetFunctionConfiguration", 65 | "lambda:DeleteFunction", 66 | "resource-groups:ListGroups", 67 | "resource-groups:ListGroupResources", 68 | "resource-groups:GetGroup", 69 | "resource-groups:GetGroupQuery", 70 | "resource-groups:DeleteGroup", 71 | "resource-groups:CreateGroup", 72 | "tag:GetResources" 73 | ], 74 | "Effect": "Allow", 75 | "Resource": "*" 76 | }, 77 | { 78 | "Action": [ 79 | "iam:PassRole" 80 | ], 81 | "Effect": "Allow", 82 | "Resource": "*", 83 | "Condition": { 84 | "StringLike": { 85 | "iam:PassedToService": [ 86 | "application-autoscaling.amazonaws.com", 87 | "dax.amazonaws.com" 88 | ] 89 | } 90 | } 91 | }, 92 | { 93 | "Effect": "Allow", 94 | "Action": [ 95 | "iam:CreateServiceLinkedRole" 96 | ], 97 | "Resource": "*", 98 | "Condition": { 99 | "StringEquals": { 100 | "iam:AWSServiceName": [ 101 | "replication.dynamodb.amazonaws.com", 102 | "dax.amazonaws.com", 103 | "dynamodb.application-autoscaling.amazonaws.com" 104 | ] 105 | } 106 | } 107 | }, 108 | { 109 | "Effect": "Allow", 110 | "Action": [ 111 | "cognito-identity:*", 112 | "cognito-idp:*", 113 | "cognito-sync:*", 114 | "iam:ListRoles", 115 | "iam:ListOpenIdConnectProviders", 
116 | "sns:ListPlatformApplications" 117 | ], 118 | "Resource": "*" 119 | }, 120 | { 121 | "Effect": "Allow", 122 | "Action": "iam:CreateServiceLinkedRole", 123 | "Resource": "*", 124 | "Condition": { 125 | "StringEquals": { 126 | "iam:AWSServiceName": "email.cognito-idp.amazonaws.com" 127 | } 128 | } 129 | }, 130 | { 131 | "Effect": "Allow", 132 | "Action": [ 133 | "iam:DeleteServiceLinkedRole", 134 | "iam:GetServiceLinkedRoleDeletionStatus" 135 | ], 136 | "Resource": "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*" 137 | } 138 | ] 139 | } 140 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/policies/user-logout-lambda-role-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": "logs:CreateLogGroup", 7 | "Resource": "*" 8 | }, 9 | { 10 | "Effect": "Allow", 11 | "Action": [ 12 | "logs:CreateLogStream", 13 | "logs:PutLogEvents" 14 | ], 15 | "Resource": [ 16 | "*" 17 | ] 18 | }, 19 | { 20 | "Action": [ 21 | "dynamodb:*", 22 | "dax:*", 23 | "application-autoscaling:DeleteScalingPolicy", 24 | "application-autoscaling:DeregisterScalableTarget", 25 | "application-autoscaling:DescribeScalableTargets", 26 | "application-autoscaling:DescribeScalingActivities", 27 | "application-autoscaling:DescribeScalingPolicies", 28 | "application-autoscaling:PutScalingPolicy", 29 | "application-autoscaling:RegisterScalableTarget", 30 | "cloudwatch:DeleteAlarms", 31 | "cloudwatch:DescribeAlarmHistory", 32 | "cloudwatch:DescribeAlarms", 33 | "cloudwatch:DescribeAlarmsForMetric", 34 | "cloudwatch:GetMetricStatistics", 35 | "cloudwatch:ListMetrics", 36 | "cloudwatch:PutMetricAlarm", 37 | "datapipeline:ActivatePipeline", 38 | "datapipeline:CreatePipeline", 39 | "datapipeline:DeletePipeline", 40 | 
"datapipeline:DescribeObjects", 41 | "datapipeline:DescribePipelines", 42 | "datapipeline:GetPipelineDefinition", 43 | "datapipeline:ListPipelines", 44 | "datapipeline:PutPipelineDefinition", 45 | "datapipeline:QueryObjects", 46 | "ec2:DescribeVpcs", 47 | "ec2:DescribeSubnets", 48 | "ec2:DescribeSecurityGroups", 49 | "iam:GetRole", 50 | "iam:ListRoles", 51 | "sns:CreateTopic", 52 | "sns:DeleteTopic", 53 | "sns:ListSubscriptions", 54 | "sns:ListSubscriptionsByTopic", 55 | "sns:ListTopics", 56 | "sns:Subscribe", 57 | "sns:Unsubscribe", 58 | "sns:SetTopicAttributes", 59 | "lambda:CreateFunction", 60 | "lambda:ListFunctions", 61 | "lambda:ListEventSourceMappings", 62 | "lambda:CreateEventSourceMapping", 63 | "lambda:DeleteEventSourceMapping", 64 | "lambda:GetFunctionConfiguration", 65 | "lambda:DeleteFunction", 66 | "resource-groups:ListGroups", 67 | "resource-groups:ListGroupResources", 68 | "resource-groups:GetGroup", 69 | "resource-groups:GetGroupQuery", 70 | "resource-groups:DeleteGroup", 71 | "resource-groups:CreateGroup", 72 | "tag:GetResources" 73 | ], 74 | "Effect": "Allow", 75 | "Resource": "*" 76 | }, 77 | { 78 | "Action": [ 79 | "iam:PassRole" 80 | ], 81 | "Effect": "Allow", 82 | "Resource": "*", 83 | "Condition": { 84 | "StringLike": { 85 | "iam:PassedToService": [ 86 | "application-autoscaling.amazonaws.com", 87 | "dax.amazonaws.com" 88 | ] 89 | } 90 | } 91 | }, 92 | { 93 | "Effect": "Allow", 94 | "Action": [ 95 | "iam:CreateServiceLinkedRole" 96 | ], 97 | "Resource": "*", 98 | "Condition": { 99 | "StringEquals": { 100 | "iam:AWSServiceName": [ 101 | "replication.dynamodb.amazonaws.com", 102 | "dax.amazonaws.com", 103 | "dynamodb.application-autoscaling.amazonaws.com" 104 | ] 105 | } 106 | } 107 | }, 108 | { 109 | "Effect": "Allow", 110 | "Action": [ 111 | "cognito-identity:*", 112 | "cognito-idp:*", 113 | "cognito-sync:*", 114 | "iam:ListRoles", 115 | "iam:ListOpenIdConnectProviders", 116 | "sns:ListPlatformApplications" 117 | ], 118 | "Resource": "*" 119 
| }, 120 | { 121 | "Effect": "Allow", 122 | "Action": "iam:CreateServiceLinkedRole", 123 | "Resource": "*", 124 | "Condition": { 125 | "StringEquals": { 126 | "iam:AWSServiceName": "email.cognito-idp.amazonaws.com" 127 | } 128 | } 129 | }, 130 | { 131 | "Effect": "Allow", 132 | "Action": [ 133 | "iam:DeleteServiceLinkedRole", 134 | "iam:GetServiceLinkedRoleDeletionStatus" 135 | ], 136 | "Resource": "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*" 137 | } 138 | ] 139 | } 140 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/policies/userinfo-lambda-role-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": "logs:CreateLogGroup", 7 | "Resource": "*" 8 | }, 9 | { 10 | "Effect": "Allow", 11 | "Action": [ 12 | "logs:CreateLogStream", 13 | "logs:PutLogEvents" 14 | ], 15 | "Resource": [ 16 | "*" 17 | ] 18 | }, 19 | { 20 | "Action": [ 21 | "dynamodb:*", 22 | "dax:*", 23 | "application-autoscaling:DeleteScalingPolicy", 24 | "application-autoscaling:DeregisterScalableTarget", 25 | "application-autoscaling:DescribeScalableTargets", 26 | "application-autoscaling:DescribeScalingActivities", 27 | "application-autoscaling:DescribeScalingPolicies", 28 | "application-autoscaling:PutScalingPolicy", 29 | "application-autoscaling:RegisterScalableTarget", 30 | "cloudwatch:DeleteAlarms", 31 | "cloudwatch:DescribeAlarmHistory", 32 | "cloudwatch:DescribeAlarms", 33 | "cloudwatch:DescribeAlarmsForMetric", 34 | "cloudwatch:GetMetricStatistics", 35 | "cloudwatch:ListMetrics", 36 | "cloudwatch:PutMetricAlarm", 37 | "datapipeline:ActivatePipeline", 38 | "datapipeline:CreatePipeline", 39 | "datapipeline:DeletePipeline", 40 | "datapipeline:DescribeObjects", 41 | "datapipeline:DescribePipelines", 42 | 
"datapipeline:GetPipelineDefinition", 43 | "datapipeline:ListPipelines", 44 | "datapipeline:PutPipelineDefinition", 45 | "datapipeline:QueryObjects", 46 | "ec2:DescribeVpcs", 47 | "ec2:DescribeSubnets", 48 | "ec2:DescribeSecurityGroups", 49 | "iam:GetRole", 50 | "iam:ListRoles", 51 | "sns:CreateTopic", 52 | "sns:DeleteTopic", 53 | "sns:ListSubscriptions", 54 | "sns:ListSubscriptionsByTopic", 55 | "sns:ListTopics", 56 | "sns:Subscribe", 57 | "sns:Unsubscribe", 58 | "sns:SetTopicAttributes", 59 | "lambda:CreateFunction", 60 | "lambda:ListFunctions", 61 | "lambda:ListEventSourceMappings", 62 | "lambda:CreateEventSourceMapping", 63 | "lambda:DeleteEventSourceMapping", 64 | "lambda:GetFunctionConfiguration", 65 | "lambda:DeleteFunction", 66 | "resource-groups:ListGroups", 67 | "resource-groups:ListGroupResources", 68 | "resource-groups:GetGroup", 69 | "resource-groups:GetGroupQuery", 70 | "resource-groups:DeleteGroup", 71 | "resource-groups:CreateGroup", 72 | "tag:GetResources" 73 | ], 74 | "Effect": "Allow", 75 | "Resource": "*" 76 | }, 77 | { 78 | "Action": [ 79 | "iam:PassRole" 80 | ], 81 | "Effect": "Allow", 82 | "Resource": "*", 83 | "Condition": { 84 | "StringLike": { 85 | "iam:PassedToService": [ 86 | "application-autoscaling.amazonaws.com", 