Merge pull request #1 from sgtoj/dev

Author: sgtoj

.devcontainer/devcontainer.json

@@ -5,7 +5,7 @@
     "ghcr.io/devcontainers/features/docker-in-docker:2.0.1": {},
   },
   "containerEnv": {
-    "TF_PLUGIN_CACHE_DIR": "/workspaces/terraform-aws-cloudfront-middleware-at-edge/.devcontainers/tmp/.terraform.d/"
+    "TF_PLUGIN_CACHE_DIR": "/workspaces/terraform-aws-cloudfront-middleware-at-edge/.devcontainer/tmp/.terraform.d/"
   },
   "customizations": {
     "vscode": {

.devcontainer/tmp/.terraform.d/.gitkeep

@@ -14,6 +14,20 @@ jobs:
     steps:
       - name: Checkout Code
         uses: actions/checkout@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3.7.0
+        with:
+          node-version: 18
+      - name: Tests for auth-at-edge
+        run: |
+          cd assets/cf-mw-auth
+          npm install
+          npm test
+      - name: Tests for url-rewriter
+        run: |
+          cd assets/cf-mw-urlrewrite
+          npm install
+          npm test
       - name: Bump Version
         id: tag_version
         uses: mathieudutour/github-tag-action@v6.1

.github/workflows/release.yml

@@ -0,0 +1,27 @@
+name: test
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3.7.0
+        with:
+          node-version: 18
+      - name: Tests for auth-at-edge
+        run: |
+          cd assets/cf-mw-auth
+          npm install
+          npm test
+      - name: Tests for url-rewriter
+        run: |
+          cd assets/cf-mw-urlrewrite
+          npm install
+          npm test

.github/workflows/test.yml

@@ -1,11 +1,14 @@
 # .gitignore
 
 # terraform files
+.terraform.lock.hcl
+.terraform.tfstate.lock.info
 *.tfstate
 *.tfstate.*.backup
 *.tfstate.backup
 *.tfplan
 *.terraform/
+*.tfvars
 .grunt
 
 # node.js / typescript

.gitignore

@@ -0,0 +1,24 @@
+PROJ_ROOT := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
+
+# allows args to pass to run-cmd example: make run-cmd echo "hello world"
+ifeq (run-cmd,$(firstword $(MAKECMDGOALS)))
+  RUN_ARGS := $(wordlist 2,$(words $(MAKECMDGOALS)),$(MAKECMDGOALS))
+  $(eval $(RUN_ARGS):;@:)
+endif
+
+all: deps build
+	@exit 0
+
+deps:
+	@exit 0
+
+build:
+	@exit 0
+
+clean:
+	@find . -type d -name "dist" -exec rm -rf {} +
+	@find . -type d -name ".terraform" -exec rm -rf {} +
+	@find . -type d -name ".terraform.d" -exec rm -rf {} +
+	@find . -type d -name ".tfstate" -exec rm -rf {} +
+	@find . -type d -name ".tfstate.backup" -exec rm -rf {} +
+	@touch .devcontainer/.terraform.d/.gitkeep || true

Makefile

@@ -1,11 +1,16 @@
 # Terraform Module: CloudFront Middleware-at-Edge
 
-_This module is under active development and is not yet ready for use. Please
-see `dev` branch for current progress._
+This Terraform module deploys customizable and reusable Lambda@Edge functions
+that provide middleware for AWS CloudFront.
 
 ## Features
 
-- TBA
+- **Authentication & Authorization**: This feature provides authentication and
+  authorization to restrict access to a site hosted on CloudFront. Users can
+  optionally customize the authorization rules via an Open Policy Agent (OPA)
+  policy.
+- **URL Rewriting**: This feature rewrites the URLs of requests. Users can
+  define URL rewrite rules via an Open Policy Agent (OPA) policy.
 
