Skip to content

Commit

Permalink
feat: add initial project
Browse files Browse the repository at this point in the history
  • Loading branch information
sgtoj committed Jul 16, 2023
1 parent 5a2b7d2 commit d651007
Show file tree
Hide file tree
Showing 83 changed files with 20,089 additions and 16 deletions.
2 changes: 1 addition & 1 deletion .devcontainer/devcontainer.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
"ghcr.io/devcontainers/features/docker-in-docker:2.0.1": {},
},
"containerEnv": {
"TF_PLUGIN_CACHE_DIR": "/workspaces/terraform-aws-cloudfront-middleware-at-edge/.devcontainers/tmp/.terraform.d/"
"TF_PLUGIN_CACHE_DIR": "/workspaces/terraform-aws-cloudfront-middleware-at-edge/.devcontainer/tmp/.terraform.d/"
},
"customizations": {
"vscode": {
Expand Down
Empty file.
14 changes: 14 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,20 @@ jobs:
steps:
- name: Checkout Code
uses: actions/checkout@v3
- name: Setup Node
uses: actions/[email protected]
with:
node-version: 18
- name: Tests for auth-at-edge
run: |
cd assets/cf-mw-auth
npm install
npm test
- name: Tests for url-rewriter
run: |
cd assets/cf-mw-urlrewrite
npm install
npm test
- name: Bump Version
id: tag_version
uses: mathieudutour/[email protected]
Expand Down
27 changes: 27 additions & 0 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
name: test

on:
pull_request:
branches:
- main

jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v3
- name: Setup Node
uses: actions/[email protected]
with:
node-version: 18
- name: Tests for auth-at-edge
run: |
cd assets/cf-mw-auth
npm install
npm test
- name: Tests for url-rewriter
run: |
cd assets/cf-mw-urlrewrite
npm install
npm test
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,11 +1,14 @@
# .gitignore

# terraform files
.terraform.lock.hcl
.terraform.tfstate.lock.info
*.tfstate
*.tfstate.*.backup
*.tfstate.backup
*.tfplan
*.terraform/
*.tfvars
.grunt

# node.js / typescript
Expand Down
24 changes: 24 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
PROJ_ROOT := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))

# allows args to pass to run-cmd example: make run-cmd echo "hello world"
ifeq (run-cmd,$(firstword $(MAKECMDGOALS)))
RUN_ARGS := $(wordlist 2,$(words $(MAKECMDGOALS)),$(MAKECMDGOALS))
$(eval $(RUN_ARGS):;@:)
endif

all: deps build
@exit 0

deps:
@exit 0

build:
@exit 0

clean:
@find . -type d -name "dist" -exec rm -rf {} +
@find . -type d -name ".terraform" -exec rm -rf {} +
@find . -type d -name ".terraform.d" -exec rm -rf {} +
@find . -type d -name ".tfstate" -exec rm -rf {} +
@find . -type d -name ".tfstate.backup" -exec rm -rf {} +
@touch .devcontainer/.terraform.d/.gitkeep || true
85 changes: 72 additions & 13 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,16 @@
# Terraform Module: CloudFront Middleware-at-Edge

_This module is under active development and is not yet ready for use. Please
see `dev` branch for current progress._
This Terraform module deploys customizable and reusable Lambda@Edge functions
that provide middleware for AWS CloudFront.

## Features

- TBA
- **Authentication & Authorization**: This feature provides authentication and
authorization to restrict access to a site hosted on CloudFront. Users can
optionally customize the authorization rules via an Open Policy Agent (OPA)
policy.
- **URL Rewriting**: This feature rewrites the URLs of requests. Users can
define URL rewrite rules via an Open Policy Agent (OPA) policy.

