Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: migrate sms only MFA infra to Gen 2 #5291

Merged
merged 11 commits into from
Aug 14, 2024
Merged

chore: migrate sms only MFA infra to Gen 2 #5291

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
67a72b9
chore: add new auth backend
Jordan-Nelson Aug 7, 2024
1a029eb
chore: add auth extension
Jordan-Nelson Aug 7, 2024
325cacc
chore: add license headers
Jordan-Nelson Aug 7, 2024
7cb880a
chore: add mfa to env
Jordan-Nelson Aug 13, 2024
797ffd1
chore: add trigger to enable MFA
Jordan-Nelson Aug 13, 2024
b5831c4
chore: add infra for sms required
Jordan-Nelson Aug 13, 2024
63c15a5
chore: refactor tests for gen 2 backends
Jordan-Nelson Aug 13, 2024
f689c6b
chore: add backends to deploy script
Jordan-Nelson Aug 13, 2024
e7f3aac
chore: package-lock for mfa-required-sms
Jordan-Nelson Aug 13, 2024
f1151aa
chore: remove bundling of @aws-crypto/client-node
Jordan-Nelson Aug 13, 2024
ab80d47
chore: fix formatting
Jordan-Nelson Aug 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions infra-gen2/backends/auth/mfa-optional-sms/.gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# amplify
node_modules
.amplify
amplify_outputs*
amplifyconfiguration*
14 changes: 14 additions & 0 deletions infra-gen2/backends/auth/mfa-optional-sms/amplify/auth/resource.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

import { defineAuth } from "@aws-amplify/backend";

export const auth = defineAuth({
loginWith: {
email: true,
},
multifactor: {
mode: "OPTIONAL",
sms: true,
},
});
25 changes: 25 additions & 0 deletions infra-gen2/backends/auth/mfa-optional-sms/amplify/backend.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

import { defineBackend } from "@aws-amplify/backend";
import { addAuthUserExtensions } from "infra-common";
import { auth } from "./auth/resource";

const backend = defineBackend({
auth,
});

const resources = backend.auth.resources;
const { userPool, cfnResources } = resources;
const { stack } = userPool;
const { cfnUserPool } = cfnResources;

// Adds infra for creating/deleting users via App Sync and fetching confirmation
// and MFA codes from App Sync.
const customOutputs = addAuthUserExtensions({
name: "mfa-optional-sms",
stack,
userPool,
cfnUserPool,
});
backend.addOutput(customOutputs);
3 changes: 3 additions & 0 deletions infra-gen2/backends/auth/mfa-optional-sms/amplify/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
"type": "module"
}
17 changes: 17 additions & 0 deletions infra-gen2/backends/auth/mfa-optional-sms/amplify/tsconfig.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
{
"compilerOptions": {
"target": "es2022",
"module": "es2022",
"moduleResolution": "bundler",
"resolveJsonModule": true,
"esModuleInterop": true,
"forceConsistentCasingInFileNames": true,
"strict": true,
"skipLibCheck": true,
"paths": {
"$amplify/*": [
"../.amplify/generated/*"
]
}
}
}
5 changes: 5 additions & 0 deletions infra-gen2/backends/auth/mfa-optional-sms/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
{
"name": "mfa-optional-sms",
"version": "1.0.0",
"main": "index.js"
}
5 changes: 5 additions & 0 deletions infra-gen2/backends/auth/mfa-required-sms/.gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# amplify
node_modules
.amplify
amplify_outputs*
amplifyconfiguration*
14 changes: 14 additions & 0 deletions infra-gen2/backends/auth/mfa-required-sms/amplify/auth/resource.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

import { defineAuth } from "@aws-amplify/backend";

export const auth = defineAuth({
loginWith: {
email: true,
},
multifactor: {
mode: "REQUIRED",
sms: true,
},
});
25 changes: 25 additions & 0 deletions infra-gen2/backends/auth/mfa-required-sms/amplify/backend.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

import { defineBackend } from "@aws-amplify/backend";
import { addAuthUserExtensions } from "infra-common";
import { auth } from "./auth/resource";

const backend = defineBackend({
auth,
});

const resources = backend.auth.resources;
const { userPool, cfnResources } = resources;
const { stack } = userPool;
const { cfnUserPool } = cfnResources;

