Merge pull request #15 from Guysnacho/21-Auth-Lambda

21 Auth Lambda
Guysnacho · Sep 18, 2024 · 87e8c2e · 87e8c2e
2 parents 0a1e93e + 988e9fb
commit 87e8c2e
Show file tree

Hide file tree

Showing 16 changed files with 603 additions and 97 deletions.
diff --git a/fixtures/.gitignore b/fixtures/.gitignore
@@ -0,0 +1 @@
+**/testiiiiing.sql
diff --git a/fixtures/json/ValidLogin.json b/fixtures/json/ValidLogin.json
@@ -0,0 +1,7 @@
+{
+  "method": "LOGIN",
+  "email": "test",
+  "password": "test",
+  "fname": "test",
+  "lname": "test"
+}
diff --git a/fixtures/json/ValidSignUp.json b/fixtures/json/ValidSignUp.json
@@ -0,0 +1,7 @@
+{
+  "method": "SIGNUP",
+  "email": "test",
+  "password": "test",
+  "fname": "test",
+  "lname": "test"
+}
diff --git a/fixtures/sql/1_build_auth_tables.sql b/fixtures/sql/1_build_auth_tables.sql
@@ -0,0 +1,29 @@
+-- ALWAYS KEEP THESE SEPARATE IN REAL LIFE
+-- CREATE TABLE member (id UUID PRIMARY KEY DEFAULT gen_random_uuid ())
+-- CREATE TABLE auth (
+--     id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
+--     email TEXT NOT NULL,
+--     password TEXT NOT NULL,
+--     fname TEXT NOT NULL,
+--     lname TEXT NOT NULL,
+-- )
+
+CREATE TABLE member (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
+    email TEXT NOT NULL,
+    password TEXT NOT NULL,
+    fname TEXT NOT NULL,
+    lname TEXT NOT NULL
+);
+
+SELECT * from public.member;
+
+-- Test your queries here before writing up production queries in the lambda
+INSERT into
+    member (email, password, fname, lname)
+VALUES (
+        'email',
+        'password',
+        'fname',
+        'lname'
+    );
diff --git a/terraform/auth_lambda.tf b/terraform/auth_lambda.tf
@@ -0,0 +1,102 @@
+locals {
+  package = "deployment_package.zip"
+}
+
+data "aws_caller_identity" "current" {}
+
+data "archive_file" "package" {
+  type        = "zip"
+  source_dir  = "${path.module}/lib/auth/"
+  output_path = "${path.module}/lib/auth/${local.package}"
+  excludes    = [".gitignore", "README.md", "testbench.js", "package-lock.json", local.package]
+}
+
+module "auth_lambda" {
+  source  = "terraform-aws-modules/lambda/aws"
+  version = "7.9.0"
+
+  function_name      = "storefront-auth-lambda"
+  description        = "Lambda for handling user login and signup requests"
+  runtime            = "nodejs20.x"
+  handler            = "index.handler"
+  publish            = true
+  authorization_type = "NONE"
+  timeout            = 10
+  # Without a zipped package
+  # source_path            = "${path.module}/lib/auth/auth.js"
+  # source_path  = "${path.module}/lib/auth/"
+
+  local_existing_package = data.archive_file.package.output_path
+  package_type           = "Zip"
+  create_package         = false
+
+  architectures = ["arm64"] # Arm is cheeaaaper
+  # lambda_at_edge     = true
+
+  # Environmental variables needed to log into database
+  environment_variables = {
+    db_host     = module.db.db_instance_endpoint
+    db_username = var.db-username
+    # Not an output of a normal RDS instance
+    # db_password = module.db.cluster_master_password
+    db_secret = module.db.db_instance_master_user_secret_arn
+    secret    = var.cloudfront_secret
+    # found this by running `terraform state show insert_module_here`
+    # Replace `insert_module_here` with your specific instance from a `terraform state list`
+  }
+
+  # Might not be needed but lets specify open cors anyways
+  cors = {
+    allow_credentials = true
+    allow_origins     = ["*"]
+    allow_methods     = ["*"]
+    allow_headers     = ["date", "keep-alive", "storefront-secret"]
+    expose_headers    = ["keep-alive", "date"]
+    max_age           = 86400
+  }
+
+  # use_existing_cloudwatch_log_group = true
+  # VPC got in the way of public access https://repost.aws/questions/QU1WLg4Q2-TCqznkgmpPnW0g/getting-secret-from-lambda-times-out-when-attached-to-vpc-subnet
+  # vpc_subnet_ids                     = module.vpc.public_subnets # Public access through public VPC subnets
+  # vpc_security_group_ids             = [module.security_group.security_group_id]
+  # replacement_security_group_ids     = [module.vpc.default_security_group_id]
+  attach_network_policy              = true
+  replace_security_groups_on_destroy = true
+  create_lambda_function_url         = true
+
+  # Sets up rules for your service role
+  assume_role_policy_statements = {
+    account_root = {
+      effect  = "Allow",
+      actions = ["sts:AssumeRole"],
+      principals = {
+        account_principal = {
+          type        = "AWS",
+          identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+        }
+      }
+    }
+  }
+
+  attach_policy_statements = true
+  policy_statements = {
+    secret_read = {
+      effect    = "Allow",
+      actions   = ["secretsmanager:GetSecretValue", "secretsmanager:ListSecrets"],
+      resources = ["*"]
+    }
+  }
+  # allowed_triggers = {
+  #   // Allows any invoker through the API Gateway
+  #   APIGatewayAny = {
+  #     service    = "apigateway"
+  #     source_arn = "arn:aws:execute-api:us-west-2:${data.aws_caller_identity.current.account_id}:*/*/*/*"
+  #   }
+  # }
+}
+
+# Allows you to add the lambda to VPC
+# resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
+#   role       = module.auth_lambda.lambda_role_name
+#   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+# }
diff --git a/terraform/cloudfront.tf b/terraform/cloudfront.tf
@@ -14,6 +14,12 @@ module "cloudfront" {
       origin_access_control    = "s3_oac"
       origin_access_control_id = aws_cloudfront_origin_access_control.cloudfront_oac.id # external OAС resource
       origin_ssl_protocols     = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+      custom_header = [
+        {
+          name  = "storefront-secret"
+          value = var.cloudfront_secret
+        }
+      ]
       origin_shield = {
         enabled              = true
         origin_shield_region = "us-west-2"
@@ -25,6 +31,12 @@ module "cloudfront" {
       origin_access_control    = "s3_oac2"
       origin_access_control_id = aws_cloudfront_origin_access_control.cloudfront_oac.id
       origin_ssl_protocols     = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+      custom_header = [
+        {
+          name  = "storefront-secret"
+          value = var.cloudfront_secret
+        }
+      ]
       origin_shield = {
         enabled              = true
         origin_shield_region = "us-west-2"
@@ -38,6 +50,18 @@ module "cloudfront" {
     allowed_methods        = ["GET", "HEAD", "OPTIONS"]
     cached_methods         = ["GET", "HEAD"]
 
+    # lambda_function_association = {
+    #   # Valid keys: viewer-request, origin-request, viewer-response, origin-response
+    #   viewer-request = {
+    #     lambda_arn   = module.sale_lambda.lambda_function_qualified_arn
+    #     include_body = true
+    #   }
+
+    #   origin-request = {
+    #     lambda_arn = module.sale_lambda.lambda_function_qualified_arn
+    #   }
+    # }
+
     use_forwarded_values = true
   }