Merge pull request #14 from kdesao-devops/remove_org_read_saml

Remove org read from saml + Use domain name
BCDevOps · Mar 17, 2023 · 15df965 · 15df965
2 parents d60f184 + 50e268a
commit 15df965
Show file tree

Hide file tree

Showing 7 changed files with 356 additions and 235 deletions.
diff --git a/apigateway.tf b/apigateway.tf
@@ -1,7 +1,7 @@
 resource "aws_api_gateway_rest_api" "samlpost" {
   provider = aws.iam-security-account
 
-  name        = "SAMLPostExample"
+  name        = "LoginAppSAML"
   description = "Terraform Serverless Application Example"
 
   tags = local.common_tags
@@ -67,7 +67,7 @@ resource "aws_api_gateway_deployment" "samlpost" {
 
   rest_api_id = aws_api_gateway_rest_api.samlpost.id
   //	@todo change value below to something like "saml"
-  stage_name = "test"
+  stage_name = "api"
 }
 
 

diff --git a/cloudfront.tf b/cloudfront.tf
@@ -2,6 +2,58 @@ locals {
   cf_origin_id = "api_gateway_saml"
 }
 
+data "aws_route53_zone" "this" {
+  provider = aws.perimeter-account
+  name     = var.domain_name
+}
+
+resource "aws_route53_record" "login_app" {
+  provider = aws.perimeter-account
+  zone_id  = data.aws_route53_zone.this.zone_id
+  name     = "login.${var.domain_name}"
+  type     = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.geofencing.domain_name
+    zone_id                = aws_cloudfront_distribution.geofencing.hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+
+resource "aws_acm_certificate" "this" {
+  provider          = aws.iam-security-account-us-east-1
+  domain_name       = "login.${var.domain_name}"
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route53_record" "this_acm" {
+  provider = aws.perimeter-account
+  for_each = {
+    for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = data.aws_route53_zone.this.zone_id
+}
+
+resource "aws_acm_certificate_validation" "this" {
+  provider                = aws.iam-security-account-us-east-1
+  certificate_arn         = aws_acm_certificate.this.arn
+  validation_record_fqdns = [for record in aws_route53_record.this_acm : record.fqdn]
+}
+
 resource "aws_cloudfront_distribution" "geofencing" {
   provider = aws.iam-security-account
 
@@ -62,6 +114,9 @@ resource "aws_cloudfront_distribution" "geofencing" {
     max_ttl                = 86400
   }
 
+  aliases = ["login.${var.domain_name}"]
+  default_root_object = "${aws_api_gateway_deployment.samlpost.stage_name}/redirect"
+
   price_class = "PriceClass_100"
 
   restrictions {
@@ -75,10 +130,17 @@ resource "aws_cloudfront_distribution" "geofencing" {
   tags = local.common_tags
 
   viewer_certificate {
-    cloudfront_default_certificate = true
+    cloudfront_default_certificate = false
+    acm_certificate_arn            = aws_acm_certificate_validation.this.certificate_arn
+    minimum_protocol_version       = "TLSv1.2_2021"
+    ssl_support_method             = "sni-only"
   }
 }
 
 output "cloudfront_url" {
   value = "https://${aws_cloudfront_distribution.geofencing.domain_name}/${aws_api_gateway_deployment.samlpost.stage_name}"
 }
+
+output "login_domain_name" {
+  value = "https://login.${var.domain_name}/${aws_api_gateway_deployment.samlpost.stage_name}"
+}
diff --git a/lambda.tf b/lambda.tf
@@ -7,7 +7,7 @@ data "archive_file" "lambda_zip" {
 resource "aws_lambda_function" "samlpost" {
   provider = aws.iam-security-account
 
-  function_name = "SAMLPostExample-${var.resource_name_suffix}"
+  function_name = "${var.lambda_name}-${var.resource_name_suffix}"
   filename      = data.archive_file.lambda_zip.output_path
 
   source_code_hash = data.archive_file.lambda_zip.output_base64sha256
@@ -21,10 +21,10 @@ resource "aws_lambda_function" "samlpost" {
 
   environment {
     variables = {
-      samlReadRole = "arn:aws:iam::${local.master_account_id}:saml-provider/${var.keycloak_saml_name},arn:aws:iam::${local.master_account_id}:role/${local.saml_read_role_name}",
-      kc_base_url = var.kc_base_url,
-      kc_realm = var.kc_realm,
-      kc_terraform_auth_client_id = var.kc_terraform_auth_client_id,
+      samlReadRole                    = "arn:aws:iam::${local.master_account_id}:saml-provider/${var.keycloak_saml_name},arn:aws:iam::${local.master_account_id}:role/${local.saml_read_role_name}",
+      kc_base_url                     = var.kc_base_url,
+      kc_realm                        = var.kc_realm,
+      kc_terraform_auth_client_id     = var.kc_terraform_auth_client_id,
       kc_terraform_auth_client_secret = var.kc_terraform_auth_client_secret
     }
   }
@@ -35,7 +35,7 @@ resource "aws_lambda_function" "samlpost" {
 resource "aws_iam_role" "lambda_exec" {
   provider = aws.iam-security-account
 
-  name               = "serverless_saml_lambda-${var.resource_name_suffix}"
+  name               = "${var.lambda_name}-${var.resource_name_suffix}"
   assume_role_policy = <<EOF
 {
    "Version": "2012-10-17",
@@ -66,6 +66,28 @@ resource "aws_iam_role_policy_attachment" "test-attach" {
   policy_arn = data.aws_iam_policy.AWSLambdaBasicExecutionRole.arn
 }
 
+resource "aws_iam_policy" "assume_role_org_read" {
+  provider = aws.iam-security-account
+  name     = "serverless_saml_lambda-org-read-${var.resource_name_suffix}"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "sts:AssumeRole"
+      ]
+      Resource = "${aws_iam_role.saml_read_role.arn}"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "thisSTS" {
+  provider   = aws.iam-security-account
+  role       = aws_iam_role.lambda_exec.name
+  policy_arn = aws_iam_policy.assume_role_org_read.arn
+}
+
 resource "aws_lambda_permission" "apigw" {
   provider = aws.iam-security-account
 

diff --git a/lambda/samlpost/index.html b/lambda/samlpost/index.html
@@ -301,7 +301,7 @@
 
       $.ajax({
         type: "POST",
-        url: "/test/accounttags",
+        url: "/api/accounttags",
         data: JSON.stringify({ samlResponse: samlResponse }),
         success: function (data, textStatus, jqXHR) {
           $("#loadingtags").remove();
@@ -397,7 +397,7 @@
 
       $.ajax({
         type: "POST",
-        url: "/test/consolelogin",
+        url: "/api/consolelogin",
         data: JSON.stringify(params),
         success: function (data, textStatus, jqXHR) {
           window.open(data.Location);