// Adds infra for creating/deleting users via App Sync and fetching confirmation
// and MFA codes from App Sync.
const customOutputs = addAuthUserExtensions({
name: "mfa-required-sms",
stack,
userPool,
cfnUserPool,
});
backend.addOutput(customOutputs);
3 changes: 3 additions & 0 deletions infra-gen2/backends/auth/mfa-required-sms/amplify/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
"type": "module"
}
17 changes: 17 additions & 0 deletions infra-gen2/backends/auth/mfa-required-sms/amplify/tsconfig.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
{
"compilerOptions": {
"target": "es2022",
"module": "es2022",
"moduleResolution": "bundler",
"resolveJsonModule": true,
"esModuleInterop": true,
"forceConsistentCasingInFileNames": true,
"strict": true,
"skipLibCheck": true,
"paths": {
"$amplify/*": [
"../.amplify/generated/*"
]
}
}
}
5 changes: 5 additions & 0 deletions infra-gen2/backends/auth/mfa-required-sms/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
{
"name": "mfa-required-sms",
"version": "1.0.0",
"main": "index.js"
}
2 changes: 2 additions & 0 deletions infra-gen2/infra-common/src/auth-user-extensions/auth-user-extensions.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import { CfnUserPool, IUserPool } from "aws-cdk-lib/aws-cognito";
import { addCreateUserLambda } from "./create-user-lambda";
import { addCustomSenderLambda } from "./custom-sender-lambda";
import { addDeleteUserLambda } from "./delete-user-lambda";
import { addEnableSmsMfaLambda } from "./enable-sms-mfa-lambda";
import { addUserGraphql } from "./user-graphql";

type AmplifyOutputs = Parameters<BackendBase["addOutput"]>[0];
Expand All @@ -23,6 +24,7 @@ export const addAuthUserExtensions = ({
addCustomSenderLambda({ name, stack, cfnUserPool, graphQL });
addCreateUserLambda({ name, stack, userPool, graphQL });
addDeleteUserLambda({ name, stack, userPool, graphQL });
addEnableSmsMfaLambda({ name, stack, userPool, graphQL });
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Q: Will this add the lambda to every backend that calls this method? Can this be optional?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it will add it to each env. It could be optional. So could the other lambdas. I think it is simpler to add all the lambdas to each env rather than try to remember which envs have which lambda. It doesn't really cost anything if it doesn't get invoked.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't need to come from this PR, but it would be a nice optimization to have these be pulled in as needed. Besides reducing the amount of resources added to the AWS account, it may speed up deployment of the entire infra stack. May also prevent maintenance confusion by having the bare minimum for each env.

return {
data: {
aws_region: stack.region,
Expand Down
6 changes: 0 additions & 6 deletions infra-gen2/infra-common/src/auth-user-extensions/custom-sender-lambda.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,9 +44,6 @@ export function addCustomSenderLambda({
"custom-email-sender.js"
),
runtime: Runtime.NODEJS_18_X,
bundling: {
nodeModules: ["@aws-crypto/client-node"],
},
Comment on lines -47 to -49
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: This was causing an issue deploying the infra, and is not needed. It am not sure why it was not causing an issue previously.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the clean up.