87 | "dax.amazonaws.com" 88 | ] 89 | } 90 | } 91 | }, 92 | { 93 | "Effect": "Allow", 94 | "Action": [ 95 | "iam:CreateServiceLinkedRole" 96 | ], 97 | "Resource": "*", 98 | "Condition": { 99 | "StringEquals": { 100 | "iam:AWSServiceName": [ 101 | "replication.dynamodb.amazonaws.com", 102 | "dax.amazonaws.com", 103 | "dynamodb.application-autoscaling.amazonaws.com" 104 | ] 105 | } 106 | } 107 | }, 108 | { 109 | "Effect": "Allow", 110 | "Action": [ 111 | "cognito-identity:*", 112 | "cognito-idp:*", 113 | "cognito-sync:*", 114 | "iam:ListRoles", 115 | "iam:ListOpenIdConnectProviders", 116 | "sns:ListPlatformApplications" 117 | ], 118 | "Resource": "*" 119 | }, 120 | { 121 | "Effect": "Allow", 122 | "Action": 
"iam:CreateServiceLinkedRole", 123 | "Resource": "*", 124 | "Condition": { 125 | "StringEquals": { 126 | "iam:AWSServiceName": "email.cognito-idp.amazonaws.com" 127 | } 128 | } 129 | }, 130 | { 131 | "Effect": "Allow", 132 | "Action": [ 133 | "iam:DeleteServiceLinkedRole", 134 | "iam:GetServiceLinkedRoleDeletionStatus" 135 | ], 136 | "Resource": "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*" 137 | } 138 | ] 139 | } 140 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/provider.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = "~> 4.64.0" 6 | } 7 | } 8 | } 9 | 10 | provider "aws" { 11 | region = "eu-west-1" 12 | #shared_credentials_file = "~/.aws/credentials" 13 | profile = "cloudinit" 14 | } 15 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/refresh-token.tf: -------------------------------------------------------------------------------- 1 | module "refresh-token-lambda-role-policy" { 2 | source = "../../../modules/tf-iam-role-policy" 3 | role-policy-name = "${var.refresh-token-lambda-function-name}-role-policy" 4 | role-policy-json-file = "${local.auth_microservice_path}/policies/refresh-token-lambda-role-policy.json" 5 | role-name = module.refresh-token-lambda-role.iam-role-name 6 | } 7 | 8 | module "refresh-token-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = "${var.refresh-token-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data "archive_file" "refresh-token-zip" { 16 | type = "zip" 17 | excludes = ["lambda.zip"] 18 | source_dir = 
var.refresh-token-lambda-zip-src-path 19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.refresh-token-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource "aws_lambda_function" "refresh-token-lambda" { 23 | filename = join("", ["${local.auth_microservice_path}/", "${var.refresh-token-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.refresh-token-lambda-function-name 25 | handler = var.refresh-token-lambda-entrypoint 26 | role = module.refresh-token-lambda-role.iam-role-arn 27 | description = var.refresh-token-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn] 32 | 33 | environment { 34 | variables = { 35 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 36 | COGNITO_APP_CLIENT_ID = module.user-pool.user-pool-client-id 37 | } 38 | } 39 | 40 | source_code_hash = data.archive_file.refresh-token-zip.output_base64sha256 41 | } 42 | 43 | resource "aws_cloudwatch_log_group" "refresh-token-lambda-log-group" { 44 | name = "/aws/lambda/${var.refresh-token-lambda-function-name}" 45 | retention_in_days = "1" 46 | } 47 | 48 | module "refresh-token-lambda-endpoint" { 49 | source = "../../../modules/tf-api-gw-lambda-proxy" 50 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 51 | api-resource-path = aws_api_gateway_resource.refresh-token.path 52 | api-resource-id = aws_api_gateway_resource.refresh-token.id 53 | api-http-method = "POST" 54 | authorization-type = "NONE" 55 | authorizer-id = "" 56 | is-api-key-required = "true" 57 | lambda-function-name = aws_lambda_function.refresh-token-lambda.function_name 58 | lambda-function-arn = aws_lambda_function.refresh-token-lambda.arn 59 | } 60 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/resend-confirmation-code.tf: 
