From 645b5da67ee0ace8e333362e37f3d1bc9b9d2306 Mon Sep 17 00:00:00 2001
From: Ramesh Maddegoda <94033485+ramesh-maddegoda@users.noreply.github.com>
Date: Tue, 27 Sep 2022 10:28:27 -0700
Subject: [PATCH] feat: Added terraform scripts to create API Gateway and Cognito user pool with App clients

Refer to task unity-sds/unity-cs#124
---
terraform-api-gateway-cognito/README.md | 104 ++
terraform-api-gateway-cognito/main.tf | 7 +
.../update-api-gateway-urls.sh | 21 +
terraform-api-gateway-cognito/providers.tf | 12 +
.../terraform-modules/api-gateway/rest_api.tf | 57 ++
.../unity-rest-api-gateway-oas30.yaml | 887 ++++++++++++++++++
.../api-gateway/variables.tf | 39 +
.../cognito-user-pool/user_pool.tf | 84 ++
.../cognito-user-pool/variables.tf | 53 ++
terraform-api-gateway-cognito/variables.tf | 5 +
10 files changed, 1269 insertions(+)
create mode 100644 terraform-api-gateway-cognito/README.md
create mode 100644 terraform-api-gateway-cognito/main.tf
create mode 100755 terraform-api-gateway-cognito/post-deployment/update-api-gateway-urls.sh
create mode 100644 terraform-api-gateway-cognito/providers.tf
create mode 100644 terraform-api-gateway-cognito/terraform-modules/api-gateway/rest_api.tf
create mode 100644 terraform-api-gateway-cognito/terraform-modules/api-gateway/unity-rest-api-gateway-oas30.yaml
create mode 100644 terraform-api-gateway-cognito/terraform-modules/api-gateway/variables.tf
create mode 100644 terraform-api-gateway-cognito/terraform-modules/cognito-user-pool/user_pool.tf
create mode 100644 terraform-api-gateway-cognito/terraform-modules/cognito-user-pool/variables.tf
create mode 100644 terraform-api-gateway-cognito/variables.tf

diff --git a/terraform-api-gateway-cognito/README.md b/terraform-api-gateway-cognito/README.md
new file mode 100644
index 0000000..07463b1
--- /dev/null
+++ b/terraform-api-gateway-cognito/README.md
@@ -0,0 +1,104 @@ +# Terraform to Deploy Unity API Gateway + +This Document is a Work in Progress + +## Prerequisites +- Terraform +- AWS CLI + +## Steps to Deploy the API Gateway + +1. Open a terminal and set the following environment variables with correct values associated with your AWS account. + +```shell +export AWS_ACCESS_KEY_ID= +export AWS_SECRET_ACCESS_KEY= +export AWS_SESSION_TOKEN= +export AWS_DEFAULT_REGION=us-west-2 +``` + +2. The following parameters should be available in the AWS System Manager (SSM) Parameter Store before deploying the API Gateway. These values can be set +as a result of a previous deployment (E.g.: A lambda function deployment) or can be set using AWS Console or AWS CLI. + +```shell +/unity/dev/unity-sps-1/api-gateway/functions/cs-lambda-authorizer-uri +/unity/dev/unity-sps-1/api-gateway/integrations/uads-dockstore-nlb-uri +/unity/dev/unity-sps-1/api-gateway/integrations/uads-dev-dockstore-link-2-vpc-link-id +/unity/dev/unity-sps-1/api-gateway/integrations/uds-dev-cumulus-cumulus_granules_dapa-function-uri +/unity/dev/unity-sps-1/api-gateway/integrations/uds-dev-cumulus-cumulus_collections_dapa-function-uri +``` + +If these parameters are not available, it is possible to set these parameters using the AWS CLI as follows. + +Tips: + +#### A function URI for a lambda function can be derived as follows. + +Example: + The `arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:1234567890:function:cs-lambda-authorizer/invocations` + +Can be derived with: + + "arn:aws:apigateway:" + + ":lambda:path/2015-03-31/functions/" + + "/invocations" + + +#### Example + +In this example, the account number is purposefully set to 1234567890 and also added fake values. 
Please replace these values with correct values):
+```shell
+
+aws ssm put-parameter --name "/unity/dev/unity-sps-1/api-gateway/functions/cs-lambda-authorizer-uri" \
+ --value "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:1234567890:function:cs-lambda-authorizer/invocations" \
+ --type String
+
+aws ssm put-parameter --name "/unity/dev/unity-sps-1/api-gateway/integrations/uads-dockstore-nlb-uri" \
+ --value "http://uads-dockstore-nlb.elb.us-west-2.amazonaws.com:9999/{proxy}" \
+ --type String
+
+aws ssm put-parameter --name "/unity/dev/unity-sps-1/api-gateway/integrations/uads-dev-dockstore-link-2-vpc-link-id" \
+ --value "abcde" \
+ --type String
+
+aws ssm put-parameter --name "/unity/dev/unity-sps-1/api-gateway/integrations/uds-dev-cumulus-cumulus_granules_dapa-function-uri" \
+ --value "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:1234567890:function:uds-dev-cumulus-cumulus_granules_dapa/invocations" \
+ --type String
+
+aws ssm put-parameter --name "/unity/dev/unity-sps-1/api-gateway/integrations/uds-dev-cumulus-cumulus_collections_dapa-function-uri" \
+ --value "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:1234567890:function:uds-dev-cumulus-cumulus_collections_dapa/invocations" \
+ --type String
+
+```
+
+3. Clone unity-cs repository (api-gateway-terraform branch)
+```shell
+git clone https://github.com/unity-sds/unity-cs.git -b api-gateway-terraform
+```
+
+4. Change current working directory to `terraform/terraform-api-gateway`
+
+```shell
+cd unity-cs/terraform/terraform-api-gateway/
+```
+
+5. Check the YAML file at `unity-cs/terraform/terraform-api-gateway/terraform-modules/unity-rest-api-gateway-oas30.yaml`,
+which contains the Open API Specification 3.0 definition of Unity API Gateway and make necessary updates (only if required).
You can use
+this file to define a complete API Gateway by adding, updating, deleting API resources and methods, configuring authorizers and
+setting-up integration points.
+
+7. Execute following commands to deploy the API Gateway.
+
+```shell
+terraform init
+```
+
+```shell
+terraform apply
+```
+
+7. Visit the API Gateway service and observe the newly deployed API Gateway (in this example, it takes the name "Unity CS Experimental REST API Gateway").
+
+8. To delete the API Gateway, you may use the following command.
+
+```shell
+terraform destroy
+```
diff --git a/terraform-api-gateway-cognito/main.tf b/terraform-api-gateway-cognito/main.tf
new file mode 100644
index 0000000..f4f50fe
--- /dev/null
+++ b/terraform-api-gateway-cognito/main.tf
@@ -0,0 +1,7 @@
+module "api_gateway" {
+ source = "./terraform-modules/api-gateway"
+}
+
+module "cognito_user_pool" {
+ source = "./terraform-modules/cognito-user-pool"
+}
diff --git a/terraform-api-gateway-cognito/post-deployment/update-api-gateway-urls.sh b/terraform-api-gateway-cognito/post-deployment/update-api-gateway-urls.sh
new file mode 100755
index 0000000..5900371
--- /dev/null
+++ b/terraform-api-gateway-cognito/post-deployment/update-api-gateway-urls.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+AWS_DEFAULT_REGION='us-west-2'
+NAMESPACE='unity-sps'
+COUNTER=3
+STAGE='dev'
+REST_API_ID=''
+
+ADES_WPST_URL=$(aws ssm get-parameter --name "/unity/dev/${NAMESPACE}-${COUNTER}/api-gateway/stage-variables/ades-wpst-url" --query Parameter.Value --region "${AWS_DEFAULT_REGION}")
+GRQ_ES_URL=$(aws ssm get-parameter --name "/unity/dev/${NAMESPACE}-${COUNTER}/api-gateway/stage-variables/grq-es-url" --query Parameter.Value --region "${AWS_DEFAULT_REGION}")
+GRQ_REST_API_URL=$(aws ssm get-parameter --name "/unity/dev/${NAMESPACE}-${COUNTER}/api-gateway/stage-variables/grq-rest-api-url" --query Parameter.Value --region "${AWS_DEFAULT_REGION}")
+HYSDS_UI_URL=$(aws ssm get-parameter --name "/unity/dev/${NAMESPACE}-${COUNTER}/api-gateway/stage-variables/hysds-ui-url" --query Parameter.Value --region "${AWS_DEFAULT_REGION}")
+MOZART_ES_URL=$(aws ssm get-parameter --name "/unity/dev/${NAMESPACE}-${COUNTER}/api-gateway/stage-variables/mozart-es-url" --query Parameter.Value --region "${AWS_DEFAULT_REGION}")
+MOZART_REST_API_URL=$(aws ssm get-parameter --name "/unity/dev/${NAMESPACE}-${COUNTER}/api-gateway/stage-variables/mozart-rest-api-url" --query Parameter.Value --region "${AWS_DEFAULT_REGION}")
+
+aws apigateway update-stage --rest-api-id "${REST_API_ID}" --stage-name "${STAGE}" --region ${AWS_DEFAULT_REGION} --patch-operations op=replace,path=/variables/adesWpstUrl,value="${ADES_WPST_URL}"
+aws apigateway update-stage --rest-api-id "${REST_API_ID}" --stage-name "${STAGE}" --region ${AWS_DEFAULT_REGION} --patch-operations op=replace,path=/variables/grqEsUrl,value="${GRQ_ES_URL}"
+aws apigateway update-stage --rest-api-id "${REST_API_ID}" --stage-name "${STAGE}" --region ${AWS_DEFAULT_REGION} --patch-operations op=replace,path=/variables/grqRestApiUrl,value="${GRQ_REST_API_URL}"
+aws apigateway update-stage --rest-api-id "${REST_API_ID}" --stage-name "${STAGE}" --region ${AWS_DEFAULT_REGION} --patch-operations op=replace,path=/variables/hysdsUiUrl,value="${HYSDS_UI_URL}"
+aws apigateway update-stage --rest-api-id "${REST_API_ID}" --stage-name "${STAGE}" --region ${AWS_DEFAULT_REGION} --patch-operations op=replace,path=/variables/mozartEsUrl,value="${MOZART_ES_URL}"
+aws apigateway update-stage --rest-api-id "${REST_API_ID}" --stage-name "${STAGE}" --region ${AWS_DEFAULT_REGION} --patch-operations op=replace,path=/variables/mozartRestApiUrl,value="${MOZART_REST_API_URL}"
diff --git a/terraform-api-gateway-cognito/providers.tf b/terraform-api-gateway-cognito/providers.tf
new file mode 100644
index 0000000..62dc84a
--- /dev/null
+++ b/terraform-api-gateway-cognito/providers.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.region
+}
diff --git a/terraform-api-gateway-cognito/terraform-modules/api-gateway/rest_api.tf b/terraform-api-gateway-cognito/terraform-modules/api-gateway/rest_api.tf
new file mode 100644
index 0000000..98ff67b
--- /dev/null
+++ b/terraform-api-gateway-cognito/terraform-modules/api-gateway/rest_api.tf
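Review bot: The six `aws ssm get-parameter … --query Parameter.Value` lookups at the top of the script run without `--output text`, so unless the caller's CLI profile sets `output = text` the value comes back as a JSON string with its double quotes, and the `update-stage` calls then store `"https://…"` (quotes included) in the stage variable that the `http://$${stageVariables.…}/{proxy}` integration URIs expand; add `--output text` to each lookup, e.g. `--query Parameter.Value --output text --region "${AWS_DEFAULT_REGION}"`. There is also no `set -euo pipefail`, so a failed lookup leaves its variable empty and the matching `update-stage` quietly replaces the live value with an empty string. `REST_API_ID=''` and the `NAMESPACE`/`COUNTER`/`STAGE` literals have to be hand-edited before every run; taking them from positional arguments or from `terraform output` would keep the script in step with what was deployed. The update-stage lines also leave `${AWS_DEFAULT_REGION}` unquoted, unlike the get-parameter lines above them.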
@@ -0,0 +1,57 @@
+resource "aws_api_gateway_rest_api" "rest_api" {
+ name = var.rest_api_name
+ endpoint_configuration {
+ types = ["REGIONAL"]
+ }
+ body = data.template_file.api_template.rendered
+}
+
+data "aws_ssm_parameter" "api_gateway_cs_lambda_authorizer_uri" {
+ name = var.ssm_param_api_gateway_function_cs_lambda_authorizer_uri
+}
+
+data "aws_ssm_parameter" "api_gateway_integration_uads_dockstore_nlb_uri" {
+ name = var.ssm_param_api_gateway_integration_uads_dockstore_nlb_uri
+}
+
+data "aws_ssm_parameter" "api_gateway_integration_uads_dockstore_link_2_vpc_link_id" {
+ name = var.ssm_param_api_gateway_integration_uads_dockstore_link_2_vpc_link_id
+}
+
+data "aws_ssm_parameter" "api_gateway_integration_uds_dev_cumulus_cumulus_granules_dapa_function_uri" {
+ name = var.ssm_param_api_gateway_integration_uds_dev_cumulus_cumulus_granules_dapa_function_uri
+}
+
+data "aws_ssm_parameter" "api_gateway_integration_uds_dev_cumulus_cumulus_collections_dapa_function_uri" {
+ name = var.ssm_param_api_gateway_integration_uds_dev_cumulus_cumulus_collections_dapa_function_uri
+}
+
+data "template_file" "api_template" {
+ template = file("./terraform-modules/api-gateway/unity-rest-api-gateway-oas30.yaml")
+
+ vars = {
+ csLambdaAuthorizerUri = data.aws_ssm_parameter.api_gateway_cs_lambda_authorizer_uri.value
+ uadsDockstoreNlbUri = data.aws_ssm_parameter.api_gateway_integration_uads_dockstore_nlb_uri.value
+ uadsDockstoreLink2VpcLinkId = data.aws_ssm_parameter.api_gateway_integration_uads_dockstore_link_2_vpc_link_id.value
+ udsDevCumulusCumulusGranulesDapaFunctionUri = data.aws_ssm_parameter.api_gateway_integration_uds_dev_cumulus_cumulus_granules_dapa_function_uri.value
+ udsDevCumulusCumulusCumulusCollectionsDapaFunctionUri = data.aws_ssm_parameter.api_gateway_integration_uds_dev_cumulus_cumulus_collections_dapa_function_uri.value
+ }
+}
+
+resource "aws_api_gateway_deployment" "api-gateway-deployment" {
+ rest_api_id = aws_api_gateway_rest_api.rest_api.id
+ stage_name = "dev"
+
+ variables = {
+ adesWpstUrl = "-",
+ grqEsUrl = "-",
+ grqRestApiUrl = "-",
+ hysdsUiUrl = "-",
+ mozartEsUrl = "-",
+ mozartRestApiUrl = "-"
+ }
+}
+
+output "url" {
+ value = "${aws_api_gateway_deployment.api-gateway-deployment.invoke_url}/api"
+}
\ No newline at end of file
diff --git a/terraform-api-gateway-cognito/terraform-modules/api-gateway/unity-rest-api-gateway-oas30.yaml b/terraform-api-gateway-cognito/terraform-modules/api-gateway/unity-rest-api-gateway-oas30.yaml
new file mode 100644
index 0000000..d04158b
--- /dev/null
+++ b/terraform-api-gateway-cognito/terraform-modules/api-gateway/unity-rest-api-gateway-oas30.yaml
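Review bot: `data "template_file" "api_template"` loads the OpenAPI document with `file("./terraform-modules/api-gateway/…")`, a path relative to the directory `terraform` is invoked from rather than to the module, so the module only renders when applied from the repository root; `"${path.module}/unity-rest-api-gateway-oas30.yaml"` removes that dependency, and since the `template` provider behind this data source is archived, the built-in `templatefile()` is the better fit (the `$${stageVariables.…}` escapes in the YAML behave the same). `aws_api_gateway_deployment.api-gateway-deployment` has no `triggers` and no `lifecycle { create_before_destroy = true }`, so a later change to the OpenAPI body updates the REST API definition but never creates a new deployment for the `dev` stage. Its `variables` are `-` placeholders that `post-deployment/update-api-gateway-urls.sh` overwrites out of band, so the next `terraform apply` will reset every stage variable back to `-`; reading those six SSM parameters here, the way the integration URIs already are, would let Terraform own the values.

```hcl
resource "aws_api_gateway_rest_api" "rest_api" {
  name = var.rest_api_name
  # … unchanged: endpoint_configuration …
  body = templatefile("${path.module}/unity-rest-api-gateway-oas30.yaml", {
    csLambdaAuthorizerUri                                 = data.aws_ssm_parameter.api_gateway_cs_lambda_authorizer_uri.value
    uadsDockstoreNlbUri                                   = data.aws_ssm_parameter.api_gateway_integration_uads_dockstore_nlb_uri.value
    uadsDockstoreLink2VpcLinkId                           = data.aws_ssm_parameter.api_gateway_integration_uads_dockstore_link_2_vpc_link_id.value
    udsDevCumulusCumulusGranulesDapaFunctionUri           = data.aws_ssm_parameter.api_gateway_integration_uds_dev_cumulus_cumulus_granules_dapa_function_uri.value
    udsDevCumulusCumulusCumulusCollectionsDapaFunctionUri = data.aws_ssm_parameter.api_gateway_integration_uds_dev_cumulus_cumulus_collections_dapa_function_uri.value
  })
}

# … unchanged: aws_ssm_parameter data sources; the data "template_file" block is dropped …

resource "aws_api_gateway_deployment" "api-gateway-deployment" {
  rest_api_id = aws_api_gateway_rest_api.rest_api.id
  stage_name  = "dev"

  # Redeploy whenever the rendered OpenAPI body changes.
  triggers = {
    redeployment = sha1(aws_api_gateway_rest_api.rest_api.body)
  }

  lifecycle {
    create_before_destroy = true
  }
  # … unchanged: variables …
}
```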
@@ -0,0 +1,887 @@ +openapi: "3.0.1" +info: + title: "unity-rest-api-gateway" + description: "Unity CS Experimental REST API Gateway" + version: "2022-05-04T20:23:33Z" +paths: + /mozart: + options: + responses: + "200": + description: "200 response" + headers: + Access-Control-Allow-Origin: + schema: + type: "string" + Access-Control-Allow-Methods: + schema: + type: "string" + Access-Control-Allow-Headers: + schema: + type: "string" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + responses: + default: + statusCode: "200" + responseParameters: + method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'" + method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" + method.response.header.Access-Control-Allow-Origin: "'*'" + requestTemplates: + application/json: "{\"statusCode\": 200}" + passthroughBehavior: "when_no_match" + type: "mock" + /ads/dockstore/{proxy+}: + x-amazon-apigateway-any-method: + parameters: + - name: "proxy" + in: "path" + required: true + schema: + type: "string" + responses: + "200": + description: "200 response" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + connectionId: ${uadsDockstoreLink2VpcLinkId} + httpMethod: "ANY" + uri: ${uadsDockstoreNlbUri} + responses: + default: + statusCode: "200" + requestParameters: + integration.request.path.proxy: "method.request.path.proxy" + passthroughBehavior: "when_no_match" + connectionType: "VPC_LINK" + cacheKeyParameters: + - "method.request.path.proxy" + type: "http_proxy" + /mozart-rest-api/{proxy+}: + options: + parameters: + - name: "proxy" + in: "path" + required: true + schema: + type: "string" + responses: + "200": + description: "200 response" + headers: + Access-Control-Allow-Origin: + schema: + type: "string" + Access-Control-Allow-Methods: + schema: + 
type: "string" + Access-Control-Allow-Headers: + schema: + type: "string" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + responses: + default: + statusCode: "200" + responseParameters: + method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'" + method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" + method.response.header.Access-Control-Allow-Origin: "'*'" + requestTemplates: + application/json: "{\"statusCode\": 200}" + passthroughBehavior: "when_no_match" + type: "mock" + x-amazon-apigateway-any-method: + parameters: + - name: "proxy" + in: "path" + required: true + schema: + type: "string" + - name: "Authorization" + in: "header" + required: true + schema: + type: "string" + security: + - Unity_API_Gateway_Lambda_Authorizer: [] + x-amazon-apigateway-request-validator: "Validate body, query string parameters,\ + \ and headers" + x-amazon-apigateway-integration: + httpMethod: "ANY" + uri: "http://$${stageVariables.mozartRestApiUrl}/{proxy}" + responses: + default: + statusCode: "200" + requestParameters: + integration.request.path.proxy: "method.request.path.proxy" + passthroughBehavior: "when_no_match" + cacheKeyParameters: + - "method.request.path.proxy" + type: "http_proxy" + /mozart-rest-api: + options: + responses: + "200": + description: "200 response" + headers: + Access-Control-Allow-Origin: + schema: + type: "string" + Access-Control-Allow-Methods: + schema: + type: "string" + Access-Control-Allow-Headers: + schema: + type: "string" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + responses: + default: + statusCode: "200" + responseParameters: + method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'" + method.response.header.Access-Control-Allow-Headers: 
"'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" + method.response.header.Access-Control-Allow-Origin: "'*'" + requestTemplates: + application/json: "{\"statusCode\": 200}" + passthroughBehavior: "when_no_match" + type: "mock" + /grq-es/{proxy+}: + options: + parameters: + - name: "proxy" + in: "path" + required: true + schema: + type: "string" + responses: + "200": + description: "200 response" + headers: + Access-Control-Allow-Origin: + schema: + type: "string" + Access-Control-Allow-Methods: + schema: + type: "string" + Access-Control-Allow-Headers: + schema: + type: "string" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + responses: + default: + statusCode: "200" + responseParameters: + method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'" + method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" + method.response.header.Access-Control-Allow-Origin: "'*'" + requestTemplates: + application/json: "{\"statusCode\": 200}" + passthroughBehavior: "when_no_match" + type: "mock" + x-amazon-apigateway-any-method: + parameters: + - name: "proxy" + in: "path" + required: true + schema: + type: "string" + - name: "Authorization" + in: "header" + required: true + schema: + type: "string" + security: + - Unity_API_Gateway_Lambda_Authorizer: [] + x-amazon-apigateway-request-validator: "Validate body, query string parameters,\ + \ and headers" + x-amazon-apigateway-integration: + httpMethod: "ANY" + uri: "http://$${stageVariables.grqEsUrl}/{proxy}" + responses: + default: + statusCode: "200" + requestParameters: + integration.request.path.proxy: "method.request.path.proxy" + passthroughBehavior: "when_no_match" + cacheKeyParameters: + - "method.request.path.proxy" + type: "http_proxy" + /ades-wpst: + options: + responses: + "200": + description: "200 response" + headers: + 
Access-Control-Allow-Origin: + schema: + type: "string" + Access-Control-Allow-Methods: + schema: + type: "string" + Access-Control-Allow-Headers: + schema: + type: "string" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + responses: + default: + statusCode: "200" + responseParameters: + method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'" + method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" + method.response.header.Access-Control-Allow-Origin: "'*'" + requestTemplates: + application/json: "{\"statusCode\": 200}" + passthroughBehavior: "when_no_match" + type: "mock" + /grq-es: + options: + responses: + "200": + description: "200 response" + headers: + Access-Control-Allow-Origin: + schema: + type: "string" + Access-Control-Allow-Methods: + schema: + type: "string" + Access-Control-Allow-Headers: + schema: + type: "string" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + responses: + default: + statusCode: "200" + responseParameters: + method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'" + method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" + method.response.header.Access-Control-Allow-Origin: "'*'" + requestTemplates: + application/json: "{\"statusCode\": 200}" + passthroughBehavior: "when_no_match" + type: "mock" + /grq-api/api/v0.1/grq/{proxy+}: + options: + parameters: + - name: "proxy" + in: "path" + required: true + schema: + type: "string" + responses: + "200": + description: "200 response" + headers: + Access-Control-Allow-Origin: + schema: + type: "string" + Access-Control-Allow-Methods: + schema: + type: "string" + Access-Control-Allow-Headers: + schema: + type: "string" + content: + 
application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + responses: + default: + statusCode: "200" + responseParameters: + method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'" + method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" + method.response.header.Access-Control-Allow-Origin: "'*'" + requestTemplates: + application/json: "{\"statusCode\": 200}" + passthroughBehavior: "when_no_match" + type: "mock" + x-amazon-apigateway-any-method: + parameters: + - name: "proxy" + in: "path" + required: true + schema: + type: "string" + - name: "Authorization" + in: "header" + required: true + schema: + type: "string" + security: + - Unity_API_Gateway_Lambda_Authorizer: [] + x-amazon-apigateway-request-validator: "Validate body, query string parameters,\ + \ and headers" + x-amazon-apigateway-integration: + httpMethod: "ANY" + uri: "http://$${stageVariables.grqRestApiUrl}/api/v0.1/grq/{proxy}" + responses: + default: + statusCode: "200" + requestParameters: + integration.request.path.proxy: "method.request.path.proxy" + passthroughBehavior: "when_no_match" + cacheKeyParameters: + - "method.request.path.proxy" + type: "http_proxy" + /grq-api: + options: + responses: + "200": + description: "200 response" + headers: + Access-Control-Allow-Origin: + schema: + type: "string" + Access-Control-Allow-Methods: + schema: + type: "string" + Access-Control-Allow-Headers: + schema: + type: "string" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + responses: + default: + statusCode: "200" + responseParameters: + method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'" + method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" + 
method.response.header.Access-Control-Allow-Origin: "'*'" + requestTemplates: + application/json: "{\"statusCode\": 200}" + passthroughBehavior: "when_no_match" + type: "mock" + /grq-api/api/v0.1: + get: + responses: + "200": + description: "200 response" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + httpMethod: "GET" + uri: "http://$${stageVariables.grqRestApiUrl}/api/v0.1" + responses: + default: + statusCode: "200" + passthroughBehavior: "when_no_match" + type: "http" + options: + responses: + "200": + description: "200 response" + headers: + Access-Control-Allow-Origin: + schema: + type: "string" + Access-Control-Allow-Methods: + schema: + type: "string" + Access-Control-Allow-Headers: + schema: + type: "string" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + responses: + default: + statusCode: "200" + responseParameters: + method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'" + method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" + method.response.header.Access-Control-Allow-Origin: "'*'" + requestTemplates: + application/json: "{\"statusCode\": 200}" + passthroughBehavior: "when_no_match" + type: "mock" + /am-uds-dapa/collections/{collectionId}/items: + get: + parameters: + - name: "datetime" + in: "query" + schema: + type: "string" + - name: "collectionId" + in: "path" + required: true + schema: + type: "string" + - name: "limit" + in: "query" + schema: + type: "string" + - name: "offset" + in: "query" + schema: + type: "string" + - name: "bbox" + in: "query" + schema: + type: "string" + responses: + "200": + description: "200 response" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + security: + - Unity_API_Gateway_Lambda_Authorizer: [] + x-amazon-apigateway-request-validator: 
"Validate body, query string parameters,\ + \ and headers" + x-amazon-apigateway-integration: + httpMethod: "POST" + uri: ${udsDevCumulusCumulusGranulesDapaFunctionUri} + responses: + default: + statusCode: "200" + passthroughBehavior: "when_no_match" + contentHandling: "CONVERT_TO_TEXT" + type: "aws_proxy" + /hysds-ui: + options: + responses: + "200": + description: "200 response" + headers: + Access-Control-Allow-Origin: + schema: + type: "string" + Access-Control-Allow-Methods: + schema: + type: "string" + Access-Control-Allow-Headers: + schema: + type: "string" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + responses: + default: + statusCode: "200" + responseParameters: + method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'" + method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" + method.response.header.Access-Control-Allow-Origin: "'*'" + requestTemplates: + application/json: "{\"statusCode\": 200}" + passthroughBehavior: "when_no_match" + type: "mock" + x-amazon-apigateway-any-method: + responses: + "200": + description: "200 response" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + httpMethod: "ANY" + uri: "http://$${stageVariables.hysdsUiUrl}/" + responses: + default: + statusCode: "200" + passthroughBehavior: "when_no_match" + type: "http_proxy" + /mozart/{proxy+}: + options: + parameters: + - name: "proxy" + in: "path" + required: true + schema: + type: "string" + responses: + "200": + description: "200 response" + headers: + Access-Control-Allow-Origin: + schema: + type: "string" + Access-Control-Allow-Methods: + schema: + type: "string" + Access-Control-Allow-Headers: + schema: + type: "string" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + 
responses: + default: + statusCode: "200" + responseParameters: + method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'" + method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" + method.response.header.Access-Control-Allow-Origin: "'*'" + requestTemplates: + application/json: "{\"statusCode\": 200}" + passthroughBehavior: "when_no_match" + type: "mock" + x-amazon-apigateway-any-method: + parameters: + - name: "proxy" + in: "path" + required: true + schema: + type: "string" + - name: "Authorization" + in: "header" + required: true + schema: + type: "string" + security: + - Unity_API_Gateway_Lambda_Authorizer: [] + x-amazon-apigateway-request-validator: "Validate body, query string parameters,\ + \ and headers" + x-amazon-apigateway-integration: + httpMethod: "ANY" + uri: "http://$${stageVariables.mozartUrl}/{proxy}" + responses: + default: + statusCode: "200" + requestParameters: + integration.request.path.proxy: "method.request.path.proxy" + passthroughBehavior: "when_no_match" + cacheKeyParameters: + - "method.request.path.proxy" + type: "http_proxy" + /mozart-es/{proxy+}: + options: + parameters: + - name: "proxy" + in: "path" + required: true + schema: + type: "string" + responses: + "200": + description: "200 response" + headers: + Access-Control-Allow-Origin: + schema: + type: "string" + Access-Control-Allow-Methods: + schema: + type: "string" + Access-Control-Allow-Headers: + schema: + type: "string" + content: + application/json: + schema: + $ref: "#/components/schemas/Empty" + x-amazon-apigateway-integration: + responses: + default: + statusCode: "200" + responseParameters: + method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'" + method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" + 
method.response.header.Access-Control-Allow-Origin: "'*'"
+ requestTemplates:
+ application/json: "{\"statusCode\": 200}"
+ passthroughBehavior: "when_no_match"
+ type: "mock"
+ x-amazon-apigateway-any-method:
+ parameters:
+ - name: "proxy"
+ in: "path"
+ required: true
+ schema:
+ type: "string"
+ - name: "Authorization"
+ in: "header"
+ required: true
+ schema:
+ type: "string"
+ security:
+ - Unity_API_Gateway_Lambda_Authorizer: []
+ x-amazon-apigateway-request-validator: "Validate body, query string parameters,\
+ \ and headers"
+ x-amazon-apigateway-integration:
+ httpMethod: "ANY"
+ uri: "http://$${stageVariables.mozartEsUrl}/{proxy}"
+ responses:
+ default:
+ statusCode: "200"
+ requestParameters:
+ integration.request.path.proxy: "method.request.path.proxy"
+ passthroughBehavior: "when_no_match"
+ cacheKeyParameters:
+ - "method.request.path.proxy"
+ type: "http_proxy"
+ /ades-wpst/{proxy+}:
+ options:
+ parameters:
+ - name: "proxy"
+ in: "path"
+ required: true
+ schema:
+ type: "string"
+ responses:
+ "200":
+ description: "200 response"
+ headers:
+ Access-Control-Allow-Origin:
+ schema:
+ type: "string"
+ Access-Control-Allow-Methods:
+ schema:
+ type: "string"
+ Access-Control-Allow-Headers:
+ schema:
+ type: "string"
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/Empty"
+ x-amazon-apigateway-integration:
+ responses:
+ default:
+ statusCode: "200"
+ responseParameters:
+ method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
+ method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'"
+ method.response.header.Access-Control-Allow-Origin: "'*'"
+ requestTemplates:
+ application/json: "{\"statusCode\": 200}"
+ passthroughBehavior: "when_no_match"
+ type: "mock"
+ x-amazon-apigateway-any-method:
+ parameters:
+ - name: "proxy"
+ in: "path"
+ required: true
+ schema:
+ type: "string"
+ - name: "Authorization"
+ in: "header"
+ required: true
+ schema:
+ type: "string"
+ security:
+ - Unity_API_Gateway_Lambda_Authorizer: []
+ x-amazon-apigateway-request-validator: "Validate body, query string parameters,\
+ \ and headers"
+ x-amazon-apigateway-integration:
+ httpMethod: "ANY"
+ uri: "http://$${stageVariables.adesWpstUrl}/{proxy}"
+ responses:
+ default:
+ statusCode: "200"
+ requestParameters:
+ integration.request.path.proxy: "method.request.path.proxy"
+ passthroughBehavior: "when_no_match"
+ cacheKeyParameters:
+ - "method.request.path.proxy"
+ type: "http_proxy"
+ /am-uds-dapa/collections:
+ get:
+ parameters:
+ - name: "offset"
+ in: "query"
+ schema:
+ type: "string"
+ - name: "limit"
+ in: "query"
+ schema:
+ type: "string"
+ responses:
+ "200":
+ description: "200 response"
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/Empty"
+ security:
+ - Unity_API_Gateway_Lambda_Authorizer: []
+ x-amazon-apigateway-request-validator: "Validate body, query string parameters,\
+ \ and headers"
+ x-amazon-apigateway-integration:
+ httpMethod: "POST"
+ uri: ${udsDevCumulusCumulusCumulusCollectionsDapaFunctionUri}
+ responses:
+ default:
+ statusCode: "200"
+ passthroughBehavior: "when_no_match"
+ contentHandling: "CONVERT_TO_TEXT"
+ type: "aws_proxy"
+ put:
+ responses:
+ "200":
+ description: "200 response"
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/Empty"
+ security:
+ - Unity_API_Gateway_Lambda_Authorizer: []
+ x-amazon-apigateway-request-validator: "Validate body, query string parameters,\
+ \ and headers"
+ x-amazon-apigateway-integration:
+ httpMethod: "POST"
+ uri: "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:237868187491:function:uds-dev-cumulus-cumulus_collections_ingest_cnm_dapa/invocations"
+ responses:
+ default:
+ statusCode: "200"
+ passthroughBehavior: "when_no_match"
+ contentHandling: "CONVERT_TO_TEXT"
+ type: "aws_proxy"
+ /hysds-ui/{proxy+}:
+ options:
+ parameters:
+ - name: "proxy"
+ in: "path"
+ required: true
+ schema:
+ type: "string"
+ responses:
+ "200":
+ description: "200 response"
+ headers:
+ Access-Control-Allow-Origin:
+ schema:
+ type: "string"
+ Access-Control-Allow-Methods:
+ schema:
+ type: "string"
+ Access-Control-Allow-Headers:
+ schema:
+ type: "string"
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/Empty"
+ x-amazon-apigateway-integration:
+ responses:
+ default:
+ statusCode: "200"
+ responseParameters:
+ method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
+ method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'"
+ method.response.header.Access-Control-Allow-Origin: "'*'"
+ requestTemplates:
+ application/json: "{\"statusCode\": 200}"
+ passthroughBehavior: "when_no_match"
+ type: "mock"
+ x-amazon-apigateway-any-method:
+ parameters:
+ - name: "proxy"
+ in: "path"
+ required: true
+ schema:
+ type: "string"
+ x-amazon-apigateway-integration:
+ httpMethod: "ANY"
+ uri: "http://$${stageVariables.hysdsUiUrl}/{proxy}"
+ responses:
+ default:
+ statusCode: "200"
+ requestParameters:
+ integration.request.path.proxy: "method.request.path.proxy"
+ passthroughBehavior: "when_no_match"
+ cacheKeyParameters:
+ - "method.request.path.proxy"
+ type: "http_proxy"
+ /mozart-es:
+ options:
+ responses:
+ "200":
+ description: "200 response"
+ headers:
+ Access-Control-Allow-Origin:
+ schema:
+ type: "string"
+ Access-Control-Allow-Methods:
+ schema:
+ type: "string"
+ Access-Control-Allow-Headers:
+ schema:
+ type: "string"
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/Empty"
+ x-amazon-apigateway-integration:
+ responses:
+ default:
+ statusCode: "200"
+ responseParameters:
+ method.response.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
+ method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'"
+ method.response.header.Access-Control-Allow-Origin: "'*'"
+ requestTemplates:
+ application/json: "{\"statusCode\": 200}"
+ passthroughBehavior: "when_no_match"
+ type: "mock"
+components:
+ schemas:
+ Empty:
+ title: "Empty Schema"
+ type: "object"
+ securitySchemes:
+ Unity_API_Gateway_Lambda_Authorizer:
+ type: "apiKey"
+ name: "Authorization"
+ in: "header"
+ x-amazon-apigateway-authtype: "custom"
+ x-amazon-apigateway-authorizer:
+ authorizerUri: ${csLambdaAuthorizerUri}
+ authorizerResultTtlInSeconds: 0
+ type: "token"
+x-amazon-apigateway-gateway-responses:
+ DEFAULT_5XX:
+ responseParameters:
+ gatewayresponse.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
+ gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
+ gatewayresponse.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
+ DEFAULT_4XX:
+ responseParameters:
+ gatewayresponse.header.Access-Control-Allow-Methods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
+ gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
+ gatewayresponse.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
+x-amazon-apigateway-request-validators:
+ Validate body, query string parameters, and headers:
+ validateRequestParameters: true
+ validateRequestBody: true
diff --git a/terraform-api-gateway-cognito/terraform-modules/api-gateway/variables.tf b/terraform-api-gateway-cognito/terraform-modules/api-gateway/variables.tf
new file mode 100644
index 0000000..fe8d918
--- /dev/null
+++ b/terraform-api-gateway-cognito/terraform-modules/api-gateway/variables.tf
@@ -0,0 +1,39 @@
+variable "rest_api_name" {
+ type = string
+ description = "REST API Name"
+ default = "Unity CS Experimental REST API Gateway"
+}
+
+# -----------------------------------------------------------------
+# SSM Params
+# -----------------------------------------------------------------
+
+variable "ssm_param_api_gateway_function_cs_lambda_authorizer_uri" {
+ type = string
+ description = "SSM Param for API Gateway CS Lambda Authorizer Function URI"
+ default = "/unity/dev/unity-sps-1/api-gateway/functions/cs-lambda-authorizer-uri"
+}
+
+variable "ssm_param_api_gateway_integration_uads_dockstore_nlb_uri" {
+ type = string
+ description = "SSM Param for UADS Dockstore NLB URI"
+ default = "/unity/dev/unity-sps-1/api-gateway/integrations/uads-dockstore-nlb-uri"
+}
+
+variable "ssm_param_api_gateway_integration_uads_dockstore_link_2_vpc_link_id" {
+ type = string
+ description = "SSM Param for UADS Dockstore Link 2 VPC Link Id"
+ default = "/unity/dev/unity-sps-1/api-gateway/integrations/uads-dev-dockstore-link-2-vpc-link-id"
+}
+
+variable "ssm_param_api_gateway_integration_uds_dev_cumulus_cumulus_granules_dapa_function_uri" {
+ type = string
+ description = "SSM Param for UDS Dev Cumulus Cumulus Granules DAPA Function URI"
+ default = "/unity/dev/unity-sps-1/api-gateway/integrations/uds-dev-cumulus-cumulus_granules_dapa-function-uri"
+}
+
+variable "ssm_param_api_gateway_integration_uds_dev_cumulus_cumulus_collections_dapa_function_uri" {
+ type = string
+ description = "SSM Param for UDS Dev Cumulus Cumulus Collections DAPA Function URI"
+ default = "/unity/dev/unity-sps-1/api-gateway/integrations/uds-dev-cumulus-cumulus_collections_dapa-function-uri"
+}
diff --git a/terraform-api-gateway-cognito/terraform-modules/cognito-user-pool/user_pool.tf b/terraform-api-gateway-cognito/terraform-modules/cognito-user-pool/user_pool.tf
new file mode 100644
index 0000000..7ce05b0
--- /dev/null
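Review bot: Every SSM parameter path in this file defaults to the `/unity/dev/unity-sps-1/` venue, so a `terraform apply` without overrides resolves the dev authorizer URI, dev VPC link id and dev Lambda URIs; in the same account that succeeds silently and wires a non-dev API stage to dev backends and a dev authorizer. Because variable defaults cannot reference other variables, the usual fix is a required `venue` variable (no `default`) plus a `locals` block that builds the five paths, e.g. `cs_lambda_authorizer_uri_param = "/unity/${var.venue}/api-gateway/functions/cs-lambda-authorizer-uri"`, with `rest_api.tf` reading the locals. Alternatively drop the defaults so each environment must supply its paths explicitly.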
+++ b/terraform-api-gateway-cognito/terraform-modules/cognito-user-pool/user_pool.tf 
@@ -0,0 +1,84 @@
+resource "aws_cognito_user_pool" "pool" {
+ name = "unity-experimental-user-pool"
+}
+
+# Configurations for unity-uds-distribution Cognito app client
+resource "aws_cognito_user_pool_client" "unity-uds-distribution-user-pool-client" {
+ name = "unity-uds-distribution-user-pool-client"
+ user_pool_id = aws_cognito_user_pool.pool.id
+ generate_secret = true
+ callback_urls = var.unity_uds_distribution_callback_urls
+ allowed_oauth_flows_user_pool_client = true
+ allowed_oauth_flows = ["code"]
+ allowed_oauth_scopes = ["email", "openid"]
+ explicit_auth_flows = ["ALLOW_CUSTOM_AUTH", "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
+ supported_identity_providers = ["COGNITO"]
+}
+
+# Configurations for localhost-jupyterhub Cognito app client
+resource "aws_cognito_user_pool_client" "localhost-jupyterhub-user-pool-client" {
+ name = "localhost-jupyterhub-user-pool-client"
+ user_pool_id = aws_cognito_user_pool.pool.id
+ generate_secret = true
+ callback_urls = var.localhost_jupyterhub_callback_urls
+ logout_urls = var.localhost_jupyterhub_logout_urls
+ allowed_oauth_flows_user_pool_client = true
+ allowed_oauth_flows = ["code"]
+ allowed_oauth_scopes = ["email", "openid"]
+ explicit_auth_flows = ["ALLOW_CUSTOM_AUTH", "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
+ supported_identity_providers = ["COGNITO"]
+}
+
+# Configurations for unity-app-to-app-client Cognito app client
+resource "aws_cognito_user_pool_client" "unity-app-to-app-client-user-pool-client" {
+ name = "unity-app-to-app-client-user-pool-client"
+ user_pool_id = aws_cognito_user_pool.pool.id
+ generate_secret = true
+ allowed_oauth_flows_user_pool_client = true
+ callback_urls = var.localhost_jupyterhub_callback_urls
+ logout_urls = var.localhost_jupyterhub_logout_urls
+ allowed_oauth_flows = ["code"]
+ allowed_oauth_scopes = ["email", "openid"]
+ explicit_auth_flows = ["ALLOW_CUSTOM_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
+ supported_identity_providers = ["COGNITO"]
+}
+
+# Configurations for uads-jupyter-development Cognito app client
+resource "aws_cognito_user_pool_client" "uads-jupyter-development-client-user-pool-client" {
+ name = "uads-jupyter-development-client-user-pool-client"
+ user_pool_id = aws_cognito_user_pool.pool.id
+ callback_urls = var.uads_jupyter-development_client_callback_urls
+ logout_urls = var.uads_jupyter-development_client_logout_urls
+ generate_secret = true
+ allowed_oauth_flows_user_pool_client = true
+ allowed_oauth_flows = ["code"]
+ allowed_oauth_scopes = ["email", "openid"]
+ explicit_auth_flows = ["ALLOW_CUSTOM_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
+ supported_identity_providers = ["COGNITO"]
+}
+
+# Configurations for hysds-ui Cognito app client
+resource "aws_cognito_user_pool_client" "hysds-ui-client-user-pool-client" {
+ name = "hysds-ui-client-user-pool-client"
+ user_pool_id = aws_cognito_user_pool.pool.id
+ callback_urls = var.hysds_ui_client_callback_urls
+ logout_urls = var.hysds_ui_client_logout_urls
+ allowed_oauth_flows_user_pool_client = true
+ allowed_oauth_flows = ["code"]
+ allowed_oauth_scopes = ["email", "openid"]
+ explicit_auth_flows = ["ALLOW_CUSTOM_AUTH", "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
+ supported_identity_providers = ["COGNITO"]
+}
+
+# Configurations for localhost-hysds-ui Cognito app client
+resource "aws_cognito_user_pool_client" "localhost-hysds-ui-client-user-pool-client" {
+ name = "localhost-hysds-ui-client-user-pool-client"
+ user_pool_id = aws_cognito_user_pool.pool.id
+ callback_urls = var.localhost_hysds_ui_client_callback_urls
+ logout_urls = var.localhost_hysds_ui_client_logout_urls
+ allowed_oauth_flows_user_pool_client = true
+ allowed_oauth_flows = ["code"]
+ allowed_oauth_scopes = ["email", "openid"]
+ explicit_auth_flows = ["ALLOW_CUSTOM_AUTH", "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
+ supported_identity_providers = ["COGNITO"]
+}
diff --git a/terraform-api-gateway-cognito/terraform-modules/cognito-user-pool/variables.tf b/terraform-api-gateway-cognito/terraform-modules/cognito-user-pool/variables.tf
new file mode 100644
index 0000000..da3577b
--- /dev/null
+++ b/terraform-api-gateway-cognito/terraform-modules/cognito-user-pool/variables.tf
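Review bot: `aws_cognito_user_pool.pool` sets only `name`, so it inherits the provider defaults: no `admin_create_user_config` (so `allow_admin_create_user_only` is false and self-service sign-up stays open), no MFA setting and no explicit password policy; since the API Gateway in this same change fronts its routes with a Lambda authorizer, anyone who can self-register presumably ends up with a token this pool issues, so the pool should at least pin `allow_admin_create_user_only = true` and declare an MFA posture, as sketched below. Four of the clients also enable `ALLOW_USER_PASSWORD_AUTH`, which ships the password to Cognito even though `ALLOW_USER_SRP_AUTH` is already in the same list; unless a caller genuinely cannot do SRP, drop it. Separately, `unity-app-to-app-client-user-pool-client` is declared as a browser `code`-flow client that reuses `var.localhost_jupyterhub_callback_urls`/`logout_urls`, which reads like a copy-paste — a service-to-service client would normally use `allowed_oauth_flows = ["client_credentials"]` against an `aws_cognito_resource_server` scope and carry no callback URLs.

```hcl
resource "aws_cognito_user_pool" "pool" {
  name = "unity-experimental-user-pool"

  # Accounts are provisioned by administrators only; blocks anonymous self-sign-up.
  admin_create_user_config {
    allow_admin_create_user_only = true
  }

  # TOTP MFA; raise to "ON" once every account is enrolled.
  mfa_configuration = "OPTIONAL"
  software_token_mfa_configuration {
    enabled = true
  }

  password_policy {
    minimum_length                   = 12
    require_lowercase                = true
    require_uppercase                = true
    require_numbers                  = true
    require_symbols                  = true
    temporary_password_validity_days = 7
  }
}

# … unchanged: aws_cognito_user_pool_client resources …
```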
@@ -0,0 +1,53 @@
+variable "unity_uds_distribution_callback_urls" {
+ type = list
+ description = "Unity UDS Distribution - List of Callback Urls"
+ default = ["https://.execute-api.us-west-2.amazonaws.com:9000/dev/"]
+}
+
+variable "uads_jupyter-development_client_callback_urls" {
+ type = list
+ description = "Jupyterhub - List of Callback Urls"
+ default = ["http://localhost:8000/hub/oauth_callback"]
+}
+
+variable "uads_jupyter-development_client_logout_urls" {
+ type = list
+ description = "Jupyterhub - List of Logout Urls"
+ default = ["http://localhost:8000/hub/oauth_callback/logout"]
+}
+
+variable "localhost_jupyterhub_callback_urls" {
+ type = list
+ description = "Localhost Jupyterhub - List of Callback Urls"
+ default = ["http://localhost:8000/hub/oauth_callback"]
+}
+
+variable "localhost_jupyterhub_logout_urls" {
+ type = list
+ description = "Localhost Jupyterhub - List of Logout Urls"
+ default = ["http://localhost:8000/hub/oauth_callback/logout"]
+}
+
+variable "hysds_ui_client_callback_urls" {
+ type = list
+ description = "HySDS UI Client - List of Callback Urls"
+ default = ["https://.execute-api.us-west-2.amazonaws.com/dev/hysds-ui/"]
+}
+
+variable "hysds_ui_client_logout_urls" {
+ type = list
+ description = "HySDS UI Client - List of Logout Urls"
+ default = ["https://.execute-api.us-west-2.amazonaws.com/dev/hysds-ui/logout"]
+}
+
+variable "localhost_hysds_ui_client_callback_urls" {
+ type = list
+ description = "Local HySDS UI Client - List of Callback Urls"
+ default = ["http://localhost:8080"]
+}
+
+variable "localhost_hysds_ui_client_logout_urls" {
+ type = list
+ description = "Local HySDS UI Client - List of Logout Urls"
+ default = ["http://localhost:8080/logout"]
+}
diff --git a/terraform-api-gateway-cognito/variables.tf b/terraform-api-gateway-cognito/variables.tf
new file mode 100644
index 0000000..894ce97
--- /dev/null
+++ b/terraform-api-gateway-cognito/variables.tf
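Review bot: The defaults for `unity_uds_distribution_callback_urls`, `hysds_ui_client_callback_urls` and `hysds_ui_client_logout_urls` contain an empty host label (`https://.execute-api.us-west-2.amazonaws.com…`), evidently a placeholder for the API id, so an apply without a tfvars file registers malformed redirect URIs on the deployed clients instead of failing; `uads_jupyter-development_client_*` likewise defaults to `http://localhost:8000`, byte-identical to the explicitly local `localhost_jupyterhub_*` variables. The registered redirect URI is what stops an authorization code from being delivered to an attacker-chosen host, so the non-localhost lists should carry no `default` (forcing an explicit per-venue value) and ideally a `validation` block that rejects a `https://.` prefix, which in turn needs `type = list(string)` rather than the untyped legacy `list`. The `:9000` port on an execute-api hostname is also unusual and worth confirming against the real distribution endpoint.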
@@ -0,0 +1,5 @@
+variable "region" {
+ type = string
+ description = "Region"
+ default = "us-west-2"
+}
\ No newline at end of file