From 52d0282b667a696c5e0b9da1482785bde616d288 Mon Sep 17 00:00:00 2001
From: william
Date: Thu, 7 Nov 2024 16:32:17 +1100
Subject: [PATCH] rename lambda name

---
 config/constants.ts | 6 ++---
 config/stacks/authorizationManager.ts | 4 ++--
 lib/workload/components/api-gateway/README.md | 2 +-
 lib/workload/components/api-gateway/index.ts | 22 +++++++++----------
 .../stacks/authorization-manager/README.md | 5 +----
 ...ccess_authorizer.py => http_authorizer.py} | 0
 .../stacks/authorization-manager/stack.ts | 18 +++++++--------
 .../stacks/filemanager/deploy/stack.ts | 4 ++--
 8 files changed, 29 insertions(+), 32 deletions(-)
 rename lib/workload/stateful/stacks/authorization-manager/http-lambda-authorizer/{admin_access_authorizer.py => http_authorizer.py} (100%)

diff --git a/config/constants.ts b/config/constants.ts
index 46a47363e..16d308ad9 100644
--- a/config/constants.ts
+++ b/config/constants.ts
@@ -37,10 +37,10 @@ export const vpcProps: VpcLookupOptions = {
 };
 
 /**
- * The SSM Parameter Name for HTTP Lambda Authorizer ARN (admin user pool group)
+ * The SSM Parameter Name for HTTP Lambda Authorizer ARN defined in authorization stack manager
  */
-export const adminHttpLambdaAuthorizerParameterName =
-  '/orcabus/authorization-stack/admin-http-lambda-authorization-arn';
+export const authStackHttpLambdaAuthorizerParameterName =
+  '/orcabus/authorization-stack/http-lambda-authorization-arn';
 
 // upstream infra: cognito
 export const cognitoPortalAppClientIdParameterName =
diff --git a/config/stacks/authorizationManager.ts b/config/stacks/authorizationManager.ts
index d6c34c20e..ed88bbecc 100644
--- a/config/stacks/authorizationManager.ts
+++ b/config/stacks/authorizationManager.ts
@@ -4,7 +4,7 @@ import {
   region,
   accountIdAlias,
   AppStage,
-  adminHttpLambdaAuthorizerParameterName,
+  authStackHttpLambdaAuthorizerParameterName,
 } from '../constants';
 
 export const getAuthorizationManagerStackProps = (
@@ -16,6 +16,6 @@ export const getAuthorizationManagerStackProps = (
     region: region,
     accountNumber: accountIdAlias[stage],
   },
-  adminHttpLambdaAuthorizerParameterName: adminHttpLambdaAuthorizerParameterName,
+  authStackHttpLambdaAuthorizerParameterName: authStackHttpLambdaAuthorizerParameterName,
 };
 };
diff --git a/lib/workload/components/api-gateway/README.md b/lib/workload/components/api-gateway/README.md
index e62a5653d..1ee28b8f7 100644
--- a/lib/workload/components/api-gateway/README.md
+++ b/lib/workload/components/api-gateway/README.md
@@ -20,7 +20,7 @@ new HttpRoute(this, 'GetHttpRoute', {
 new HttpRoute(this, 'PostHttpRoute', {
   httpApi: httpApi,
   integration: apiIntegration,
-  authorizer: apiGateway.cognitoAdminGroupAuthorizer,
+  authorizer: apiGateway.authStackHttpLambdaAuthorizer,
   routeKey: HttpRouteKey.with('/{proxy+}', HttpMethod.POST),
 });
 ```
diff --git a/lib/workload/components/api-gateway/index.ts b/lib/workload/components/api-gateway/index.ts
index d671f8889..7bad949d0 100644
--- a/lib/workload/components/api-gateway/index.ts
+++ b/lib/workload/components/api-gateway/index.ts
@@ -13,7 +13,7 @@ import { ARecord, HostedZone, RecordTarget } from 'aws-cdk-lib/aws-route53';
 import { Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
 import { Function } from 'aws-cdk-lib/aws-lambda';
 import { ApiGatewayv2DomainProperties } from 'aws-cdk-lib/aws-route53-targets';
-import { adminHttpLambdaAuthorizerParameterName } from '../../../../config/constants';
+import { authStackHttpLambdaAuthorizerParameterName } from '../../../../config/constants';
 
 export interface ApiGwLogsConfig {
   /**
@@ -62,7 +62,7 @@ export interface ApiGatewayConstructProps {
 export class ApiGatewayConstruct extends Construct {
   private readonly _httpApi: HttpApi;
   private readonly _domainName: string;
-  readonly cognitoAdminGroupAuthorizer: HttpLambdaAuthorizer;
+  readonly authStackHttpLambdaAuthorizer: HttpLambdaAuthorizer;
 
   constructor(scope: Construct, id: string, props: ApiGatewayConstructProps) {
     super(scope, id);
@@ -109,8 +109,8 @@ export class ApiGatewayConstruct extends Construct {
       },
     });
 
-    this.cognitoAdminGroupAuthorizer = this.getCognitoAdminGroupHTTPAuthorizer(
-      adminHttpLambdaAuthorizerParameterName
+    this.authStackHttpLambdaAuthorizer = this.getAuthStackHTTPLambdaAuthorizer(
+      authStackHttpLambdaAuthorizerParameterName
     );
 
     new ARecord(this, 'CustomDomainARecord', {
@@ -202,28 +202,28 @@ export class ApiGatewayConstruct extends Construct {
   }
 
   /**
-   * Get the Cognito Admin Group HTTP Lambda Authorizer
-   * @param adminHttpLambdaAuthorizerParameterName The SSM Parameter Name that stores the ARN of the lambda authorizer
+   * Get the HTTP Lambda Authorizer defined in the authorization stack manager
+   * @param authStackHttpLambdaAuthorizerParameterName The SSM Parameter Name that stores the ARN of the lambda authorizer
    * @returns
    */
-  private getCognitoAdminGroupHTTPAuthorizer(adminHttpLambdaAuthorizerParameterName: string) {
+  private getAuthStackHTTPLambdaAuthorizer(authStackHttpLambdaAuthorizerParameterName: string) {
     const lambdaArn = StringParameter.valueForStringParameter(
       this,
-      adminHttpLambdaAuthorizerParameterName
+      authStackHttpLambdaAuthorizerParameterName
     );
 
     // Get the lambda HTTP authorizer defined in the authorization stack manager
     const lambdaAuthorizer = Function.fromFunctionAttributes(
       this,
-      'AdminGroupHTTPAuthorizerLambda',
+      'AuthStackHTTPLambdaAuthorizer',
       {
         functionArn: lambdaArn,
         sameEnvironment: true,
       }
     );
 
-    return new HttpLambdaAuthorizer('AdminGroupLambdaAuthorizer', lambdaAuthorizer, {
-      authorizerName: 'CognitoAdminGroupLambdaAuthorizer',
+    return new HttpLambdaAuthorizer('AuthStackLambdaHttpAuthorizer', lambdaAuthorizer, {
+      authorizerName: 'AuthStackHTTPLambdaAuthorizer',
       responseTypes: [HttpLambdaResponseType.SIMPLE],
     });
   }
diff --git a/lib/workload/stateful/stacks/authorization-manager/README.md b/lib/workload/stateful/stacks/authorization-manager/README.md
index 54998d97d..42f060833 100644
--- a/lib/workload/stateful/stacks/authorization-manager/README.md
+++ b/lib/workload/stateful/stacks/authorization-manager/README.md
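Review bot: The TSDoc on getAuthStackHTTPLambdaAuthorizer still carries an empty `@returns` tag, and with "Admin" dropped from every name the docstring no longer says what this authorizer actually enforces, even though the authorization-manager README in this same commit still describes the policy as admin-group-only. Suggest `@returns HttpLambdaAuthorizer backed by the authorization-manager Lambda; the allow/deny decision comes from its Verified Permissions policy (admin group only at present)`, so callers do not read it as a generic authenticated-user check. Separately, the `Function.fromFunctionAttributes` id and the `authorizerName` are now the identical string `'AuthStackHTTPLambdaAuthorizer'`, which makes deploy-time errors mentioning that name ambiguous; giving the imported function a distinct id such as `'AuthStackHTTPAuthorizerLambda'` avoids that. Note also that changing the HttpLambdaAuthorizer id to `'AuthStackLambdaHttpAuthorizer'` changes the construct id and therefore the logical id of the API Gateway authorizer, so it will be replaced rather than updated in place on the next deploy.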
@@ -4,7 +4,7 @@ This stack contains resources that handle authorization requests.
 
 ## AWS Verified Permissions
 
-The current stack deploys AWS Verified Permissions, defining an identity source and policies as described below. A HTTP Lambda Authorizer is also included for use with other stacks.
+The current stack deploys AWS Verified Permissions, defining an identity source and policies as described below. An HTTP Lambda Authorizer is included for use in stacks where routes/methods need to comply with this policy. The Lambda ARN is stored in an SSM Parameter String defined in `config/constants.ts` as the `authStackHttpLambdaAuthorizerParameterName` constant.
 
 ### Identity Source
 
@@ -21,6 +21,3 @@ The current stack deploys AWS Verified Permissions, defining an identity source
 A static policy defined in the stack that allows anyone in the `admin` group of the Cognito user pool to perform any action.
 This essentially checks if a user is in the `admin` group, integrated with the Cognito setup.
 
-
- The HTTP Lambda Authorizer is also defined for use in stacks where routes/methods need to comply with this policy. The
- Lambda ARN is stored in SSM Parameter String defined in `config/constants.ts` as the `adminHttpLambdaAuthorizerParameterName` constant.
diff --git a/lib/workload/stateful/stacks/authorization-manager/http-lambda-authorizer/admin_access_authorizer.py b/lib/workload/stateful/stacks/authorization-manager/http-lambda-authorizer/http_authorizer.py
similarity index 100%
rename from lib/workload/stateful/stacks/authorization-manager/http-lambda-authorizer/admin_access_authorizer.py
rename to lib/workload/stateful/stacks/authorization-manager/http-lambda-authorizer/http_authorizer.py
diff --git a/lib/workload/stateful/stacks/authorization-manager/stack.ts b/lib/workload/stateful/stacks/authorization-manager/stack.ts
index 7ed0bff0a..8fdfcec94 100644
--- a/lib/workload/stateful/stacks/authorization-manager/stack.ts
+++ b/lib/workload/stateful/stacks/authorization-manager/stack.ts
@@ -11,7 +11,7 @@ import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
 
 export interface AuthorizationManagerStackProps {
   cognito: CognitoConfig;
-  adminHttpLambdaAuthorizerParameterName: string;
+  authStackHttpLambdaAuthorizerParameterName: string;
 }
 
 interface CognitoConfig {
@@ -50,7 +50,7 @@ export class AuthorizationManagerStack extends Stack {
     this.setupTokenLambdaAuthorization({
       policyStoreARN: policyStore.attrArn,
       policyStoreId: policyStore.attrPolicyStoreId,
-      adminHttpLambdaAuthorizerParameterName: props.adminHttpLambdaAuthorizerParameterName,
+      authStackHttpLambdaAuthorizerParameterName: props.authStackHttpLambdaAuthorizerParameterName,
     });
   }
 
@@ -108,13 +108,13 @@ export class AuthorizationManagerStack extends Stack {
   private setupTokenLambdaAuthorization(props: {
     policyStoreId: string;
     policyStoreARN: string;
-    adminHttpLambdaAuthorizerParameterName: string;
+    authStackHttpLambdaAuthorizerParameterName: string;
   }) {
-    const adminLambdaAuth = new PythonFunction(this, 'AdminHTTPAuthorizerLambda', {
+    const lambdaAuth = new PythonFunction(this, 'HTTPAuthorizerLambda', {
       entry: path.join(__dirname, 'http-lambda-authorizer'),
       architecture: Architecture.ARM_64,
       runtime: Runtime.PYTHON_3_12,
-      index: 'admin_access_authorizer.py',
+      index: 'http_authorizer.py',
       retryAttempts: 0,
       environment: { POLICY_STORE_ID: props.policyStoreId },
       initialPolicy: [
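Review bot: Renaming the PythonFunction construct id from `'AdminHTTPAuthorizerLambda'` to `'HTTPAuthorizerLambda'` changes its CloudFormation logical id, so the authorizer Lambda is replaced with a new ARN rather than updated in place; the StringParameter in the next hunk is replaced the same way, and its `parameterName` also moves to the new `/orcabus/authorization-stack/http-lambda-authorization-arn` path from config/constants.ts, so the old parameter disappears. Because the API Gateway construct reads that ARN with `StringParameter.valueForStringParameter`, which is resolved when the consumer stack is deployed, a consumer already deployed keeps pointing at the deleted function until it is redeployed, and one deployed before this stack fails on the missing parameter — the failure mode should be fail-closed (protected routes rejected), so this is an availability rather than a bypass concern, but it is a deployment-ordering step the commit message should spell out (deploy authorization-manager first, then redeploy every consumer). If a transition window is needed, writing the ARN to both the old and the new parameter names for one release would avoid the gap. setupTokenLambdaAuthorization continues past the end of the hunk.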
@@ -125,11 +125,11 @@ export class AuthorizationManagerStack extends Stack {
       ],
     });
 
-    new StringParameter(this, 'AdminHTTPAuthorizerLambdaARNParameter', {
-      parameterName: props.adminHttpLambdaAuthorizerParameterName,
+    new StringParameter(this, 'HTTPAuthorizerLambdaARNParameter', {
+      parameterName: props.authStackHttpLambdaAuthorizerParameterName,
       description:
-        'ARN of the HTTP lambda authorizer that allow access for admin in the cognito user pool group',
-      stringValue: adminLambdaAuth.functionArn,
+        'ARN of the HTTP lambda authorizer that allow access defined in Amazon Verified Permission',
+      stringValue: lambdaAuth.functionArn,
     });
   }
 }
diff --git a/lib/workload/stateless/stacks/filemanager/deploy/stack.ts b/lib/workload/stateless/stacks/filemanager/deploy/stack.ts
index 5846e4e94..b88a16d51 100644
--- a/lib/workload/stateless/stacks/filemanager/deploy/stack.ts
+++ b/lib/workload/stateless/stacks/filemanager/deploy/stack.ts
@@ -153,14 +153,14 @@ export class Filemanager extends Stack {
     new HttpRoute(this, 'PatchHttpRoute', {
       httpApi: httpApi,
       integration: apiIntegration,
-      authorizer: apiGateway.cognitoAdminGroupAuthorizer,
+      authorizer: apiGateway.authStackHttpLambdaAuthorizer,
       routeKey: HttpRouteKey.with('/{proxy+}', HttpMethod.PATCH),
     });
 
     new HttpRoute(this, 'PostHttpRoute', {
       httpApi: httpApi,
       integration: apiIntegration,
-      authorizer: apiGateway.cognitoAdminGroupAuthorizer,
+      authorizer: apiGateway.authStackHttpLambdaAuthorizer,
       routeKey: HttpRouteKey.with('/{proxy+}', HttpMethod.POST),
     });
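Review bot: The new StringParameter description `'ARN of the HTTP lambda authorizer that allow access defined in Amazon Verified Permission'` is ungrammatical and gets the service name wrong; suggest `'ARN of the HTTP Lambda authorizer whose allow/deny decision comes from the Amazon Verified Permissions policy store'`. It is a user-visible string in the SSM console and is about to be created fresh under the new parameter name, so this is the cheap moment to fix it. The description could also say which Cognito group the current policy admits, since that is the one thing the old text stated and the new one drops.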