def _create_user_pool_client(self) -> cognito.UserPoolClient:
return cognito.UserPoolClient(
scope=self,
id="user-pool-client",
user_pool=self.user_pool,
auth_flows=cognito.AuthFlow(user_srp=True, admin_user_password=False, custom=False),
generate_secret=False,
prevent_user_existence_errors=True,
user_pool_client_name="orbit",
)
def _create_userpool(self):
user_pool = cognito.UserPool(
self,
"movio",
account_recovery=cognito.AccountRecovery.EMAIL_ONLY,
auto_verify=cognito.AutoVerifiedAttrs(email=True, phone=False),
mfa=cognito.Mfa.OFF,
mfa_second_factor=cognito.MfaSecondFactor(otp=True, sms=False),
self_sign_up_enabled=False,
sign_in_aliases=cognito.SignInAliases(email=True, username=True),
standard_attributes=cognito.StandardAttributes(
email=cognito.StandardAttribute(mutable=False,
required=True), ),
user_invitation=cognito.UserInvitationConfig(
email_subject="Moshan email verification",
email_body=
"Thanks for signing up to moshan! Your username is {username} and temporary password is {####}\nYou can now login at https://moshan.tv",
),
user_verification=cognito.UserVerificationConfig(
email_subject="Moshan email verification",
email_body=
"Thanks for signing up to moshan! Verify your account by clicking on {##Verify Email##}",
email_style=cognito.VerificationEmailStyle.LINK),
)
user_pool.add_client(
"moshan",
auth_flows=cognito.AuthFlow(refresh_token=True),
o_auth=cognito.OAuthSettings(
flows=cognito.OAuthFlows(authorization_code_grant=True),
callback_urls=[
"https://moshan.tv/callback.html",
"https://beta.moshan.tv/callback.html"
],
scopes=[
cognito.OAuthScope.EMAIL, cognito.OAuthScope.OPENID,
cognito.OAuthScope.PROFILE
]),
prevent_user_existence_errors=True,
)
cert = Certificate.from_certificate_arn(self, "domainCert",
self.cert_arn)
user_pool.add_domain("CognitoDomain",
custom_domain=cognito.CustomDomainOptions(
domain_name=self.domain_name,
certificate=cert))
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
servu_userpool = aws_cognito.UserPool(
self,
'servu-userpool',
user_pool_name='ServU Users',
sign_in_aliases=aws_cognito.SignInAliases(email=True),
standard_attributes=aws_cognito.StandardAttributes(
email=aws_cognito.StandardAttribute(required=True,
mutable=True),
fullname=aws_cognito.StandardAttribute(required=True,
mutable=True),
address=aws_cognito.StandardAttribute(required=True,
mutable=True),
phone_number=aws_cognito.StandardAttribute(required=True,
mutable=True)),
password_policy=aws_cognito.PasswordPolicy(
min_length=8,
require_digits=True,
require_lowercase=True,
require_symbols=True,
require_uppercase=True,
temp_password_validity=core.Duration.days(1)),
sign_in_case_sensitive=False)
servu_userpool_web_client = aws_cognito.UserPoolClient(
self,
'servu-userpool-web-client',
user_pool=servu_userpool,
auth_flows=aws_cognito.AuthFlow(custom=True,
refresh_token=True,
user_srp=True),
user_pool_client_name='ServU Web Client')
# TODO: Manually configure the domain and callback URLs. Look at CFN for the Pool ID and Client ID
core.CfnOutput(self,
'servu-userpool-id',
value=servu_userpool.user_pool_id,
export_name='servu-userpool-id')
core.CfnOutput(self,
'servu-userpool-client-id',
value=servu_userpool_web_client.user_pool_client_id,
export_name='servu-userpool-client-id')
def __init__(self, scope: cdk.Construct, id: str,
cognito_user_pool: cognito.UserPool, s3_bucket_name: str,
create_configuration_lambda_role_arn: str,
redis: ec.CfnCacheCluster, domain_name: str,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
config_yaml = yaml.load(open("config.yaml"), Loader=yaml.FullLoader)
spoke_accounts = config_yaml.get("spoke_accounts", [])
cognito_user_pool_client = cognito.UserPoolClient(
self,
"UserPoolClient",
user_pool=cognito_user_pool,
generate_secret=True,
supported_identity_providers=[
cognito.UserPoolClientIdentityProvider.COGNITO
],
prevent_user_existence_errors=True,
o_auth=cognito.OAuthSettings(
callback_urls=[
"https://" + domain_name + "/auth",
"https://" + domain_name + "/oauth2/idpresponse",
],
logout_urls=["https://" + domain_name + "/logout"],
flows=cognito.OAuthFlows(authorization_code_grant=True,
implicit_code_grant=True),
scopes=[cognito.OAuthScope.OPENID, cognito.OAuthScope.EMAIL],
),
auth_flows=cognito.AuthFlow(user_password=True, user_srp=True),
)
describe_cognito_user_pool_client = cr.AwsCustomResource(
self,
"UserPoolClientIDResource",
policy=cr.AwsCustomResourcePolicy.from_sdk_calls(
resources=cr.AwsCustomResourcePolicy.ANY_RESOURCE),
on_create=cr.AwsSdkCall(
service="CognitoIdentityServiceProvider",
action="describeUserPoolClient",
parameters={
"UserPoolId": cognito_user_pool.user_pool_id,
"ClientId": cognito_user_pool_client.user_pool_client_id,
},
physical_resource_id=cr.PhysicalResourceId.of(
cognito_user_pool_client.user_pool_client_id),
),
install_latest_aws_sdk=True,
log_retention=logs.RetentionDays.ONE_WEEK,
)
cognito_user_pool_client_secret = (
describe_cognito_user_pool_client.get_response_field(
"UserPoolClient.ClientSecret"))
imported_create_configuration_lambda_role = iam.Role.from_role_arn(
self,
"ImportedCreateConfigurationFileLambdaRole",
role_arn=create_configuration_lambda_role_arn,
)
jwt_secret = config_yaml["jwt_secret"]
config_secret_dict = {
"oidc_secrets": {
"client_id": cognito_user_pool_client.user_pool_client_id,
"secret": cognito_user_pool_client_secret,