--------------------------------------------------------------------------------
# resend-confirmation-code: IAM role + execution policy, deployment package,
# and the Lambda function itself. The API Gateway endpoint for this function
# is declared further down in this file.

# Execution role assumed by the Lambda service
# (trust policy: policies/lambda-assume-role-policy.json, principal lambda.amazonaws.com).
module "resend-confirmation-code-lambda-role" {
  source = "../../../modules/tf-iam-role"

  iam-role-name               = "${var.resend-confirmation-code-lambda-function-name}-role"
  iam-role-path               = "/"
  iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json"
}

# Inline permissions attached to the role above.
# NOTE(review): policies/resend-confirmation-code-lambda-role-policy.json grants
# "cognito-identity:*", "cognito-idp:*" and "cognito-sync:*" on Resource "*",
# plus a broad DynamoDB/DAX/CloudWatch/DataPipeline read set. A function that
# only resends a confirmation code should need a single cognito-idp action
# scoped to this user pool's ARN; the wildcard grants are the blast radius if
# the handler or one of its layers is ever compromised — confirm which calls the
# handler actually makes before tightening.
module "resend-confirmation-code-lambda-role-policy" {
  source = "../../../modules/tf-iam-role-policy"

  role-policy-name      = "${var.resend-confirmation-code-lambda-function-name}-role-policy"
  role-policy-json-file = "${local.auth_microservice_path}/policies/resend-confirmation-code-lambda-role-policy.json"
  role-name             = module.resend-confirmation-code-lambda-role.iam-role-name
}

# Deployment package: zips the handler source tree at plan time. The previous
# build artifact is excluded so it is not packaged into itself.
data "archive_file" "resend-confirmation-code-zip" {
  type        = "zip"
  excludes    = ["lambda.zip"]
  source_dir  = var.resend-confirmation-code-lambda-zip-src-path
  output_path = "${local.auth_microservice_path}/${var.resend-confirmation-code-lambda-zip-src-path}/lambda.zip"
}

# The function. Sizing/runtime settings are shared across all auth lambdas via
# the auth-lambdas-* variables; the jsonschema layer provides request validation
# support for the handler.
resource "aws_lambda_function" "resend-confirmation-code-lambda" {
  function_name = var.resend-confirmation-code-lambda-function-name
  description   = var.resend-confirmation-code-lambda-function-desc
  role          = module.resend-confirmation-code-lambda-role.iam-role-arn

  filename         = "${local.auth_microservice_path}/${var.resend-confirmation-code-lambda-zip-src-path}/lambda.zip"
  # Redeploys whenever the packaged source changes.
  source_code_hash = data.archive_file.resend-confirmation-code-zip.output_base64sha256

  handler     = var.resend-confirmation-code-lambda-entrypoint
  runtime     = var.auth-lambdas-runtime
  memory_size = var.auth-lambdas-memory-size
  timeout     = var.auth-lambdas-timeout
  layers      = [aws_lambda_layer_version.jsonschema.arn]

