split cognito urls setup and cognito user creation (#1366)

### Feature or Bugfix
- Bugfix
### Details
For more details about the issue read #1353 
In this PR we are solving the problem by splitting the configuration of
Cognito in 2.
* First part (cognito_users_config.py) is setting up the required groups
and users and runs after UserPool deployment
* Second part (cognito_urls_config.py) is setting up Cognito's
callback/logout urls and runs after the CloudFront deployment

We chose to split the functionality because we need to have the
users/groups setup for the integration tests which are run after the
backend deployment.

The other althernative is to keep the config functionality as one but
make the integ tests run after CloudFront stage.

### Relates
- Solves #1353 

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

deploy/custom_resources/cognito_config/cognito_urls.py

@@ -0,0 +1,82 @@
+import logging
+import os
+
+import boto3
+
+logger = logging.getLogger()
+logger.setLevel(os.environ.get('LOG_LEVEL', 'INFO'))
+log = logging.getLogger(__name__)
+
+
+def setup_cognito(
+    region,
+    envname,
+    custom_domain='False',
+):
+    ssm = boto3.client('ssm', region_name=region)
+    user_pool_id = ssm.get_parameter(Name=f'/dataall/{envname}/cognito/userpool')['Parameter']['Value']
+    log.info(f'Cognito Pool ID: {user_pool_id}')
+    app_client = ssm.get_parameter(Name=f'/dataall/{envname}/cognito/appclient')['Parameter']['Value']
+
+    if custom_domain == 'False':
+        log.info('Switching to us-east-1 region...')
+        ssm = boto3.client('ssm', region_name='us-east-1')
+        signin_singout_link = ssm.get_parameter(Name=f'/dataall/{envname}/CloudfrontDistributionDomainName')[
+            'Parameter'
+        ]['Value']
+        user_guide_link = ssm.get_parameter(
+            Name=f'/dataall/{envname}/cloudfront/docs/user/CloudfrontDistributionDomainName'
+        )['Parameter']['Value']
+    else:
+        signin_singout_link = ssm.get_parameter(Name=f'/dataall/{envname}/frontend/custom_domain_name')['Parameter'][
+            'Value'
+        ]
+        user_guide_link = ssm.get_parameter(Name=f'/dataall/{envname}/userguide/custom_domain_name')['Parameter'][
+            'Value'
+        ]
+
+    log.info(f'UI: {signin_singout_link}')
+    log.info(f'USERGUIDE: {user_guide_link}')
+
+    cognito = boto3.client('cognito-idp', region_name=region)
+    user_pool = cognito.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=app_client)
+
+    del user_pool['UserPoolClient']['CreationDate']
+    del user_pool['UserPoolClient']['LastModifiedDate']
+
+    config_callbacks = [
+        f'https://{signin_singout_link}',
+        f'https://{user_guide_link}/parseauth',
+    ]
+    existing_callbacks = user_pool['UserPoolClient'].get('CallbackURLs', [])
+    if 'https://example.com' in existing_callbacks:
+        existing_callbacks.remove('https://example.com')
+    updated_callbacks = existing_callbacks + list(set(config_callbacks) - set(existing_callbacks))
+    log.info(f'Updated CallBackUrls: {updated_callbacks}')
+
+    config_logout_urls = [f'https://{signin_singout_link}']
+    existing_logout_urls = user_pool['UserPoolClient'].get('LogoutURLs', [])
+    updated_logout_urls = existing_logout_urls + list(set(config_logout_urls) - set(existing_logout_urls))
+    log.info(f'Updated LogOutUrls: {updated_logout_urls}')
+
+    user_pool['UserPoolClient']['CallbackURLs'] = updated_callbacks
+    user_pool['UserPoolClient']['LogoutURLs'] = updated_logout_urls
+
+    response = cognito.update_user_pool_client(
+        **user_pool['UserPoolClient'],
+    )
+
+    log.info(f'CallbackUrls and LogOutUrls updated successfully: {response}')
+
+
+def handler(event, context) -> None:
+    log.info('Starting Cognito Configuration...')
+    envname = os.environ.get('envname')
+    region = os.environ.get('deployment_region')
+    custom_domain = os.environ.get('custom_domain')
+    setup_cognito(
+        region,
+        envname,
+        custom_domain,
+    )
+    log.info('Cognito Configuration Finished Successfully')

deploy/custom_resources/cognito_config/cognito_urls_config.py → deploy/custom_resources/cognito_config/cognito_users.py