## Usage

Expand All @@ -14,7 +19,29 @@ module "cloudfront_middleware_at_edge" {
source = "sgtoj/cloudfront-middleware-at-edge/aws"
version = "x.x.x"
# TBD
auth_service_config = {
enabled = true
cognito_idp_arn = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_TESTPOOL"
cognito_idp_domain = "test.auth.us-east-1.amazoncognito.com"
cognito_idp_client_id = "your-client-id"
cognito_idp_client_secret = "your-client-secret"
cognito_idp_client_scopes = ["openid", "email", "profile"]
cognito_idp_jwks = {
keys = [
{ "alg": "RS256", "e": "AQAB", "kid": "...", "kty": "RSA", "n": "...", "use": "sig" },
{ "alg": "RS256", "e": "AQAB", "kid": "...", "kty": "RSA", "n": "...", "use": "sig" },
]
}
}
urlrewrite_service_config = {
enabled = true
policy_content = <<-EOF
package urlrewriter
result := []
EOF
}
}
```

Expand All @@ -27,18 +54,50 @@ module "cloudfront_middleware_at_edge" {

## Inputs

_This module does not currently provide any input._

### Note

This module uses the `cloudposse/label/null` module for naming and tagging
resources. As such, it also includes a `context.tf` file with additional
optional variables you can set. Refer to the [`cloudposse/label` documentation](https://registry.terraform.io/modules/cloudposse/label/null/latest)
for more details on these variables.
In addition to the variables documented below, this module includes several
other optional variables (e.g., `name`, `tags`, etc.) provided by the
`cloudposse/label/null` module. Please refer to the [`cloudposse/label` documentation](https://registry.terraform.io/modules/cloudposse/label/null/latest) for more details on these variables.

| Name | Description | Type | Default | Required |
|---------------------------|---------------------------------------------------------------------------|:------:|:-------:|:--------:|
| auth_service_config | Configuration details for the authentication service. More details below. | object | `{}` | no |
| urlrewrite_service_config | Configuration details for the URL rewrite service, More details below. | object | `{}` | no |
| destruction_delay | Delay before destroying resources when they are deleted | string | `"20m"` | no |
| aws_account_id | The AWS account ID that the module will be deployed in | string | `""` | no |
| aws_region_name | The AWS region name where the module will be deployed | string | `""` | no |

### `auth_service_config`

| Property | Description | Type | Default | Required |
|---------------------------|------------------------------------------------|--------------------------------------|----------|----------|
| enabled | Enable the authentication service | bool | `true` | no |
| log_level | Logging level | string | `"info"` | no |
| aws_region | AWS region for the service | string | `null` | no |
| cognito_idp_arn | ARN of the Cognito Identity Provider | string | n/a | yes |
| cognito_idp_domain | Domain of the Cognito Identity Provider | string | n/a | yes |
| cognito_idp_jwks | JWKS of the Cognito Identity Provider | object({ keys = list(map(string)) }) | n/a | yes |
| cognito_idp_client_id | Client ID of the Cognito Identity Provider | string | n/a | yes |
| cognito_idp_client_secret | Client secret of the Cognito Identity Provider | string | n/a | yes |
| cognito_idp_client_scopes | Client scopes of the Cognito Identity Provider | list(string) | n/a | yes |
| opa_policy_content | Content of the OPA policy | string | `null` | no |
| opa_policy_data | Data for the OPA policy | map(string) | `{}` | no |

### `urlrewrite_service_config`

| Property | Description | Type | Default | Required |
|----------------|-----------------------------------|--------|---------------------------------------|----------|
| enabled | Enable the URL rewrite service | bool | `false` | no |
| log_level | Logging level | string | `"info"` | no |
| aws_region | AWS region for the service | string | `null` | no |
| policy_content | Content of the URL rewrite policy | string | `"package urlrewriter\nresult := []"` | no |

## Outputs

_This module does not currently provide any outputs._
| Name | Description |
|---------------------|---------------------------------------------------------------------------|
| auth_services | Details of the created AWS Lambda functions for each of the auth services |
| auth_routes | Route configurations for the auth services |
| urlrewrite_services | Details of the created AWS Lambda function for the URL rewrite service |

## Contributing

Expand Down
11 changes: 11 additions & 0 deletions assets/cf-mw-auth/.dockerignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
.gitignore
.git

*Dockerfile*
*docker-compose*
.dockerignore

.vscode/
node_modules/

*.env
46 changes: 46 additions & 0 deletions assets/cf-mw-auth/.eslintrc.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
module.exports = {
plugins: [
'import',
'jest',
],
rules: {
'func-style': 'error',
},
overrides: [
{
files: [
'**/*.{ts,tsx}',
],
parser: '@typescript-eslint/parser',
parserOptions: {
ecmaVersion: 2019,
sourceType: 'module',
tsconfigRootDir: __dirname,
project: [
'./tsconfig.json',
],
},
plugins: [
'@typescript-eslint',
],
extends: [
'airbnb-typescript/base',
],
rules: {
'@typescript-eslint/no-unused-vars': 'warn',
'@typescript-eslint/no-floating-promises': 'error',
},
},
{
files: [
'scripts/**/*.js',
],
parserOptions: {
ecmaVersion: "latest",
},
env: {
es6: true
}
}
],
};
58 changes: 58 additions & 0 deletions assets/cf-mw-auth/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
# ------------------------------------------------------------------- base ---

FROM node:18 as base

RUN mkdir -p /opt/app
WORKDIR /opt/app

ENV NODE_ENV development

# intentally not installing node_modules inside the /opt/app dir; this makes
# for a better experience when using image in development environment
ADD package*.json /opt/
RUN npm ci

ADD ./ ./

# -------------------------------------------------------------------- test ---

FROM base as test

RUN npm run lint && npm run test

# -------------------------------------------------------------------- test ---

FROM test as build

ENV OPA_VERSION=0.49.0
RUN SYSTEM_ARCH=$(dpkg --print-architecture) \
&& curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v${OPA_VERSION}/opa_linux_${SYSTEM_ARCH}_static \
&& mv opa /usr/bin/opa \
&& chmod +x /usr/bin/opa \
&& opa -h

RUN npm run build

ARG SERVICE_POLICY_ENCODED=cGFja2FnZSBhdXRoX2F0X2VkZ2VfYXV0aHoKcmVzdWx0cyA6PSBbXQo=
RUN echo "$SERVICE_POLICY_ENCODED" | base64 -d > /opt/app/dist/policy.rego

RUN opa build -t wasm -e auth_at_edge_authz/results /opt/app/dist/policy.rego \
&& tar -zxv -C /opt/app/dist -f bundle.tar.gz '/policy.wasm'

# ----------------------------------------------------------------- package ---

FROM alpine:latest as package

RUN apk add jq

ARG SERVICE_CONFIG_ENCODED=e30K

COPY --from=build /opt/app/dist /opt/app/dist
COPY --from=build /opt/package-lock.json /opt/app/dist/

RUN echo "$SERVICE_CONFIG_ENCODED" | base64 -d | jq > /opt/app/dist/configuration.json

RUN apk add zip \
&& cd /opt/app/dist \
&& zip -r /tmp/package.zip .

18 changes: 18 additions & 0 deletions assets/cf-mw-auth/jest.config.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
/** @type {import('ts-jest/dist/types').InitialOptionsTsJest} */
module.exports = {
preset: 'ts-jest',
testEnvironment: 'node',
verbose: true,
resetMocks: true,
testPathIgnorePatterns: [
"dist"
],

moduleNameMapper: {
"#node-web-compat": "./node-web-compat-node.js",
},
};

process.env = Object.assign(process.env, {
LOG_LEVEL: 'silent',
});
Loading

0 comments on commit d651007

Please sign in to comment.