  # Only the pool id is passed in; the handler is expected to resolve the rest
  # from the request. NOTE(review): the endpoint module below exposes this
  # function with authorization-type "NONE" and only an API key, so the
  # handler's own input validation and Cognito's rate limits are the only
  # controls on unauthenticated callers that hold the key.
  environment {
    variables = {
      COGNITO_USER_POOL_ID = module.user-pool.user-pool-id
    }
  }
}
41 | 42 | resource "aws_cloudwatch_log_group" "resend-confirmation-code-lambda-log-group" { 43 | name = "/aws/lambda/${var.resend-confirmation-code-lambda-function-name}" 44 | retention_in_days = "1" 45 | } 46 | 47 | module "resend-confirmation-code-lambda-endpoint" { 48 | source = "../../../modules/tf-api-gw-lambda-proxy" 49 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 50 | api-resource-path = aws_api_gateway_resource.resend-confirmation-code.path 51 | api-resource-id = aws_api_gateway_resource.resend-confirmation-code.id 52 | api-http-method = "POST" 53 | authorization-type = "NONE" 54 | authorizer-id = "" 55 | is-api-key-required = "true" 56 | lambda-function-name = aws_lambda_function.resend-confirmation-code-lambda.function_name 57 | lambda-function-arn = aws_lambda_function.resend-confirmation-code-lambda.arn 58 | } 59 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/resend-mfa.tf: -------------------------------------------------------------------------------- 1 | module "resend-mfa-lambda-role-policy" { 2 | source = "../../../modules/tf-iam-role-policy" 3 | role-policy-name = "${var.resend-mfa-lambda-function-name}-role-policy" 4 | role-policy-json-file = "${local.auth_microservice_path}/policies/resend-mfa-lambda-role-policy.json" 5 | role-name = module.resend-mfa-lambda-role.iam-role-name 6 | } 7 | 8 | module "resend-mfa-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = "${var.resend-mfa-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data "archive_file" "resend-mfa-zip" { 16 | type = "zip" 17 | excludes = ["lambda.zip"] 18 | source_dir = var.resend-mfa-lambda-zip-src-path 19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.resend-mfa-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource 
"aws_lambda_function" "resend-mfa-lambda" { 23 | filename = join("", ["${local.auth_microservice_path}/", "${var.resend-mfa-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.resend-mfa-lambda-function-name 25 | handler = var.resend-mfa-lambda-entrypoint 26 | role = module.resend-mfa-lambda-role.iam-role-arn 27 | description = var.resend-mfa-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn] 32 | 33 | environment { 34 | variables = { 35 | S3_BUCKET_MFA_BUCKET = "${module.auth-mfa.s3-id}" 36 | USERS_MFA_FOLDER = "${var.users-mfa-folder}" 37 | FROM_EMAIL = "${var.from-email}" 38 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 39 | } 40 | } 41 | 42 | source_code_hash = data.archive_file.resend-mfa-zip.output_base64sha256 43 | } 44 | 45 | resource "aws_cloudwatch_log_group" "resend-mfa-lambda-log-group" { 46 | name = "/aws/lambda/${var.resend-mfa-lambda-function-name}" 47 | retention_in_days = "1" 48 | } 49 | 50 | module "resend-mfa-lambda-endpoint" { 51 | source = "../../../modules/tf-api-gw-lambda-proxy" 52 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 53 | api-resource-path = aws_api_gateway_resource.resend-mfa.path 54 | api-resource-id = aws_api_gateway_resource.resend-mfa.id 55 | api-http-method = "POST" 56 | authorization-type = "NONE" 57 | authorizer-id = "" 58 | is-api-key-required = "true" 59 | lambda-function-name = aws_lambda_function.resend-mfa-lambda.function_name 60 | lambda-function-arn = aws_lambda_function.resend-mfa-lambda.arn 61 | } 62 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/reset-password.tf: -------------------------------------------------------------------------------- 1 | module "reset-password-lambda-role-policy" { 2 | source = "../../../modules/tf-iam-role-policy" 3 | role-policy-name = 
"${var.reset-password-lambda-function-name}-role-policy" 4 | role-policy-json-file = "${local.auth_microservice_path}/policies/reset-password-lambda-role-policy.json" 5 | role-name = module.reset-password-lambda-role.iam-role-name 6 | } 7 | 8 | module "reset-password-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = "${var.reset-password-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data "archive_file" "reset-password-zip" { 16 | type = "zip" 17 | excludes = ["lambda.zip"] 18 | source_dir = var.reset-password-lambda-zip-src-path 19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.reset-password-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource "aws_lambda_function" "reset-password-lambda" { 23 | filename = join("", ["${local.auth_microservice_path}/", "${var.reset-password-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.reset-password-lambda-function-name 25 | handler = var.reset-password-lambda-entrypoint 26 | role = module.reset-password-lambda-role.iam-role-arn 27 | description = var.reset-password-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn] 32 | 33 | environment { 34 | variables = { 35 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 36 | } 37 | } 38 | 39 | source_code_hash = data.archive_file.reset-password-zip.output_base64sha256 40 | } 41 | 42 | resource "aws_cloudwatch_log_group" "reset-password-lambda-log-group" { 43 | name = "/aws/lambda/${var.reset-password-lambda-function-name}" 44 | retention_in_days = "1" 45 | } 46 | 47 | module "reset-password-lambda-endpoint" { 48 | source = "../../../modules/tf-api-gw-lambda-proxy" 49 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 50 | 