"client_scope": ["email", "openid"],
},
"jwt_secret": jwt_secret,
}
config_secret_yaml = yaml.dump(
config_secret_dict,
explicit_start=True,
default_flow_style=False,
)
config_secret = cr.AwsCustomResource(
self,
"ConfigSecretResource",
policy=cr.AwsCustomResourcePolicy.from_sdk_calls(
resources=cr.AwsCustomResourcePolicy.ANY_RESOURCE),
on_update=cr.AwsSdkCall(
service="SecretsManager",
action="updateSecret",
parameters={
"SecretId": CONFIG_SECRET_NAME,
"SecretString": config_secret_yaml,
},
physical_resource_id=cr.PhysicalResourceId.from_response(
"Name"),
),
on_create=cr.AwsSdkCall(
service="SecretsManager",
action="createSecret",
parameters={
"Name": CONFIG_SECRET_NAME,
"Description":
"Sensitive configuration parameters for ConsoleMe",
"SecretString": config_secret_yaml,
},
physical_resource_id=cr.PhysicalResourceId.from_response(
"Name"),
),
on_delete=cr.AwsSdkCall(
service="SecretsManager",
action="deleteSecret",
parameters={
"SecretId": CONFIG_SECRET_NAME,
"ForceDeleteWithoutRecovery": True,
},
),
install_latest_aws_sdk=True,
log_retention=logs.RetentionDays.ONE_WEEK,
)
create_configuration_lambda = lambda_.Function(
self,
"CreateConfigurationFileLambda",
code=lambda_.Code.from_asset("resources/create_config_lambda"),
handler="index.handler",
timeout=cdk.Duration.seconds(30),
layers=[create_dependencies_layer(self, "create_config_lambda")],
runtime=lambda_.Runtime.PYTHON_3_8,
role=imported_create_configuration_lambda_role,
environment={
"DEPLOYMENT_BUCKET":
s3_bucket_name,
"OIDC_METADATA_URL":
"https://cognito-idp." + self.region + ".amazonaws.com/" +
cognito_user_pool.user_pool_id +
"/.well-known/openid-configuration",
"REDIS_HOST":
redis.attr_redis_endpoint_address,
"SES_IDENTITY_ARN":
"arn:aws:ses:" + self.region + ":" + self.account +
":identity/" + domain_name,
"SUPPORT_CHAT_URL":
"https://discord.gg/nQVpNGGkYu",
"APPLICATION_ADMIN":
"consoleme_admin",
"ACCOUNT_NUMBER":
self.account,
"ISSUER":
domain_name,
"SPOKE_ACCOUNTS":
",".join(spoke_accounts),
"CONFIG_SECRET_NAME":
CONFIG_SECRET_NAME,
},
)
create_configuration_resource_provider = cr.Provider(
self,
"CreateConfigurationFileProvider",
on_event_handler=create_configuration_lambda,
log_retention=logs.RetentionDays.ONE_WEEK,
)
create_configuration_lambda_resource = cdk.CustomResource(
self,
"CreateConfigurationFile",
service_token=create_configuration_resource_provider.service_token,
removal_policy=cdk.RemovalPolicy.DESTROY,
properties={"UUID": str(uuid4())},
)
create_configuration_lambda_resource.node.add_dependency(config_secret)
def __init__(self, scope: core.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# -----------------------------------
# Cognito User Pool
# -----------------------------------
userpool = cognito.UserPool(
self,
"ServerlessTodoUserPool",
user_pool_name="ServerlessTodoUserPool",
sign_in_aliases=cognito.SignInAliases(username=True, email=True),
password_policy=cognito.PasswordPolicy(
min_length=6,
require_digits=True,
require_lowercase=True,
require_symbols=True,
require_uppercase=True,
temp_password_validity=core.Duration.days(7)),
auto_verify=cognito.AutoVerifiedAttrs(email=True),
standard_attributes=cognito.StandardAttributes(
email=cognito.StandardAttribute(mutable=True, required=True),
family_name=cognito.StandardAttribute(mutable=True,
required=True),
given_name=cognito.StandardAttribute(mutable=True,
required=True)))
user_pool_client = userpool.add_client(
"UserPoolClient",
auth_flows=cognito.AuthFlow(admin_user_password=True))
# -----------------------------------
# dynamodb
# -----------------------------------
dynamodbTable = dynamodb.Table(
self,
"TaskTable",
partition_key=dynamodb.Attribute(
name="id", type=dynamodb.AttributeType.STRING),
sort_key=dynamodb.Attribute(name="meta",
type=dynamodb.AttributeType.STRING),
billing_mode=dynamodb.BillingMode.PAY_PER_REQUEST,
point_in_time_recovery=True,
server_side_encryption=True)
dynamodbTable.add_global_secondary_index(
partition_key=dynamodb.Attribute(
name="meta", type=dynamodb.AttributeType.STRING),
sort_key=dynamodb.Attribute(name="id",
type=dynamodb.AttributeType.STRING),
index_name="meta-id-index")
dynamodbTable.add_global_secondary_index(
partition_key=dynamodb.Attribute(
name="owner", type=dynamodb.AttributeType.STRING),
sort_key=dynamodb.Attribute(name="meta",
type=dynamodb.AttributeType.STRING),
index_name="owner-meta-index")
# -----------------------------------
# apigateway
# -----------------------------------
acm_arn = self.node.try_get_context('acm_arn')
domain_name = self.node.try_get_context("domain_name")
hosted_zone = self.node.try_get_context("hosted_zone")
api_policy = iam.PolicyDocument(
statements=iam.PolicyStatement(actions=["lambda:InvokeFunction"], )
.add_resources("arn:aws:lambda:{}:{}:function:*".format(
self.region, self.account)))
if acm_arn and domain_name and hosted_zone:
api = apigw.RestApi(
self,
'API',
domain_name=apigw.DomainNameOptions(
certificate=acm.Certificate.from_certificate_arn(
self, 'ApiCertificate', acm_arn),
domain_name=domain_name,
endpoint_type=apigw.EndpointType.REGIONAL),
deploy_options=apigw.StageOptions(metrics_enabled=True),
policy=api_policy,
rest_api_name="Serverless TODO API",
endpoint_types=[apigw.EndpointType.REGIONAL],
default_cors_preflight_options=apigw.CorsOptions(
allow_origins=apigw.Cors.
