Add slack cognito client (#100)

* Add slack cognito client

* fix outputs

* add slack client id to authz service

* changeset

.changeset/six-suns-bow.md

@@ -0,0 +1,5 @@
+---
+"@common-fate/terraform-aws-common-fate-deployment": minor
+---
+
+Add a slack cognito client to enable delegated slack based access requests to be attributed correctly to Slack as an origin

main.tf

@@ -120,14 +120,16 @@ module "control_plane" {
   subnet_ids                                 = local.private_subnet_ids
   vpc_id                                     = local.vpc_id
   ecs_cluster_id                             = local.ecs_cluster_id
-  auth_authority_url                         = module.cognito.auth_authority_url
   database_host                              = module.control_plane_db.endpoint
   database_user                              = module.control_plane_db.username
   alb_listener_arn                           = module.alb.listener_arn
   sqs_queue_name                             = module.events.sqs_queue_name
   auth_issuer                                = module.cognito.auth_issuer
   control_plane_service_client_id            = module.cognito.control_plane_service_client_id
   control_plane_service_client_secret        = module.cognito.control_plane_service_client_secret
+  slack_service_client_id                    = module.cognito.slack_service_client_id
+  slack_service_client_secret                = module.cognito.slack_service_client_secret
+  oidc_slack_issuer                          = module.cognito.auth_issuer
   licence_key_ps_arn                         = var.licence_key_ps_arn
   log_level                                  = var.control_plane_log_level
   grant_assume_on_role_arns                  = var.control_plane_grant_assume_on_role_arns
@@ -188,7 +190,6 @@ module "access_handler" {
   release_tag                               = var.release_tag
   subnet_ids                                = local.private_subnet_ids
   vpc_id                                    = local.vpc_id
-  auth_authority_url                        = module.cognito.auth_authority_url
   ecs_cluster_id                            = local.ecs_cluster_id
   alb_listener_arn                          = module.alb.listener_arn
   auth_issuer                               = module.cognito.auth_issuer
@@ -223,6 +224,7 @@ module "authz" {
   oidc_access_handler_service_client_id = module.cognito.access_handler_service_client_id
   oidc_control_plane_client_id          = module.cognito.control_plane_service_client_id
   oidc_provisioner_service_client_id    = module.cognito.provisioner_client_id
+  oidc_slack_service_client_id          = module.cognito.slack_service_client_id
   alb_security_group_id                 = module.alb.alb_security_group_id
   additional_cors_allowed_origins       = var.additional_cors_allowed_origins
 }

modules/access/main.tf

@@ -122,10 +122,6 @@ resource "aws_ecs_task_definition" "access_handler_task" {
         containerPort = 9090,
       }],
       environment = [
-        {
-          name  = "CF_OIDC_AUTHORITY_URL",
-          value = var.auth_authority_url
-        },
         {
           name  = "CF_EVENT_BRIDGE_ARN",
           value = var.eventbus_arn

modules/access/variables.tf

@@ -44,10 +44,6 @@ variable "app_url" {
   }
 }
 
-variable "auth_authority_url" {
-  description = "Specifies the URL used for authentication."
-  type        = string
-}
 
 variable "ecs_cluster_id" {
   description = "Identifies the Amazon Elastic Container Service (ECS) cluster for deployment."

modules/authz/main.tf

@@ -206,6 +206,10 @@ resource "aws_ecs_task_definition" "authz_task" {
         name  = "CF_OIDC_PROVISIONER_SERVICE_CLIENT_ID",
         value = var.oidc_provisioner_service_client_id
       },
+      {
+        name  = "CF_OIDC_SLACK_SERVICE_CLIENT_ID",
+        value = var.oidc_slack_service_client_id
+      },
 
 
     ],

modules/authz/variables.tf

@@ -110,6 +110,10 @@ variable "oidc_provisioner_service_client_id" {
   description = "Provisioner Service Account OIDC Client ID"
   type        = string
 }
+variable "oidc_slack_service_client_id" {
+  description = "Slack Service Account OIDC Client ID"
+  type        = string
+}
 
 variable "log_level" {
   description = "Log level for ECS service"

modules/cognito/main.tf

@@ -153,6 +153,23 @@ resource "aws_cognito_user_pool_client" "control_plane_service_client" {
   generate_secret                      = true
 }
 