@@ -22,65 +22,13 @@ def setup_cognito(
     region,
     resource_prefix,
     envname,
-    internet_facing='True',
-    custom_domain='False',
     enable_cw_canaries='False',
     with_approval_tests='False',
 ):
     ssm = boto3.client('ssm', region_name=region)
     user_pool_id = ssm.get_parameter(Name=f'/dataall/{envname}/cognito/userpool')['Parameter']['Value']
     log.info(f'Cognito Pool ID: {user_pool_id}')
-    app_client = ssm.get_parameter(Name=f'/dataall/{envname}/cognito/appclient')['Parameter']['Value']
-
-    if custom_domain == 'False' and internet_facing == 'True':
-        log.info('Switching to us-east-1 region...')
-        ssm = boto3.client('ssm', region_name='us-east-1')
-        signin_singout_link = ssm.get_parameter(Name=f'/dataall/{envname}/CloudfrontDistributionDomainName')[
-            'Parameter'
-        ]['Value']
-        user_guide_link = ssm.get_parameter(
-            Name=f'/dataall/{envname}/cloudfront/docs/user/CloudfrontDistributionDomainName'
-        )['Parameter']['Value']
-    else:
-        signin_singout_link = ssm.get_parameter(Name=f'/dataall/{envname}/frontend/custom_domain_name')['Parameter'][
-            'Value'
-        ]
-        user_guide_link = ssm.get_parameter(Name=f'/dataall/{envname}/userguide/custom_domain_name')['Parameter'][
-            'Value'
-        ]
-
-    log.info(f'UI: {signin_singout_link}')
-    log.info(f'USERGUIDE: {user_guide_link}')
-
     cognito = boto3.client('cognito-idp', region_name=region)
-    user_pool = cognito.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=app_client)
-
-    del user_pool['UserPoolClient']['CreationDate']
-    del user_pool['UserPoolClient']['LastModifiedDate']
-
-    config_callbacks = [
-        f'https://{signin_singout_link}',
-        f'https://{user_guide_link}/parseauth',
-    ]
-    existing_callbacks = user_pool['UserPoolClient'].get('CallbackURLs', [])
-    if 'https://example.com' in existing_callbacks:
-        existing_callbacks.remove('https://example.com')
-    updated_callbacks = existing_callbacks + list(set(config_callbacks) - set(existing_callbacks))
-    log.info(f'Updated CallBackUrls: {updated_callbacks}')
-
-    config_logout_urls = [f'https://{signin_singout_link}']
-    existing_logout_urls = user_pool['UserPoolClient'].get('LogoutURLs', [])
-    updated_logout_urls = existing_logout_urls + list(set(config_logout_urls) - set(existing_logout_urls))
-    log.info(f'Updated LogOutUrls: {updated_logout_urls}')
-
-    user_pool['UserPoolClient']['CallbackURLs'] = updated_callbacks
-    user_pool['UserPoolClient']['LogoutURLs'] = updated_logout_urls
-
-    response = cognito.update_user_pool_client(
-        **user_pool['UserPoolClient'],
-    )
-
-    log.info(f'CallbackUrls and LogOutUrls updated successfully: {response}')
 
     try:
         response = cognito.create_group(
@@ -162,17 +110,13 @@ def handler(event, context) -> None:
     log.info('Starting Cognito Configuration...')
     envname = os.environ.get('envname')
     region = os.environ.get('deployment_region')
-    internet_facing = os.environ.get('internet_facing')
-    custom_domain = os.environ.get('custom_domain')
     enable_cw_canaries = os.environ.get('enable_cw_canaries')
     resource_prefix = os.environ.get('resource_prefix')
     with_approval_tests = os.environ.get('with_approval_tests')
     setup_cognito(
         region,
         resource_prefix,
         envname,
-        internet_facing,
-        custom_domain,
         enable_cw_canaries,
         with_approval_tests,
     )