environment: {
GRAPHQL_API_ENDPOINT: graphQL.graphqlUrl,
GRAPHQL_API_KEY: graphQL.apiKey!,
Expand All @@ -68,9 +65,6 @@ export function addCustomSenderLambda({
"custom-sms-sender.js"
),
runtime: Runtime.NODEJS_18_X,
bundling: {
nodeModules: ["@aws-crypto/client-node"],
},
environment: {
GRAPHQL_API_ENDPOINT: graphQL.graphqlUrl,
GRAPHQL_API_KEY: graphQL.apiKey!,
Expand Down
49 changes: 49 additions & 0 deletions infra-gen2/infra-common/src/auth-user-extensions/enable-sms-mfa-lambda.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

import { Stack } from "aws-cdk-lib";
import { GraphqlApi, MappingTemplate } from "aws-cdk-lib/aws-appsync";
import { IUserPool } from "aws-cdk-lib/aws-cognito";
import { Runtime } from "aws-cdk-lib/aws-lambda";
import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
import path from "path";

export function addEnableSmsMfaLambda({
name,
stack,
graphQL,
userPool,
}: {
name: string;
stack: Stack;
graphQL: GraphqlApi;
userPool: IUserPool;
}) {
const enableSmsMfaLambda = new NodejsFunction(stack, `${name}-enableSmsMfa`, {
runtime: Runtime.NODEJS_18_X,
entry: path.resolve(
__dirname,
"..",
"lambda-triggers",
"enable-sms-mfa.js"
),
environment: {
USER_POOL_ID: userPool.userPoolId,
},
});

userPool.grant(enableSmsMfaLambda, "cognito-idp:AdminSetUserMFAPreference");

// Mutation.enableSmsMfa
const enableSmsMfaSource = graphQL.addLambdaDataSource(
"GraphQLApiEnableSmsMfaLambda",
enableSmsMfaLambda
);

enableSmsMfaSource.createResolver("MutationEnableSmsMfaResolver", {
typeName: "Mutation",
fieldName: "enableSmsMfa",
requestMappingTemplate: MappingTemplate.lambdaRequest(),
responseMappingTemplate: MappingTemplate.lambdaResult(),
});
}
54 changes: 54 additions & 0 deletions infra-gen2/infra-common/src/lambda-triggers/enable-sms-mfa.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

import * as cognito from "@aws-sdk/client-cognito-identity-provider";
import type * as lambda from "aws-lambda";

interface EnableSmsMfaRequest {
username: string;
}

interface EnableSmsMfaResponse {
success: boolean;
error?: string;
}

const USER_POOL_ID = process.env.USER_POOL_ID;
const CLIENT = new cognito.CognitoIdentityProviderClient({
region: process.env.REGION,
});

export const handler: lambda.AppSyncResolverHandler<
EnableSmsMfaRequest,
EnableSmsMfaResponse
> = async (
event: lambda.AppSyncResolverEvent<EnableSmsMfaRequest>
): Promise<EnableSmsMfaResponse> => {
console.log(`Got event: ${JSON.stringify(event, null, 2)}`);

const { username } = event.arguments;
console.log(`Enabling SMS MFA for user ${username}...`);
try {
const mfaParams: cognito.AdminSetUserMFAPreferenceCommandInput = {
UserPoolId: USER_POOL_ID,
Username: username,
SMSMfaSettings: {
Enabled: true,
PreferredMfa: true,
},
};
const resp = await CLIENT.send(
new cognito.AdminSetUserMFAPreferenceCommand(mfaParams),
);
console.log(`Successfully enabled MFA for ${username}`, resp);
return {
success: true,
};
} catch (err: any) {
console.log(`Could not enable MFA for ${username}`, err);
return {
success: false,
error: err.toString(),
};
}
};
14 changes: 14 additions & 0 deletions infra-gen2/package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 10 additions & 0 deletions infra-gen2/tool/deploy_gen2.dart
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,16 @@ const List<AmplifyBackendGroup> infraConfig = [
identifier: 'phone-sign-in',
pathToSource: 'infra-gen2/backends/auth/phone-sign-in',
),
AmplifyBackend(
name: 'mfa-optional-sms',
identifier: 'mfa-opt-sms',
pathToSource: 'infra-gen2/backends/auth/mfa-optional-sms',
),
AmplifyBackend(
name: 'mfa-required-sms',
identifier: 'mfa-req-sms',
pathToSource: 'infra-gen2/backends/auth/mfa-required-sms',
),
],
),
AmplifyBackendGroup(
Expand Down
Loading
Loading