#!/usr/bin/env python3
import subprocess
import aws_cdk as cdk
from infra.stack import AuthStack, BucketPermissions
from config import auth_app_settings
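# Capture the revision being deployed so the stack can be tagged with it
# (see ``tags`` below). A failing ``git rev-parse`` is NOT caught here: a
# synth that cannot identify its own commit aborts instead of producing a
# stack with no provenance tag.
git_sha = subprocess.check_output(["git", "rev-parse", "HEAD"]).decode().strip()
try:
    git_tag = subprocess.check_output(["git", "describe", "--tags"]).decode().strip()
except subprocess.CalledProcessError:
    # ``git describe`` exits non-zero when no tag is reachable (fresh clone,
    # untagged branch); that is a normal state, so use a marker value.
    git_tag = "no-tag"

proj_prefix = auth_app_settings.project_prefix
app_name = f"{proj_prefix}-{auth_app_settings.app_name}"

# Tags applied to every resource in the stack (loop at the bottom of the file).
# GitCommit/GitTag let an operator trace a deployed resource back to source.
tags = {
    "Project": proj_prefix,
    "Owner": auth_app_settings.owner,
    "Client": "nasa-impact",
    "Stack": auth_app_settings.stage,
    "GitCommit": git_sha,
    "GitTag": git_tag,
}

app = cdk.App()
stack_name = f"{app_name}-{auth_app_settings.stage}"
stack = AuthStack(
    app,
    stack_name,
    auth_app_settings,
    # The qualifier selects the bootstrap resources the stack deploys with.
    synthesizer=cdk.DefaultStackSynthesizer(
        qualifier=auth_app_settings.cdk_qualifier
    ),
)

# Create a data managers group in user pool if data managers role is provided.
# This is the only group that binds an existing IAM role by ARN rather than a
# role generated by the stack from a bucket-permission map; the role's trust
# policy is managed outside this file (presumably where the ARN comes from).
if data_managers_role_arn := auth_app_settings.data_managers_role_arn:
    stack.add_cognito_group_with_existing_role(
        f"{proj_prefix}-data-store-managers",
        f"Authenticated users assume read write {proj_prefix.upper()} data access role",
        role_arn=data_managers_role_arn,
    )

# Create Groups.
# Each group is declared with an explicit bucket -> permission map; the
# ``staging-*`` groups are the ``writers``/``readers`` groups plus the staging
# bucket, and ``readers`` is the narrowest (read-only on the primary store).
if auth_app_settings.cognito_groups:
    stack.add_cognito_group(
        f"{proj_prefix}-staging-writers",
        "Users that have read/write-access to the GHGC store and staging datastore",
        {
            f"{proj_prefix}-data-store-dev": BucketPermissions.read_write,
            f"{proj_prefix}-data-store": BucketPermissions.read_write,
            f"{proj_prefix}-data-store-staging": BucketPermissions.read_write,
        },
    )
    stack.add_cognito_group(
        f"{proj_prefix}-writers",
        "Users that have read/write-access to the GHGC store",
        {
            f"{proj_prefix}-data-store-dev": BucketPermissions.read_write,
            f"{proj_prefix}-data-store": BucketPermissions.read_write,
        },
    )
    stack.add_cognito_group(
        f"{proj_prefix}-staging-readers",
        "Users that have read-access to the GHGC store and staging data store",
        {
            f"{proj_prefix}-data-store-dev": BucketPermissions.read_only,
            f"{proj_prefix}-data-store": BucketPermissions.read_only,
            f"{proj_prefix}-data-store-staging": BucketPermissions.read_only,
        },
    )
    # TODO: Should this be the default IAM role for the user group?
    stack.add_cognito_group(
        f"{proj_prefix}-readers",
        "Users that have read-access to the GHGC store",
        {
            f"{proj_prefix}-data-store": BucketPermissions.read_only,
        },
    )

# Generate a resource server (ie something to protect behind auth) with scopes
# (permissions that we can grant to users/services).
stac_registry_scopes = stack.add_resource_server(
    f"{proj_prefix}-stac-ingestion-registry",
    supported_scopes={
        "stac:register": "Create STAC ingestions",
        "stac:cancel": "Cancel a STAC ingestion",
        # Fixed: this description previously duplicated the ``stac:cancel``
        # text, which misdescribed the scope wherever it is displayed.
        "stac:list": "List STAC ingestions",
    },
)

# Generate a client for a service, specifying the permissions it will be granted.
# In this case, we want this client to be able to only register new STAC ingestions in
# the STAC ingestion registry service (least privilege: no cancel/list scope).
stack.add_service_client(
    f"{proj_prefix}-workflows",
    scopes=[
        stac_registry_scopes["stac:register"],
    ],
)

# Generate an OIDC provider, allowing CI workers to assume roles in the account.
# Both the issuer URL and its certificate thumbprint must be configured; with
# either missing no provider is created, so CI role assumption is opt-in.
oidc_thumbprint = auth_app_settings.oidc_thumbprint
oidc_provider_url = auth_app_settings.oidc_provider_url
if oidc_thumbprint and oidc_provider_url:
    stack.add_oidc_provider(
        f"{proj_prefix}-oidc-provider-{auth_app_settings.stage}",
        oidc_provider_url,
        oidc_thumbprint,
    )

# Programmatic Clients.
# The client id is exported as a stack output so other stacks/tools can
# reference it; it is an identifier, not a secret.
client = stack.add_programmatic_client(f"{proj_prefix}-sdk")
cdk.CfnOutput(
    stack,
    "client_id",
    export_name=f"{stack_name}-client-id",
    value=client.user_pool_client_id,
)

# Frontend Clients
# stack.add_frontend_client('ghgc-dashboard')

for key, value in tags.items():
    cdk.Tags.of(stack).add(key, value)

app.synth()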