ALL_ORIGINS, # TODO: Temporary for development
allow_headers=[
"Content-Type", "X-Amz-Date", "Authorization",
"X-Api-Key", "X-Amz-Security-Token", "X-Tracing-Id",
"x-jeffy-correlation-id", "x-amzn-trace-id"
],
allow_methods=apigw.Cors.ALL_METHODS,
allow_credentials=True))
route53.CfnRecordSet(
self,
"apiDomainRecord",
name=domain_name,
type="A",
alias_target={
"dnsName":
api.domain_name.domain_name_alias_domain_name,
"hostedZoneId":
api.domain_name.domain_name_alias_hosted_zone_id
},
hosted_zone_id=hosted_zone,
)
else:
api = apigw.RestApi(
self,
'API',
deploy_options=apigw.StageOptions(metrics_enabled=True),
policy=api_policy,
rest_api_name="Serverless TODO API",
endpoint_types=[apigw.EndpointType.REGIONAL],
default_cors_preflight_options=apigw.CorsOptions(
allow_origins=apigw.Cors.
ALL_ORIGINS, # TODO: Temporary for development
allow_headers=[
"Content-Type", "X-Amz-Date", "Authorization",
"X-Api-Key", "X-Amz-Security-Token", "X-Tracing-Id",
"x-jeffy-correlation-id", "x-amzn-trace-id"
],
allow_methods=apigw.Cors.ALL_METHODS,
allow_credentials=True))
cognito_authorizer = apigw.CognitoUserPoolsAuthorizer(
self,
"CognitoAuthorizer",
cognito_user_pools=[userpool],
authorizer_name='todo_cognito_authorizer',
identity_source='method.request.header.Authorization',
results_cache_ttl=core.Duration.minutes(60))
api_role = iam.Role(self,
"ApiRole",
assumed_by=iam.ServicePrincipal(
service="apigateway.amazonaws.com"))
api_statement = iam.PolicyStatement(
actions=["lambda:InvokeFunction"],
resources=[
"arn:aws:lambda:{}:{}:function:*".format(
self.region, self.account)
])
api_role.add_to_policy(api_statement)
# -----------------------------------
# lambda common configure
# -----------------------------------
env = {
"TABLE_NAME": dynamodbTable.table_name,
"USER_POOL_ID": userpool.user_pool_id,
"USER_POOL_NAME": userpool.user_pool_provider_name,
"CLIENT_ID": user_pool_client.user_pool_client_id
}
# -----------------------------------
# get handler
# -----------------------------------
get_resource_base_name = "getTaskFunction"
get_task_func = lambda_.Function(
self,
get_resource_base_name,
code=lambda_.Code.from_asset(
'function/src/task',
bundling=core.BundlingOptions(
image=lambda_.Runtime.PYTHON_3_8.bundling_docker_image,
command=[
'bash', '-c',
'pip install -r requirements.txt -t /asset-output && cp -a . /asset-output'
],
)),
handler="get.lambda_handler",
runtime=lambda_.Runtime.PYTHON_3_8,
environment=env,
tracing=lambda_.Tracing.ACTIVE,
timeout=core.Duration.seconds(29),
memory_size=512)
get_task_func.add_to_role_policy(statement=iam.PolicyStatement(
actions=['dynamodb:*'],
resources=[
dynamodbTable.table_arn, dynamodbTable.table_arn + '/*'
]))
logs.LogGroup(self,
get_resource_base_name + 'LogGroup',
log_group_name='/aws/lambda/' +
get_task_func.function_name,
retention=logs.RetentionDays.TWO_WEEKS)
task_path = api.root.add_resource("task")
task_id_path = task_path.add_resource("{task_id}")
get_task_integration = apigw.LambdaIntegration(
get_task_func, credentials_role=api_role)
task_id_path.add_method(
"GET",
integration=get_task_integration,
authorization_type=apigw.AuthorizationType.COGNITO,
authorizer=cognito_authorizer,
)
# -----------------------------------
# create handler
# -----------------------------------
create_resource_base_name = "createTaskFunction"
create_task_func = lambda_.Function(
self,
create_resource_base_name,
code=lambda_.Code.from_asset(
'function/src/task',
bundling=core.BundlingOptions(
image=lambda_.Runtime.PYTHON_3_8.bundling_docker_image,
command=[
'bash', '-c',
'pip install -r requirements.txt -t /asset-output && cp -a . /asset-output'
],
)),
handler="create.lambda_handler",
runtime=lambda_.Runtime.PYTHON_3_8,
environment=env,
tracing=lambda_.Tracing.ACTIVE,
timeout=core.Duration.seconds(29),
memory_size=512)
create_task_func.add_to_role_policy(statement=iam.PolicyStatement(
actions=['dynamodb:*'],
resources=[
dynamodbTable.table_arn, dynamodbTable.table_arn + '/*'
]))
logs.LogGroup(self,
create_resource_base_name + 'LogGroup',
log_group_name='/aws/lambda/' +
create_task_func.function_name,
retention=logs.RetentionDays.TWO_WEEKS)
create_task_integration = apigw.LambdaIntegration(
create_task_func, credentials_role=api_role)
task_path.add_method(
"POST",
integration=create_task_integration,
authorization_type=apigw.AuthorizationType.COGNITO,
authorizer=cognito_authorizer,
)
# -----------------------------------
# update handler
# -----------------------------------
update_resource_base_name = "updateTaskFunction"
update_task_func = lambda_.Function(
self,
update_resource_base_name,
code=lambda_.Code.from_asset(
'function/src/task',
bundling=core.BundlingOptions(
image=lambda_.Runtime.PYTHON_3_8.bundling_docker_image,
command=[
'bash', '-c',
'pip install -r requirements.txt -t /asset-output && cp -a . /asset-output'
],
)),
handler="update.lambda_handler",
runtime=lambda_.Runtime.PYTHON_3_8,
environment=env,
tracing=lambda_.Tracing.ACTIVE,
timeout=core.Duration.seconds(29),
memory_size=512)
update_task_func.add_to_role_policy(statement=iam.PolicyStatement(
actions=['dynamodb:*'],
resources=[
dynamodbTable.table_arn, dynamodbTable.table_arn + '/*'
]))
logs.LogGroup(self,
update_resource_base_name + 'LogGroup',
log_group_name='/aws/lambda/' +
update_task_func.function_name,
retention=logs.RetentionDays.TWO_WEEKS)
update_task_integration = apigw.LambdaIntegration(
update_task_func, credentials_role=api_role)