deploy/custom_resources/utils.py

@@ -0,0 +1,23 @@
+import os
+
+from aws_cdk import aws_lambda, BundlingOptions
+from aws_cdk.aws_lambda import AssetCode
+
+from stacks.solution_bundling import SolutionBundling
+
+
+def get_lambda_code(path, image=aws_lambda.Runtime.PYTHON_3_9.bundling_image) -> AssetCode:
+    assets_path = os.path.realpath(
+        os.path.join(
+            os.path.dirname(__file__),
+            path,
+        )
+    )
+
+    return aws_lambda.Code.from_asset(
+        path=assets_path,
+        bundling=BundlingOptions(
+            image=image,
+            local=SolutionBundling(source_path=assets_path),
+        ),
+    )

deploy/stacks/cloudfront.py

@@ -15,8 +15,11 @@
     RemovalPolicy,
     CfnOutput,
     BundlingOptions,
+    aws_kms,
 )
+from aws_cdk.triggers import TriggerFunction
 
+from custom_resources.utils import get_lambda_code
 from .pyNestedStack import pyNestedClass
 from .solution_bundling import SolutionBundling
 from .waf_rules import get_waf_rules
@@ -34,6 +37,7 @@ def __init__(
         custom_waf_rules=None,
         tooling_account_id=None,
         custom_auth=None,
+        backend_region=None,
         **kwargs,
     ):
         super().__init__(scope, id, **kwargs)
@@ -269,6 +273,9 @@ def __init__(
                 )
             )
 
+        if not custom_auth:
+            self.cognito_urls_config(resource_prefix, envname, backend_region, custom_domain, [cloudfront_distribution])
+
         CfnOutput(
             self,
             'OutputCfnFrontDistribution',
@@ -489,3 +496,94 @@ def error_responses():
                 response_page_path='/index.html',
             ),
         ]
+
+    def cognito_urls_config(self, resource_prefix, envname, backend_region, custom_domain, execute_after):
+        lambda_env_key = aws_kms.Key(
+            self,
+            f'{resource_prefix}-cogn-lambda-env-var-key',
+            removal_policy=RemovalPolicy.DESTROY,
+            alias=f'{resource_prefix}-cogn-lambda-env-var-key',
+            enable_key_rotation=True,
+            policy=iam.PolicyDocument(
+                statements=[
+                    iam.PolicyStatement(
+                        resources=['*'],
+                        effect=iam.Effect.ALLOW,
+                        principals=[
+                            iam.AccountPrincipal(account_id=self.account),
+                        ],
+                        actions=['kms:*'],
+                    ),
+                    iam.PolicyStatement(
+                        resources=['*'],
+                        effect=iam.Effect.ALLOW,
+                        principals=[
+                            iam.ServicePrincipal(service='lambda.amazonaws.com'),
+                        ],
+                        actions=['kms:GenerateDataKey*', 'kms:Decrypt'],
+                    ),
+                ],
+            ),
+        )
+
+        cognito_config_code = get_lambda_code('cognito_config')
+
+        TriggerFunction(
+            self,
+            'TriggerFunction-CognitoUrlsConfig',
+            function_name=f'{resource_prefix}-{envname}-cognito_urls_config',
+            description='dataall CognitoUrlsConfig trigger function',
+            initial_policy=[
+                iam.PolicyStatement(
+                    effect=iam.Effect.ALLOW,
+                    actions=[
+                        'secretsmanager:DescribeSecret',
+                        'secretsmanager:GetSecretValue',
+                        'ssm:GetParameterHistory',
+                        'ssm:GetParameters',
+                        'ssm:GetParameter',
+                        'ssm:GetParametersByPath',
+                        'kms:Decrypt',
+                        'kms:GenerateDataKey',
+                        'kms:DescribeKey',
+                        'rum:GetAppMonitor',
+                    ],
+                    resources=[
+                        f'arn:aws:kms:{self.region}:{self.account}:key/*',
+                        f'arn:aws:ssm:*:{self.account}:parameter/*dataall*',
+                        f'arn:aws:secretsmanager:{self.region}:{self.account}:secret:*dataall*',
+                        f'arn:aws:rum:{self.region}:{self.account}:appmonitor/*dataall*',
+                    ],
+                ),
+                iam.PolicyStatement(
+                    effect=iam.Effect.ALLOW,
+                    actions=[
+                        'cognito-idp:AddCustomAttributes',
+                        'cognito-idp:UpdateUserPool',
+                        'cognito-idp:DescribeUserPoolClient',
+                        'cognito-idp:CreateGroup',
+                        'cognito-idp:UpdateUserPoolClient',
+                        'cognito-idp:AdminSetUserPassword',
+                        'cognito-idp:AdminCreateUser',
+                        'cognito-idp:DescribeUserPool',
+                        'cognito-idp:AdminAddUserToGroup',
+                    ],
+                    resources=[f'arn:aws:cognito-idp:{backend_region}:{self.account}:userpool/*'],
+                ),
+            ],
+            code=cognito_config_code,
+            memory_size=256,
+            timeout=Duration.minutes(15),
+            environment={
+                'envname': envname,
+                'deployment_region': backend_region,
+                'custom_domain': str(bool(custom_domain)),
+            },
+            environment_encryption=lambda_env_key,
+            tracing=_lambda.Tracing.ACTIVE,
+            retry_attempts=0,
+            runtime=_lambda.Runtime.PYTHON_3_9,
+            handler='cognito_urls.handler',
+            execute_after=execute_after,
+            execute_on_handler_change=True,
+        )

