Merge pull request #137 from NASA-PDS/cognito-alb-lambda

Web based Cognito authentication for Nucleus Airflow UI
NASA-PDS · Feb 6, 2025 · b9e8a79 · b9e8a79
2 parents cfa4fe6 + aab98de
commit b9e8a79
Show file tree

Hide file tree

Showing 12 changed files with 917 additions and 22 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -135,8 +135,7 @@
         "venv",
         "dist",
         "build",
-        ".*\\.egg-info",
-        "\u2018*.tfstate \\\n    --exclude-files \u2018\\*.tfvars"
+        ".*\\.egg-info"
       ]
     }
   ],
@@ -157,31 +156,41 @@
         "filename": "terraform/README.md",
         "hashed_secret": "f2d4e04179e44fa7386b985ac3c7ee4d95dfd65d",
         "is_verified": false,
-        "line_number": 102,
+        "line_number": 109,
         "is_secret": false
       },
       {
         "type": "AWS Sensitive Information (Experimental Plugin)",
         "filename": "terraform/README.md",
         "hashed_secret": "659a4d010b74afeddbcb9c4e8eae01f4390eeacc",
         "is_verified": false,
-        "line_number": 103,
+        "line_number": 110,
         "is_secret": false
       },
       {
         "type": "AWS Sensitive Information (Experimental Plugin)",
         "filename": "terraform/README.md",
         "hashed_secret": "bd3b85b91cb8cf6cfc6a4adc7a2505714939505b",
         "is_verified": false,
-        "line_number": 103,
+        "line_number": 110,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "terraform/README.md",
         "hashed_secret": "a356cb3f3d1c9797cf59daf5b22fc0c7434d8dc7",
         "is_verified": false,
-        "line_number": 107,
+        "line_number": 114,
+        "is_secret": false
+      }
+    ],
+    "terraform/terraform-modules/ecs-ecr/docker/deploy-ecr-images.sh": [
+      {
+        "type": "AWS Sensitive Information (Experimental Plugin)",
+        "filename": "terraform/terraform-modules/ecs-ecr/docker/deploy-ecr-images.sh",
+        "hashed_secret": "9ad897024d8c36c541d7fe84084c4e9f4df00b2a",
+        "is_verified": false,
+        "line_number": 4,
         "is_secret": false
       }
     ],
@@ -290,5 +299,5 @@
       }
     ]
   },
-  "generated_at": "2024-11-26T22:36:37Z"
+  "generated_at": "2025-02-04T19:12:34Z"
 }
diff --git a/terraform/README.md b/terraform/README.md
@@ -38,6 +38,10 @@ system admin team of your AWS account)
 
 6. PDS Registry (OpenSearch) is accessible from the AWS account which is used to deploy PDS Nucleus)
 
+7. A Cognito User Pool to manage Nucleus users
+
+8. A certificate to be used for the ALB Listener facing Airflow UI
+
 
 ## Steps to Deploy the PDS Nucleus Baseline System
 
@@ -90,6 +94,10 @@ Note:  Examples of `terraform.tfvars` files are available at `terraform/variable
     - pds_nucleus_config_bucket_name  : S3 Bucket name to keep temporary configurations (E.g.: pds-nucleus-config-mcp-test)
     - pds_nucleus_default_airflow_dag_id : The default example DAG to be included for testing (E.g.: pds-basic-registry-load-use-case)
     - pds_registry_loader_harvest_task_role_arn: An IAM role which is associated with a Cognito user group
+    - cognito_user_pool_id: The ID of the Cognito user pool which is used to create Nuclues user accounts
+    - cognito_user_pool_domain: Cognitp domain name of the Cognito user pool which is sued to create Nuclues user accounts
+    - auth_alb_listener_certificate_arn: ARN of the certificate to be used for the ALB Listener facing Airflow UI
+    - aws_elb_account_id_for_the_region: The standard ELB account ID for the AWS region. For US West (Oregon), this is  797873946194. Read more at https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html)
 
 
 > Note: `terraform.tfvars` is only used to test with your configuration with the actual values in your AWS account. This file will not be uploaded to GitHub as it's ignored by Git. Once testing is completed successfully work with your admin to get the values for these tested variables updated via GitHub secrets, which are dynamically passed in during runtime.
@@ -128,6 +136,12 @@ pds_nucleus_config_bucket_name               = "pds-nucleus-config-mcp-dev"
 pds_nucleus_default_airflow_dag_id = "pds-basic-registry-load-use-case"
 
 pds_registry_loader_harvest_task_role_arn = "arn:aws:iam::12345678:role/harvest-task-role"
+
+
+cognito_user_pool_id              = "us-west-2_ABCDEFG"
+cognito_user_pool_domain          = "pds-registry"
+auth_alb_listener_certificate_arn = "arn:aws:acm:us-west-2:123456789:certificate/ca123456-abcd-abcd-1234-abcdefghi"
+aws_elb_account_id_for_the_region = "797873946194"
 ```
 
 

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -125,4 +125,20 @@ module "test-data" {
 }
 
 
+# The Terraform module to implement Cognito authentication for PDS Nucleus
+module "cognito-auth" {
+  source = "./terraform-modules/cognito-auth"
+
+  vpc_id                            = var.vpc_id
+  permission_boundary_for_iam_roles = var.permission_boundary_for_iam_roles
+  depends_on                        = [module.common]
+  airflow_env_name                  = var.airflow_env_name
+  auth_alb_listener_port            = var.auth_alb_listener_port
+  auth_alb_name                     = var.auth_alb_name
+  auth_alb_subnet_ids               = var.auth_alb_subnet_ids
+  auth_alb_listener_certificate_arn = var.auth_alb_listener_certificate_arn
+  cognito_user_pool_domain          = var.cognito_user_pool_domain
+  cognito_user_pool_id              = var.cognito_user_pool_id
+  aws_elb_account_id_for_the_region = var.aws_elb_account_id_for_the_region
+}