diff --git a/.changeset/six-suns-bow.md b/.changeset/six-suns-bow.md
new file mode 100644
index 00000000..b7217741
--- /dev/null
+++ b/.changeset/six-suns-bow.md
@@ -0,0 +1,5 @@
+---
+"@common-fate/terraform-aws-common-fate-deployment": minor
+---
+
+Add a slack cognito client to enable delegated slack based access requests to be attributed correctly to Slack as an origin
diff --git a/main.tf b/main.tf
index 1666f36b..efe50a2a 100644
--- a/main.tf
+++ b/main.tf
@@ -120,7 +120,6 @@ module "control_plane" {
 subnet_ids = local.private_subnet_ids
 vpc_id = local.vpc_id
 ecs_cluster_id = local.ecs_cluster_id
- auth_authority_url = module.cognito.auth_authority_url
 database_host = module.control_plane_db.endpoint
 database_user = module.control_plane_db.username
 alb_listener_arn = module.alb.listener_arn
@@ -128,6 +127,9 @@ module "control_plane" {
 auth_issuer = module.cognito.auth_issuer
 control_plane_service_client_id = module.cognito.control_plane_service_client_id
 control_plane_service_client_secret = module.cognito.control_plane_service_client_secret
+ slack_service_client_id = module.cognito.slack_service_client_id
+ slack_service_client_secret = module.cognito.slack_service_client_secret
+ oidc_slack_issuer = module.cognito.auth_issuer
 licence_key_ps_arn = var.licence_key_ps_arn
 log_level = var.control_plane_log_level
 grant_assume_on_role_arns = var.control_plane_grant_assume_on_role_arns
@@ -188,7 +190,6 @@ module "access_handler" {
 release_tag = var.release_tag
 subnet_ids = local.private_subnet_ids
 vpc_id = local.vpc_id
- auth_authority_url = module.cognito.auth_authority_url
 ecs_cluster_id = local.ecs_cluster_id
 alb_listener_arn = module.alb.listener_arn
 auth_issuer = module.cognito.auth_issuer
@@ -223,6 +224,7 @@ module "authz" { oidc_access_handler_service_client_id = module.cognito.access_handler_service_client_id oidc_control_plane_client_id = module.cognito.control_plane_service_client_id oidc_provisioner_service_client_id = module.cognito.provisioner_client_id + oidc_slack_service_client_id = module.cognito.slack_service_client_id alb_security_group_id = module.alb.alb_security_group_id additional_cors_allowed_origins = var.additional_cors_allowed_origins } diff --git a/modules/access/main.tf b/modules/access/main.tf index c6510d57..4a7679d3 100644 --- a/modules/access/main.tf +++ b/modules/access/main.tf @@ -122,10 +122,6 @@ resource "aws_ecs_task_definition" "access_handler_task" { containerPort = 9090, }], environment = [ - { - name = "CF_OIDC_AUTHORITY_URL", - value = var.auth_authority_url - }, { name = "CF_EVENT_BRIDGE_ARN", value = var.eventbus_arn diff --git a/modules/access/variables.tf b/modules/access/variables.tf index 46ab5e0f..00b57ac7 100644 --- a/modules/access/variables.tf +++ b/modules/access/variables.tf @@ -44,10 +44,6 @@ variable "app_url" { } } -variable "auth_authority_url" { - description = "Specifies the URL used for authentication." - type = string -} variable "ecs_cluster_id" { description = "Identifies the Amazon Elastic Container Service (ECS) cluster for deployment." diff --git a/modules/authz/main.tf b/modules/authz/main.tf index 36c8fbe7..d5c6b2b3 100644 --- a/modules/authz/main.tf +++ b/modules/authz/main.tf @@ -206,6 +206,10 @@ resource "aws_ecs_task_definition" "authz_task" { name = "CF_OIDC_PROVISIONER_SERVICE_CLIENT_ID", value = var.oidc_provisioner_service_client_id }, + { + name = "CF_OIDC_SLACK_SERVICE_CLIENT_ID", + value = var.oidc_slack_service_client_id + }, ], diff --git a/modules/authz/variables.tf b/modules/authz/variables.tf index 8dd40b90..6c51d7df 100644 --- a/modules/authz/variables.tf +++ b/modules/authz/variables.tf 
@@ -110,6 +110,10 @@ variable "oidc_provisioner_service_client_id" { description = "Provisioner Service Account OIDC Client ID" type = string } +variable "oidc_slack_service_client_id" { + description = "Slack Service Account OIDC Client ID" + type = string +} variable "log_level" { description = "Log level for ECS service" diff --git a/modules/cognito/main.tf b/modules/cognito/main.tf index 5d9df21d..fbcd224a 100644 --- a/modules/cognito/main.tf +++ b/modules/cognito/main.tf @@ -153,6 +153,23 @@ resource "aws_cognito_user_pool_client" "control_plane_service_client" { generate_secret = true } +resource "aws_cognito_user_pool_client" "slack_service_client" { + name = "${var.namespace}-${var.stage}-slack-client" + user_pool_id = aws_cognito_user_pool.cognito_user_pool.id + + explicit_auth_flows = [ + "ALLOW_USER_SRP_AUTH", + "ALLOW_REFRESH_TOKEN_AUTH" + ] + + access_token_validity = 8 + allowed_oauth_flows = ["client_credentials"] + allowed_oauth_scopes = aws_cognito_resource_server.resource_server.scope_identifiers + allowed_oauth_flows_user_pool_client = true + generate_secret = true +} + + resource "aws_cognito_user_pool_client" "access_handler_service_client" { name = "${var.namespace}-${var.stage}-access-handler-client" diff --git a/modules/cognito/outputs.tf b/modules/cognito/outputs.tf index 247909b4..66646da0 100644 --- a/modules/cognito/outputs.tf +++ b/modules/cognito/outputs.tf @@ -100,3 +100,13 @@ output "identity_provider_name" { description = "The name of the Cognito identity provider" value = local.identity_provider_name } + +output "slack_service_client_id" { + description = "The client ID for the slack service." + value = aws_cognito_user_pool_client.slack_service_client.id +} + +output "slack_service_client_secret" { + description = "The client secret for the slack service." + value = aws_cognito_user_pool_client.slack_service_client.client_secret +} 
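Review bot: `slack_service_client` is set up for the `client_credentials` OAuth flow, yet its `explicit_auth_flows` also turn on `ALLOW_USER_SRP_AUTH` and `ALLOW_REFRESH_TOKEN_AUTH`, which a machine-to-machine client does not need; enabling them widens what this client id/secret can be used for beyond the stated purpose, so drop them unless the Slack integration really performs user sign-in (the flows on the other service clients are outside the hunk, so I cannot confirm the existing convention). `access_token_validity = 8` is read in hours unless a `token_validity_units` block says otherwise, which is a long lifetime for a service token that can be re-minted on demand; consider a shorter value. `allowed_oauth_scopes` hands this client every scope identifier on the resource server, and if the Slack path only needs a subset, a narrower list bounds the impact of a leaked secret. A one-line comment above the resource, such as `# machine-to-machine client used by the Slack integration (client_credentials only)`, would make the intent explicit for the next reader.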
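Review bot: `output "slack_service_client_secret"` is not marked `sensitive = true`, although its value is a client secret and the variable that receives it in `modules/controlplane/variables.tf` is declared `sensitive = true` in this same commit. On Terraform 0.15+ an output that refers to a provider-sensitive attribute (`client_secret` is sensitive in the AWS provider) must itself be marked sensitive or the plan fails, and on any version the flag is what keeps the value out of plan and `terraform output` display. Add `sensitive = true` to the output block, e.g. `value = aws_cognito_user_pool_client.slack_service_client.client_secret` followed by `sensitive = true`.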
diff --git a/modules/controlplane/main.tf b/modules/controlplane/main.tf index 37563944..bbdfe8ab 100644 --- a/modules/controlplane/main.tf +++ b/modules/controlplane/main.tf @@ -317,15 +317,6 @@ locals { name = "CF_SCIM_SOURCE", value = var.scim_source }, - { - name = "CF_OIDC_AUTHORITY_URL", - value = var.auth_authority_url - }, - // used for client credentials - { - name = "CF_CONTROL_PLANE_SERVICE_OIDC_ISSUER", - value = var.auth_issuer - }, // used for auth middleware { name = "CF_OIDC_TRUSTED_ISSUER_COGNITO", @@ -398,6 +389,18 @@ locals { name = "CF_CONTROL_PLANE_SERVICE_OIDC_ISSUER", value = var.oidc_control_plane_issuer }, + { + name = "CF_SLACK_SERVICE_OIDC_CLIENT_ID", + value = var.slack_service_client_id + }, + { + name = "CF_SLACK_SERVICE_OIDC_CLIENT_SECRET", + value = var.slack_service_client_secret + }, + { + name = "CF_SLACK_SERVICE_OIDC_ISSUER", + value = var.oidc_slack_issuer + }, { name = "CF_CORS_ALLOWED_ORIGINS" value = join(",", concat([var.app_url], var.additional_cors_allowed_origins)) }, diff --git a/modules/controlplane/variables.tf b/modules/controlplane/variables.tf index a07da0e9..7cb1e430 100644 --- a/modules/controlplane/variables.tf +++ b/modules/controlplane/variables.tf @@ -115,11 +115,6 @@ variable "ecs_cluster_id" { type = string } -variable "auth_authority_url" { - description = "Specifies the URL used for authentication." - type = string -} - variable "auth_issuer" { description = "Specifies the issuer for authentication." type = string 
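Review bot: `CF_SLACK_SERVICE_OIDC_CLIENT_SECRET` is injected through the task definition's plain `environment` list, so the client secret ends up in clear text in the registered task definition (visible to anyone who can describe it) and in Terraform state alongside the container definitions. The ECS-native way to keep it out of the definition is to store it in SSM Parameter Store or Secrets Manager and reference it from the container's `secrets` list with `valueFrom`, with the task execution role granted read access to that parameter. This may mirror how `CF_CONTROL_PLANE_SERVICE_OIDC_CLIENT_SECRET` is already passed (that entry sits outside the hunk), in which case both should be moved together rather than adding a second plain-text secret. The `locals` block holding these entries starts before the hunk.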
@@ -135,11 +130,24 @@ variable "control_plane_service_client_secret" { type = string sensitive = true } - variable "oidc_control_plane_issuer" { description = "OIDC issuer for the Control Plane service" type = string } +variable "slack_service_client_id" { + description = "Specifies the client ID for the slack service." + type = string +} + +variable "slack_service_client_secret" { + description = "Specifies the client secret for the slack service." + type = string + sensitive = true +} +variable "oidc_slack_issuer" { + description = "OIDC issuer for the Slack service" + type = string +} variable "alb_listener_arn" { description = "Specifies the Amazon Load Balancer (ALB) listener ARN."
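Review bot: The new input names mix two conventions within one commit: this module takes `slack_service_client_id`, `slack_service_client_secret` and `oidc_slack_issuer`, while `modules/authz/variables.tf` names its equivalent `oidc_slack_service_client_id`; settling on one prefix across the child modules keeps the root `main.tf` wiring easier to read. The hunk also drops the blank line before `variable "oidc_control_plane_issuer"` and adds `variable "oidc_slack_issuer"` directly after the preceding closing brace, so the spacing no longer matches the rest of the file; keep one blank line between variable blocks. The descriptions would be more useful if they stated what the values are for, e.g. `description = "Client ID of the Cognito app client used for Slack-originated access requests (client_credentials flow)."`.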