deploy/stacks/cloudfront_stack.py

@@ -16,6 +16,7 @@ def __init__(
         custom_domain=None,
         custom_waf_rules=None,
         custom_auth=None,
+        backend_region=None,
         **kwargs,
     ):
         super().__init__(scope, id, **kwargs)
@@ -42,5 +43,6 @@ def __init__(
             custom_domain=custom_domain,
             custom_waf_rules=custom_waf_rules,
             custom_auth=custom_auth,
+            backend_region=backend_region,
             **kwargs,
         )

deploy/stacks/cloudfront_stage.py

@@ -16,6 +16,7 @@ def __init__(
         custom_domain=None,
         custom_waf_rules=None,
         custom_auth=None,
+        backend_region=None,
         **kwargs,
     ):
         super().__init__(scope, id, **kwargs)
@@ -29,6 +30,7 @@ def __init__(
             custom_domain=custom_domain,
             custom_waf_rules=custom_waf_rules,
             custom_auth=custom_auth,
+            backend_region=backend_region,
         )
 
         Tags.of(cloudfront_stack).add('Application', f'{resource_prefix}-{envname}')

deploy/stacks/cognito.py

@@ -17,6 +17,7 @@
 from aws_cdk.aws_cognito import AuthFlow
 from aws_cdk.triggers import TriggerFunction
 
+from custom_resources.utils import get_lambda_code
 from .pyNestedStack import pyNestedClass
 from .solution_bundling import SolutionBundling
 from .waf_rules import get_waf_rules
@@ -349,22 +350,7 @@ def __init__(
             sync_cr.node.add_dependency(domain_name)
             sync_cr.node.add_dependency(pool_arn)
 
-        cognito_config_assets = os.path.realpath(
-            os.path.join(
-                os.path.dirname(__file__),
-                '..',
-                'custom_resources',
-                'cognito_config',
-            )
-        )
-
-        cognito_config_code = _lambda.Code.from_asset(
-            path=cognito_config_assets,
-            bundling=BundlingOptions(
-                image=_lambda.Runtime.PYTHON_3_9.bundling_image,
-                local=SolutionBundling(source_path=cognito_config_assets),
-            ),
-        )
+        cognito_config_code = get_lambda_code('cognito_config')
 
         TriggerFunction(
             self,
@@ -411,8 +397,6 @@ def __init__(
             environment={
                 'envname': envname,
                 'deployment_region': self.region,
-                'internet_facing': str(internet_facing),
-                'custom_domain': str(not domain_name),
                 'enable_cw_canaries': str(enable_cw_rum),
                 'resource_prefix': resource_prefix,
                 'with_approval_tests': str(with_approval_tests),
@@ -421,7 +405,7 @@ def __init__(
             tracing=_lambda.Tracing.ACTIVE,
             retry_attempts=0,
             runtime=_lambda.Runtime.PYTHON_3_9,
-            handler='cognito_urls_config.handler',
+            handler='cognito_users.handler',
             execute_after=[self.client],
             execute_on_handler_change=True,
         )