task_id_path.add_method(
"POST",
integration=update_task_integration,
authorization_type=apigw.AuthorizationType.COGNITO,
authorizer=cognito_authorizer,
)
# -----------------------------------
# delete handler
# -----------------------------------
delete_resource_base_name = "deleteTaskFunction"
delete_task_func = lambda_.Function(
self,
delete_resource_base_name,
code=lambda_.Code.from_asset(
'function/src/task',
bundling=core.BundlingOptions(
image=lambda_.Runtime.PYTHON_3_8.bundling_docker_image,
command=[
'bash', '-c',
'pip install -r requirements.txt -t /asset-output && cp -a . /asset-output'
],
)),
handler="delete.lambda_handler",
runtime=lambda_.Runtime.PYTHON_3_8,
environment=env,
tracing=lambda_.Tracing.ACTIVE,
timeout=core.Duration.seconds(29),
memory_size=512)
delete_task_func.add_to_role_policy(statement=iam.PolicyStatement(
actions=['dynamodb:*'],
resources=[
dynamodbTable.table_arn, dynamodbTable.table_arn + '/*'
]))
logs.LogGroup(self,
delete_resource_base_name + 'LogGroup',
log_group_name='/aws/lambda/' +
delete_task_func.function_name,
retention=logs.RetentionDays.TWO_WEEKS)
delete_task_integration = apigw.LambdaIntegration(
delete_task_func, credentials_role=api_role)
task_id_path.add_method(
"DELETE",
integration=delete_task_integration,
authorization_type=apigw.AuthorizationType.COGNITO,
authorizer=cognito_authorizer,
)
# -----------------------------------
# search handler
# -----------------------------------
search_resource_base_name = "searchTaskFunction"
search_task_func = lambda_.Function(
self,
search_resource_base_name,
code=lambda_.Code.from_asset(
'function/src/task',
bundling=core.BundlingOptions(
image=lambda_.Runtime.PYTHON_3_8.bundling_docker_image,
command=[
'bash', '-c',
'pip install -r requirements.txt -t /asset-output && cp -a . /asset-output'
],
)),
handler="search.lambda_handler",
runtime=lambda_.Runtime.PYTHON_3_8,
environment=env,
tracing=lambda_.Tracing.ACTIVE,
timeout=core.Duration.seconds(29),
memory_size=512)
search_task_func.add_to_role_policy(statement=iam.PolicyStatement(
actions=['dynamodb:*'],
resources=[
dynamodbTable.table_arn, dynamodbTable.table_arn + '/*'
]))
logs.LogGroup(self,
search_resource_base_name + 'LogGroup',
log_group_name='/aws/lambda/' +
search_task_func.function_name,
retention=logs.RetentionDays.TWO_WEEKS)
search_task_integration = apigw.LambdaIntegration(
search_task_func, credentials_role=api_role)
tasks_path = api.root.add_resource("tasks")
tasks_path.add_method(
"GET",
integration=search_task_integration,
authorization_type=apigw.AuthorizationType.COGNITO,
authorizer=cognito_authorizer,
)
# -----------------------------------
# login handler
# -----------------------------------
login_resource_base_name = "loginFunction"
login_task_func = lambda_.Function(
self,
login_resource_base_name,
code=lambda_.Code.from_asset(
'function/src/user',
bundling=core.BundlingOptions(
image=lambda_.Runtime.PYTHON_3_8.bundling_docker_image,
command=[
'bash', '-c',
'pip install -r requirements.txt -t /asset-output && cp -a . /asset-output'
],
)),
handler="login.lambda_handler",
runtime=lambda_.Runtime.PYTHON_3_8,
environment=env,
tracing=lambda_.Tracing.ACTIVE,
timeout=core.Duration.seconds(29),
memory_size=512)
login_task_func.add_to_role_policy(statement=iam.PolicyStatement(
actions=['cognito-idp:AdminInitiateAuth'],
resources=[userpool.user_pool_arn]))
logs.LogGroup(self,
login_resource_base_name + 'LogGroup',
log_group_name='/aws/lambda/' +
login_task_func.function_name,
retention=logs.RetentionDays.TWO_WEEKS)
login_task_integration = apigw.LambdaIntegration(login_task_func)
auth_path = api.root.add_resource("auth")
auth_login_path = auth_path.add_resource("login")
auth_login_path.add_method("POST", integration=login_task_integration)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Let's start with creating an IAM Service Role, later to be assumed by our ECS Fargate Container
# After creating any resource, we'll be attaching IAM policies to this role using the `fargate_role`.
fargate_role = iam.Role(
self,
"ecsTaskExecutionRole",
role_name="ecsTaskExecutionRole",
assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
description="Custom Role assumed by ECS Fargate (container)"
)
# S3: Create a Bucket for Unicorn Pursuit web page, and grant public read:
bucket = s3.Bucket(self, "www.unicornpursuit.com",
bucket_name="www.unicornpursuit.com",
access_control=s3.BucketAccessControl.PUBLIC_READ,
)
# Grant public read access to the bucket
bucket.grant_public_access()
# Grant S3 Read/Write access to our Fargate Container
fargate_role.add_to_policy(statement=iam.PolicyStatement(
resources=[bucket.bucket_arn],
actions=["s3:*"]
))
# DynamoDB: Create Table for Project Info (ID, Owner, Content, Photo and Votes)
voting_ddb = ddb.CfnTable(
self, "UnicornDynamoDBVoting",
table_name="UnicornDynamoDBVoting",
key_schema=[
ddb.CfnTable.KeySchemaProperty(attribute_name="id",key_type="HASH"),
ddb.CfnTable.KeySchemaProperty(attribute_name="owner",key_type="RANGE"),
],
# In the new DynamoDB, you can't create AttDefProperty for non-key attributes.
attribute_definitions=[
ddb.CfnTable.AttributeDefinitionProperty(attribute_name="id",attribute_type="N"),
ddb.CfnTable.AttributeDefinitionProperty(attribute_name="owner",attribute_type="S"),
],
provisioned_throughput=ddb.CfnTable.ProvisionedThroughputProperty(
read_capacity_units=5,
write_capacity_units=5
)
)