 ## Usage
 
@@ -14,7 +19,29 @@ module "cloudfront_middleware_at_edge" {
   source  = "sgtoj/cloudfront-middleware-at-edge/aws"
   version = "x.x.x"
 
-  # TBD
+  auth_service_config = {
+    enabled                   = true
+    cognito_idp_arn           = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_TESTPOOL"
+    cognito_idp_domain        = "test.auth.us-east-1.amazoncognito.com"
+    cognito_idp_client_id     = "your-client-id"
+    cognito_idp_client_secret = "your-client-secret"
+    cognito_idp_client_scopes = ["openid", "email", "profile"]
+
+    cognito_idp_jwks = {
+      keys = [
+        { "alg": "RS256", "e": "AQAB", "kid": "...", "kty": "RSA", "n": "...", "use": "sig" },
+        { "alg": "RS256", "e": "AQAB", "kid": "...", "kty": "RSA", "n": "...", "use": "sig" },
+      ]
+    }
+  }
+
+  urlrewrite_service_config = {
+    enabled    = true
+    policy_content = <<-EOF
+      package urlrewriter
+      result := []
+    EOF
+  }
 }
 ```
 
@@ -27,18 +54,50 @@ module "cloudfront_middleware_at_edge" {
 
 ## Inputs
 
-_This module does not currently provide any input._
-
-### Note
-
-This module uses the `cloudposse/label/null` module for naming and tagging
-resources. As such, it also includes a `context.tf` file with additional
-optional variables you can set. Refer to the [`cloudposse/label` documentation](https://registry.terraform.io/modules/cloudposse/label/null/latest)
-for more details on these variables.
+In addition to the variables documented below, this module includes several
+other optional variables (e.g., `name`, `tags`, etc.) provided by the
+`cloudposse/label/null` module. Please refer to the [`cloudposse/label` documentation](https://registry.terraform.io/modules/cloudposse/label/null/latest) for more details on these variables.
+
+| Name                      | Description                                                               |  Type  | Default | Required |
+|---------------------------|---------------------------------------------------------------------------|:------:|:-------:|:--------:|
+| auth_service_config       | Configuration details for the authentication service. More details below. | object |  `{}`   |    no    |
+| urlrewrite_service_config | Configuration details for the URL rewrite service, More details below.    | object |  `{}`   |    no    |
+| destruction_delay         | Delay before destroying resources when they are deleted                   | string | `"20m"` |    no    |
+| aws_account_id            | The AWS account ID that the module will be deployed in                    | string |  `""`   |    no    |
+| aws_region_name           | The AWS region name where the module will be deployed                     | string |  `""`   |    no    |
+
+### `auth_service_config`
+
+| Property                  | Description                                    | Type                                 | Default  | Required |
+|---------------------------|------------------------------------------------|--------------------------------------|----------|----------|
+| enabled                   | Enable the authentication service              | bool                                 | `true`   | no       |
+| log_level                 | Logging level                                  | string                               | `"info"` | no       |
+| aws_region                | AWS region for the service                     | string                               | `null`   | no       |
+| cognito_idp_arn           | ARN of the Cognito Identity Provider           | string                               | n/a      | yes      |
+| cognito_idp_domain        | Domain of the Cognito Identity Provider        | string                               | n/a      | yes      |
+| cognito_idp_jwks          | JWKS of the Cognito Identity Provider          | object({ keys = list(map(string)) }) | n/a      | yes      |
+| cognito_idp_client_id     | Client ID of the Cognito Identity Provider     | string                               | n/a      | yes      |
+| cognito_idp_client_secret | Client secret of the Cognito Identity Provider | string                               | n/a      | yes      |
+| cognito_idp_client_scopes | Client scopes of the Cognito Identity Provider | list(string)                         | n/a      | yes      |
