chore: migrate sms only MFA infra to Gen 2 (#5291)
* chore: add new auth backend * chore: add auth extension * chore: add license headers * chore: add mfa to env * chore: add trigger to enable MFA * chore: add infra for sms required * chore: refactor tests for gen 2 backends * chore: add backends to deploy script * chore: package-lock for mfa-required-sms * chore: remove bundling of @aws-crypto/client-node * chore: fix formatting
1 parent
c51445e
commit 04406a5
Showing
28 changed files
with
423 additions
and
150 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# amplify | ||
node_modules | ||
.amplify | ||
amplify_outputs* | ||
amplifyconfiguration* |
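--- a/infra-gen2/backends/auth/mfa-optional-sms/amplify/auth/resource.ts
+++ b/infra-gen2/backends/auth/mfa-optional-sms/amplify/auth/resource.ts
@@ -0,0 +1,14 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { defineAuth } from "@aws-amplify/backend";
+
+export const auth = defineAuth({
+loginWith: {
+email: true,
+},
+multifactor: {
+mode: "OPTIONAL",
+sms: true,
+},
+});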
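--- a/infra-gen2/backends/auth/mfa-optional-sms/amplify/backend.ts
+++ b/infra-gen2/backends/auth/mfa-optional-sms/amplify/backend.ts
@@ -0,0 +1,25 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { defineBackend } from "@aws-amplify/backend";
+import { addAuthUserExtensions } from "infra-common";
+import { auth } from "./auth/resource";
+
+const backend = defineBackend({
+auth,
+});
+
+const resources = backend.auth.resources;
+const { userPool, cfnResources } = resources;
+const { stack } = userPool;
+const { cfnUserPool } = cfnResources;
+
+// Adds infra for creating/deleting users via App Sync and fetching confirmation
+// and MFA codes from App Sync.
+const customOutputs = addAuthUserExtensions({
+name: "mfa-optional-sms",
+stack,
+userPool,
+cfnUserPool,
+});
+backend.addOutput(customOutputs);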
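--- a/infra-gen2/backends/auth/mfa-optional-sms/amplify/package.json
+++ b/infra-gen2/backends/auth/mfa-optional-sms/amplify/package.json
@@ -0,0 +1,3 @@
+{
+"type": "module"
+}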
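--- a/infra-gen2/backends/auth/mfa-optional-sms/amplify/tsconfig.json
+++ b/infra-gen2/backends/auth/mfa-optional-sms/amplify/tsconfig.json
@@ -0,0 +1,17 @@
+{
+"compilerOptions": {
+"target": "es2022",
+"module": "es2022",
+"moduleResolution": "bundler",
+"resolveJsonModule": true,
+"esModuleInterop": true,
+"forceConsistentCasingInFileNames": true,
+"strict": true,
+"skipLibCheck": true,
+"paths": {
+"$amplify/*": [
+"../.amplify/generated/*"
+]
+}
+}
+}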
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
{ | ||
"name": "mfa-optional-sms", | ||
"version": "1.0.0", | ||
"main": "index.js" | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# amplify | ||
node_modules | ||
.amplify | ||
amplify_outputs* | ||
amplifyconfiguration* |
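--- a/infra-gen2/backends/auth/mfa-required-sms/amplify/auth/resource.ts
+++ b/infra-gen2/backends/auth/mfa-required-sms/amplify/auth/resource.ts
@@ -0,0 +1,14 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { defineAuth } from "@aws-amplify/backend";
+
+export const auth = defineAuth({
+loginWith: {
+email: true,
+},
+multifactor: {
+mode: "REQUIRED",
+sms: true,
+},
+});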
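Review bot: `mode: "REQUIRED"` combined with `sms: true` as the only factor means sign-in can only complete for users that already have a verified phone number, and nothing in this file declares that attribute or says where it comes from. If the test harness sets `phone_number` when it creates users, say so here; otherwise a user created with email only would be unable to satisfy the required SMS challenge. Suggested comment above `multifactor`: `// REQUIRED + sms only: every test user must be created with a verified phone_number, or sign-in cannot complete.`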
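--- a/infra-gen2/backends/auth/mfa-required-sms/amplify/backend.ts
+++ b/infra-gen2/backends/auth/mfa-required-sms/amplify/backend.ts
@@ -0,0 +1,25 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { defineBackend } from "@aws-amplify/backend";
+import { addAuthUserExtensions } from "infra-common";
+import { auth } from "./auth/resource";
+
+const backend = defineBackend({
+auth,
+});
+
+const resources = backend.auth.resources;
+const { userPool, cfnResources } = resources;
+const { stack } = userPool;
+const { cfnUserPool } = cfnResources;
+
+// Adds infra for creating/deleting users via App Sync and fetching confirmation
+// and MFA codes from App Sync.
+const customOutputs = addAuthUserExtensions({
+name: "mfa-required-sms",
+stack,
+userPool,
+cfnUserPool,
+});
+backend.addOutput(customOutputs);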
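--- a/infra-gen2/backends/auth/mfa-required-sms/amplify/package.json
+++ b/infra-gen2/backends/auth/mfa-required-sms/amplify/package.json
@@ -0,0 +1,3 @@
+{
+"type": "module"
+}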
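--- a/infra-gen2/backends/auth/mfa-required-sms/amplify/tsconfig.json
+++ b/infra-gen2/backends/auth/mfa-required-sms/amplify/tsconfig.json
@@ -0,0 +1,17 @@
+{
+"compilerOptions": {
+"target": "es2022",
+"module": "es2022",
+"moduleResolution": "bundler",
+"resolveJsonModule": true,
+"esModuleInterop": true,
+"forceConsistentCasingInFileNames": true,
+"strict": true,
+"skipLibCheck": true,
+"paths": {
+"$amplify/*": [
+"../.amplify/generated/*"
+]
+}
+}
+}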
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
{ | ||
"name": "mfa-required-sms", | ||
"version": "1.0.0", | ||
"main": "index.js" | ||
} |
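--- a/infra-gen2/infra-common/src/auth-user-extensions/enable-sms-mfa-lambda.ts
+++ b/infra-gen2/infra-common/src/auth-user-extensions/enable-sms-mfa-lambda.ts
@@ -0,0 +1,49 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { Stack } from "aws-cdk-lib";
+import { GraphqlApi, MappingTemplate } from "aws-cdk-lib/aws-appsync";
+import { IUserPool } from "aws-cdk-lib/aws-cognito";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
+import path from "path";
+
+export function addEnableSmsMfaLambda({
+name,
+stack,
+graphQL,
+userPool,
+}: {
+name: string;
+stack: Stack;
+graphQL: GraphqlApi;
+userPool: IUserPool;
+}) {
+const enableSmsMfaLambda = new NodejsFunction(stack, `${name}-enableSmsMfa`, {
+runtime: Runtime.NODEJS_18_X,
+entry: path.resolve(
+__dirname,
+"..",
+"lambda-triggers",
+"enable-sms-mfa.js"
+),
+environment: {
+USER_POOL_ID: userPool.userPoolId,
+},
+});
+
+userPool.grant(enableSmsMfaLambda, "cognito-idp:AdminSetUserMFAPreference");
+
+// Mutation.enableSmsMfa
+const enableSmsMfaSource = graphQL.addLambdaDataSource(
+"GraphQLApiEnableSmsMfaLambda",
+enableSmsMfaLambda
+);
+
+enableSmsMfaSource.createResolver("MutationEnableSmsMfaResolver", {
+typeName: "Mutation",
+fieldName: "enableSmsMfa",
+requestMappingTemplate: MappingTemplate.lambdaRequest(),
+responseMappingTemplate: MappingTemplate.lambdaResult(),
+});
+}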
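Review bot: The `environment` block sets only `USER_POOL_ID`, but the handler this construct deploys (`lambda-triggers/enable-sms-mfa.ts`, in the next file section) builds its client with `region: process.env.REGION`, which is never set here; the SDK most likely falls back to the runtime's `AWS_REGION`, so it works by accident and `REGION` is dead configuration. Either add `REGION: stack.region,` next to `USER_POOL_ID` or drop the explicit `region` from the handler, so the two files agree. Separately, the resolver exposes `Mutation.enableSmsMfa` with a caller-supplied `username` and a grant of `cognito-idp:AdminSetUserMFAPreference` on the whole pool, so who may call it is decided entirely by the GraphQL schema's auth mode, which is not in this hunk; a comment above `createResolver` such as `// Authorization for this mutation is enforced by the schema's auth directives, not here; it can change MFA settings for any user in the pool.` would make that dependency visible to the next maintainer. `Runtime.NODEJS_18_X` is also a runtime that Lambda has already announced end of support for, so picking a newer LTS runtime now avoids a follow-up.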
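--- a/infra-gen2/infra-common/src/lambda-triggers/enable-sms-mfa.ts
+++ b/infra-gen2/infra-common/src/lambda-triggers/enable-sms-mfa.ts
@@ -0,0 +1,54 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import * as cognito from "@aws-sdk/client-cognito-identity-provider";
+import type * as lambda from "aws-lambda";
+
+interface EnableSmsMfaRequest {
+username: string;
+}
+
+interface EnableSmsMfaResponse {
+success: boolean;
+error?: string;
+}
+
+const USER_POOL_ID = process.env.USER_POOL_ID;
+const CLIENT = new cognito.CognitoIdentityProviderClient({
+region: process.env.REGION,
+});
+
+export const handler: lambda.AppSyncResolverHandler<
+EnableSmsMfaRequest,
+EnableSmsMfaResponse
+> = async (
+event: lambda.AppSyncResolverEvent<EnableSmsMfaRequest>
+): Promise<EnableSmsMfaResponse> => {
+console.log(`Got event: ${JSON.stringify(event, null, 2)}`);
+
+const { username } = event.arguments;
+console.log(`Enabling SMS MFA for user ${username}...`);
+try {
+const mfaParams: cognito.AdminSetUserMFAPreferenceCommandInput = {
+UserPoolId: USER_POOL_ID,
+Username: username,
+SMSMfaSettings: {
+Enabled: true,
+PreferredMfa: true,
+},
+};
+const resp = await CLIENT.send(
+new cognito.AdminSetUserMFAPreferenceCommand(mfaParams),
+);
+console.log(`Successfully enabled MFA for ${username}`, resp);
+return {
+success: true,
+};
+} catch (err: any) {
+console.log(`Could not enable MFA for ${username}`, err);
+return {
+success: false,
+error: err.toString(),
+};
+}
+};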
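Review bot: The first `console.log` serialises the entire AppSync resolver event, and that event type carries `request.headers`, which for a signed-in caller includes the `authorization` header; writing it to CloudWatch stores the caller's token alongside the username, so log only what the handler uses: `console.log(\`Got event arguments: ${JSON.stringify(event.arguments)}\`);`. `catch (err: any)` should be `catch (err: unknown)` so the failure branch is type-checked, with the message built as `error: err instanceof Error ? err.message : String(err),` — `err.toString()` on an unknown value is the same risk the `any` is hiding. `USER_POOL_ID` is read from the environment without a check and passed straight into `UserPoolId`, so a missing variable only surfaces as a runtime error from Cognito on every call; a one-line guard at module load (`if (!USER_POOL_ID) throw new Error("USER_POOL_ID is not set");`) makes the misconfiguration fail at deploy-time testing rather than per request.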