# Second DynamoDB table called "users" for storing who voted for whom
# Example: [email protected] gave 5 points to project 323, 4 points to 111 etc.
users_ddb = ddb.Table(
self, "UnicornDynamoDBUsers",
table_name="UnicornDynamoDBUsers",
partition_key=ddb.Attribute(
name="Owner",
type=ddb.AttributeType.STRING
)
)
# Grant RW writes for Unicorn App in Fargate
fargate_role.add_to_policy(statement=iam.PolicyStatement(
resources=[voting_ddb.attr_arn,
users_ddb.table_arn],
actions=["dynamodb:*"]
))
# Cognito: Create User Pool
userpool = cognito.UserPool(
self, "CognitoUnicornUserPool",
user_pool_name="CognitoUnicornUserPool",
self_sign_up_enabled=True,
## Require username or email for users to sign in
sign_in_aliases=cognito.SignInAliases(
username=False,
email=True,
),
# Require users to give their full name when signing up
required_attributes=cognito.RequiredAttributes(
fullname=True,
email=True,
phone_number=True
),
# Verify new sign ups using email
auto_verify=cognito.AutoVerifiedAttrs(
email=False,
phone=True,
),
# Configure OTP Settings ()
user_verification=cognito.UserVerificationConfig(
sms_message="Hey Unicorn Hunter, welcome to Unicorn Pursuit! Your OTP is {####}",
),
# Set up required password policy
password_policy=cognito.PasswordPolicy(
min_length=12,
require_symbols=True,
require_lowercase=True,
require_uppercase=True,
require_digits=True,
)
)
## Cognito: Create App Client & create Authentication Flow with User and Password
userpool.add_client(
"UnicornAppClient",
user_pool_client_name="UnicornAppClient",
generate_secret=False,
## We'll allow both Flows, Implicit and Authorization Code, and decide in the app which to use.
auth_flows=cognito.AuthFlow(
admin_user_password=False,
custom=False,
refresh_token=True,
user_password=True,
user_srp=False
),
)
# Grant Cognito Access to Fargate. Include SSM, so Client App ID can be retrived.
fargate_role.add_to_policy(statement=iam.PolicyStatement(
resources=["*"],
actions=["ssm:*"]
))
fargate_role.add_to_policy(statement=iam.PolicyStatement(
resources=[userpool.user_pool_arn],
actions=["cognito-identity:*","cognito-idp:*","cognito-sync:*"]
))
## Fargate: Create ECS:Fargate with ECR uploaded image
vpc = ec2.Vpc(self, "UnicornVPC", max_azs=2, nat_gateways=None)
""" VPC with optimal NAT GW usage
vpc_lowcost = ec2.Vpc(self, "LowCostVPC",
max_azs=2,
cidr="10.7.0.0/16",
nat_gateways=None,
subnet_configuration=[ec2.SubnetConfiguration(
subnet_type=ec2.SubnetType.PUBLIC,
name="Public",
cidr_mask=24,
), ec2.SubnetConfiguration(
subnet_type=ec2.SubnetType.ISOLATED,
name="Private",
cidr_mask=24,
)
],
) """
linux_ami = ec2.AmazonLinuxImage(generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE
)
nat_ec2 = ec2.Instance(self, "NAT",
instance_name="NAT",
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
instance_type=ec2.InstanceType(instance_type_identifier="t3.nano"),
machine_image=linux_ami,
user_data=ec2.UserData.for_linux(),
source_dest_check=False,
)
# Configure Linux Instance to act as NAT Instance
nat_ec2.user_data.add_commands("sysctl -w net.ipv4.ip_forward=1")
nat_ec2.user_data.add_commands("/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE")
# Add a static route to the ISOLATED subnet, pointing 0.0.0.0/0 to a NAT EC2
selection = vpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE
)
for subnet in selection.subnets:
subnet.add_route("DefaultNAT", router_id=nat_ec2.instance_id, router_type=ec2.RouterType.INSTANCE, destination_cidr_block="0.0.0.0/0")
# Create ECS Cluster
cluster = ecs.Cluster(self, "UnicornCluster", vpc=vpc)
ecr.Repository(self, "unicorn", repository_name="unicorn")
fargate_service = ecs_patterns.ApplicationLoadBalancedFargateService(self, "UnicornFargateService",
cluster=cluster,
cpu=512,
desired_count=1,
task_image_options=ecs_patterns.ApplicationLoadBalancedTaskImageOptions(
image=ecs.ContainerImage.from_registry("057097267726.dkr.ecr.eu-west-1.amazonaws.com/unicorn"),
# image=ecs.ContainerImage.from_registry(repo.repository_uri_for_tag()),
container_port=8080,
container_name="unicorn",
execution_role=fargate_role,
),
memory_limit_mib=1024,
public_load_balancer=True
)
fargate_service.service.connections.security_groups[0].add_ingress_rule(
peer = ec2.Peer.ipv4(vpc.vpc_cidr_block),
connection = ec2.Port.tcp(8080),
description="Allow http inbound from VPC"
)
# Update NAT EC2 Security Group, to allow only HTTPS from Fargate Service Security Group.
nat_ec2.connections.security_groups[0].add_ingress_rule(
peer = fargate_service.service.connections.security_groups[0],
connection = ec2.Port.tcp(443),
description="Allow https from Fargate Service"
)
# Grant ECR Access to Fargate by attaching an existing ReadOnly policy. so that Unicorn Docker Image can be pulled.
#fargate_role.add_managed_policy(iam.ManagedPolicy("AmazonEC2ContainerRegistryReadOnly"))
fargate_role.add_to_policy(statement=iam.PolicyStatement(
resources=["*"],
actions=["ecr:*"]
))
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# S3: Create a Bucket for Unicorn Pursuit web page, and grant public read:
bucket = s3.Bucket(
self,
"www.unicornpursuit.com",
bucket_name="www.unicornpursuit.com",
access_control=s3.BucketAccessControl.PUBLIC_READ,
)
# Grant public read access to the bucket
bucket.grant_public_access()
# DynamoDB: Create Table for Project Info (ID, Owner, Content, Photo and Votes)
voting = ddb.CfnTable(
self,
"UnicornDynamoDBVoting",
table_name="UnicornDynamoDBVoting",
key_schema=[
ddb.CfnTable.KeySchemaProperty(attribute_name="id",
key_type="HASH"),
ddb.CfnTable.KeySchemaProperty(attribute_name="owner",
key_type="RANGE"),
],
# In the new DynamoDB, you can't create AttDefProperty for non-key attributes.
attribute_definitions=[
ddb.CfnTable.AttributeDefinitionProperty(attribute_name="id",
attribute_type="N"),
ddb.CfnTable.AttributeDefinitionProperty(
attribute_name="owner", attribute_type="S"),
],
provisioned_throughput=ddb.CfnTable.ProvisionedThroughputProperty(
read_capacity_units=5, write_capacity_units=5))
