Basic auth support added (#4)

Basic auth support added

+ added basic autentication code
+ param store setup to keep basic auth details
* refactor nodejs authorization lambda
* README updated
* var to let

README.md

@@ -16,6 +16,7 @@ IFE terraform module creates resources described in section **IFE**
     - list of clients
         - each client identified by client_id:secret
         - each client has list of OAuth scopes which determine which API is client authorized to call
+    - Optional Basic authentication support - Parameter store
 
 - Creates API Gateway 
     - VPC link
@@ -37,6 +38,7 @@ Configuration JSON example:
   "mappings": [
     {
       "scope_path": "api-path-to-expose-1",
+      "basic_auth": true,
       "resource_server": "IFE-RS-1",
       "target": "https://some-service.example.com/endpoint-1",
       "enabled": true
@@ -45,6 +47,7 @@ Configuration JSON example:
   "clients": [
     {
       "name": "ife-client-1",
+      "basic_auth": true,
       "allowed_oauth_flows": [
         "client_credentials"
       ],
@@ -66,6 +69,8 @@ It its composed from 2 parts:
 
 2) clients
     * `name` client's name which will be used when new client is created
+    * `basic_auth` allows exposed API to use also with Basic authentication Authorization header. This is not
+        recommended though sometimes its needed. Client details will be persisted in Parameter Store
     * `allowed_oauth_flows` currently only client_credentials supported
     * `allowed_scopes` what API on API GW level is client authorized to call. 
      It is combination of `resource_server/scope_path` values
@@ -132,7 +137,8 @@ Provider requirements:
 | create_api_custom_domain | True if own domain should be used | bool | false | no | 
 | certificate_domain | Certificate domain where certificated in ACM is issued for. Use only if create_api_custom_domain = true  | string | "" | no | 
 | _Lambda config_  | - | - | - | - |
-| lambda_log_retention | ambda cloud watch log retention in days | number | 7 | no | 
+| lambda_log_retention | lambda cloud watch log retention in days | number | 7 | no | 
+| param_store_client_prefix | Prefix used in parameter store where all client basic auth configurations will be stored | string | ife | no | 
 
 ### Output variables
 `tags`

examples/complete/ife-configuration-dev.json

@@ -16,6 +16,7 @@
   "clients": [
     {
       "name": "ife-client-1",
+      "basic_auth": false,
       "allowed_oauth_flows": [
         "client_credentials"
       ],
@@ -26,6 +27,7 @@
     },
     {
       "name": "ife-client-2",
+      "basic_auth": false,
       "allowed_oauth_flows": [
         "client_credentials"
       ],

ife-cognito/main.tf

@@ -3,6 +3,10 @@ locals {
   resource_server_config = {
     for rs in var.ife_configuration.mappings : rs.resource_server => rs.scope_path...
   }
+
+  basic_auth_client_settings = {
+    for client in var.ife_configuration.clients : client.name => client if client.basic_auth == true
+  }
 }
 
 
@@ -83,4 +87,23 @@ resource "aws_cognito_user_pool_client" "client" {
   allowed_oauth_scopes                 = each.value.allowed_scopes
 
   depends_on = [aws_cognito_resource_server.ife_resource_server]
+}
+
+resource "random_password" "password" {
+  for_each = local.basic_auth_client_settings
+  length   = 32
+  special  = false
+  keepers = {
+    client = each.key
+  }
+}
+
+resource "aws_ssm_parameter" "basic_auth_client" {
+  for_each = local.basic_auth_client_settings
+
+  name  = "/${var.param_store_client_prefix}/client/${each.key}"
+  value = "{\"password\":${jsonencode(random_password.password[each.key].result)}, \"allowed_scopes\":\"${join(" ", each.value.allowed_scopes)}\"}"
+  type  = "SecureString"
+
+  tags = var.tags
 }

ife-cognito/variables.tf

@@ -35,6 +35,11 @@ variable "certificate_arn" {
   default     = ""
 }
 
+variable "param_store_client_prefix" {
+  description = "Prefix used in parameter store where all client basic auth configurations will be stored"
+  type        = string
+}
+
 variable "tags" {
   description = "A map of tags to add to all resources"
   type        = map(string)

ife-configuration-example.json

@@ -16,6 +16,7 @@
   "clients": [
     {
       "name": "ife-client-1",
+      "basic_auth": true,
       "allowed_oauth_flows": [
         "client_credentials"
       ],
@@ -26,6 +27,7 @@
     },
     {
       "name": "ife-client-2",
+      "basic_auth": false,
       "allowed_oauth_flows": [
         "client_credentials"
       ],