+resource "aws_cognito_user_pool_client" "slack_service_client" {
+  name         = "${var.namespace}-${var.stage}-slack-client"
+  user_pool_id = aws_cognito_user_pool.cognito_user_pool.id
+
+  explicit_auth_flows = [
+    "ALLOW_USER_SRP_AUTH",
+    "ALLOW_REFRESH_TOKEN_AUTH"
+  ]
+
+  access_token_validity                = 8
+  allowed_oauth_flows                  = ["client_credentials"]
+  allowed_oauth_scopes                 = aws_cognito_resource_server.resource_server.scope_identifiers
+  allowed_oauth_flows_user_pool_client = true
+  generate_secret                      = true
+}
+
+
 
 resource "aws_cognito_user_pool_client" "access_handler_service_client" {
   name         = "${var.namespace}-${var.stage}-access-handler-client"

modules/cognito/outputs.tf

@@ -100,3 +100,13 @@ output "identity_provider_name" {
   description = "The name of the Cognito identity provider"
   value       = local.identity_provider_name
 }
+
+output "slack_service_client_id" {
+  description = "The client ID for the slack service."
+  value       = aws_cognito_user_pool_client.slack_service_client.id
+}
+
+output "slack_service_client_secret" {
+  description = "The client secret for the slack service."
+  value       = aws_cognito_user_pool_client.slack_service_client.client_secret
+}

modules/controlplane/main.tf

@@ -317,15 +317,6 @@ locals {
       name  = "CF_SCIM_SOURCE",
       value = var.scim_source
     },
-    {
-      name  = "CF_OIDC_AUTHORITY_URL",
-      value = var.auth_authority_url
-    },
-    // used for client credentials
-    {
-      name  = "CF_CONTROL_PLANE_SERVICE_OIDC_ISSUER",
-      value = var.auth_issuer
-    },
     // used for auth middleware
     {
       name  = "CF_OIDC_TRUSTED_ISSUER_COGNITO",
@@ -398,6 +389,18 @@ locals {
       name  = "CF_CONTROL_PLANE_SERVICE_OIDC_ISSUER",
       value = var.oidc_control_plane_issuer
     },
+    {
+      name  = "CF_SLACK_SERVICE_OIDC_CLIENT_ID",
+      value = var.slack_service_client_id
+    },
+    {
+      name  = "CF_SLACK_SERVICE_OIDC_CLIENT_SECRET",
+      value = var.slack_service_client_secret
+    },
+    {
+      name  = "CF_SLACK_SERVICE_OIDC_ISSUER",
+      value = var.oidc_slack_issuer
+    },
     { name  = "CF_CORS_ALLOWED_ORIGINS"
       value = join(",", concat([var.app_url], var.additional_cors_allowed_origins))
     },

modules/controlplane/variables.tf

@@ -115,11 +115,6 @@ variable "ecs_cluster_id" {
   type        = string
 }
 
-variable "auth_authority_url" {
-  description = "Specifies the URL used for authentication."
-  type        = string
-}
-
 variable "auth_issuer" {
   description = "Specifies the issuer for authentication."
   type        = string
@@ -135,11 +130,24 @@ variable "control_plane_service_client_secret" {
   type        = string
   sensitive   = true
 }
-
 variable "oidc_control_plane_issuer" {
   description = "OIDC issuer for the Control Plane service"
   type        = string
 }
+variable "slack_service_client_id" {
+  description = "Specifies the client ID for the slack service."
+  type        = string
+}
+
+variable "slack_service_client_secret" {
+  description = "Specifies the client secret for the slack service."
+  type        = string
+  sensitive   = true
+}
+variable "oidc_slack_issuer" {
+  description = "OIDC issuer for the Slack service"
+  type        = string
+}
 
 variable "alb_listener_arn" {
   description = "Specifies the Amazon Load Balancer (ALB) listener ARN."