# Grant RW writes for Unicorn App in Fargate and relevant Lambdas invoked from API Gateway
# voting.grant_read_write_data(user)
# Second DynamoDB table called "users" for storing who voted for whom
# Example: [email protected] gave 5 points to project 323, 4 points to 111 etc.
users = ddb.Table(self,
"UnicornDynamoDBUsers",
table_name="UnicornDynamoDBUsers",
partition_key=ddb.Attribute(
name="owner", type=ddb.AttributeType.STRING))
# Cognito: Create User Pool
userpool = cognito.UserPool(
self,
"CognitoUnicornUserPool",
user_pool_name="CognitoUnicornUserPool",
self_sign_up_enabled=True,
## Require username or email for users to sign in
sign_in_aliases=cognito.SignInAliases(
username=False,
email=True,
),
# Require users to give their full name when signing up
required_attributes=cognito.RequiredAttributes(fullname=True,
email=True,
phone_number=True),
# Verify new sign ups using email
auto_verify=cognito.AutoVerifiedAttrs(
email=False,
phone=True,
),
# Configure OTP Settings ()
user_verification=cognito.UserVerificationConfig(
sms_message=
"Hey Unicorn Hunter, welcome to Unicorn Pursuit! Your OTP is {####}",
),
# Set up required password policy
password_policy=cognito.PasswordPolicy(
min_length=12,
require_symbols=True,
require_lowercase=True,
require_uppercase=True,
require_digits=True,
))
## Cognito: Create App Client & create Authentication Flow with User and Password
client = userpool.add_client(
"UnicornAppClient",
user_pool_client_name="UnicornAppClient",
generate_secret=False,
## We'll allow both Flows, Implicit and Authorization Code, and decide in the app which to use.
auth_flows=cognito.AuthFlow(admin_user_password=False,
custom=False,
refresh_token=True,
user_password=True,
user_srp=False),
)
def base_cognito_user_pool(construct, **kwargs):
"""
Function that generates a Cognito User Pool.
:param construct: Custom construct that will use this function. From the external construct is usually 'self'.
:param kwargs: Consist of required 'queue_name' and optionals 'queue_delivery_delay' and 'queue_visibility_timeout'.
:return: DynamoDB Table Construct.
"""
user_pool_name = construct.prefix + "_" + kwargs[
"pool_name"] + "_pool_" + construct.environment_
if kwargs.get("email") is not None:
email_settings = cognito.EmailSettings(
from_=kwargs["email"]["from"],
reply_to=kwargs["email"].get("reply_to"))
else:
email_settings = None
password_policy_settings = kwargs.get("password_policy")
temporary_password_validation_time = (
core.Duration.days(
password_policy_settings.get("temporary_password_duration"))
if password_policy_settings.get("temporary_password_duration")
is not None else None)
password_policy = cognito.PasswordPolicy(
min_length=password_policy_settings.get("minimum_length"),
temp_password_validity=temporary_password_validation_time,
require_lowercase=password_policy_settings.get("require",
{}).get("lower_case"),
require_uppercase=password_policy_settings.get("require",
{}).get("upper_case"),
require_digits=password_policy_settings.get("require",
{}).get("digits"),
require_symbols=password_policy_settings.get("require",
{}).get("symbols"),
)
sign_up_info = kwargs["sign_up"]
self_sing_up = sign_up_info["enabled"]
user_verification_info = base_user_verification(
sign_up_info=sign_up_info["user_verification"])
user_invitation = kwargs.get("invitation")
user_invitation_configuration = cognito.UserInvitationConfig(
email_subject=user_invitation.get("email", {}).get("subject"),
email_body=user_invitation.get("email", {}).get("body"),
sms_message=user_invitation.get("sms", {}).get("body"),
)
trigger_functions = kwargs.get("triggers", {})
lambda_triggers = base_lambda_triggers(construct,
trigger_functions=trigger_functions)
sign_in_list = kwargs.get("sign_in").get("order", list())
sing_in_kwargs = dict()
for element in sign_in_list:
sing_in_kwargs[element] = True
sign_in_aliases = cognito.SignInAliases(**sing_in_kwargs)
attributes = kwargs.get("attributes")
standard_attributes_list = attributes.get("standard", list())
standard_attributes_dict = dict()
for element in standard_attributes_list:
standard_attributes_dict[element["name"]] = cognito.StandardAttribute(
mutable=element.get("mutable"), required=element.get("required"))
standard_attributes = cognito.StandardAttributes(
**standard_attributes_dict)
custom_attributes_list = attributes.get("custom", list())
if len(custom_attributes_list) > 0:
custom_attributes = base_custom_attributes(
custom_attributes_list=custom_attributes_list)
else:
custom_attributes = None
user_pool = cognito.UserPool(
construct,
id=user_pool_name,
user_pool_name=user_pool_name,
email_settings=email_settings,
password_policy=password_policy,
self_sign_up_enabled=self_sing_up,
user_verification=user_verification_info,
user_invitation=user_invitation_configuration,
sign_in_aliases=sign_in_aliases,
standard_attributes=standard_attributes,
custom_attributes=custom_attributes,
lambda_triggers=lambda_triggers,
)
user_pool_client = None
if kwargs.get("app_client", {}).get("enabled") is True:
client_name = kwargs["app_client"]["client_name"]
generate_secret = kwargs["app_client"]["generate_secret"]
user_pool_client_name = construct.prefix + "_" + client_name + "_client_" + construct.environment_
auth_flows = None
auth_flows_configuration = kwargs["app_client"].get("auth_flows")
if auth_flows_configuration is not None:
auth_flows = cognito.AuthFlow(**auth_flows_configuration)
user_pool_client = cognito.UserPoolClient(
construct,
id=user_pool_client_name,
user_pool_client_name=user_pool_client_name,
generate_secret=generate_secret,
auth_flows=auth_flows,
user_pool=user_pool,
)
return user_pool, user_pool_client
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
pool = cognito.UserPool(scope=self,
id="user-pool",
mfa=cognito.Mfa.OPTIONAL,
mfa_second_factor=cognito.MfaSecondFactor(
otp=True, sms=True),
password_policy=cognito.PasswordPolicy(
min_length=12,
require_lowercase=True,
require_uppercase=False,
require_digits=False,
require_symbols=False,
))
client = pool.add_client(
id="customer-app-client",
auth_flows=cognito.AuthFlow(