api-resource-path = aws_api_gateway_resource.reset-password.path 51 | api-resource-id = aws_api_gateway_resource.reset-password.id 52 | api-http-method = "POST" 53 | authorization-type = "NONE" 54 | authorizer-id = "" 55 | is-api-key-required = "true" 56 | lambda-function-name = aws_lambda_function.reset-password-lambda.function_name 57 | lambda-function-arn = aws_lambda_function.reset-password-lambda.arn 58 | } 59 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/resources.tf: -------------------------------------------------------------------------------- 1 | # /resend-mfa 2 | resource "aws_api_gateway_resource" "resend-mfa" { 3 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 4 | parent_id = aws_api_gateway_rest_api.api-gw.root_resource_id 5 | path_part = "resend-mfa" 6 | } 7 | 8 | # /resend-confirmation-code 9 | resource "aws_api_gateway_resource" "resend-confirmation-code" { 10 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 11 | parent_id = aws_api_gateway_rest_api.api-gw.root_resource_id 12 | path_part = "resend-confirmation-code" 13 | } 14 | 15 | # /login 16 | resource "aws_api_gateway_resource" "login" { 17 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 18 | parent_id = aws_api_gateway_rest_api.api-gw.root_resource_id 19 | path_part = "login" 20 | } 21 | 22 | # /logout 23 | resource "aws_api_gateway_resource" "logout" { 24 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 25 | parent_id = aws_api_gateway_rest_api.api-gw.root_resource_id 26 | path_part = "logout" 27 | } 28 | 29 | # /mfa-verify 30 | resource "aws_api_gateway_resource" "mfa-verify" { 31 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 32 | parent_id = aws_api_gateway_rest_api.api-gw.root_resource_id 33 | path_part = "mfa-verify" 34 | } 35 | 36 | # /refresh-token 37 | resource "aws_api_gateway_resource" "refresh-token" { 38 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 39 | parent_id = 
aws_api_gateway_rest_api.api-gw.root_resource_id 40 | path_part = "refresh-token" 41 | } 42 | 43 | # /userinfo 44 | resource "aws_api_gateway_resource" "userinfo" { 45 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 46 | parent_id = aws_api_gateway_rest_api.api-gw.root_resource_id 47 | path_part = "userinfo" 48 | } 49 | 50 | # /forgot-password 51 | resource "aws_api_gateway_resource" "forgot-password" { 52 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 53 | parent_id = aws_api_gateway_rest_api.api-gw.root_resource_id 54 | path_part = "forgot-password" 55 | } 56 | 57 | 58 | # /users 59 | resource "aws_api_gateway_resource" "users" { 60 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 61 | parent_id = aws_api_gateway_rest_api.api-gw.root_resource_id 62 | path_part = "users" 63 | } 64 | 65 | # /users/{user_id} 66 | resource "aws_api_gateway_resource" "user-id" { 67 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 68 | parent_id = aws_api_gateway_resource.users.id 69 | path_part = "{user_id}" 70 | } 71 | 72 | # /users/{user_id}/confirm 73 | resource "aws_api_gateway_resource" "confirm" { 74 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 75 | parent_id = aws_api_gateway_resource.user-id.id 76 | path_part = "confirm" 77 | } 78 | 79 | # /users/{user_id}/confirm-mfa 80 | resource "aws_api_gateway_resource" "confirm-mfa" { 81 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 82 | parent_id = aws_api_gateway_resource.user-id.id 83 | path_part = "confirm-mfa" 84 | } 85 | 86 | # /users/{user_id}/change-password 87 | resource "aws_api_gateway_resource" "change-password" { 88 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 89 | parent_id = aws_api_gateway_resource.user-id.id 90 | path_part = "change-password" 91 | } 92 | 93 | # /users/{user_id}/reset-password 94 | resource "aws_api_gateway_resource" "reset-password" { 95 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 96 | parent_id = aws_api_gateway_resource.user-id.id 97 | path_part = "reset-password" 98 
| } 99 | 100 | # /users/{user_id}/confirm-password 101 | resource "aws_api_gateway_resource" "confirm-password" { 102 | rest_api_id = aws_api_gateway_rest_api.api-gw.id 103 | parent_id = aws_api_gateway_resource.user-id.id 104 | path_part = "confirm-password" 105 | } 106 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/s3.tf: -------------------------------------------------------------------------------- 1 | module "auth-mfa" { 2 | source = "../../../modules/tf-s3-encrypted" 3 | bucket-name = var.auth-mfa-bucket-name 4 | } 5 | 6 | resource "aws_s3_bucket_public_access_block" "auth-mfa-block-public-access" { 7 | bucket = module.auth-mfa.s3-id 8 | block_public_acls = true 9 | block_public_policy = true 10 | ignore_public_acls = true 11 | restrict_public_buckets = true 12 | } 13 | 14 | module "layers-packages" { 15 | source = "../../../modules/tf-s3-encrypted" 16 | bucket-name = var.layers-packages-bucket-name 17 | } 18 | 19 | resource "aws_s3_bucket_public_access_block" "layers-packages-block-public-access" { 20 | bucket = module.layers-packages.s3-id 21 | block_public_acls = true 22 | block_public_policy = true 23 | ignore_public_acls = true 24 | restrict_public_buckets = true 25 | } 26 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/user-login.tf: -------------------------------------------------------------------------------- 1 | module "user-login-lambda-role-policy" { 2 | source = "../../../modules/tf-iam-role-policy" 3 | role-policy-name = "${var.user-login-lambda-function-name}-role-policy" 4 | role-policy-json-file = "${local.auth_microservice_path}/policies/user-login-lambda-role-policy.json" 5 | role-name = module.user-login-lambda-role.iam-role-name 6 | } 7 | 8 | module "user-login-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = 
"${var.user-login-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data "archive_file" "user-login-zip" { 16 | type = "zip" 17 | excludes = ["lambda.zip"] 18 | source_dir = var.user-login-lambda-zip-src-path 19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.user-login-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource "aws_lambda_function" "user-login-lambda" { 23 | filename = join("", ["${local.auth_microservice_path}/", "${var.user-login-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.user-login-lambda-function-name 25 | handler = var.user-login-lambda-entrypoint 26 | role = module.user-login-lambda-role.iam-role-arn 27 | description = var.user-login-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn] 32 | 33 | environment { 34 | variables = { 35 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 36 | COGNITO_APP_CLIENT_ID = module.user-pool.user-pool-client-id 37 | } 38 | } 39 | 40 | source_code_hash = data.archive_file.user-login-zip.output_base64sha256 41 | } 42 | 43 | resource "aws_cloudwatch_log_group" "user-login-lambda-log-group" { 44 | name = "/aws/lambda/${var.user-login-lambda-function-name}" 45 | retention_in_days = "1" 46 | } 47 | 48 | module "user-login-lambda-endpoint" { 49 | source = "../../../modules/tf-api-gw-lambda-proxy" 50 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 51 | api-resource-path = aws_api_gateway_resource.login.path 52 | api-resource-id = aws_api_gateway_resource.login.id 53 | api-http-method = "POST" 54 | authorization-type = "NONE" 55 | authorizer-id = "" 56 | is-api-key-required = "true" 57 | lambda-function-name = aws_lambda_function.user-login-lambda.function_name 58 | lambda-function-arn = 
aws_lambda_function.user-login-lambda.arn 59 | } 60 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/user-logout.tf: -------------------------------------------------------------------------------- 1 | module "user-logout-lambda-role-policy" { 2 | source = "../../../modules/tf-iam-role-policy" 3 | role-policy-name = "${var.user-logout-lambda-function-name}-role-policy" 4 | role-policy-json-file = "${local.auth_microservice_path}/policies/user-logout-lambda-role-policy.json" 5 | role-name = module.user-logout-lambda-role.iam-role-name 6 | } 7 | 8 | module "user-logout-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = "${var.user-logout-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data "archive_file" "user-logout-zip" { 16 | type = "zip" 17 | excludes = ["lambda.zip"] 18 | source_dir = var.user-logout-lambda-zip-src-path 19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.user-logout-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource "aws_lambda_function" "user-logout-lambda" { 23 | filename = join("", ["${local.auth_microservice_path}/", "${var.user-logout-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.user-logout-lambda-function-name 25 | handler = var.user-logout-lambda-entrypoint 26 | role = module.user-logout-lambda-role.iam-role-arn 27 | description = var.user-logout-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn] 32 | 33 | environment { 34 | variables = { 35 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 36 | COGNITO_APP_CLIENT_ID = module.user-pool.user-pool-client-id 37 | } 38 | } 39 | 40 | source_code_hash = 
data.archive_file.user-logout-zip.output_base64sha256 41 | } 42 | 43 | resource "aws_cloudwatch_log_group" "user-logout-lambda-log-group" { 44 | name = "/aws/lambda/${var.user-logout-lambda-function-name}" 45 | retention_in_days = "1" 46 | } 47 | 48 | module "user-logout-lambda-endpoint" { 49 | source = "../../../modules/tf-api-gw-lambda-proxy" 50 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 51 | api-resource-path = aws_api_gateway_resource.logout.path 52 | api-resource-id = aws_api_gateway_resource.logout.id 53 | api-http-method = "POST" 54 | authorization-type = "NONE" 55 | authorizer-id = "" 56 | is-api-key-required = "true" 57 | lambda-function-name = aws_lambda_function.user-logout-lambda.function_name 58 | lambda-function-arn = aws_lambda_function.user-logout-lambda.arn 59 | } 60 | -------------------------------------------------------------------------------- /terraform/live/services/auth-microservice/userinfo.tf: -------------------------------------------------------------------------------- 1 | module "userinfo-lambda-role-policy" { 2 | source = "../../../modules/tf-iam-role-policy" 3 | role-policy-name = "${var.userinfo-lambda-function-name}-role-policy" 4 | role-policy-json-file = "${local.auth_microservice_path}/policies/userinfo-lambda-role-policy.json" 5 | role-name = module.userinfo-lambda-role.iam-role-name 6 | } 7 | 8 | module "userinfo-lambda-role" { 9 | source = "../../../modules/tf-iam-role" 10 | iam-role-name = "${var.userinfo-lambda-function-name}-role" 11 | iam-role-path = "/" 12 | iam-assume-role-policy-file = "${local.auth_microservice_path}/policies/lambda-assume-role-policy.json" 13 | } 14 | 15 | data "archive_file" "userinfo-zip" { 16 | type = "zip" 17 | excludes = ["lambda.zip"] 18 | source_dir = var.userinfo-lambda-zip-src-path 19 | output_path = join("", ["${local.auth_microservice_path}/", "${var.userinfo-lambda-zip-src-path}/lambda.zip"]) 20 | } 21 | 22 | resource "aws_lambda_function" "userinfo-lambda" { 23 | filename = 
join("", ["${local.auth_microservice_path}/", "${var.userinfo-lambda-zip-src-path}/lambda.zip"]) 24 | function_name = var.userinfo-lambda-function-name 25 | handler = var.userinfo-lambda-entrypoint 26 | role = module.userinfo-lambda-role.iam-role-arn 27 | description = var.userinfo-lambda-function-desc 28 | memory_size = var.auth-lambdas-memory-size 29 | runtime = var.auth-lambdas-runtime 30 | timeout = var.auth-lambdas-timeout 31 | layers = [aws_lambda_layer_version.jsonschema.arn, aws_lambda_layer_version.pyjwt.arn] 32 | 33 | environment { 34 | variables = { 35 | COGNITO_USER_POOL_ID = module.user-pool.user-pool-id 36 | } 37 | } 38 | 39 | source_code_hash = data.archive_file.userinfo-zip.output_base64sha256 40 | } 41 | 42 | resource "aws_cloudwatch_log_group" "userinfo-lambda-log-group" { 43 | name = "/aws/lambda/${var.userinfo-lambda-function-name}" 44 | retention_in_days = "1" 45 | } 46 | 47 | module "userinfo-lambda-endpoint" { 48 | source = "../../../modules/tf-api-gw-lambda-proxy-cognito-authorizer" 49 | rest-api-id = aws_api_gateway_rest_api.api-gw.id 50 | api-resource-path = aws_api_gateway_resource.userinfo.path 51 | api-resource-id = aws_api_gateway_resource.userinfo.id 52 | api-http-method = "GET" 53 | cognito-authorizer-id = aws_api_gateway_authorizer.cognito-authorizer.id 54 | is-api-key-required = "true" 55 | lambda-function-name = aws_lambda_function.userinfo-lambda.function_name 56 | lambda-function-arn = aws_lambda_function.userinfo-lambda.arn 57 | } 58 | -------------------------------------------------------------------------------- /terraform/modules/README.md: -------------------------------------------------------------------------------- 1 | Terraform modules 2 | ============================ 3 | Generic Terraform modules for **CognitoApi** AWS Infrastructure stack. 
4 | ![Terraform](https://github.com/CloudinitFrance/cognito-api/blob/main/terraform/modules/images/Terraform.png?raw=true) 5 | -------------------------------------------------------------------------------- /terraform/modules/images/Terraform.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CloudinitFrance/cognito-api/00e97322665ec66d943b19da0777ab67d9379da7/terraform/modules/images/Terraform.png -------------------------------------------------------------------------------- /terraform/modules/tf-api-gw-cors/README.md: -------------------------------------------------------------------------------- 1 | # terraform tf-api-gw-cors module 2 | 3 | Terraform Api Gateway Cors module 4 | 5 | ## Example: 6 | ``` 7 | module "users-list-cors" { 8 | source = "https://github.com/TarekCheikh/terraform-aws-modules//tf-api-gw-cors?ref=v1.0.0" 9 | } 10 | ``` 11 | 12 | This will enable CORS for the **GET /users** endpoint by adding the following OPTIONS: 13 | - 14 | -------------------------------------------------------------------------------- /terraform/modules/tf-api-gw-cors/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | methodOptions = "OPTIONS" 3 | #defaultHeaders = ["Content-Type", "X-Amz-Date", "Authorization", "X-Api-Key", "X-Amz-Security-Token"] 4 | defaultHeaders = ["Content-Type", "X-Amz-Date", "X-Amz-Security-Token", "Authorization", "X-Api-Key", "X-Requested-With", "Accept", "Access-Control-Allow-Methods", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers"] 5 | #methods = "${join(",", concat(var.api-http-methods, tolist(local.methodOptions)))}" 6 | methods = "'${join(",", var.api-http-methods)}'" 7 | headers = "${var.discard-default-headers ? 
join(",", var.headers) : join(",", distinct(concat(var.headers, local.defaultHeaders)))}" 8 | } 9 | 10 | resource "aws_api_gateway_method" "cors-method" { 11 | rest_api_id = "${var.rest-api-id}" 12 | resource_id = "${var.api-resource-id}" 13 | http_method = "OPTIONS" 14 | authorization = "NONE" 15 | } 16 | 17 | resource "aws_api_gateway_integration" "cors-integration" { 18 | rest_api_id = "${var.rest-api-id}" 19 | resource_id = "${var.api-resource-id}" 20 | http_method = "${aws_api_gateway_method.cors-method.http_method}" 21 | type = "MOCK" 22 | 23 | request_templates = { 24 | "application/json" = <