+| opa_policy_content        | Content of the OPA policy                      | string                               | `null`   | no       |
+| opa_policy_data           | Data for the OPA policy                        | map(string)                          | `{}`     | no       |
+
+### `urlrewrite_service_config`
+
+| Property       | Description                       | Type   | Default                               | Required |
+|----------------|-----------------------------------|--------|---------------------------------------|----------|
+| enabled        | Enable the URL rewrite service    | bool   | `false`                               | no       |
+| log_level      | Logging level                     | string | `"info"`                              | no       |
+| aws_region     | AWS region for the service        | string | `null`                                | no       |
+| policy_content | Content of the URL rewrite policy | string | `"package urlrewriter\nresult := []"` | no       |
 
 ## Outputs
 
-_This module does not currently provide any outputs._
+| Name                | Description                                                               |
+|---------------------|---------------------------------------------------------------------------|
+| auth_services       | Details of the created AWS Lambda functions for each of the auth services |
+| auth_routes         | Route configurations for the auth services                                |
+| urlrewrite_services | Details of the created AWS Lambda function for the URL rewrite service    |
 
 ## Contributing
 

README.md

@@ -0,0 +1,11 @@
+.gitignore
+.git
+
+*Dockerfile*
+*docker-compose*
+.dockerignore
+
+.vscode/
+node_modules/
+
+*.env

assets/cf-mw-auth/.dockerignore

@@ -0,0 +1,46 @@
+module.exports = {
+  plugins: [
+    'import',
+    'jest',
+  ],
+  rules: {
+    'func-style': 'error',
+  },
+  overrides: [
+    {
+      files: [
+        '**/*.{ts,tsx}',
+      ],
+      parser: '@typescript-eslint/parser',
+      parserOptions: {
+        ecmaVersion: 2019,
+        sourceType: 'module',
+        tsconfigRootDir: __dirname,
+        project: [
+          './tsconfig.json',
+        ],
+      },
+      plugins: [
+        '@typescript-eslint',
+      ],
+      extends: [
+        'airbnb-typescript/base',
+      ],
+      rules: {
+        '@typescript-eslint/no-unused-vars': 'warn',
+        '@typescript-eslint/no-floating-promises': 'error',
+      },
+    },
+    {
+      files: [
+        'scripts/**/*.js',
+      ],
+      parserOptions: {
+        ecmaVersion: "latest",
+      },
+      env: {
+        es6: true
+      }
+    }
+  ],
+};

assets/cf-mw-auth/.eslintrc.js

@@ -0,0 +1,58 @@
+# ------------------------------------------------------------------- base ---
+
+FROM node:18 as base
+
+RUN mkdir -p /opt/app
+WORKDIR /opt/app
+
+ENV NODE_ENV development
+
+# intentally not installing node_modules inside the /opt/app dir; this makes
+# for a better experience when using image in development environment
+ADD package*.json /opt/
+RUN npm ci
+
+ADD ./ ./
+
+# -------------------------------------------------------------------- test ---
+
+FROM base as test
+
+RUN npm run lint && npm run test
+
+# -------------------------------------------------------------------- test ---
+
+FROM test as build
+
+ENV OPA_VERSION=0.49.0
+RUN SYSTEM_ARCH=$(dpkg --print-architecture) \
+    && curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v${OPA_VERSION}/opa_linux_${SYSTEM_ARCH}_static \
+    && mv opa /usr/bin/opa \
+    && chmod +x /usr/bin/opa \
+    && opa -h
+
+RUN npm run build
+
+ARG SERVICE_POLICY_ENCODED=cGFja2FnZSBhdXRoX2F0X2VkZ2VfYXV0aHoKcmVzdWx0cyA6PSBbXQo=
+RUN echo "$SERVICE_POLICY_ENCODED" | base64 -d > /opt/app/dist/policy.rego
+
+RUN opa build -t wasm -e auth_at_edge_authz/results /opt/app/dist/policy.rego \
+    && tar -zxv -C /opt/app/dist -f bundle.tar.gz '/policy.wasm'
+
+# ----------------------------------------------------------------- package ---
+
+FROM alpine:latest as package
+
+RUN apk add jq
+
+ARG SERVICE_CONFIG_ENCODED=e30K
+
+COPY --from=build /opt/app/dist /opt/app/dist
+COPY --from=build /opt/package-lock.json /opt/app/dist/
+
+RUN echo "$SERVICE_CONFIG_ENCODED" | base64 -d | jq > /opt/app/dist/configuration.json
+
+RUN apk add zip \
+    && cd /opt/app/dist \
+    && zip -r /tmp/package.zip .
+