user_password=True,
refresh_token=True,
user_srp=True,
),
)
graphql_api = appsync.GraphqlApi(
scope=self,
id="graphql-api",
name="todo-api",
schema=appsync.Schema.from_asset(
file_path=os.path.join("graphQL", "schema.graphql")),
authorization_config=appsync.AuthorizationConfig(
default_authorization=appsync.AuthorizationMode(
authorization_type=appsync.AuthorizationType.USER_POOL,
user_pool_config=appsync.UserPoolConfig(user_pool=pool,
))),
xray_enabled=True)
todo_table = dynamodb.Table(
scope=self,
id="todo-table",
removal_policy=core.RemovalPolicy.DESTROY,
partition_key=dynamodb.Attribute(
name="id", type=dynamodb.AttributeType.STRING),
)
commnet_table = dynamodb.Table(
scope=self,
id="comment-table",
removal_policy=core.RemovalPolicy.DESTROY,
partition_key=dynamodb.Attribute(
name="commentid", type=dynamodb.AttributeType.STRING),
sort_key=dynamodb.Attribute(name="todoid",
type=dynamodb.AttributeType.STRING),
)
commnet_table.add_global_secondary_index(
partition_key=dynamodb.Attribute(
name="todoid", type=dynamodb.AttributeType.STRING),
index_name="todoid-index")
todo_dS = graphql_api.add_dynamo_db_data_source(
id="todoDS",
table=todo_table,
)
todo_dS.create_resolver(
type_name="Query",
field_name="getTodos",
request_mapping_template=appsync.MappingTemplate.from_file(
os.path.join("graphQL", "getItemsRequest.vtl")),
response_mapping_template=appsync.MappingTemplate.from_file(
os.path.join("graphQL", "getItemsResponse.vtl")),
)
todo_dS.create_resolver(
type_name="Mutation",
field_name="addTodo",
request_mapping_template=appsync.MappingTemplate.from_file(
os.path.join("graphQL", "addTodoRequest.vtl")),
response_mapping_template=appsync.MappingTemplate.from_file(
os.path.join("graphQL", "addTodoResponse.vtl")),
)
comment_dS = graphql_api.add_dynamo_db_data_source(
id="commentDS",
table=commnet_table,
)
comment_dS.create_resolver(
type_name="Todo",
field_name="contents",
request_mapping_template=appsync.MappingTemplate.from_file(
os.path.join("graphQL", "getCommentsRequest.vtl")),
response_mapping_template=appsync.MappingTemplate.from_file(
os.path.join("graphQL", "getCommentsResponse.vtl")),
)
comment_dS.create_resolver(
type_name="Mutation",
field_name="addComment",
request_mapping_template=appsync.MappingTemplate.from_file(
os.path.join("graphQL", "addCommentRequest.vtl")),
response_mapping_template=appsync.MappingTemplate.from_file(
os.path.join("graphQL", "addCommentResponse.vtl")),
)
def __init__(self, scope: core.Construct, id: str,
artifact_bucket: s3.Bucket, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
pool = cognito.UserPool(scope=self,
id="user-pool",
mfa=cognito.Mfa.OPTIONAL,
mfa_second_factor=cognito.MfaSecondFactor(
otp=True, sms=True),
password_policy=cognito.PasswordPolicy(
min_length=12,
require_lowercase=True,
require_uppercase=False,
require_digits=False,
require_symbols=False,
))
client = pool.add_client(
id="customer-app-client",
auth_flows=cognito.AuthFlow(user_password=True,
refresh_token=True),
)
backend = _lambda.Function(
scope=self,
id="api-function",
runtime=_lambda.Runtime.GO_1_X,
handler="main",
memory_size=500,
timeout=core.Duration.seconds(10),
environment={
"USER_POOL_ID": pool.user_pool_id,
"CLIENT_ID": client.user_pool_client_id,
},
code=_lambda.Code.from_bucket(
bucket=artifact_bucket,
key="Server/main.zip",
),
)
backend.add_to_role_policy(
statement=iam.PolicyStatement(actions=[
"cognito-idp:RespondToAuthChallenge",
"cognito-idp:InitiateAuth", "cognito-idp:SetUserMFAPreference",
"cognito-idp:AssociateSoftwareToken",
"cognito-idp:VerifySoftwareToken"
],
resources=[pool.user_pool_arn]))
api = apigateway.LambdaRestApi(
scope=self,
id="mfa-api",
handler=backend,
endpoint_types=[apigateway.EndpointType.REGIONAL],
default_cors_preflight_options=apigateway.CorsOptions(
allow_origins=["*"]))
self.api = api
self.backend_fn = backend
static_website_bucket = s3.Bucket(
scope=self,
id="static-website-bucket",
)
self.static_website_bucket = static_website_bucket
distribution = cloudfront.CloudFrontWebDistribution(
scope=self,
id="static-website-distribution",
default_root_object="index.html",
origin_configs=[
cloudfront.SourceConfiguration(
s3_origin_source=cloudfront.S3OriginConfig(
s3_bucket_source=static_website_bucket,
origin_access_identity=cloudfront.OriginAccessIdentity(
scope=self,
id="origin-access-identity",
)),
behaviors=[cloudfront.Behavior(is_default_behavior=True)])
],
)
def __init__(self, scope: core.Construct, id: str,
cognito_domain_name: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# The code that defines your stack goes here):
svc_name = self.node.try_get_context("service_name")
url_name = core.CfnParameter(
self,
id="cognitoDomainName",
description="Enter the name the domain you want to use",
type="String",
default="mystique")
# Create an Identity Pool
self.unicorn_user_pool = _cognito.UserPool(
self,
"unicornUserPool",
user_pool_name="Miztiik-Unicorn-App-User-Pool",
# sign_in_aliases={"username": True,"email": True}
sign_in_aliases=_cognito.SignInAliases(username=True, email=True),
standard_attributes={
"email": {
"required": True,
"mutable": False
},
"fullname": {
"required": False,
"mutable": True
}
},
auto_verify=_cognito.AutoVerifiedAttrs(email=True))
# OAuth Scopes
self.unicorn_user_pool_res_srv_identifier = f"premium_api"
self.unicorn_read_scope = f"read"
self.unicorn_write_scope = f"write"
unicorn_users_auth_domain = _cognito.UserPoolDomain(
self,
"userPoolDomain",
user_pool=self.unicorn_user_pool,
cognito_domain=_cognito.CognitoDomainOptions(
domain_prefix=f"{cognito_domain_name}"))
self.unicorn_user_pool.user_pool_arn
user_pool_res_srv = _cognito.CfnUserPoolResourceServer(
self,
"ResourceServer",
# Having URL format is recommended
# identifier=f"{premium_content.url}",
identifier=f"{self.unicorn_user_pool_res_srv_identifier}",
name=f"premium-api-authorizer",
user_pool_id=self.unicorn_user_pool.user_pool_id,
scopes=[{
"scopeName": f"{self.unicorn_read_scope}",
"scopeDescription": "Get Premium Api Content"
}, {
"scopeName": f"{self.unicorn_write_scope}",
"scopeDescription": "Put Premium Api Content"
}])
user_pool_client = _cognito.UserPoolClient(
self,
"AppClient",
user_pool=self.unicorn_user_pool,
user_pool_client_name="premium_app_users",
generate_secret=True,
# We'll allow both Flows, Implicit and Authorization Code, and decide in the app which to use.
auth_flows=_cognito.AuthFlow(admin_user_password=False,
custom=True,
refresh_token=True,
user_password=False,
user_srp=True),
prevent_user_existence_errors=True,
o_auth=_cognito.OAuthSettings(
flows=_cognito.OAuthFlows(authorization_code_grant=False,
implicit_code_grant=False,
client_credentials=True),
scopes=[
# _cognito.OAuthScope.EMAIL,
# _cognito.OAuthScope.OPENID,
# _cognito.OAuthScope.COGNITO_ADMIN,
# _cognito.OAuthScope.PROFILE,
# https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_cognito/OAuthScope.html#aws_cdk.aws_cognito.OAuthScope
_cognito.OAuthScope.custom(
f"{self.unicorn_user_pool_res_srv_identifier}/{self.unicorn_read_scope}"
),
_cognito.OAuthScope.custom(
f"{self.unicorn_user_pool_res_srv_identifier}/{self.unicorn_write_scope}"
)
]))
# Add dependency so that ResourceServer is deployed before App Client
user_pool_client.node.add_dependency(user_pool_res_srv)
# Retrieve Cognito App Client Secret and Add to Secrets Manager
app_secrets = CognitoAppClientSecretRetrieverStack(
self,
"appClientSecrets",
user_pool_id=self.unicorn_user_pool.user_pool_id,
user_pool_client_id=user_pool_client.user_pool_client_id,
user_pool_oauth2_endpoint=
f"https://{unicorn_users_auth_domain.domain_name}.auth.{core.Aws.REGION}.amazoncognito.com/oauth2/token",
unicorn_user_pool_res_srv_identifier=
f"{self.unicorn_user_pool_res_srv_identifier}",
unicorn_read_scope=f"{self.unicorn_read_scope}",
unicorn_write_scope=f"{self.unicorn_write_scope}")
# Export Value
self.unicorn_user_pool_secrets_arn = app_secrets.response
###########################################
################# OUTPUTS #################
###########################################
output_0 = core.CfnOutput(
self,
"AutomationFrom",
value=f"{global_args.SOURCE_INFO}",
description=
"To know more about this automation stack, check out our github page."
)
# https://AUTH_DOMAIN/oauth2/token
output_1 = core.CfnOutput(
self,
"UnicornIdentityAuthDomain",
value=
f"https://{unicorn_users_auth_domain.domain_name}.auth.{core.Aws.REGION}.amazoncognito.com/oauth2/token",
description="Authenticate Against this endpoint")
output_2 = core.CfnOutput(self,
"AppPoolSecretsArn",
value=f"{app_secrets.response}",
description="AppPoolSecretsArn")
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Create a VPC for Aurora (required for serverless Aurora)
aurora_vpc = ec2.Vpc(self, 'AuroraVpc')
# Create serverless MySQL Aurora cluster
aurora_cluster = rds.ServerlessCluster(
self,
'AuroraCluster',
vpc=aurora_vpc,
engine=rds.DatabaseClusterEngine.AURORA_MYSQL,
default_database_name='core')
# Handler for the hello endpoint
hello_lambda = _lambda.Function(
self,
'HelloHandler',
runtime=_lambda.Runtime.PYTHON_3_8,
code=_lambda.Code.asset('lambda'),
handler='hello.handler',
)
# Handler for the GET /user_accounts endpoint
get_user_account_lambda = _lambda.Function(
self,
'GetUserAccount',
runtime=_lambda.Runtime.PYTHON_3_8,
code=_lambda.Code.asset('lambda'),
handler='get_user_account.handler',
environment={
'CLUSTER_ARN': aurora_cluster.cluster_arn,
'SECRET_ARN': aurora_cluster.secret.secret_arn,
'DB_NAME': 'core',
})
# Grant the lambda function the required permissions to access the database
aurora_cluster.grant_data_api_access(
get_user_account_lambda) # This also enables the data api
# Cognito User Pool for sign up and authorization
user_pool = cognito.UserPool(
self,
'user-pool',
self_sign_up_enabled=True,
auto_verify=cognito.AutoVerifiedAttrs(email=True, phone=False),
sign_in_aliases=cognito.SignInAliases(email=True, username=True))
# User pool client - used for sign up and sign in and password recovery
user_pool.add_client('app-client',
auth_flows=cognito.AuthFlow(user_password=True,
user_srp=True))
# Create the API Gateway REST API
api = apigw.RestApi(self, 'test-api')
# Create custom authorizer, modeled after work around detailed here:
# https://github.com/aws/aws-cdk/issues/723#issuecomment-504753280
cognito_authorizer = apigw.CfnAuthorizer(
self,
'CognitoAuthorizer',
type='COGNITO_USER_POOLS',
provider_arns=[user_pool.user_pool_arn],
identity_source='method.request.header.Authorization',
rest_api_id=api.rest_api_id,
name='CognitoAuthorizer')
# Hello resource and endpoint, handled by the hello lambda
hello_resource = api.root.add_resource('hello')
hello_method = hello_resource.add_method(
'GET', integration=apigw.LambdaIntegration(hello_lambda))
hello_method_resource = hello_method.node.find_child('Resource')
hello_method_resource.add_property_override(
'AuthorizationType', apigw.AuthorizationType.COGNITO)
hello_method_resource.add_property_override(
'AuthorizerId', {"Ref": cognito_authorizer.logical_id})
# Add user_account resource
user_account_resource = api.root.add_resource('user_account')
# Add GET handler for user_account
get_user_account_method = user_account_resource.add_method(
'GET',
integration=apigw.LambdaIntegration(get_user_account_lambda))
get_user_account_method_resource = get_user_account_method.node.find_child(
'Resource')
get_user_account_method_resource.add_property_override(
'AuthorizationType', apigw.AuthorizationType.COGNITO)
get_user_account_method_resource.add_property_override(
'AuthorizerId', {"Ref": cognito_authorizer.logical_id})
